Why "dig foo" fails but "dig +trace foo" succeeds?
Mark Andrews
Mark_Andrews at isc.org
Wed Nov 17 22:07:13 UTC 2004
> On Wed, 2004-11-17 at 16:38, Mark Andrews wrote:
> > > > Next you want to eliminate a broken/misconfigured firewall
> > > > from the problem space. You should be able to get an answer
> > > > to both of these queries. If you don't you need to fix your
> > > > firewall to handle EDNS queries.
> > > >
> > > > dig +bufsiz=4096 www.powweb.com @a.root-servers.net
> > > > dig www.powweb.com @a.root-servers.net
> > >
> > > Both queries failed, so we've opened up a call to the firewall vendor as
> > > well.
> >
> > I would expect the "+bufsiz=4096" one to fail and the other
> > to succeed.
>
> For completeness, here is what I see:
>
>
>
> wicket 82# dig +bufsiz=4096 www.powweb.com @a.root-servers.net
>
> ; <<>> DiG 9.2.4rc6 <<>> +bufsiz=4096 www.powweb.com @a.root-servers.net
> ;; global options: printcmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 7158
> ;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 13, ADDITIONAL: 16
>
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags:; udp: 4096
> ;; QUESTION SECTION:
> ;www.powweb.com. IN A
>
> ;; AUTHORITY SECTION:
> com. 172800 IN NS A.GTLD-SERVERS.NET.
> com. 172800 IN NS G.GTLD-SERVERS.NET.
> com. 172800 IN NS H.GTLD-SERVERS.NET.
> com. 172800 IN NS C.GTLD-SERVERS.NET.
> com. 172800 IN NS I.GTLD-SERVERS.NET.
> com. 172800 IN NS B.GTLD-SERVERS.NET.
> com. 172800 IN NS D.GTLD-SERVERS.NET.
> com. 172800 IN NS L.GTLD-SERVERS.NET.
> com. 172800 IN NS F.GTLD-SERVERS.NET.
> com. 172800 IN NS J.GTLD-SERVERS.NET.
> com. 172800 IN NS K.GTLD-SERVERS.NET.
> com. 172800 IN NS E.GTLD-SERVERS.NET.
> com. 172800 IN NS M.GTLD-SERVERS.NET.
>
> ;; ADDITIONAL SECTION:
> A.GTLD-SERVERS.NET. 172800 IN AAAA 2001:503:a83e::2:30
> A.GTLD-SERVERS.NET. 172800 IN A 192.5.6.30
> G.GTLD-SERVERS.NET. 172800 IN A 192.42.93.30
> H.GTLD-SERVERS.NET. 172800 IN A 192.54.112.30
> C.GTLD-SERVERS.NET. 172800 IN A 192.26.92.30
> I.GTLD-SERVERS.NET. 172800 IN A 192.43.172.30
> B.GTLD-SERVERS.NET. 172800 IN AAAA 2001:503:231d::2:30
> B.GTLD-SERVERS.NET. 172800 IN A 192.33.14.30
> D.GTLD-SERVERS.NET. 172800 IN A 192.31.80.30
> L.GTLD-SERVERS.NET. 172800 IN A 192.41.162.30
> F.GTLD-SERVERS.NET. 172800 IN A 192.35.51.30
> J.GTLD-SERVERS.NET. 172800 IN A 192.48.79.30
> K.GTLD-SERVERS.NET. 172800 IN A 192.52.178.30
> E.GTLD-SERVERS.NET. 172800 IN A 192.12.94.30
> M.GTLD-SERVERS.NET. 172800 IN A 192.55.83.30
>
> ;; Query time: 17 msec
> ;; SERVER: 198.41.0.4#53(a.root-servers.net)
> ;; WHEN: Wed Nov 17 16:48:08 2004
> ;; MSG SIZE rcvd: 531

Good, your firewall is *not* blocking large (> 512) EDNS responses.
These are referrals from the root servers to the com servers and
are as expected.

> wicket 83# dig www.powweb.com @a.root-servers.net
>
> ; <<>> DiG 9.2.4rc6 <<>> www.powweb.com @a.root-servers.net
> ;; global options: printcmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1738
> ;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 13, ADDITIONAL: 14
>
> ;; QUESTION SECTION:
> ;www.powweb.com. IN A
>
> ;; AUTHORITY SECTION:
> com. 172800 IN NS A.GTLD-SERVERS.NET.
> com. 172800 IN NS G.GTLD-SERVERS.NET.
> com. 172800 IN NS H.GTLD-SERVERS.NET.
> com. 172800 IN NS C.GTLD-SERVERS.NET.
> com. 172800 IN NS I.GTLD-SERVERS.NET.
> com. 172800 IN NS B.GTLD-SERVERS.NET.
> com. 172800 IN NS D.GTLD-SERVERS.NET.
> com. 172800 IN NS L.GTLD-SERVERS.NET.
> com. 172800 IN NS F.GTLD-SERVERS.NET.
> com. 172800 IN NS J.GTLD-SERVERS.NET.
> com. 172800 IN NS K.GTLD-SERVERS.NET.
> com. 172800 IN NS E.GTLD-SERVERS.NET.
> com. 172800 IN NS M.GTLD-SERVERS.NET.
>
> ;; ADDITIONAL SECTION:
> A.GTLD-SERVERS.NET. 172800 IN AAAA 2001:503:a83e::2:30
> A.GTLD-SERVERS.NET. 172800 IN A 192.5.6.30
> G.GTLD-SERVERS.NET. 172800 IN A 192.42.93.30
> H.GTLD-SERVERS.NET. 172800 IN A 192.54.112.30
> C.GTLD-SERVERS.NET. 172800 IN A 192.26.92.30
> I.GTLD-SERVERS.NET. 172800 IN A 192.43.172.30
> B.GTLD-SERVERS.NET. 172800 IN AAAA 2001:503:231d::2:30
> B.GTLD-SERVERS.NET. 172800 IN A 192.33.14.30
> D.GTLD-SERVERS.NET. 172800 IN A 192.31.80.30
> L.GTLD-SERVERS.NET. 172800 IN A 192.41.162.30
> F.GTLD-SERVERS.NET. 172800 IN A 192.35.51.30
> J.GTLD-SERVERS.NET. 172800 IN A 192.48.79.30
> K.GTLD-SERVERS.NET. 172800 IN A 192.52.178.30
> E.GTLD-SERVERS.NET. 172800 IN A 192.12.94.30
>
> ;; Query time: 16 msec
> ;; SERVER: 198.41.0.4#53(a.root-servers.net)
> ;; WHEN: Wed Nov 17 16:48:18 2004
> ;; MSG SIZE rcvd: 504
>
>
>
> --
> Norman Joseph, System Engineer joseph at ctc.com IC|XC
> Concurrent Technologies Corporation 814/269.2633 --+--
> Federal Systems Group/IT & Systems Engineering NI|KA
>
> ***** If we don't change the direction we are headed, *****
> we will end up where we are going.
>
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: Mark_Andrews at isc.org
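
The two probes in this thread differ only in the EDNS0 OPT record that "+bufsiz=4096" adds to the query. The following is an added example, not part of the original thread or of BIND: it builds both query forms, reads the advertised UDP size back out, and classifies the pair of results using the MSG SIZE rcvd values dig prints. The function names and result labels are hypothetical, chosen for illustration.

```python
import struct

OPT = 41  # EDNS0 OPT pseudo-RR type (RFC 6891)

def build_query(name, qid, bufsize=None):
    """A/IN query with RD set; bufsize adds the OPT RR that dig +bufsiz sends."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 1 if bufsize else 0)
    qname = b"".join(bytes([len(l)]) + l.encode("ascii")
                     for l in name.rstrip(".").split(".")) + b"\x00"
    msg = header + qname + struct.pack("!HH", 1, 1)
    if bufsize:
        # root owner name, TYPE=OPT, CLASS carries the UDP payload size,
        # TTL carries ext-rcode/version/flags (all zero), empty RDATA
        msg += b"\x00" + struct.pack("!HHIH", OPT, bufsize, 0, 0)
    return msg

def skip_name(msg, off):
    """Return the offset just past a (possibly compressed) domain name."""
    while True:
        n = msg[off]
        if n == 0:
            return off + 1
        if n & 0xC0 == 0xC0:      # compression pointer terminates the name
            return off + 2
        off += 1 + n

def edns_udp_size(msg):
    """Advertised UDP payload size from the OPT RR, or None without EDNS."""
    qd, an, ns, ar = struct.unpack("!HHHH", msg[4:12])
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4          # QTYPE + QCLASS
    for _ in range(an + ns + ar):
        off = skip_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        if rtype == OPT:
            return rclass
        off += 10 + rdlen
    return None

def classify(plain_size, edns_size):
    """Sizes are MSG SIZE rcvd for each probe, or None if it timed out."""
    if plain_size is None and edns_size is None:
        return "no-dns"            # nothing gets through; not EDNS-specific
    if edns_size is None:
        return "edns-blocked"      # plain works, EDNS probe dropped
    if edns_size > 512:
        return "large-edns-ok"     # a >512-byte UDP response reached us
    return "edns-ok-small"         # EDNS passes, large response not exercised
```

With the sizes shown in the thread, classify(504, 531) returns "large-edns-ok": the 531-byte EDNS referral arrived intact, while the plain response was held to 504 bytes to fit the 512-byte limit.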