Problems resolving hosts in vetcentric.com domain

Mark Andrews Mark_Andrews at isc.org
Wed Jun 29 00:16:44 UTC 2005


	I suspect that there is a non-DNSSEC aware EDNS aware
	firewall in front of non-EDNS aware nameservers.  This
	is causing DNSSEC queries to not be answered.  Named has
	to timeout before falling back to issuing non-EDNS queries.
	Because named doesn't make a plain EDNS query it doesn't
	get a cachable (FORMERR) indication that the remote server
	doesn't understand EDNS.  As a result every query to this
	zone has to go through the timeout and as the records have
	a low TTL this is a frequent occurrence.

	You can use a server clause to disable EDNS with the servers
	for the zone.

	Note: this really needs to be fixed at the remote end by
	replacing / reconfiguring the firewall and upgrading the
	nameserver to be EDNS aware.

	Mark

% dig vetcentric.com soa @65.207.23.10 +bufsize=512 +norec +qr

; <<>> DiG 9.3.1 <<>> vetcentric.com soa @65.207.23.10 +bufsize=512 +norec +qr
; (1 server found)
;; global options:  printcmd
;; Sending:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 32670
;; flags:; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;vetcentric.com.                        IN      SOA

;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: FORMERR, id: 32670
;; flags: qr ra; QUERY: 0, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0

;; Query time: 247 msec
;; SERVER: 65.207.23.10#53(65.207.23.10)
;; WHEN: Wed Jun 29 09:34:01 2005
;; MSG SIZE  rcvd: 12

% dig vetcentric.com soa @65.207.23.10 +bufsize=512 +norec +qr +dnssec

; <<>> DiG 9.3.1 <<>> vetcentric.com soa @65.207.23.10 +bufsize=512 +norec +qr +dnssec
; (1 server found)
;; global options:  printcmd
;; Sending:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 59965
;; flags:; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 512
;; QUESTION SECTION:
;vetcentric.com.                        IN      SOA

;; connection timed out; no servers could be reached
% 

> We are having some problems here where we are temporarily (or in some cases
> until we stop/restart named) unable to resolve hosts within the vetcentric.com
> domain.  Since a stop/restart of named resolved the problems the first time
> this occurred, we initially thought something was corrupted with the DNS
> cache.  However, the problem continues to crop up randomly.  In some cases, it
> will stop resolving for say 20 minutes or so and then begin resolving again
> with no action taken on our end.  We have eliminated firewall issues after
> some extensive investigation on that end and believe it's something DNS
> related.  I've attempted to put named in debug mode (setting level as high as
> 5); however, named continues to log only information as shown below despite
> the level I use.  What's more baffling is that if I attempted to start named
> from the command line with a debug level of 1 or 2 that it does not create
> the named.run file.  Only when I enabled debugging at level 3 or higher does
> it create it.  In any case, I'm somewhat puzzled as to what is causing this
> on again/off again type behavior with resolving hosts in this domain.  Any
> ideas, suggestions, etc would be appreciated.  Will provide other information
> as needed/requested.
> Our servers are all running 9.3.1 at present.  FWIW, we are able to resolve
> hosts in the domain, including just vetcentric.com itself from remote DNS
> servers, thus indicating some issue on our end or somewhere between us and the
> vetcentric name servers.
> 
> 28-Jun-2005 13:06:46.792 client @1eea90: udprecv
> 28-Jun-2005 13:06:46.792 client @1f0910: accept
> 28-Jun-2005 13:06:46.792 client @1f2b50: udprecv
> 28-Jun-2005 13:06:46.792 client @1f49e8: accept
> 28-Jun-2005 13:06:47.196 client 128.244.197.32#53: UDP request
> 28-Jun-2005 13:06:47.196 client 128.244.197.32#53: view internet: using view 'internet'
> 28-Jun-2005 13:06:47.196 client 128.244.197.32#53: view internet: query
> 28-Jun-2005 13:06:47.196 client 128.244.197.32#53: view internet: replace
> 28-Jun-2005 13:06:47.197 client @1d9470: create
> 28-Jun-2005 13:06:47.197 client @1d9470: udprecv
> 28-Jun-2005 13:06:47.216 client 128.244.194.100#53: UDP request
> 28-Jun-2005 13:06:47.216 client 128.244.194.100#53: view internet: using view 'internet'
> 28-Jun-2005 13:06:47.216 client 128.244.194.100#53: view internet: query
> 28-Jun-2005 13:06:47.216 client 128.244.194.100#53: view internet: replace
> 28-Jun-2005 13:06:47.216 client @255db0: create
> 28-Jun-2005 13:06:47.216 client @255db0: udprecv
> 28-Jun-2005 13:06:47.341 client 192.112.36.4#53: UDP request
> 28-Jun-2005 13:06:47.341 client 192.112.36.4#53: next
> 28-Jun-2005 13:06:47.341 client 192.112.36.4#53: endrequest
> 28-Jun-2005 13:06:47.341 client @255db0: udprecv
> 
> Bill Smith
> <mailto:bill.smith at jhuapl.edu>
> ISS Server Systems Group
> Johns Hopkins University Applied Physics Laboratory 
> 11100 Johns Hopkins Road 
> Laurel, MD 20723
> Phone:  443-778-5523
> Web:  http://www.jhuapl.edu <http://www.jhuapl.edu/>    
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: Mark_Andrews at isc.org
