Queries to a positively cached zone are failing (phila.gov)

Greg Chavez greg.chavez at gmail.com
Wed Mar 15 20:00:24 UTC 2006


On Mar 15, 2006, at 14:52, Greg Chavez wrote:

> The third thing I did was test it and the fourth thing I did was slap
> myself again when it didn't work.  Same old same old.  Dig queries to
> the phila.gov name servers work; queries by BIND time out.
>
> Times out: that's an important distinction.  BIND doesn't get back a
> FORMERR; the remote name server *never responds* to the query.
>
> These packets go through a pix firewall before they reach the wild.

I and our network team are concentrating on the possibility that our
PIX firewall, which performs minor surgery on DNS packets for NAT
purposes, may be having trouble accepting "We don't speak EDNS"
responses from phila.gov's name servers, which may be running BIND 4.
If anybody else has any insight as far as PIX and EDNS goes or thinks
we're barking up the wrong tree, please come forward.  Otherwise, I'll
close out this thread when we reach a solution.
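
One way to test the hypothesis in the message above is to send the same query with and without an EDNS0 OPT record and compare the outcomes. This is an added example, not part of the original post; the function names, the query ID and the diagnosis strings are assumptions, and the server address is supplied by the caller.

```python
import socket
import struct

QID = 0x1A2B  # constructed query ID
RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 4: "NOTIMP", 5: "REFUSED"}

def build_query(name, edns=False, udp_size=4096):
    """A/IN query with RD clear, as a resolver sends to an authoritative server."""
    header = struct.pack("!HHHHHH", QID, 0, 1, 0, 0, 1 if edns else 0)
    parts = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(p)]) + p.encode("ascii") for p in parts) + b"\x00"
    question = qname + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN
    # EDNS0 OPT pseudo-RR: root owner, TYPE=41, CLASS=UDP payload size, TTL=0, RDLEN=0
    opt = (b"\x00" + struct.pack("!HHIH", 41, udp_size, 0, 0)) if edns else b""
    return header + question + opt

def classify(resp):
    """Map a raw reply (or None for no reply) to the outcome the thread cares about."""
    if resp is None:
        return "timeout"
    if len(resp) < 12:
        return "malformed"
    rid, flags = struct.unpack("!HH", resp[:4])
    if rid != QID or not flags & 0x8000:  # wrong ID or QR bit clear
        return "mismatch"
    return RCODES.get(flags & 0xF, "RCODE%d" % (flags & 0xF))

def probe(server, name, timeout=3.0):
    """Send the plain and the EDNS query to one server and classify each reply."""
    results = {}
    for label, edns in (("plain", False), ("edns", True)):
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
            s.settimeout(timeout)
            try:
                s.sendto(build_query(name, edns), (server, 53))
                resp = s.recvfrom(4096)[0]
            except OSError:  # timeout or ICMP error: no DNS answer arrived
                resp = None
        results[label] = classify(resp)
    return results

def diagnose(results):
    """Turn the pair of outcomes into a next step (wording is illustrative)."""
    if results["plain"] == "NOERROR" and results["edns"] == "timeout":
        return "reply to EDNS query lost: compare a run from outside the firewall"
    if results["edns"] in ("FORMERR", "NOTIMP"):
        return "server rejects EDNS and the reply arrives: resolver can fall back"
    if results["plain"] == results["edns"]:
        return "EDNS makes no difference on this path"
    return "inconclusive"
```

Running `diagnose(probe(server, "phila.gov"))` once from behind the firewall and once from a host outside it separates a server that ignores EDNS queries from a path that drops the replies.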


