named slow resolving to internet
Kevin Darcy
kcd at chrysler.com
Wed Oct 31 23:57:52 UTC 2007
Yes, but you'll notice that the +dnssec query advertised a larger buffer size ("EDNS: version: 0, flags: do; udp: 4096"). The fact that both queries returned successfully and quickly implies that you don't have any EDNS-challenged devices in the path between your box and a.root-servers.net.
This is what diagnosis is all about, eliminating possible causes.
- Kevin
Binmakhashen, Latif wrote:
> The answer is 0?
>
> I compiled bind without the OpenSSL library so no security features are
> enabled.
>
>
> HPADM2/home/rootlbm > dig www.ducks.com @a.root-servers.net
>
> ; <<>> DiG 9.3.2 <<>> www.ducks.com @a.root-servers.net
> ; (1 server found)
> ;; global options: printcmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1585
> ;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 13, ADDITIONAL: 14
>
> ;; QUESTION SECTION:
> ;www.ducks.com. IN A
>
> ;; AUTHORITY SECTION:
> com. 172800 IN NS B.GTLD-SERVERS.NET.
> com. 172800 IN NS C.GTLD-SERVERS.NET.
> com. 172800 IN NS D.GTLD-SERVERS.NET.
> com. 172800 IN NS E.GTLD-SERVERS.NET.
> com. 172800 IN NS F.GTLD-SERVERS.NET.
> com. 172800 IN NS G.GTLD-SERVERS.NET.
> com. 172800 IN NS H.GTLD-SERVERS.NET.
> com. 172800 IN NS I.GTLD-SERVERS.NET.
> com. 172800 IN NS J.GTLD-SERVERS.NET.
> com. 172800 IN NS K.GTLD-SERVERS.NET.
> com. 172800 IN NS L.GTLD-SERVERS.NET.
> com. 172800 IN NS M.GTLD-SERVERS.NET.
> com. 172800 IN NS A.GTLD-SERVERS.NET.
>
> ;; ADDITIONAL SECTION:
> A.GTLD-SERVERS.NET. 172800 IN A 192.5.6.30
> A.GTLD-SERVERS.NET. 172800 IN AAAA 2001:503:a83e::2:30
> B.GTLD-SERVERS.NET. 172800 IN A 192.33.14.30
> B.GTLD-SERVERS.NET. 172800 IN AAAA 2001:503:231d::2:30
> C.GTLD-SERVERS.NET. 172800 IN A 192.26.92.30
> D.GTLD-SERVERS.NET. 172800 IN A 192.31.80.30
> E.GTLD-SERVERS.NET. 172800 IN A 192.12.94.30
> F.GTLD-SERVERS.NET. 172800 IN A 192.35.51.30
> G.GTLD-SERVERS.NET. 172800 IN A 192.42.93.30
> H.GTLD-SERVERS.NET. 172800 IN A 192.54.112.30
> I.GTLD-SERVERS.NET. 172800 IN A 192.43.172.30
> J.GTLD-SERVERS.NET. 172800 IN A 192.48.79.30
> K.GTLD-SERVERS.NET. 172800 IN A 192.52.178.30
> L.GTLD-SERVERS.NET. 172800 IN A 192.41.162.30
>
> ;; Query time: 28 msec
> ;; SERVER: 198.41.0.4#53(198.41.0.4)
> ;; WHEN: Wed Oct 31 19:44:10 2007
> ;; MSG SIZE rcvd: 503
>
> HPADM2/home/rootlbm > dig +dnssec www.ducks.com @a.root-servers.net
>
> ; <<>> DiG 9.3.2 <<>> +dnssec www.ducks.com @a.root-servers.net
> ; (1 server found)
> ;; global options: printcmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1522
> ;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 13, ADDITIONAL: 16
>
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags: do; udp: 4096
> ;; QUESTION SECTION:
> ;www.ducks.com. IN A
>
> ;; AUTHORITY SECTION:
> com. 172800 IN NS I.GTLD-SERVERS.NET.
> com. 172800 IN NS J.GTLD-SERVERS.NET.
> com. 172800 IN NS K.GTLD-SERVERS.NET.
> com. 172800 IN NS L.GTLD-SERVERS.NET.
> com. 172800 IN NS M.GTLD-SERVERS.NET.
> com. 172800 IN NS A.GTLD-SERVERS.NET.
> com. 172800 IN NS B.GTLD-SERVERS.NET.
> com. 172800 IN NS C.GTLD-SERVERS.NET.
> com. 172800 IN NS D.GTLD-SERVERS.NET.
> com. 172800 IN NS E.GTLD-SERVERS.NET.
> com. 172800 IN NS F.GTLD-SERVERS.NET.
> com. 172800 IN NS G.GTLD-SERVERS.NET.
> com. 172800 IN NS H.GTLD-SERVERS.NET.
>
> ;; ADDITIONAL SECTION:
> A.GTLD-SERVERS.NET. 172800 IN A 192.5.6.30
> A.GTLD-SERVERS.NET. 172800 IN AAAA 2001:503:a83e::2:30
> B.GTLD-SERVERS.NET. 172800 IN A 192.33.14.30
> B.GTLD-SERVERS.NET. 172800 IN AAAA 2001:503:231d::2:30
> C.GTLD-SERVERS.NET. 172800 IN A 192.26.92.30
> D.GTLD-SERVERS.NET. 172800 IN A 192.31.80.30
> E.GTLD-SERVERS.NET. 172800 IN A 192.12.94.30
> F.GTLD-SERVERS.NET. 172800 IN A 192.35.51.30
> G.GTLD-SERVERS.NET. 172800 IN A 192.42.93.30
> H.GTLD-SERVERS.NET. 172800 IN A 192.54.112.30
> I.GTLD-SERVERS.NET. 172800 IN A 192.43.172.30
> J.GTLD-SERVERS.NET. 172800 IN A 192.48.79.30
> K.GTLD-SERVERS.NET. 172800 IN A 192.52.178.30
> L.GTLD-SERVERS.NET. 172800 IN A 192.41.162.30
> M.GTLD-SERVERS.NET. 172800 IN A 192.55.83.30
>
> ;; Query time: 23 msec
> ;; SERVER: 198.41.0.4#53(198.41.0.4)
> ;; WHEN: Wed Oct 31 19:44:23 2007
> ;; MSG SIZE rcvd: 530
>
> HPADM2/home/rootlbm >
>
>
> Kind regards,
>
> Latif Binmakhashen
> Senior Unix Admin.
> Omnicare Inc.
> Direct Line: (614) 652-3217
> latif.binmakhashen at omnicare.com
>
>
> -- NOTICE --
> This e-mail message is confidential, intended only for the named
> recipient(s) above and may contain information that is privileged or
> exempt from disclosure under applicable law. If you have received this
> message in error, or are not the named recipient(s), please immediately
> notify the sender and delete this e-mail message from your computer.
>
>
> -----Original Message-----
> From: bind-users-bounce at isc.org [mailto:bind-users-bounce at isc.org] On
> Behalf Of Mark Andrews
> Sent: Wednesday, October 31, 2007 7:25 PM
> To: Kevin Darcy
> Cc: comp-protocols-dns-bind at isc.org
> Subject: Re: named slow resolving to internet
>
>
> Long lookup times can be the result of firewalls that are
> blocking EDNS responses. Named will retry using plain DNS
> but it has to timeout first.
>
> Do you get responses to both of these queries?
>
> dig www.ducks.com @a.root-servers.net
>
> dig +dnssec www.ducks.com @a.root-servers.net
>
> If not you need to look at your firewall settings.
>
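The two-query test discussed in this thread, as an added example that is not part of the original messages: it builds the plain query and the EDNS query at wire level, so the only difference (the OPT pseudo-RR carrying "udp: 4096" and the DO flag) is visible, and it interprets the pair of results the way the thread does. The function names and the 3-second timeout are assumptions made for illustration.

```python
import socket
import struct

def encode_name(name):
    """Encode a domain name as length-prefixed labels ending in the root label."""
    labels = [l for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def build_query(name, qid, edns_udp_size=None, do_bit=False):
    """A/IN query with RD set; optionally append an EDNS0 OPT pseudo-RR (RFC 6891)."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 1 if edns_udp_size else 0)
    question = encode_name(name) + struct.pack("!HH", 1, 1)
    opt = b""
    if edns_udp_size:
        # OPT RR: root name, TYPE 41, CLASS carries the UDP buffer size,
        # TTL carries ext-rcode(8) | version(8) | flags(16); DO is the top flag bit.
        ttl = 0x8000 if do_bit else 0
        opt = b"\x00" + struct.pack("!HHIH", 41, edns_udp_size, ttl, 0)
    return header + question + opt

def parse_opt(query):
    """Return (udp_size, do_bit) from a query built above, or None if it has no OPT."""
    arcount = struct.unpack("!H", query[10:12])[0]
    pos = 12
    while query[pos]:               # skip the QNAME labels
        pos += query[pos] + 1
    pos += 1 + 4                    # root label, QTYPE, QCLASS
    if arcount == 0:
        return None
    rtype, udp_size, ttl, _ = struct.unpack("!HHIH", query[pos + 1:pos + 11])
    return (udp_size, bool(ttl & 0x8000)) if rtype == 41 else None

def probe(server, query, timeout=3.0):
    """Send one UDP query; True if a reply with the same ID arrives in time."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        try:
            s.sendto(query, (server, 53))
            return s.recvfrom(4096)[0][:2] == query[:2]
        except OSError:             # includes socket.timeout
            return False

def classify(plain_ok, edns_ok):
    """Interpret the pair of probe results the way the thread does."""
    if plain_ok and edns_ok:
        return "no EDNS-challenged device in the path"
    if plain_ok:
        return "EDNS responses blocked: check firewall settings"
    return "plain DNS failing: not an EDNS-specific problem"
```

To run it against a server, pass the two `build_query` results to `probe("198.41.0.4", ...)` and feed both booleans to `classify`.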