[SOLVED] Re: BIND9 SERVFAIL on some .gov addresses
Ryan Novosielski
novosirj at umdnj.edu
Wed Feb 23 18:13:08 UTC 2011
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
A couple more gems:
https://www.dnssec-deployment.org/wp-content/uploads/2010/03/DNSSEC-CPE-Report.pdf
(really anything at dnssec-deployment.org)
There was another table that I found someplace and cannot find now that
listed Cisco PIX and mentioned with a * the subtle difference between
versions of that firewall firmware. I can't find that table anywhere --
was HTML, not in a PDF.
On 02/23/2011 11:39 AM, Ryan Novosielski wrote:
> Take a look at this. It is somewhat confusing, but it is helpful and
> should tell you right away if you definitely have a firewall issue (and
> frankly there's little else it could be).
>
> https://www.dns-oarc.net/oarc/services/replysizetest
>
> On 02/23/2011 11:15 AM, Shaoquan Lin wrote:
>> Thanks, Mark,
>
>> Last June I asked our firewall person to make sure our firewall not
>> blocking DNS packets over 512 bytes. He told me our firewall was not
>> blocking. I guess that might be some default setting of the firewall
>> and he does not really know. I did two digs here one with +dnssec and
>> one without. I got the the following:
>
>> 1) with +dnssec :
>> ; <<>> DiG 9.6.1-P3 <<>> +norec vwall4a.nyc.gov @b.gov-servers.net +dnssec
>> ;; global options: +cmd
>> ;; connection timed out; no servers could be reached
>
>> 2) without +dnssec :
>> ; <<>> DiG 9.6.1-P3 <<>> +norec vwall4a.nyc.gov @b.gov-servers.net
>> ;; global options: +cmd
>> ;; Got answer:
>> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 2024
>> ;; flags: qr; QUERY: 1, ANSWER: 0, AUTHORITY: 4, ADDITIONAL: 4
>
>> ;; QUESTION SECTION:
>> ;vwall4a.nyc.gov. IN A
>
>> ;; AUTHORITY SECTION:
>> nyc.gov. 86400 IN NS vwall1a.nyc.gov.
>> nyc.gov. 86400 IN NS vwall2a.nyc.gov.
>> nyc.gov. 86400 IN NS vwall3a.nyc.gov.
>> nyc.gov. 86400 IN NS vwall4a.nyc.gov.
>
>> ;; ADDITIONAL SECTION:
>> vwall1a.nyc.gov. 86400 IN A 161.185.1.3
>> vwall2a.nyc.gov. 86400 IN A 161.185.1.12
>> vwall3a.nyc.gov. 86400 IN A 167.153.130.12
>> vwall4a.nyc.gov. 86400 IN A 167.153.130.13
>
>> ;; Query time: 31 msec
>> ;; SERVER: 209.112.123.30#53(209.112.123.30)
>> ;; WHEN: Wed Feb 23 11:12:48 2011
>> ;; MSG SIZE rcvd: 192
>
>> Does this show we do have a firewall problem here?
>
>> Shaoquan Lin
>
>> Mark Andrews wrote:
>>> In message <0539E64AD2B54AD2804C2394F923800B at se179>, "Shaoquan Lin"
>>> writes:
>>>
>>>> Mark,
>>>>
>>>> Are these bugs (2784 and 1804) fixed by BIND 9.6.1-P3? My problem is
>>>> that I
>>>> can not get A records of NSs (like vwall4a.nyc.gov) of nyc.gov from
>>>> b.gov-servers.net by BIND 9.6.1-P3 but with no problem with older
>>>> BINDs like
>>>> 9.3. I don't know if the problem is with the authoritative
>>>> nameservers for gov or the nameservers for nyc.gov or with the BIND I
>>>> am using. I noticed the following:
>>>>
>>>
>>> Just fix your firewalls to allow EDNS responses through. While
>>> this is a bug in the authoritative servers / interpretation of
>>> RFC 1034, its only a issue because your firewall configuration
>>> is a decade out of date that it is a problem.
>>>
>>>
>>>> 1). a.gov-servers.net or b.gov-servers.net does provide A records
>>>> in the additional records of their responses for other subdomain
>>>> under gov like treas.gov, just not nyc.gov. So the problem seems
>>>> with nameservers for nyc.gov. The problem is relatively new and
>>>> there might be some recent changes on nyc.gov.
>>>>
>>>
>>> The gov servers will return glue if you let bigger answers than 512 bytes
>>> through your firewall.
>>>
>>> ; <<>> DiG 9.6.0-APPLE-P2 <<>> +norec vwall4a.nyc.gov
>>> @b.gov-servers.net +dnssec
>>> ;; global options: +cmd
>>> ;; Got answer:
>>> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 50028
>>> ;; flags: qr; QUERY: 1, ANSWER: 0, AUTHORITY: 6, ADDITIONAL: 5
>>>
>>> ;; OPT PSEUDOSECTION:
>>> ; EDNS: version: 0, flags:; udp: 1472
>>> ;; QUESTION SECTION:
>>> ;vwall4a.nyc.gov. IN A
>>>
>>> ;; AUTHORITY SECTION:
>>> nyc.gov. 86400 IN NS vwall1a.nyc.gov.
>>> nyc.gov. 86400 IN NS vwall2a.nyc.gov.
>>> nyc.gov. 86400 IN NS vwall3a.nyc.gov.
>>> nyc.gov. 86400 IN NS vwall4a.nyc.gov.
>>> rq2651faaj4nen6tfis8ju5005qccn8j.gov. 86400 IN NSEC3 1 0 8
>>> 4C44934802D3 RQDJO8PKJ2LEUMC30SGU45DDI643G497 NS
>>> rq2651faaj4nen6tfis8ju5005qccn8j.gov. 86400 IN RRSIG NSEC3 7 2 86400
>>> 20110227210022 20110222210022 47602 gov.
>>> ENl60LTdlJfmyDp9wrwh6bQao8TvqTk8hX4qD6x4bHGBixjsGhOy/si8
>>> JVUl1MbeJ1PaJ3p59/ABFUv7ApOh5v6eflzhsBa6EalBrYCC5HpOabJn
>>> Q2r0RFqDvUb1Qo921cnbC+3Bh37i3DVTbK+poYpIkbpJAxOE+/zp/PrA
>>> 1L0v2kuS9t6gHLk+ZzfsQI6Gi9Ezg2VZIhVXGz06a7EzyGy2BZ/Plz4u
>>> In2Dj5ncwAlAi9dC6xiQTW2yRmVSQoXzNZKUcZO+E0mPKPR9DcNVotX9
>>> CzTbrOyKNtYrrV6GNslN5qicuHIehriQIMPdXs3/e2ZhB3h944kpymqL ag3tCg==
>>>
>>> ;; ADDITIONAL SECTION:
>>> vwall1a.nyc.gov. 86400 IN A 161.185.1.3
>>> vwall2a.nyc.gov. 86400 IN A 161.185.1.12
>>> vwall3a.nyc.gov. 86400 IN A 167.153.130.12
>>> vwall4a.nyc.gov. 86400 IN A 167.153.130.13
>>>
>>> ;; Query time: 187 msec
>>> ;; SERVER: 209.112.123.30#53(209.112.123.30)
>>> ;; WHEN: Wed Feb 23 11:54:06 2011
>>> ;; MSG SIZE rcvd: 574
>>>
>>>
>>>> 2) Older version of Binds (like 9.3) seems able to resolve
>>>> vwall4a.nyc.gov as shown the packets I captured in my previous e-mail.
>>>>
>>>> What options in named.conf I can use to set "tc"?
>>>>
>>>> Thank you.
>>>>
>>>> Shaoquan Lin
>>>>
>
>
>
_______________________________________________
bind-users mailing list
bind-users at lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
- --
- ---- _ _ _ _ ___ _ _ _
|Y#| | | |\/| | \ |\ | | |Ryan Novosielski - Sr. Systems Programmer
|$&| |__| | | |__/ | \| _| |novosirj at umdnj.edu - 973/972.0922 (2-0922)
\__/ Univ. of Med. and Dent.|IST/CST-Academic Svcs. - ADMC 450, Newark
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/
iEYEARECAAYFAk1lTjMACgkQmb+gadEcsb5KSwCeJKU5Z7SXoRMJH53u1dGt8jj1
AF4AoKWOkg6gcc9Ng4kAmebcIHv+XAIF
=deXw
-----END PGP SIGNATURE-----
-------------- next part --------------
A non-text attachment was scrubbed...
Name: novosirj.vcf
Type: text/x-vcard
Size: 301 bytes
Desc: not available
URL: <https://lists.isc.org/pipermail/bind-users/attachments/20110223/fe242478/attachment.vcf>
More information about the bind-users
mailing list