bind-users Digest, Vol 1727, Issue 1

Amit Kumar Gupta jtosys at bol.net.in
Mon Jul 4 11:02:07 UTC 2016


Dear All,

We are a Tier 2 ISP in Delhi. Our subscribers are not able to open dropbox.com using our DNS IPs.
BIND version is 9.8.0.
Packet capture of the DNS query is as below.

snoop -i cc040716 -v -p 320 -x 0
ETHER:  ----- Ether Header -----
ETHER:  
ETHER:  Packet 320 arrived at 14:55:7.45529
ETHER:  Packet size = 718 bytes
ETHER:  Destination = 0:21:28:a4:70:3e, 
ETHER:  Source      = c4:7d:4f:e8:32:0, 
ETHER:  Ethertype = 0800 (IP)
ETHER:  
IP:   ----- IP Header -----
IP:   
IP:   Version = 4
IP:   Header length = 20 bytes
IP:   Type of service = 0x20
IP:         xxx. .... = 1 (precedence)
IP:         ...0 .... = normal delay
IP:         .... 0... = normal throughput
IP:         .... .0.. = normal reliability
IP:         .... ..0. = not ECN capable transport
IP:         .... ...0 = no ECN congestion experienced
IP:   Total length = 704 bytes
IP:   Identification = 55040
IP:   Flags = 0x0
IP:         .0.. .... = may fragment
IP:         ..0. .... = last fragment
IP:   Fragment offset = 0 bytes
IP:   Time to live = 54 seconds/hops
IP:   Protocol = 17 (UDP)
IP:   Header checksum = f418
IP:   Source address = 192.35.51.30, 192.35.51.30
IP:   Destination address = 203.94.248.83, 
IP:   No options
IP:   
UDP:  ----- UDP Header -----
UDP:  
UDP:  Source port = 53
UDP:  Destination port = 53 (DNS)
UDP:  Length = 684 
UDP:  Checksum = 26DC 
UDP:  
DNS:  ----- DNS Header -----
DNS:  
DNS:  Response ID = 48938
DNS:  
DNS:  Response Code: 0 (OK)
DNS:  Reply to 1 question(s)
DNS:      Domain Name: dns1.p05.nsone.net.
DNS:      Class: 1 (Internet)
DNS:      Type:  1 (Address)
DNS:  
DNS:  0 answer(s)
DNS:  8 name server resource(s)
DNS:      Domain Name: nsone.net.
DNS:      Class: 1 (Internet)
DNS:      Type:  2 (Authoritative Name Server)
DNS:      TTL (Time To Live): 172800
DNS:      Authoritative Name Server: dns1.p01.nsone.net.
DNS:  
DNS:      Domain Name: nsone.net.
DNS:      Class: 1 (Internet)
DNS:      Type:  2 (Authoritative Name Server)
DNS:      TTL (Time To Live): 172800
DNS:      Authoritative Name Server: dns2.p01.nsone.net.
DNS:  
DNS:      Domain Name: nsone.net.
DNS:      Class: 1 (Internet)
DNS:      Type:  2 (Authoritative Name Server)
DNS:      TTL (Time To Live): 172800
DNS:      Authoritative Name Server: dns3.p01.nsone.net.
DNS:  
DNS:      Domain Name: nsone.net.
DNS:      Class: 1 (Internet)
DNS:      Type:  2 (Authoritative Name Server)
DNS:      TTL (Time To Live): 172800
DNS:      Authoritative Name Server: dns4.p01.nsone.net.
DNS:  
DNS:      Domain Name: A1RT98BS5QGC9NFI51S9HCI47ULJG6JH.net.
DNS:      Class: 1 (Internet)
DNS:      Type:  50 (Unknown (50))
DNS:      TTL (Time To Live): 86400
DNS:      Unknown (50): 
DNS:  
DNS:      Domain Name: A1RT98BS5QGC9NFI51S9HCI47ULJG6JH.net.
DNS:      Class: 1 (Internet)
DNS:      Type:  46 (Unknown (46))
DNS:      TTL (Time To Live): 86400
DNS:      Unknown (46): 
DNS:  
DNS:      Domain Name: 8CGRCSFM6NC5SV9ITU209NSP03D6GOKR.net.
DNS:      Class: 1 (Internet)
DNS:      Type:  50 (Unknown (50))
DNS:      TTL (Time To Live): 86400
DNS:      Unknown (50): 
DNS:  
DNS:      Domain Name: 8CGRCSFM6NC5SV9ITU209NSP03D6GOKR.net.
DNS:      Class: 1 (Internet)
DNS:      Type:  46 (Unknown (46))
DNS:      TTL (Time To Live): 86400
DNS:      Unknown (46): 
DNS:  
DNS:  5 additional record(s)
DNS:      Domain Name: dns1.p01.nsone.net.
DNS:      Class: 1 (Internet)
DNS:      Type:  1 (Address)
DNS:      TTL (Time To Live): 172800
DNS:      Address: 198.51.44.1
DNS:  
DNS:      Domain Name: dns2.p01.nsone.net.
DNS:      Class: 1 (Internet)
DNS:      Type:  1 (Address)
DNS:      TTL (Time To Live): 172800
DNS:      Address: 198.51.45.1
DNS:  
DNS:      Domain Name: dns3.p01.nsone.net.
DNS:      Class: 1 (Internet)
DNS:      Type:  1 (Address)
DNS:      TTL (Time To Live): 172800
DNS:      Address: 198.51.44.65
DNS:  
DNS:      Domain Name: dns4.p01.nsone.net.
DNS:      Class: 1 (Internet)
DNS:      Type:  1 (Address)
DNS:      TTL (Time To Live): 172800
DNS:      Address: 198.51.45.65
DNS:  
DNS:      Domain Name: 
DNS:      Class: 4096 (Unknown (4096))
DNS:      Type:  41 (Unknown (41))
DNS:      TTL (Time To Live): 32768
DNS:      Unknown (41): 
DNS:  

bash-3.2# dig  dropbox.com 203.94.243.70

; <<>> DiG 9.6-ESV-R4-P2 <<>> dropbox.com 203.94.243.70
;; global options: +cmd
;; connection timed out; no servers could be reached
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 40790
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 4, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;203.94.243.70.                 IN      A

;; AUTHORITY SECTION:
.                       10800   IN      SOA     a.root-servers.net. nstld.verisign-grs.com. 2016070400 1800 900 604800 86400
.                       10800   IN      RRSIG   SOA 8 0 86400 20160714050000 20160704040000 46551 . AMWLSRBkj9ae0hGcThBgcpyZmFaPZxSJzoDlnHtw6hCx5YEEFCsAUa3A 4t0o8wCp8YyN77AYqgmem4mlnlC7CiPG4iyuqEg2atOiLiKCIAk8SMgZ 7lS4XKZI+vnqGvPMGHUUDEb8lf7M1oQfPXJNK2CEVaoLYaW6PCybqK5z fIQ=
.                       10800   IN      RRSIG   NSEC 8 0 86400 20160714050000 20160704040000 46551 . mm2xWpyqZN78e82EHnSvEss3i3363drdTqV+f1ZdmJoSfJXTXRl51J3e /NRF7hW3xEBZv7Le9E1A72nIZuOKdxlZ5kzPjN7EqUCf8hLEe1LdBJ8N 5arnqZIlfefxt0V5dMPbJp3Na8H1kcH/79CiLDCIroWIh3TLR8lWszni Xwc=
.                       10800   IN      NSEC    aaa. NS SOA RRSIG NSEC DNSKEY

;; Query time: 1798 msec
;; SERVER: 203.94.243.70#53(203.94.243.70)
;; WHEN: Mon Jul  4 16:35:30 2016
;; MSG SIZE  rcvd: 458

Regards
Manager(Internet-Systems)
MTNL Delhi
 
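In the snoop decode above, the record shown as "Type 41, Class 4096, TTL 32768" is the EDNS OPT pseudo-RR: its CLASS field carries the sender's UDP payload size (4096) and its TTL field the extended rcode, version and flags, where 0x8000 is the DO (DNSSEC OK) bit; types 46 and 50 are RRSIG and NSEC3, which this snoop version does not name. The following Python, added here and not part of the post, parses a constructed referral shaped like the captured one (same question name, compression pointers and OPT record) and decodes those fields.

```python
import struct
TYPE_NAMES = {1: "A", 2: "NS", 41: "OPT", 46: "RRSIG", 50: "NSEC3"}

def read_name(msg, off):
    """Decode a possibly-compressed name (RFC 1035 4.1.4); return (name, next offset)."""
    labels, end = [], None
    while msg[off] != 0:
        if msg[off] & 0xC0 == 0xC0:                   # pointer: follow it, keep return point
            end = off + 2 if end is None else end
            off = struct.unpack(">H", msg[off:off + 2])[0] & 0x3FFF
        else:
            labels.append(msg[off + 1:off + 1 + msg[off]].decode("ascii"))
            off += 1 + msg[off]
    return ".".join(labels) + ".", (off + 1 if end is None else end)

def parse_response(msg):
    """Split a DNS message into sections; the OPT pseudo-RR (type 41) becomes res['edns']."""
    ident, flags, qd, an, ns, ar = struct.unpack(">HHHHHH", msg[:12])
    res = {"id": ident, "rcode": flags & 0xF, "questions": [], "edns": None,
           "answer": [], "authority": [], "additional": []}
    off = 12
    for _ in range(qd):
        name, off = read_name(msg, off)
        qtype = struct.unpack(">H", msg[off:off + 2])[0]
        res["questions"].append((name, TYPE_NAMES.get(qtype, str(qtype))))
        off += 4
    for section, count in (("answer", an), ("authority", ns), ("additional", ar)):
        for _ in range(count):
            name, off = read_name(msg, off)
            rtype, rclass, ttl, rdlen = struct.unpack(">HHIH", msg[off:off + 10])
            rdata, off = msg[off + 10:off + 10 + rdlen], off + 10 + rdlen
            if rtype == 41:   # OPT: CLASS = sender's UDP payload size, TTL = ext-rcode|version|flags
                res["edns"] = {"udp_size": rclass, "version": (ttl >> 16) & 0xFF,
                               "do": bool(ttl & 0x8000)}  # 0x8000 is the DNSSEC OK bit
            elif rtype == 2:  # NS target is usually a compressed name, decode it in place
                res[section].append((name, "NS", ttl, read_name(msg, off - rdlen)[0]))
            else:             # A as dotted quad; RRSIG/NSEC3 rdata left as raw hex
                value = ".".join(map(str, rdata)) if rtype == 1 else rdata.hex()
                res[section].append((name, TYPE_NAMES.get(rtype, str(rtype)), ttl, value))
    return res

def build_sample():
    """Constructed referral shaped like the capture: question, one NS, its glue, OPT with DO set."""
    msg = struct.pack(">HHHHHH", 48938, 0x8000, 1, 0, 1, 2)   # QR set, rcode 0, counts 1/0/1/2
    msg += b"\x04dns1\x03p05\x05nsone\x03net\x00" + struct.pack(">HH", 1, 1)
    # 0xC015 points at offset 21, the "nsone.net" suffix inside the question name
    msg += b"\xc0\x15" + struct.pack(">HHIH", 2, 1, 172800, 11) + b"\x04dns1\x03p01\xc0\x15"
    msg += b"\xc0\x30" + struct.pack(">HHIH", 1, 1, 172800, 4) + bytes([198, 51, 44, 1])
    msg += b"\x00" + struct.pack(">HHIH", 41, 4096, 0x00008000, 0)   # root name, class 4096, DO
    return msg
```

Note also that dig takes the server as @203.94.243.70; without the @ it treats 203.94.243.70 as a second name to look up, which is what the NXDOMAIN section above shows.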


Today's Topics:

   1. RE: Disable DNSSEC (Eric Davis)
   2. Re: Disable DNSSEC (Bill Owens)
   3. Re: Disable DNSSEC (Thomas Schulz)
   4. When Updates Fail (Martin McCormick)
   5. Re: When Updates Fail (Chris Buxton)


----------------------------------------------------------------------

Message: 1
Date: Tue, 7 Jan 2014 16:34:27 +0000
From: Eric Davis <eric at mail.rockefeller.edu>
To: "'owens at nysernet.org'" <owens at nysernet.org>
Cc: "'bind-users at lists.isc.org'" <bind-users at lists.isc.org>
Subject: RE: Disable DNSSEC
Message-ID:
	<54CBB3D067EE024D823BDA66EADEBE4E0F57D28C at RUMBX1.rockefeller.edu>
Content-Type: text/plain; charset="us-ascii"

Duh... silly mistake... I did a DIG on the NS record. Once the DS record is removed DNS queries should work fine, right? Thanks Bill.

-----Original Message-----
From: Bill Owens [mailto:owens at nysernet.org] 
Sent: Tuesday, January 07, 2014 11:28 AM
To: Eric Davis
Cc: bind-users at lists.isc.org
Subject: Re: Disable DNSSEC

On Tue, Jan 07, 2014 at 04:24:31PM +0000, Eric Davis wrote:
> So I guess my DS record has the same TTL as my default TTL for my records?  My default is 8 hours, so if I wait 8 hours after I remove the DS from my parent zone then I should be ok?  My parent zone is a TLD(.edu).

The DS record is in the parent zone (.edu) and it has a one-day TTL:

;; AUTHORITY SECTION:
rockefeller.edu.    172800  IN  NS  r2d2.rockefeller.edu.
rockefeller.edu.    172800  IN  NS  rockyd.rockefeller.edu.
rockefeller.edu.    86400   IN  DS  40486 5 1 954F779D591F011288CAD43D64D96EA543E0D3E5
rockefeller.edu.    86400   IN  RRSIG   DS 8 2 86400 20140113054536 20140106043536 20750 edu. 0XmRgd7FPG56t7etP2dK0W9gvVVm5oJlaCXufHlWnLsPWwNcAGIEQBCp RxBicOFdPgmxvm1VV+IXq7W2qEKiFOchCgfqm9ugqQ7/DOR0DJW1edgI ZqUVLfMgp/VT1+6EXU+wGiR7D2rZs1xvyu82cMQCkBseiKVAJv2F35LK MSE=

Bill.


------------------------------

Message: 2
Date: Tue, 7 Jan 2014 11:45:48 -0500
From: Bill Owens <owens at nysernet.org>
To: Eric Davis <eric at mail.rockefeller.edu>
Cc: "'bind-users at lists.isc.org'" <bind-users at lists.isc.org>
Subject: Re: Disable DNSSEC
Message-ID: <20140107164548.GC10357 at nysernet.org>
Content-Type: text/plain; charset=us-ascii

On Tue, Jan 07, 2014 at 04:34:27PM +0000, Eric Davis wrote:
> Duh... silly mistake... I did a DIG on the NS record. Once the DS record is removed DNS queries should work fine, right? Thanks Bill.

Once the DS record is removed from the .edu zone, queriers won't expect your zone to be signed any more. At that point, you can leave it signed or remove the signatures, and it won't make any difference. You just need to wait at least 24 hours from the time the record disappears from the .edu zone.

Bill.


------------------------------

Message: 3
Date: Tue, 7 Jan 2014 13:07:20 -0500 (EST)
From: schulz at adi.com (Thomas Schulz)
To: eric at mail.rockefeller.edu, owens at nysernet.org
Cc: bind-users at lists.isc.org
Subject: Re: Disable DNSSEC
Message-ID: <201401071807.s07I7KUv024657 at dolphin.adi.com>

> 
> Once the DS record is removed from the .edu zone, queriers won't
> expect your zone to be signed any more. At that point, you can leave
> it signed or remove the signatures, and it won't make any difference.
> You just need to wait at least 24 hours from the time the record
> disappears from the .edu zone.
> 
I suggest you wait a little bit longer than that. There are multiple
name servers for edu and you want to make sure that all of them have
removed the DS record.

Tom Schulz
Applied Dynamics Intl.
schulz at adi.com
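Bill's and Tom's advice together: the old DS can sit in resolver caches for its full parent-zone TTL (86400 here) after the last parent server stops serving it, so the signatures and DNSKEY may only go once every parent server is clear and that TTL has elapsed. The following Python, added here and not from either poster, parses the AUTHORITY section as dig prints it and tracks that condition across repeated polls of the parent servers; the server names and poll times are constructed.

```python
import re

# Matches one DS line as dig prints it: "<owner> <ttl> IN DS <keytag> <alg> <digesttype> <digest>"
DS_RR = re.compile(r"^\S+\s+(\d+)\s+IN\s+DS\s+\d+\s+\d+\s+\d+\s+\S+", re.M)

def ds_ttls(authority_text):
    """TTLs of every DS record in one parent server's AUTHORITY section (empty if none)."""
    return [int(ttl) for ttl in DS_RR.findall(authority_text)]

class DsRemovalTracker:
    """Tracks DS removal across all parent-zone servers: signatures may go only after
    every server has dropped the DS and the largest DS TTL ever observed has elapsed."""
    def __init__(self):
        self.max_ttl = 0          # longest time a resolver may still cache the old DS
        self.cleared_at = None    # first poll (epoch seconds) at which no server served the DS

    def poll(self, when, answers):
        """answers: {parent_server: AUTHORITY text of 'dig +norecurse @server <zone> NS'}."""
        for text in answers.values():
            self.max_ttl = max([self.max_ttl] + ds_ttls(text))
        still_serving = sorted(s for s, text in answers.items() if ds_ttls(text))
        if still_serving:
            self.cleared_at = None        # a straggler resets the clock
            return {"state": "ds-still-served", "servers": still_serving}
        if self.cleared_at is None:
            self.cleared_at = when
        return {"state": "clear", "unsign_not_before": self.cleared_at + self.max_ttl}

# Constructed dig output: one server still serves the DS from the thread, another has dropped it.
BEFORE = """rockefeller.edu.    172800  IN  NS  r2d2.rockefeller.edu.
rockefeller.edu.    86400   IN  DS  40486 5 1 954F779D591F011288CAD43D64D96EA543E0D3E5"""
AFTER = """rockefeller.edu.    172800  IN  NS  r2d2.rockefeller.edu.
rockefeller.edu.    172800  IN  NS  rockyd.rockefeller.edu."""
```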


------------------------------

Message: 4
Date: Tue, 07 Jan 2014 16:05:10 -0600
From: Martin McCormick <martin at dc.cis.okstate.edu>
Cc: bind-users at lists.isc.org
Subject: When Updates Fail
Message-ID: <201401072205.s07M5AkN059050 at x.it.okstate.edu>
Content-Type: text/plain; charset="us-ascii"

	Is there any way to tell what is actually being sent to
bind when attempting a dynamic update?

	I have a perl script which is obviously broken because
every forward update it tries to send fails.

07-Jan-2014 15:38:09.458 client 192.168.1.5#17352: request has invalid signature: TSIG ns: tsig verify failure (BADKEY)

	The key is actually one we use all the time for
nsupdates and they are still working fine. For all I know, I am
sending a null string due to a typo I haven't noticed yet but
the zone name and key look okay when single-stepping through the
script. Heaven only knows what is actually being received by
bind. Is there any way to narrow down what part of the request is
broken/missing?

Thank you.

Martin McCormick


------------------------------

Message: 5
Date: Tue, 7 Jan 2014 15:27:13 -0800
From: Chris Buxton <clists at buxtonfamily.us>
To: Martin McCormick <martin at dc.cis.okstate.edu>
Cc: BIND Users <bind-users at lists.isc.org>
Subject: Re: When Updates Fail
Message-ID: <31BDB4EB-F879-495A-B4E3-C52A8C96D9AD at buxtonfamily.us>
Content-Type: text/plain; charset=windows-1252

On Jan 7, 2014, at 2:05 PM, Martin McCormick <martin at dc.cis.okstate.edu> wrote:

> 	Is there any way to tell what is actually being sent to
> bind when attempting a dynamic update?
> 
> 	I have a perl script which is obviously broken because
> every forward update it tries to send fails.
> 
> 07-Jan-2014 15:38:09.458 client 192.168.1.5#17352: request has invalid signature: TSIG ns: tsig verify failure (BADKEY)

Are you using Net::DNS to send your updates? If so, what version? There is a bug in 0.73 with regard to TSIG. One solution, for the time being, is to downgrade to 0.72. Or there's a release candidate for 0.74 that apparently fixes it, but I haven't tested it.

Regards,
Chris Buxton

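The BADKEY in Martin's log line is, per RFC 2845, the TSIG error a server returns when the key name or algorithm in the request is one it does not know, as opposed to BADSIG (the key is known but the MAC does not match) and BADTIME (signed outside the fudge window), so a key name or algorithm string mangled by the client library gives exactly this symptom. The following Python, added here and not from the thread (and not how Net::DNS or BIND implement it), signs a constructed update and verifies it server-side, returning which of those errors each kind of mistake produces; the key name "ns.", the secret and the hmac-sha256 algorithm are assumptions.

```python
import hashlib, hmac, struct

# Assumptions (constructed, not the poster's setup): one server-side key named "ns." with an
# HMAC-SHA256 secret; the algorithm name is the one RFC 4635 registers.
TSIG_ALG = "hmac-sha256."
KEYS = {"ns.": b"constructed-placeholder-secret"}
ERRORS = {16: "BADSIG", 17: "BADKEY", 18: "BADTIME"}   # RFC 2845 TSIG error codes

def wire_name(name):
    """Uncompressed, lower-cased wire form of a dotted name (TSIG names are never compressed)."""
    labels = name.rstrip(".").lower().split(".")
    return b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"

def tsig_mac(secret, message, key_name, time_signed, fudge, error=0, other=b""):
    """MAC over the message (TSIG RR already removed, ARCOUNT decremented) + TSIG variables (RFC 2845 3.4)."""
    variables = (wire_name(key_name) + struct.pack(">HI", 255, 0)      # CLASS ANY, TTL 0
                 + wire_name(TSIG_ALG) + time_signed.to_bytes(6, "big")
                 + struct.pack(">HHH", fudge, error, len(other)) + other)
    return hmac.new(secret, message + variables, hashlib.sha256).digest()

def sign(message, key_name, secret, now, fudge=300):
    """Client side: the TSIG fields a signed update carries."""
    return {"key": key_name, "alg": TSIG_ALG, "time": now, "fudge": fudge,
            "mac": tsig_mac(secret, message, key_name, now, fudge)}

def verify(message, tsig, now):
    """Server side, checking in the order RFC 2845 section 4.5 gives: key, then MAC, then time."""
    secret = KEYS.get(tsig["key"].lower())
    if secret is None or tsig["alg"].lower() != TSIG_ALG:
        return ERRORS[17]     # BADKEY: key name or algorithm unknown to the server
    expected = tsig_mac(secret, message, tsig["key"], tsig["time"], tsig["fudge"])
    if not hmac.compare_digest(expected, tsig["mac"]):
        return ERRORS[16]     # BADSIG: key known, but the MAC does not match
    if abs(now - tsig["time"]) > tsig["fudge"]:
        return ERRORS[18]     # BADTIME: signed outside the fudge window
    return "NOERROR"

# Constructed stand-in for the UPDATE message bytes (header followed by zone/update sections).
SAMPLE_UPDATE = b"\x12\x34\x28\x00\x00\x01\x00\x00\x00\x01\x00\x00" + b"<constructed update body>"
```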
------------------------------
