<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta content="text/html; charset=ISO-8859-1"
http-equiv="Content-Type">
<title></title>
</head>
<body bgcolor="#ffffff" text="#000000">
Offhand, it looks like you might have DNSSEC validation turned on
(thus making responses from the GTLD nameservers bigger than 512
bytes; note that all of the GTLD-server responses in that tcpdump
have truncation flagged), your EDNS0 buffer tuned down to 512 bytes
("edns-udp-size 512", thus eliminating UDP as an option for those
big responses), and then something in your network is sending RSTs
to every attempt at a DNS/TCP connection (thus eliminating TCP as an
option too).<br>
<br>
Something's gotta give. You can't expect reasonable resolution while
all 3 of those conditions prevail.<br>
<br>
Note that your "dig"s don't have +dnssec, +bufsize=xxxxx, or +norec,
so they're really not an apples-to-apples comparison to what named
itself is generating.<br>
<br>
- Kevin<br>
On 1/23/2012 4:06 PM, Steven Vona wrote:
<blockquote
cite="mid:CAPipYF8k+L1cFu4-+MVFdbUoB+K2m2hZnMXR=R1LF1kvWRD=bQ@mail.gmail.com"
type="cite">I am posting here as a last resort and hope someone
can help me.<br>
<br>
I am running RHEL6 and installed bind-chroot package. I have tried
everything, and even posted to a linux forum I belong to for
help. After three pages and a boat load of troubleshooting no
resolution.<br>
<br>
Here is a link to the 3 page forum thread if you're interested in
seeing all that we tried to do. There is debug information and
even tcpdump info in there.<br>
<a moz-do-not-send="true"
href="http://www.linuxquestions.org/questions/linux-server-73/bind-dns-recursion-now-working-924978/">http://www.linuxquestions.org/questions/linux-server-73/bind-dns-recursion-now-working-924978/</a><br>
<br>
If anyone can help it would be greatly appreciated. If you need
any more information please let me know.<br>
<br>
<br>
This DNS server does not answer recursive queries. Here is my
config.<br>
<br>
<pre>
options {
    directory "/var/named";
    allow-query { any; };
    recursion yes;
    edns-udp-size 512;
    listen-on-v6 { none; };
};

logging {
    channel query_log {
        file "ns1-bind.log" versions unlimited size 100m;
        severity info;
        print-time yes;
        print-severity yes;
        print-category yes;
    };
    category xfer-in  { query_log; };
    category xfer-out { query_log; };
    category update   { query_log; };
    category general  { query_log; };
    category queries  { query_log; };
    channel default_debug {
        file "data/named.run";
        severity dynamic;
    };
};

key "dnsadmin" {
    algorithm hmac-md5;
    secret "pjbruihfeuhruehferfw=";
};

controls {
    inet 127.0.0.1 allow { localhost; } keys { dnsadmin; };
};

zone "." IN {
    type hint;
    file "named.ca";
};

include "/etc/named.rfc1912.zones";
</pre>
<br>
<br>
<br>
<br>
When I try to query google.com it just hangs then
returns a servfail:<br>
<pre>
# dig @localhost google.com

; <<>> DiG 9.7.3-P3-RedHat-9.7.3-8.P3.el6_2.2 <<>> @localhost google.com
; (2 servers found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 58542
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;google.com.                    IN      A

;; Query time: 2695 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Mon Jan 23 16:01:27 2012
;; MSG SIZE  rcvd: 28
</pre>
<br>
<br>
If I do a dig with +trace at the end it works:<br>
<pre>
[root@ns1 etc]# dig @localhost google.com +trace

; <<>> DiG 9.7.3-P3-RedHat-9.7.3-8.P3.el6_2.2 <<>> @localhost google.com +trace
; (2 servers found)
;; global options: +cmd
.                       518342  IN      NS      d.root-servers.net.
.                       518342  IN      NS      c.root-servers.net.
.                       518342  IN      NS      b.root-servers.net.
.                       518342  IN      NS      a.root-servers.net.
.                       518342  IN      NS      l.root-servers.net.
.                       518342  IN      NS      f.root-servers.net.
.                       518342  IN      NS      g.root-servers.net.
.                       518342  IN      NS      j.root-servers.net.
.                       518342  IN      NS      e.root-servers.net.
.                       518342  IN      NS      h.root-servers.net.
.                       518342  IN      NS      i.root-servers.net.
.                       518342  IN      NS      m.root-servers.net.
.                       518342  IN      NS      k.root-servers.net.
;; Received 340 bytes from 127.0.0.1#53(127.0.0.1) in 0 ms

com.                    172800  IN      NS      a.gtld-servers.net.
com.                    172800  IN      NS      b.gtld-servers.net.
com.                    172800  IN      NS      c.gtld-servers.net.
com.                    172800  IN      NS      d.gtld-servers.net.
com.                    172800  IN      NS      e.gtld-servers.net.
com.                    172800  IN      NS      f.gtld-servers.net.
com.                    172800  IN      NS      g.gtld-servers.net.
com.                    172800  IN      NS      h.gtld-servers.net.
com.                    172800  IN      NS      i.gtld-servers.net.
com.                    172800  IN      NS      j.gtld-servers.net.
com.                    172800  IN      NS      k.gtld-servers.net.
com.                    172800  IN      NS      l.gtld-servers.net.
com.                    172800  IN      NS      m.gtld-servers.net.
;; Received 488 bytes from 199.7.83.42#53(l.root-servers.net) in 42 ms

google.com.             172800  IN      NS      ns2.google.com.
google.com.             172800  IN      NS      ns1.google.com.
google.com.             172800  IN      NS      ns3.google.com.
google.com.             172800  IN      NS      ns4.google.com.
;; Received 164 bytes from 192.54.112.30#53(h.gtld-servers.net) in 97 ms

google.com.             300     IN      A       74.125.115.99
google.com.             300     IN      A       74.125.115.106
google.com.             300     IN      A       74.125.115.104
google.com.             300     IN      A       74.125.115.103
google.com.             300     IN      A       74.125.115.105
google.com.             300     IN      A       74.125.115.147
;; Received 124 bytes from 216.239.32.10#53(ns1.google.com) in 30 ms

You have new mail in /var/spool/mail/root
</pre>
<br>
<br>
<pre wrap="">
<fieldset class="mimeAttachmentHeader"></fieldset>
_______________________________________________
Please visit <a class="moz-txt-link-freetext" href="https://lists.isc.org/mailman/listinfo/bind-users">https://lists.isc.org/mailman/listinfo/bind-users</a> to unsubscribe from this list
bind-users mailing list
<a class="moz-txt-link-abbreviated" href="mailto:bind-users@lists.isc.org">bind-users@lists.isc.org</a>
<a class="moz-txt-link-freetext" href="https://lists.isc.org/mailman/listinfo/bind-users">https://lists.isc.org/mailman/listinfo/bind-users</a></pre>
</blockquote>
<br>
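Added example, not part of either message above and not BIND code: the three
conditions Kevin lists (DNSSEC responses over 512 bytes, an EDNS buffer of
512, and TCP reset) are all visible on the wire, so this script builds the
query dig sends for <code>+dnssec +bufsize=512 +norec</code> (DO bit set,
EDNS buffer 512, RD clear), parses the reply for the TC bit and the server's
own EDNS buffer, and walks the resolver's fallback: UDP, then TCP on TC, then
SERVFAIL when TCP fails too. The GTLD server and the RST-ing network are
stand-ins (<code>fake_gtld_udp</code>, <code>fake_reset_tcp</code>), the
1200-byte signed answer is a made-up size, and the replies carry no RRs,
only the header and OPT fields the fallback logic needs.<br>

```python
import struct

# RR types and DNS header bits used below (RFC 1035, RFC 6891).
TYPE_OPT = 41
TYPE_DNSKEY = 48
CLASS_IN = 1
FLAG_QR = 0x8000   # response
FLAG_TC = 0x0200   # truncated: client must retry over TCP
FLAG_RD = 0x0100   # recursion desired (dig +norec leaves this clear)
EDNS_DO = 0x8000   # "DNSSEC OK" bit in the OPT TTL field (dig +dnssec)
# Constructed figure: size of the signed answer the fake GTLD server wants to
# send. It only needs to be larger than 512 for the demonstration.
SIGNED_ANSWER_SIZE = 1200

def encode_name(name):
    """Wire-format a dotted name as length-prefixed labels."""
    out = b""
    for label in name.rstrip(".").split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"

def skip_name(msg, off):
    """Return the offset just past the name at msg[off] (handles compression pointers)."""
    while True:
        ln = msg[off]
        if ln == 0:
            return off + 1
        if ln & 0xC0 == 0xC0:
            return off + 2
        off += ln + 1

def build_query(qname, qtype, txid=0x1234, bufsize=512, do=True, rd=False):
    """Build what dig sends for '+bufsize=<bufsize> +dnssec +norec': one question
    plus an OPT pseudo-record advertising the UDP buffer size and the DO bit."""
    header = struct.pack("!HHHHHH", txid, FLAG_RD if rd else 0, 1, 0, 0, 1)
    question = encode_name(qname) + struct.pack("!HH", qtype, CLASS_IN)
    opt = b"\x00" + struct.pack("!HHIH", TYPE_OPT, bufsize, EDNS_DO if do else 0, 0)
    return header + question + opt

def parse_message(msg):
    """Extract the fields that matter here: QR, TC, RCODE, the sender's advertised
    EDNS buffer size and DO bit, and the wire size."""
    txid, flags, qd, an, ns, ar = struct.unpack_from("!HHHHHH", msg, 0)
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4
    info = {"id": txid, "qr": bool(flags & FLAG_QR), "tc": bool(flags & FLAG_TC),
            "rcode": flags & 0xF, "size": len(msg), "edns_bufsize": None, "do": False}
    for _ in range(an + ns + ar):
        off = skip_name(msg, off)
        rtype, rclass, ttl, rdlen = struct.unpack_from("!HHIH", msg, off)
        off += 10 + rdlen
        if rtype == TYPE_OPT:
            info["edns_bufsize"] = rclass      # OPT CLASS field carries the buffer size
            info["do"] = bool(ttl & EDNS_DO)
    return info

def build_response(query, truncated):
    """Constructed sample reply: echo the question, attach the server's own OPT
    record (4096-byte buffer, DO), and set TC with no answer RRs when asked."""
    txid = struct.unpack_from("!H", query, 0)[0]
    question = query[12:skip_name(query, 12) + 4]
    flags = FLAG_QR | (FLAG_TC if truncated else 0)
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 1)
    opt = b"\x00" + struct.pack("!HHIH", TYPE_OPT, 4096, EDNS_DO, 0)
    return header + question + opt

def fake_gtld_udp(query):
    """Hypothetical GTLD server on UDP: truncates whenever the client's advertised
    buffer is smaller than the signed answer it would have to send."""
    bufsize = parse_message(query)["edns_bufsize"] or 512
    return build_response(query, truncated=bufsize < SIGNED_ANSWER_SIZE)

def fake_reset_tcp(query):
    """Hypothetical network that RSTs every DNS/TCP connection."""
    raise ConnectionResetError("port 53/tcp reset by middlebox")

def resolve(udp_send, tcp_send, qname, qtype, bufsize):
    """Resolver fallback: UDP first; on TC retry over TCP; if TCP fails as well
    there is nothing left to try and the client sees SERVFAIL."""
    query = build_query(qname, qtype, bufsize=bufsize)
    info = parse_message(udp_send(query))
    if not info["tc"]:
        return "OK", info
    try:
        return "OK", parse_message(tcp_send(query))
    except ConnectionResetError:
        return "SERVFAIL", info

if __name__ == "__main__":
    for size in (512, 4096):
        status, info = resolve(fake_gtld_udp, fake_reset_tcp, "com.", TYPE_DNSKEY, size)
        print(f"edns-udp-size {size}: {status} (TC={info['tc']}, "
              f"server buffer={info['edns_bufsize']}, DO={info['do']})")
```

Against the real servers the same two checks are a pair of dig runs matching
what named sends: <code>dig @a.gtld-servers.net com DNSKEY +dnssec +bufsize=512 +norec</code>
(look for <code>tc</code> in the flags line) and the same query with
<code>+tcp</code>. If the first shows tc and the second never connects, all
three of Kevin's conditions are confirmed. Raising or removing
<code>edns-udp-size 512</code> (BIND's default is 4096) clears the first one,
but the TCP resets still need fixing, since any answer larger than the UDP
buffer has to go over TCP.<br>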
</body>
</html>