single query fails until named is killed and restarted

Mark.Andrews at nominum.com Mark.Andrews at nominum.com
Fri Nov 3 03:06:15 UTC 2000


	The ca.gov delegation is broken.  Both the names and the IP address
	must agree.

	Mark

; <<>> DiG 8.3 <<>> ns ca.gov @a.root-servers.net 
; (1 server found)
;; res options: init recurs defnam dnsrch
;; got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 6
;; flags: qr rd; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 3
;; QUERY SECTION:
;;	ca.gov, type = NS, class = IN

;; ANSWER SECTION:
ca.gov.			1D IN NS	NIC.TDCNET.ca.gov.
ca.gov.			1D IN NS	NS2.TDCNET.ca.gov.
ca.gov.			1D IN NS	NS3.NET.ca.gov.

;; ADDITIONAL SECTION:
NIC.TDCNET.ca.gov.	1D IN A		134.186.254.252
NS2.TDCNET.ca.gov.	1D IN A		134.186.4.253
NS3.NET.ca.gov.		1D IN A		205.225.130.209

;; Total query time: 485 msec
;; FROM: drugs.dv.isc.org to SERVER: a.root-servers.net  198.41.0.4
;; WHEN: Fri Nov  3 14:03:57 2000
;; MSG SIZE  sent: 24  rcvd: 137


; <<>> DiG 8.3 <<>> ns ca.gov @NIC.TDCNET.ca.gov 
; (1 server found)
;; res options: init recurs defnam dnsrch
;; got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 6
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 3
;; QUERY SECTION:
;;	ca.gov, type = NS, class = IN

;; ANSWER SECTION:
ca.gov.			1D IN NS	ns1.net.ca.gov.
ca.gov.			1D IN NS	ns2.net.ca.gov.
ca.gov.			1D IN NS	ns3.net.ca.gov.

;; ADDITIONAL SECTION:
ns1.net.ca.gov.		1D IN A		134.186.254.252
ns2.net.ca.gov.		1D IN A		134.186.4.253
ns3.net.ca.gov.		1D IN A		205.225.130.209

;; Total query time: 325 msec
;; FROM: drugs.dv.isc.org to SERVER: NIC.TDCNET.ca.gov  134.186.254.252
;; WHEN: Fri Nov  3 14:04:14 2000
;; MSG SIZE  sent: 24  rcvd: 130


> Hello,
> 
> We have a few times had a problem resolving particular hostnames (hasn't
> been the same domain each time) from our only DNS server.  The latest
> problem a user reported was with the domain "jbsis.courts.ca.gov." Our
> DNS server (bob) is on a secured subnet (DMZ) behind the same firewall
> as us (but we are behind a different subnet).
> 
> This DNS server does recursive lookups for our internal servers and is
> NAT'd.  The server is running Solaris 2.6 pretty current on patches and
> the DNS version is 8.2.2P5, the latest stable/non-beta release
> before BIND9.
> 
> All kinds of other queries (to ibm.com, nbc.com, etc.) worked fine and
> nothing had been changed for months on either the DNS server or the
> Firewall. Additionally we have servers offsite w/ other ISPs' DNS
> servers and our own private ISP accounts and DNS lookups (at the same
> time as on the failing "bob") for jbsis.courts.ca.gov from those points
> worked fine. The name server for the problem site is ns1.pbi.net and
> doing "dig @ns1.pbi.net jbsis.courts.ca.gov" from the problem server
> (bob) also worked.
> 
> What "cleared" the problem was simply killing the named daemon (ndc
> restart didn't do the trick) and then starting it up.
> 
> The dns logs did not show any error (or anything) for this domain or
> its IP (logging levels included below in our named.conf file).  It
> didn't show anything because, as you can see from our logging, we
> don't log each query.
> 
> So I am wondering: what happened?  What was the problem?  I can't figure
> it out as a dig in debug mode returned simple timeouts.   What else
> could I have tried to troubleshoot this?
> 
> Additionally, what can I check or run if/when this happens again so that
> I can gather more information and get to the bottom of what causes this
> occasional error.
> 
> If I have left out any info, please let me know.  And thanks for any
> tips or advice.  By the way, I searched deja, AskMrDNS, and the BIND
> archives and found similar problem postings.  Posts I saw and
> investigated which did not apply to us were:  blocked by the firewall,
> overloaded remote server, and mismatched Nameserver.  I did not find
> anything that might explain my own problem, however if you feel there is
> a post or explanation out there that applies, please let me know
> what subject or keywords to search on.
> 
> thanks,
> 
> Adam
> 
> bob% dig jbsis.courts.ca.gov +debug=2
> 
> ; <<>> DiG 8.2 <<>> jbsis.courts.ca.gov +debug=2
> ;; res_nmkquery(QUERY, jbsis.courts.ca.gov, IN, A)
> ;; res options: init debug recurs defnam dnsrch
> ;; res_send()
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 56428
> ;; flags: rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
> ;; QUERY SECTION:
> ;;      jbsis.courts.ca.gov, type = A, class = IN
> 
> ;; Querying server (# 1) address = 192.168.1.2
> ;; timeout
> ;; Querying server (# 1) address = 192.168.1.2
> 
> bob% dig @ns1.pbi.net jbsis.courts.ca.gov
> 
> ; <<>> DiG 8.2 <<>> @ns1.pbi.net jbsis.courts.ca.gov
> ; (1 server found)
> ;; res options: init recurs defnam dnsrch
> ;; got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 6
> ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 2
> ;; QUERY SECTION:
> ;;      jbsis.courts.ca.gov, type = A, class = IN
> 
> ;; ANSWER SECTION:
> jbsis.courts.ca.gov.    2H IN A         209.157.104.251
> 
> ;; AUTHORITY SECTION:
> courts.ca.gov.          2H IN NS        ns1.pbi.net.
> courts.ca.gov.          2H IN NS        ns2.pbi.net.
> 
> ;; ADDITIONAL SECTION:
> ns1.pbi.net.            2D IN A         206.13.28.11
> ns2.pbi.net.            2D IN A         206.13.29.11
> 
> ;; Total query time: 107 msec
> ;; FROM: bob to SERVER: ns1.pbi.net  206.13.28.11
> ;; WHEN: Thu Nov  2 09:50:00 2000
> ;; MSG SIZE  sent: 37  rcvd: 141
> 
> bob% more named.conf
> /*
>  * BIND Configuration File
>  */
> 
> options {
>           directory             "/dns";
>           statistics-file       "named.stats";
>           dump-file             "named_dump.db";
>           notify                yes;
>           recursion             yes;
>           statistics-interval   60;
> };
> 
> logging {
>           channel bob_syslog {
>             syslog   local4;
>             severity info;
>           };
>           channel bob_dnslog {
>             file "/logs/dnslog" versions 5 size 5M;
>             // Set the severity to dynamic to see all the debug messages.
>             severity dynamic;
>             print-category yes;
>             print-severity yes;
>             print-time     yes;
>           };
>           category default      { bob_syslog; };
>           category panic        { bob_syslog; bob_dnslog; };
>           category packet       { bob_dnslog; };
>           category eventlib     { bob_dnslog; };
>           category statistics   { bob_syslog; bob_dnslog; };
>           category queries      { null; };
>           category lame-servers { null; };
>           category cname        { null; };
> };
> 
> zone "." in {
>           type hint;
>           file "db.cache";
> };
> 
> zone "0.0.127.in-addr.arpa" in {
>           type master;
>           file "db.127.0.0";
> };
> 
> zone "our.zone.file" in {
>           type master;
>           file "db.ourzone";
> };
> 
> zone "our2.zone2.file2" in {
>           type master;
>           file "db.ourzone2";
> };
> [rest of our domains and reverse lookups deleted]
> 
> 
> 
> 
> 
--
Mark Andrews, Nominum Inc.
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: Mark.Andrews at nominum.com
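
Added example (not part of the original message): a Python check for the mismatch described in the reply, comparing the NS names and glue addresses the parent hands out with those the zone's own server returns. The record text is excerpted from the two dig answers above; the function names parse and compare are illustrative.

```python
import re

# Records excerpted from the two dig answers above (parent referral, child answer).
PARENT = """
ca.gov.             1D IN NS  NIC.TDCNET.ca.gov.
ca.gov.             1D IN NS  NS2.TDCNET.ca.gov.
ca.gov.             1D IN NS  NS3.NET.ca.gov.
NIC.TDCNET.ca.gov.  1D IN A   134.186.254.252
NS2.TDCNET.ca.gov.  1D IN A   134.186.4.253
NS3.NET.ca.gov.     1D IN A   205.225.130.209
"""
CHILD = """
ca.gov.             1D IN NS  ns1.net.ca.gov.
ca.gov.             1D IN NS  ns2.net.ca.gov.
ca.gov.             1D IN NS  ns3.net.ca.gov.
ns1.net.ca.gov.     1D IN A   134.186.254.252
ns2.net.ca.gov.     1D IN A   134.186.4.253
ns3.net.ca.gov.     1D IN A   205.225.130.209
"""

# owner, TTL, class IN, type (NS or A), rdata: the layout dig 8.x prints
RR = re.compile(r"^(\S+)\s+\S+\s+IN\s+(NS|A)\s+(\S+)$", re.IGNORECASE)

def parse(text, zone):
    """Return {nameserver name: set of A addresses} for the zone's NS set."""
    zone, names, addrs = zone.lower().rstrip("."), set(), {}
    for line in text.splitlines():
        # DNS names compare case-insensitively, so lower-case before matching
        m = RR.match(line.strip().lower())
        if not m:
            continue  # comment lines and blanks do not match the record layout
        owner, rtype, rdata = (g.rstrip(".") for g in m.groups())
        if rtype == "ns" and owner == zone:
            names.add(rdata)
        elif rtype == "a":
            addrs.setdefault(owner, set()).add(rdata)
    return {n: addrs.get(n, set()) for n in names}

def compare(parent, child):
    """List what differs between the delegation and the zone's own NS set."""
    p_ip, c_ip = set().union(*parent.values()), set().union(*child.values())
    return {
        "parent_only_names": sorted(set(parent) - set(child)),
        "child_only_names": sorted(set(child) - set(parent)),
        "addrs_differ": sorted(p_ip ^ c_ip),
        "consistent": parent == child,
    }
```

On the records above, compare(parse(PARENT, "ca.gov"), parse(CHILD, "ca.gov")) reports two names unique to each side and no differing addresses: the same three servers published under different names.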


