FW: "no data known" vrs "host not found"

admjcd admjcd at VOLPE.DOT.GOV
Tue Mar 26 17:44:58 UTC 2002


The DNS servers are BIND 9 I think. Can I tell from nslookup from a Windows command prompt?

Yes, it's sendmail and this is from a message header: (8.8.8/1.1.22.3/21May99-0417PM). That says the version, right?

There are two DNS servers, with one set up as a backup. I am actually the mail person and run our Exchange servers, but our DNS people handle the sendmail server. They do not like that I am pressing this issue, but the customers call me when the mail fails.

Also I did some research on "negative caching" and found this:

http://www.faqs.org/rfcs/rfc2308.html

   "Negative responses without SOA records SHOULD NOT be cached as there
   is no way to prevent the negative responses looping forever between a
   pair of servers even with a short TTL.

   Despite the DNS forming a tree of servers, with various
   misconfigurations it is possible to form a loop in the query graph, e.g.
   two servers listing each other as forwarders, various lame server
   configurations.  Without a TTL count down a cached negative response
   when received by the next server would have its TTL reset.  This
   negative indication could then live forever circulating between the
   servers involved."

-----Original Message-----
From: James Griffin [mailto:agriffin at cpcug.org] 
Sent: Monday, March 25, 2002 8:28 PM
To: admjcd
Cc: Barry Margolin; comp-protocols-dns-bind at isc.org
Subject: Re: "no data known" vrs "host not found"


Barry Margolin wrote:
> 
> In article <a7o8n2$mdh at pub3.rc.vix.com>, admjcd
> <admjcd at VOLPE.DOT.GOV> wrote:
> >So you're saying the mail server does some weird query to the dns
> >server and the query fails.
> 
> The query isn't particularly weird, but the army.mil servers seem to
> respond incorrectly to it.
> 
[snip of Barry's discussion up to this point]

Barry, your analysis suggests that it would be interesting to know what MTA is being used by admjcd.  It has been a while since I administered sendmail, but it has several DNS lookup tuning options that may have some bearing on this puzzle.  admjcd, can you tell us?  Is it sendmail and, if so, what version?

Also, I thought it might be interesting to take a quick 'doc' look at dot.gov. on the chance that what we are seeing might be related to the servers listed in the client's /etc/resolv (or the Microsoft (CAM, UUoA) equivalent).  It looks like there is some work to be done to clean up dot.gov.

Doc-2.2.3: doc -v -p dot.gov.
Doc-2.2.3: Starting test of dot.gov.   parent is gov.
Doc-2.2.3: Test date - Mon Mar 25 20:06:19 EST 2002
Note: Skipping parent domain testing
Found 5 NS and 3 glue records for dot.gov. @a.root-servers.net. (non-AUTH)
Using NSlist from parent domain server a.root-servers.net.
NS list summary for dot.gov. from parent (gov.) servers
  == auth120.ns.uu.net. dns1.dot.gov. dns2.dot.gov.
  == nsdc.ba-dsg.net. rns.dot.gov.
soa @auth120.ns.uu.net. for dot.gov. serial: 2000282596
soa @dns1.dot.gov. for dot.gov. serial: 2000282596
soa @dns2.dot.gov. for dot.gov. serial: 2000282596
soa @nsdc.ba-dsg.net. for dot.gov. serial: 2000282572
soa @rns.dot.gov. for dot.gov. serial: 2000282598
WARN: Found 3 unique SOA serial #'s for dot.gov.
Authoritative domain (dot.gov.) servers agree on NS for dot.gov.
ERROR: NS list from dot.gov. authoritative servers does not
  === match NS list from parent (gov.) servers
NS list summary for dot.gov. from authoritative servers
  == dns1.dot.gov. dns2.dot.gov. rns.dot.gov.
ERROR: auth120.ns.uu.net. claims to be authoritative, but does not appear in NS list from authoritative servers
ERROR: nsdc.ba-dsg.net. claims to be authoritative, but does not appear in NS list from authoritative servers
Checking 2 potential addresses for hosts at dot.gov.
  == 199.79.179.200 199.79.180.25
in-addr PTR record found for 199.79.179.200
in-addr PTR record found for 199.79.180.25
Summary:
   ERRORS found for dot.gov. (count: 3)
   WARNINGS issued for dot.gov. (count: 1)
Done testing dot.gov.  Mon Mar 25 20:06:41 EST 2002

Here is 'doc' for hua.army.mil which at the time of the test looks OK.

Doc-2.2.3: doc -v hua.army.mil.
Doc-2.2.3: Starting test of hua.army.mil.   parent is army.mil.
Doc-2.2.3: Test date - Mon Mar 25 20:18:21 EST 2002
soa @ns01.army.mil. for army.mil. has serial: 10000
soa @ns02.army.mil. for army.mil. has serial: 10000
soa @ns03.army.mil. for army.mil. has serial: 10000
SOA serial #'s agree for army.mil. domain
Found 3 NS and 3 glue records for hua.army.mil. @ns01.army.mil. (AUTH)
Found 3 NS and 3 glue records for hua.army.mil. @ns02.army.mil. (AUTH)
Found 3 NS and 3 glue records for hua.army.mil. @ns03.army.mil. (AUTH)
DNServers for army.mil.
   === 3 were also authoritatve for hua.army.mil.
   === 0 were non-authoritative for hua.army.mil.
Servers for army.mil. that are also authoritative for hua.army.mil.
   === agree on NS records for hua.army.mil.
NS list summary for hua.army.mil. from parent (army.mil.) servers
  == ns01.army.mil. ns02.army.mil. ns03.army.mil.
soa @ns01.army.mil. for hua.army.mil. serial: 10000
soa @ns02.army.mil. for hua.army.mil. serial: 10000
soa @ns03.army.mil. for hua.army.mil. serial: 10000
SOA serial #'s agree for hua.army.mil.
Authoritative domain (hua.army.mil.) servers agree on NS for hua.army.mil.
NS list from hua.army.mil. authoritative servers matches list from
  === parent (army.mil.) servers also authoritative for hua.army.mil.
Checking 0 potential addresses for hosts at hua.army.mil.
  ==
Summary:
   No errors or warnings issued for hua.army.mil.
Done testing hua.army.mil.  Mon Mar 25 20:18:48 EST 2002

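The "host not found" versus "no data known" distinction this thread is about, and the RFC 2308 rule quoted in the reply (a negative answer without an SOA in the authority section should not be cached), as an added example that is not code from any participant: a small stdlib-only classifier over constructed wire-format DNS replies, with hypothetical names (nosuch.example., host.example.) and dummy SOA rdata.

```python
import struct
# Constructed example, not from this thread: classify a DNS reply as NXDOMAIN
# ("host not found"), NODATA ("no data known") or positive, and apply the RFC 2308
# rule that a negative reply needs an SOA in its authority section to be cacheable.
TYPE_SOA, RCODE_NXDOMAIN = 6, 3

def _encode_name(name):
    """Uncompressed wire encoding of a domain name."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"

def _skip_name(msg, off):
    """Offset just past a name, whether written out or a compression pointer."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length >= 0xC0:      # pointer: two bytes, and it ends the name
            return off + 2
        off += 1 + length

def classify_reply(msg):
    """Return (verdict, cacheable) for a wire-format DNS reply."""
    _id, flags, qd, an, ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    rcode, off = flags & 0x0F, 12
    for _ in range(qd):          # question: name, then type and class
        off = _skip_name(msg, off) + 4
    soa_in_authority = False
    for section in ("answer",) * an + ("authority",) * ns:
        off = _skip_name(msg, off)
        rtype, rdlen = struct.unpack("!H6xH", msg[off:off + 10])  # skip class+ttl
        off += 10 + rdlen
        if section == "authority" and rtype == TYPE_SOA:
            soa_in_authority = True
    if rcode == RCODE_NXDOMAIN:
        return "host not found", soa_in_authority
    if rcode == 0 and an == 0:
        return "no data known", soa_in_authority
    return "answer", True

def build_reply(rcode, qname, qtype, answers=0, authority_soa=False):
    """Build a minimal reply; the SOA rdata is a dummy placeholder (example only)."""
    msg = struct.pack("!HHHHHH", 0x1234, 0x8180 | rcode, 1, answers, int(authority_soa), 0)
    msg += _encode_name(qname) + struct.pack("!HH", qtype, 1)
    for _ in range(answers):     # A record; owner name is a pointer to the question name
        msg += b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + b"\x0a\x00\x00\x01"
    if authority_soa:
        msg += b"\xc0\x0c" + struct.pack("!HHIH", TYPE_SOA, 1, 3600, 4) + b"\x00" * 4
    return msg
```

Sendmail's "host not found" corresponds to the NXDOMAIN case and "no data known" to NOERROR with an empty answer section; a reply in either state that lacks an SOA in the authority section is the uncacheable one the RFC text warns about.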