trouble with hp.com mx record

Anders Dyekjaer Hansen anders at dyekjaer.dk
Tue Sep 30 08:07:38 UTC 2003


Hi list,

I just want to share my solution to my hp.com MX problem.

As Mark Andrews said, my firewall (Cisco PIX) was blocking EDNS responses
from hp.com's nameservers due to a bug in Cisco's software.

>On Thu, 5 Dec 2002 Mark.Andrews at isc.org wrote:
>
>       It's an issue with any server that supports EDNS (BIND 8 and
>       BIND 9 both support EDNS).   CISCO have been aware of this
>       for a long time.  I've heard a rumour that CISCO have
>       actually fixed this.  I suggest that you contact the CISCO
>       TAC.   At least you will then be informed when they have a
>       fix, if not be told what the fix is.

Currently the software on our pix is 6.31 and this bug should have been
fixed in 6.0 and above. I guess they re-introduced the bug at a later
state...

Anyway the solution (work-around) was to upgrade bind from 8.3.4 to > 8.4.1
and add the following to named.conf:
edns-udp-size 512;

Thanks for your help!

Kind Regards,
Anders

------------------------------- previous post-------------------

> Hi list,
>
> I have two BIND 8.3.4 nameservers running on FreeBSD 4.8 -RELEASE.
>
> Both of these name servers have trouble resolving hp.com mx record.
>
> When I do a "#dig hp.com mx" I get this:

	Your firewall is blocking EDNS responses.  Note the answer
	below is > 512 bytes.

; <<>> DiG 8.3 <<>> mx hp.net +dnssec @palns6.americas.hp.net +norec
; (1 server found)
;; res options: init defnam dnsrch dnssec
;; got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 16704
;; flags: qr aa; QUERY: 1, ANSWER: 3, AUTHORITY: 7, ADDITIONAL: 17
;; QUERY SECTION:
;;	hp.net, type = MX, class = IN

;; ANSWER SECTION:
hp.net.			8H IN MX	100 atlsmtp.hp.com.
hp.net.			8H IN MX	10 charon.core.hp.com.
hp.net.			8H IN MX	100 palsmtp.hp.com.

;; AUTHORITY SECTION:
hp.net.			8H IN NS	atlns5.americas.hp.net.
hp.net.			8H IN NS	atlns6.americas.hp.net.
hp.net.			8H IN NS	denns5.americas.hp.net.
hp.net.			8H IN NS	denns6.americas.hp.net.
hp.net.			8H IN NS	nidnw.americas.hp.net.
hp.net.			8H IN NS	palns5.americas.hp.net.
hp.net.			8H IN NS	palns6.americas.hp.net.

;; ADDITIONAL SECTION:
atlsmtp.hp.com.		8H IN A		156.153.255.205
atlsmtp.hp.com.		8H IN A		156.153.255.206
atlsmtp.hp.com.		8H IN A		156.153.255.214
atlsmtp.hp.com.		8H IN A		156.153.255.213
charon.core.hp.com.	8H IN A		15.19.254.18
palsmtp.hp.com.		8H IN A		156.153.255.245
palsmtp.hp.com.		8H IN A		156.153.255.246
palsmtp.hp.com.		8H IN A		156.153.255.237
palsmtp.hp.com.		8H IN A		156.153.255.238
atlns5.americas.hp.net.  2H IN A  15.227.128.21
atlns6.americas.hp.net.  8H IN A  15.227.128.20
denns5.americas.hp.net.  8H IN A  15.235.240.21
denns6.americas.hp.net.  8H IN A  15.235.240.20
nidnw.americas.hp.net.	2H IN A		15.251.160.39
palns5.americas.hp.net.  2H IN A  15.243.160.21
palns6.americas.hp.net.  8H IN A  15.243.160.20
; EDNS: version: 0, udp=4096, flags=0000

;; Total query time: 191 msec
;; FROM: bsdi.dv.isc.org to SERVER: palns6.americas.hp.net  15.243.160.20
;; WHEN: Fri Sep 26 08:22:56 2003
;; MSG SIZE  sent: 35  rcvd: 528

>
> > dig @127.0.0.1 hp.com mx
>
> ; <<>> DiG 8.3 <<>> @127.0.0.1 hp.com mx
> ; (1 server found)
> ;; res options: init recurs defnam dnsrch
> ;; res_nsend to server 127.0.0.1  127.0.0.1: Operation timed out
>
> I have no trouble with any other domains and hp.com's A record even
> resolves perfectly.
>
> Sometimes though, after multiple digs, I do get it resolved but when it
> finally does it doesn't store the information in its cache and another dig
> will time out as shown above.
>
> Could this be a network problem? The two nameservers are behind a cisco
> pix...
> Do any of you guys have the same problem?
>
> Thanks,
>
> Kind regards,
> Anders
>
>
--
Mark Andrews, Internet Software Consortium
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: Mark.Andrews at isc.org
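
Added example, not part of the original posts: a small Python model of why the 528-byte reply in the dig output is lost and why "edns-udp-size 512" avoids it. It assumes the firewall drops UDP DNS packets longer than 512 bytes and that edns-udp-size sets the size the resolver advertises in its queries; the 4096 value and the function names are constructed for illustration.

```python
import struct

LEGACY_UDP_LIMIT = 512          # DNS-over-UDP maximum without EDNS
TYPE_MX, TYPE_OPT, CLASS_IN = 15, 41, 1

def encode_name(name):
    """Encode a domain name as length-prefixed labels ending with the root label."""
    labels = [l for l in name.split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def build_query(name, qtype, udp_size=None, do_bit=False, msg_id=16704):
    """Build a non-recursive query; with udp_size, append an EDNS0 OPT record."""
    msg = struct.pack("!HHHHHH", msg_id, 0, 1, 0, 0, 0 if udp_size is None else 1)
    msg += encode_name(name) + struct.pack("!HH", qtype, CLASS_IN)
    if udp_size is not None:
        # OPT: root name, TYPE 41, CLASS = advertised UDP size, TTL = flags, RDLEN 0
        msg += b"\x00" + struct.pack("!HHIH", TYPE_OPT, udp_size,
                                     0x8000 if do_bit else 0, 0)
    return msg

def skip_name(msg, pos):
    """Return the offset just past an uncompressed name starting at pos."""
    while msg[pos] != 0:
        pos += 1 + msg[pos]
    return pos + 1

def advertised_udp_size(query):
    """UDP payload size the query advertises (512 when there is no OPT record)."""
    qd, an, ns, ar = struct.unpack("!HHHH", query[4:12])
    pos = 12
    for _ in range(qd):
        pos = skip_name(query, pos) + 4          # name + QTYPE + QCLASS
    for _ in range(an + ns + ar):
        pos = skip_name(query, pos)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", query[pos:pos + 10])
        if rtype == TYPE_OPT:
            return rclass
        pos += 10 + rdlen
    return LEGACY_UDP_LIMIT

def fate_of_reply(query, reply_len, filter_limit=LEGACY_UDP_LIMIT):
    """Fate of a UDP reply of reply_len bytes; filter_limit is the assumed firewall rule."""
    if reply_len > advertised_udp_size(query):
        return "server-must-shrink"   # drop additional records or set TC
    if reply_len > filter_limit:
        return "dropped"              # fine for the resolver, too long for the filter
    return "passes"

if __name__ == "__main__":
    for size in (4096, 512):          # 528 is the reply size in the dig output above
        q = build_query("hp.net", TYPE_MX, udp_size=size, do_bit=True)
        print(size, len(q), fate_of_reply(q, 528))
```

The EDNS query built here is 35 bytes, the same as the "sent: 35" line in the dig output; without the OPT record it is 24 bytes.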


