DNS problem with symantec.com
Mark Andrews
Mark_Andrews at isc.org
Tue Mar 23 21:22:50 UTC 2004
You have a firewall blocking the EDNS responses > 512 octets.
Contact your firewall vendor for a upgrade.
Mark
; <<>> DiG 9.2.3 <<>> +dnssec enterprisesecurity.symantec.com @ns1.symantec.com
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 40603
;; flags: qr rd; QUERY: 1, ANSWER: 1, AUTHORITY: 13, ADDITIONAL: 14
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;enterprisesecurity.symantec.com. IN A
;; ANSWER SECTION:
enterprisesecurity.symantec.com. 900 IN CNAME enterprisesecurity.production.ma.circleonline.net.
;; AUTHORITY SECTION:
. 236547 IN NS D.ROOT-SERVERS.net.
. 236547 IN NS A.ROOT-SERVERS.net.
. 236547 IN NS H.ROOT-SERVERS.net.
. 236547 IN NS C.ROOT-SERVERS.net.
. 236547 IN NS G.ROOT-SERVERS.net.
. 236547 IN NS F.ROOT-SERVERS.net.
. 236547 IN NS B.ROOT-SERVERS.net.
. 236547 IN NS J.ROOT-SERVERS.net.
. 236547 IN NS K.ROOT-SERVERS.net.
. 236547 IN NS L.ROOT-SERVERS.net.
. 236547 IN NS M.ROOT-SERVERS.net.
. 236547 IN NS I.ROOT-SERVERS.net.
. 236547 IN NS E.ROOT-SERVERS.net.
;; ADDITIONAL SECTION:
D.ROOT-SERVERS.net. 322947 IN A 128.8.10.90
A.ROOT-SERVERS.net. 322947 IN A 198.41.0.4
H.ROOT-SERVERS.net. 322947 IN A 128.63.2.53
C.ROOT-SERVERS.net. 322947 IN A 192.33.4.12
G.ROOT-SERVERS.net. 322947 IN A 192.112.36.4
F.ROOT-SERVERS.net. 322947 IN A 192.5.5.241
B.ROOT-SERVERS.net. 322947 IN A 192.228.79.201
J.ROOT-SERVERS.net. 322947 IN A 192.58.128.30
K.ROOT-SERVERS.net. 322947 IN A 193.0.14.129
L.ROOT-SERVERS.net. 322947 IN A 198.32.64.12
M.ROOT-SERVERS.net. 322947 IN A 202.12.27.33
I.ROOT-SERVERS.net. 322947 IN A 192.36.148.17
E.ROOT-SERVERS.net. 322947 IN A 192.203.230.10
;; Query time: 320 msec
;; SERVER: 198.6.49.5#53(ns1.symantec.com)
;; WHEN: Wed Mar 24 08:20:22 2004
;; MSG SIZE rcvd: 539
> Simon Waters (Simon at wretched.demon.co.uk) wrote:
>
> : Next time try "dig @problem?serverip enterprisesecurity.symantec.com" if
> : it gives the right answer it is probably a client problem.
>
> Hi, thanks for the reply. I tried running dig from our main campus
> DNS (uahis1.uah.edu, or 146.229.1.2) and got basically the same result.
> If I run it with no option, it times out. If I specifically look for the
> CNAME, it finds it, then subsequent lookups for the A record work fine:
>
> # dig enterprisesecurity.symantec.com
>
> ; <<>> DiG 8.3 <<>> enterprisesecurity.symantec.com
> ;; res options: init recurs defnam dnsrch
> ;; res_nsend to server default -- 146.229.1.2: Connection timed out
> #
>
> Now look for the CNAME...
>
> # dig enterprisesecurity.symantec.com cname
>
> ; <<>> DiG 8.3 <<>> enterprisesecurity.symantec.com cname
> ;; res options: init recurs defnam dnsrch
> ;; got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 2
> ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 4, ADDITIONAL: 4
> ;; QUERY SECTION:
> ;; enterprisesecurity.symantec.com, type = CNAME, class = IN
>
> ;; ANSWER SECTION:
> enterprisesecurity.symantec.com. 15M IN CNAME enterprisesecurity.production
> .ma.circleonline.net.
>
> ;; AUTHORITY SECTION:
> symantec.com. 5h31m49s IN NS ns3.symantec.com.
> symantec.com. 5h31m49s IN NS ns4.symantec.com.
> symantec.com. 5h31m49s IN NS ns1.symantec.com.
> symantec.com. 5h31m49s IN NS ns2.symantec.com.
>
> ;; ADDITIONAL SECTION:
> ns3.symantec.com. 6h47m5s IN A 206.204.212.86
> ns4.symantec.com. 6h47m5s IN A 206.204.52.11
> ns1.symantec.com. 6h47m5s IN A 198.6.49.5
> ns2.symantec.com. 6h47m5s IN A 198.6.49.111
>
> ;; Total query time: 132 msec
> ;; FROM: uahis1.uah.edu to SERVER: default -- 146.229.1.2
> ;; WHEN: Tue Mar 23 10:07:53 2004
> ;; MSG SIZE sent: 49 rcvd: 279
>
> And once I have "primed the pump", so to speak, it works:
>
> # dig enterprisesecurity.symantec.com
>
> ; <<>> DiG 8.3 <<>> enterprisesecurity.symantec.com
> ;; res options: init recurs defnam dnsrch
> ;; got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 2
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 13, ADDITIONAL: 10
> ;; QUERY SECTION:
> ;; enterprisesecurity.symantec.com, type = A, class = IN
>
> ;; ANSWER SECTION:
> enterprisesecurity.symantec.com. 14m14s IN CNAME enterprisesecurity.product
> ion.ma.circleonline.net.
> enterprisesecurity.production.ma.circleonline.net. 31m33s IN A 64.55.213.14
>
> ;; AUTHORITY SECTION:
> net. 8h18m8s IN NS l.gtld-servers.net.
> net. 8h18m8s IN NS h.gtld-servers.net.
> net. 8h18m8s IN NS e.gtld-servers.net.
> net. 8h18m8s IN NS i.gtld-servers.net.
> net. 8h18m8s IN NS m.gtld-servers.net.
> net. 8h18m8s IN NS g.gtld-servers.net.
> net. 8h18m8s IN NS f.gtld-servers.net.
> net. 8h18m8s IN NS c.gtld-servers.net.
> net. 8h18m8s IN NS k.gtld-servers.net.
> net. 8h18m8s IN NS b.gtld-servers.net.
> net. 8h18m8s IN NS j.gtld-servers.net.
> net. 8h18m8s IN NS d.gtld-servers.net.
> net. 8h18m8s IN NS a.gtld-servers.net.
>
> ;; ADDITIONAL SECTION:
> l.gtld-servers.net. 1d21h5m51s IN A 192.41.162.30
> h.gtld-servers.net. 1d21h5m51s IN A 192.54.112.30
> e.gtld-servers.net. 1d21h5m51s IN A 192.12.94.30
> i.gtld-servers.net. 1d21h5m51s IN A 192.43.172.30
> m.gtld-servers.net. 1d21h5m51s IN A 192.55.83.30
> g.gtld-servers.net. 1d21h5m51s IN A 192.42.93.30
> f.gtld-servers.net. 1d21h5m51s IN A 192.35.51.30
> c.gtld-servers.net. 1d21h5m51s IN A 192.26.92.30
> k.gtld-servers.net. 1d21h5m51s IN A 192.52.178.30
> b.gtld-servers.net. 1d21h5m51s IN A 192.33.14.30
>
> ;; Total query time: 22 msec
> ;; FROM: uahis1.uah.edu to SERVER: default -- 146.229.1.2
> ;; WHEN: Tue Mar 23 10:08:39 2004
> ;; MSG SIZE sent: 49 rcvd: 509
>
> So this appears to be a BIND issue. Is this a known problem, or could
> it be a config problem? Thanks...
>
> Jim McCullars
> University of Alabama in Huntsville
>
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: Mark_Andrews at isc.org
More information about the bind-users
mailing list