Delegation not working

Mike Bernhardt bernhardt at bart.gov
Thu May 7 21:38:05 UTC 2009


I found the problem. After the various delegation config issues were cleared
and it still didn't work, I started doing some traces. The problem turned
out to be:

1. We had a query source port of 53 configured that was left over from some
   old legacy compatibility issues.
2. The firewall between us and the subdomain authority was only allowing
   queries from high-numbered ports.
3. The dns rule in the firewall was configured to not log, so the drops
   didn't show up when I looked previously.

I removed the query source-port option and all is now good. Thank you to
Chris Buxton for all of his patience. I learned a few things along the way.

Mike
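The two findings above (a leftover fixed query source port, and delegated
servers that time out when probed one at a time with +norec) are both easy to
check mechanically. The script below is an added example written for this
archive page, not code from the thread or from ISC: it flags any
`query-source`/`query-source-v6` directive in a named.conf fragment that pins
the source port, then parses a dig referral to list the delegated nameservers
and their glue so each one can be queried non-recursively, the check Chris
suggested. The config fragments and the referral text are constructed samples
modelled on the thread. A fixed source port also gives up the source-port
randomization BIND otherwise uses for outbound queries, which is a reason to
remove it even where no firewall is in the way.

```python
"""Check a named.conf fragment for a pinned query source port and extract
delegation targets from a dig referral. Constructed example, not from the
bind-users thread or from BIND itself."""
import re

# Constructed sample: the kind of leftover option described in the thread.
WEAK_CONF = """
options {
    directory "/var/named";
    query-source address * port 53;
    recursion yes;
};
"""

# Constructed corrected fragment: let named pick an ephemeral source port.
FIXED_CONF = """
options {
    directory "/var/named";
    query-source address *;
    recursion yes;
};
"""

# Constructed referral, modelled on the +norec answer quoted in the thread.
REFERRAL = """\
;; QUESTION SECTION:
;252.2.0.10.in-addr.arpa.       IN      PTR

;; AUTHORITY SECTION:
0.10.in-addr.arpa.      14400   IN      NS      mrep-02.adm.bart.gov.
0.10.in-addr.arpa.      14400   IN      NS      dhcp-01.adm.bart.gov.

;; ADDITIONAL SECTION:
dhcp-01.adm.bart.gov.   86400   IN      A       148.165.126.87
mrep-02.adm.bart.gov.   86400   IN      A       10.2.242.222
"""

TIMEOUT_MARKER = ";; connection timed out; no servers could be reached"

# Matches "query-source [address X] port N;" and "query-source-v6 ...".
QUERY_SOURCE_RE = re.compile(
    r"^\s*(query-source(?:-v6)?)\s+(?:address\s+\S+\s+)?port\s+(\d+|\*)\s*;",
    re.MULTILINE | re.IGNORECASE,
)


def fixed_query_source_ports(conf_text):
    """Return (directive, port) for every query-source directive that pins
    the source port to a specific number; 'port *' is not reported."""
    found = []
    for m in QUERY_SOURCE_RE.finditer(conf_text):
        directive, port = m.group(1).lower(), m.group(2)
        if port != "*":
            found.append((directive, int(port)))
    return found


def delegation_targets(dig_output):
    """Parse a dig referral into [(ns_name, address)] using the NS records in
    AUTHORITY and any A/AAAA glue in ADDITIONAL (address is None without glue)."""
    section, ns_names, glue = None, [], {}
    for line in dig_output.splitlines():
        if line.startswith(";; ") and line.endswith("SECTION:"):
            section = line[3:-len(" SECTION:")]
            continue
        if not line or line.startswith(";"):
            continue
        fields = line.split()
        if len(fields) < 5:
            continue
        name, rtype, rdata = fields[0], fields[3], fields[4]
        if section == "AUTHORITY" and rtype == "NS":
            ns_names.append(rdata)
        elif section == "ADDITIONAL" and rtype in ("A", "AAAA"):
            glue.setdefault(name, []).append(rdata)
    return [(ns, addr) for ns in ns_names for addr in glue.get(ns, [None])]


def probe_commands(dig_output, query="-x 10.0.2.252"):
    """One non-recursive dig per delegated server, so each path is tested
    in isolation rather than through the recursive resolver."""
    return ["dig +norec %s @%s" % (query, addr)
            for _, addr in delegation_targets(dig_output) if addr]


def server_reached(dig_output):
    """False when dig reported a timeout. With a firewall rule that drops
    without logging (point 3 in the thread) this is the only symptom."""
    return TIMEOUT_MARKER not in dig_output


if __name__ == "__main__":
    print("weak conf pins :", fixed_query_source_ports(WEAK_CONF))
    print("fixed conf pins:", fixed_query_source_ports(FIXED_CONF))
    for cmd in probe_commands(REFERRAL):
        print("run:", cmd)
```

Run it against the real named.conf by reading the file into
`fixed_query_source_ports`, and feed the output of the +norec query against
the parent server into `probe_commands`; a probe whose output fails
`server_reached` is the path to trace on the firewall.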

-----Original Message-----
From: Chris Buxton [mailto:cbuxton at menandmice.com] 
Sent: Thursday, May 07, 2009 1:19 PM
To: Mike Bernhardt
Cc: bind-users at lists.isc.org
Subject: Re: Delegation not working

Mike,

That was two separate commands.

dig +norec -x 10.0.2.252 @148.165.126.87

and

dig +norec -x 10.0.2.252 @10.2.242.222

So most of what you sent back is gibberish. However, at the top, there
is the message "connection timed out; no servers could be reached".
There's at least part of your problem.

Chris Buxton
Professional Services
Men & Mice

On May 7, 2009, at 12:50 PM, Mike Bernhardt wrote:

> That gave me:
> dig +norec -x 10.0.2.252 @148.165.126.87 dig +norec -x 10.0.2.252
> @10.2.242.222
> ;; connection timed out; no servers could be reached
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 34563
> ;; flags: qr ra; QUERY: 1, ANSWER: 0, AUTHORITY: 13, ADDITIONAL: 14
>
> ;; QUESTION SECTION:
> ;dig.                           IN      A
>
> ;; AUTHORITY SECTION:
> .                       162058  IN      NS      C.ROOT-SERVERS.NET.
> .                       162058  IN      NS      D.ROOT-SERVERS.NET.
> .                       162058  IN      NS      E.ROOT-SERVERS.NET.
> .                       162058  IN      NS      F.ROOT-SERVERS.NET.
> .                       162058  IN      NS      G.ROOT-SERVERS.NET.
> .                       162058  IN      NS      H.ROOT-SERVERS.NET.
> .                       162058  IN      NS      I.ROOT-SERVERS.NET.
> .                       162058  IN      NS      J.ROOT-SERVERS.NET.
> .                       162058  IN      NS      K.ROOT-SERVERS.NET.
> .                       162058  IN      NS      L.ROOT-SERVERS.NET.
> .                       162058  IN      NS      M.ROOT-SERVERS.NET.
> .                       162058  IN      NS      A.ROOT-SERVERS.NET.
> .                       162058  IN      NS      B.ROOT-SERVERS.NET.
>
> ;; ADDITIONAL SECTION:
> A.ROOT-SERVERS.NET.     599086  IN      A       198.41.0.4
> A.ROOT-SERVERS.NET.     552012  IN      AAAA    2001:503:ba3e::2:30
> B.ROOT-SERVERS.NET.     35325   IN      A       192.228.79.201
> C.ROOT-SERVERS.NET.     599099  IN      A       192.33.4.12
> D.ROOT-SERVERS.NET.     599100  IN      A       128.8.10.90
> E.ROOT-SERVERS.NET.     599101  IN      A       192.203.230.10
> F.ROOT-SERVERS.NET.     599102  IN      A       192.5.5.241
> F.ROOT-SERVERS.NET.     552012  IN      AAAA    2001:500:2f::f
> G.ROOT-SERVERS.NET.     599090  IN      A       192.112.36.4
> H.ROOT-SERVERS.NET.     599091  IN      A       128.63.2.53
> H.ROOT-SERVERS.NET.     552012  IN      AAAA    2001:500:1::803f:235
> I.ROOT-SERVERS.NET.     599092  IN      A       192.36.148.17
> J.ROOT-SERVERS.NET.     208142  IN      A       192.58.128.30
> J.ROOT-SERVERS.NET.     208142  IN      AAAA    2001:503:c27::2:30
>
> ;; Query time: 0 msec
> ;; SERVER: 148.165.30.30#53(148.165.30.30)
> ;; WHEN: Thu May  7 12:52:39 2009
> ;; MSG SIZE  rcvd: 504
>
>
> ; <<>> DiG 9.3.4 <<>> +norec -x 10.0.2.252 @148.165.126.87 dig  
> +norec -x
> 10.0.2.252 @10.2.242.222
> ; (1 server found)
> ;; global options:  printcmd
> ;; connection timed out; no servers could be reached
>
> -----Original Message-----
> From: Chris Buxton [mailto:cbuxton at menandmice.com]
> Sent: Thursday, May 07, 2009 12:50 PM
> To: Mike Bernhardt
> Cc: bind-users at lists.isc.org
> Subject: Re: Delegation not working
>
> On May 7, 2009, at 12:37 PM, Mike Bernhardt wrote:
>> And dig gives me this:
>> dig +norec @athena -x 10.0.2.252
>>
>> ;; QUESTION SECTION:
>> ;252.2.0.10.in-addr.arpa.       IN      PTR
>>
>> ;; AUTHORITY SECTION:
>> 0.10.in-addr.arpa.      14400   IN      NS      mrep-02.adm.bart.gov.
>> 0.10.in-addr.arpa.      14400   IN      NS      dhcp-01.adm.bart.gov.
>>
>> ;; ADDITIONAL SECTION:
>> dhcp-01.adm.bart.gov.   86400   IN      A       148.165.126.87
>> mrep-02.adm.bart.gov.   86400   IN      A       10.2.242.222
>
> That looks perfect.
>
>> Without +norec, it times out.
>
>
> OK, now we're getting somewhere. Why would the server "athena" have
> trouble querying those two servers? Try this from "athena" itself:
>
> dig +norec -x 10.0.2.252 @148.165.126.87
> dig +norec -x 10.0.2.252 @10.2.242.222
>
> Chris Buxton
> Professional Services
> Men & Mice
>