Delegation not working
Mark Andrews
Mark_Andrews at isc.org
Thu May 7 22:33:04 UTC 2009
In message <F43437AD793B466C9F4F93830225F3EC at netadmin.bart.gov>, "Mike Bernhardt" writes:
> I found the problem. After the various delegation config issues were cleared
> and it still didn't work, I started doing some traces. The problem turned
> out to be
> 1. We had a query source port of 53 configured that was left over from some
> old legacy compatibility issues.
> 2. The firewall between us and the subdomain authority was only allowing
> queries from high-numbered ports.
> 3. The dns rule in the firewall was configured to not log, so the drops
> didn't show up when I looked previously.
>
> I removed the query source-port option and all is now good. Thank you to
> Chris Buxton for all of his patience. I learned a few things along the way.
I hope you also fixed the firewall not to care about the
source port of DNS queries. There is no requirement for
DNS queries to be sourced from any particular port range.
Mark
> Mike
>
> -----Original Message-----
> From: Chris Buxton [mailto:cbuxton at menandmice.com]
> Sent: Thursday, May 07, 2009 1:19 PM
> To: Mike Bernhardt
> Cc: bind-users at lists.isc.org
> Subject: Re: Delegation not working
>
> Mike,
>
> That was two separate commands.
>
> dig +norec -x 10.0.2.252 @148.165.126.87
>
> and
>
> dig +norec -x 10.0.2.252 @10.2.242.222
>
> So most of what you sent back is gibberish. However, at the top, there
> is the message "connection timed out; no servers could be reached".
> There's at least part of your problem.
>
> Chris Buxton
> Professional Services
> Men & Mice
>
> On May 7, 2009, at 12:50 PM, Mike Bernhardt wrote:
>
> > That gave me:
> > dig +norec -x 10.0.2.252 @148.165.126.87 dig +norec -x 10.0.2.252
> > @10.2.242.222
> > ;; connection timed out; no servers could be reached
> > ;; Got answer:
> > ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 34563
> > ;; flags: qr ra; QUERY: 1, ANSWER: 0, AUTHORITY: 13, ADDITIONAL: 14
> >
> > ;; QUESTION SECTION:
> > ;dig. IN A
> >
> > ;; AUTHORITY SECTION:
> > . 162058 IN NS C.ROOT-SERVERS.NET.
> > . 162058 IN NS D.ROOT-SERVERS.NET.
> > . 162058 IN NS E.ROOT-SERVERS.NET.
> > . 162058 IN NS F.ROOT-SERVERS.NET.
> > . 162058 IN NS G.ROOT-SERVERS.NET.
> > . 162058 IN NS H.ROOT-SERVERS.NET.
> > . 162058 IN NS I.ROOT-SERVERS.NET.
> > . 162058 IN NS J.ROOT-SERVERS.NET.
> > . 162058 IN NS K.ROOT-SERVERS.NET.
> > . 162058 IN NS L.ROOT-SERVERS.NET.
> > . 162058 IN NS M.ROOT-SERVERS.NET.
> > . 162058 IN NS A.ROOT-SERVERS.NET.
> > . 162058 IN NS B.ROOT-SERVERS.NET.
> >
> > ;; ADDITIONAL SECTION:
> > A.ROOT-SERVERS.NET. 599086 IN A 198.41.0.4
> > A.ROOT-SERVERS.NET. 552012 IN AAAA 2001:503:ba3e::2:30
> > B.ROOT-SERVERS.NET. 35325 IN A 192.228.79.201
> > C.ROOT-SERVERS.NET. 599099 IN A 192.33.4.12
> > D.ROOT-SERVERS.NET. 599100 IN A 128.8.10.90
> > E.ROOT-SERVERS.NET. 599101 IN A 192.203.230.10
> > F.ROOT-SERVERS.NET. 599102 IN A 192.5.5.241
> > F.ROOT-SERVERS.NET. 552012 IN AAAA 2001:500:2f::f
> > G.ROOT-SERVERS.NET. 599090 IN A 192.112.36.4
> > H.ROOT-SERVERS.NET. 599091 IN A 128.63.2.53
> > H.ROOT-SERVERS.NET. 552012 IN AAAA 2001:500:1::803f:235
> > I.ROOT-SERVERS.NET. 599092 IN A 192.36.148.17
> > J.ROOT-SERVERS.NET. 208142 IN A 192.58.128.30
> > J.ROOT-SERVERS.NET. 208142 IN AAAA 2001:503:c27::2:30
> >
> > ;; Query time: 0 msec
> > ;; SERVER: 148.165.30.30#53(148.165.30.30)
> > ;; WHEN: Thu May 7 12:52:39 2009
> > ;; MSG SIZE rcvd: 504
> >
> >
> > ; <<>> DiG 9.3.4 <<>> +norec -x 10.0.2.252 @148.165.126.87 dig
> > +norec -x
> > 10.0.2.252 @10.2.242.222
> > ; (1 server found)
> > ;; global options: printcmd
> > ;; connection timed out; no servers could be reached
> >
> > -----Original Message-----
> > From: Chris Buxton [mailto:cbuxton at menandmice.com]
> > Sent: Thursday, May 07, 2009 12:50 PM
> > To: Mike Bernhardt
> > Cc: bind-users at lists.isc.org
> > Subject: Re: Delegation not working
> >
> > On May 7, 2009, at 12:37 PM, Mike Bernhardt wrote:
> >> And dig gives me this:
> >> dig +norec @athena -x 10.0.2.252
> >>
> >> ;; QUESTION SECTION:
> >> ;252.2.0.10.in-addr.arpa. IN PTR
> >>
> >> ;; AUTHORITY SECTION:
> >> 0.10.in-addr.arpa. 14400 IN NS mrep-02.adm.bart.gov.
> >> 0.10.in-addr.arpa. 14400 IN NS dhcp-01.adm.bart.gov.
> >>
> >> ;; ADDITIONAL SECTION:
> >> dhcp-01.adm.bart.gov. 86400 IN A 148.165.126.87
> >> mrep-02.adm.bart.gov. 86400 IN A 10.2.242.222
> >
> > That looks perfect.
> >
> >> Without +norec, it times out.
> >
> >
> > OK, now we're getting somewhere. Why would the server "athena" have
> > trouble querying those two servers? Try this from "athena" itself:
> >
> > dig +norec -x 10.0.2.252 @148.165.126.87
> > dig +norec -x 10.0.2.252 @10.2.242.222
> >
> > Chris Buxton
> > Professional Services
> > Men & Mice
> >
>
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: Mark_Andrews at isc.org
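The root cause Mike found, a leftover `query-source ... port 53`, is worth checking for mechanically rather than by reading firewall drops. The Python below is an added example, not code from the thread or from BIND: it flags a fixed query-source port in a named.conf fragment and measures the source-port spread of outbound queries in tcpdump output; the config text and capture lines are constructed (the host addresses are the ones from the thread).

```python
import math
import re
from collections import Counter

# BIND "query-source ... port N;" pins every outbound query to port N. Leaving
# the port clause out (or "port *") lets the resolver pick a random port, which
# the firewall in the thread expected and which spoofing resistance needs.
QUERY_SOURCE_RE = re.compile(r"^\s*query-source(?:-v6)?\b[^;]*?\bport\s+(\d+)\s*;", re.M)
# Source port of an outbound UDP DNS query in tcpdump's default output line:
# "IP <src>.<sport> > <dst>.53: <id>+ <qtype>? <qname> (<len>)"
TCPDUMP_QUERY_RE = re.compile(r"\bIP \S+\.(\d+) > \S+\.53: ")

def fixed_query_source_ports(named_conf: str) -> list[int]:
    """Every fixed query-source port declared in a named.conf text."""
    return [int(p) for p in QUERY_SOURCE_RE.findall(named_conf)]

def source_port_spread(tcpdump_lines: list[str]) -> tuple[int, float]:
    """Distinct source ports and their Shannon entropy (bits) in a capture."""
    counts = Counter(int(m.group(1)) for m in map(TCPDUMP_QUERY_RE.search, tcpdump_lines) if m)
    total = sum(counts.values())
    entropy = sum(-c / total * math.log2(c / total) for c in counts.values())
    return len(counts), entropy

def audit(named_conf: str, tcpdump_lines: list[str]) -> list[str]:
    """Findings: a pinned port in config, or a capture with no port spread."""
    findings = [f"named.conf pins query-source to port {p}; drop the port clause"
                for p in fixed_query_source_ports(named_conf)]
    distinct, bits = source_port_spread(tcpdump_lines)
    if tcpdump_lines and distinct < 2:
        findings.append(f"capture shows one source port ({bits:.1f} bits of entropy)")
    return findings

# Constructed named.conf fragments: the leftover option from the thread, and the fix.
LEGACY_OPTIONS = 'options {\n  directory "/var/named";\n  query-source address * port 53;\n};\n'
FIXED_OPTIONS = 'options {\n  directory "/var/named";\n  query-source address *;\n};\n'
# Constructed tcpdump lines (hosts from the thread): queries to the two delegated
# servers, first pinned to port 53, then from random high ports.
PINNED_CAPTURE = [
    "IP 148.165.30.30.53 > 148.165.126.87.53: 34563+ PTR? 252.2.0.10.in-addr.arpa. (41)",
    "IP 148.165.30.30.53 > 10.2.242.222.53: 34564+ PTR? 252.2.0.10.in-addr.arpa. (41)",
]
RANDOM_CAPTURE = [
    "IP 148.165.30.30.51874 > 148.165.126.87.53: 34563+ PTR? 252.2.0.10.in-addr.arpa. (41)",
    "IP 148.165.30.30.40219 > 10.2.242.222.53: 34564+ PTR? 252.2.0.10.in-addr.arpa. (41)",
    "IP 148.165.30.30.63002 > 148.165.126.87.53: 34565+ PTR? 252.2.0.10.in-addr.arpa. (41)",
    "IP 148.165.30.30.33881 > 10.2.242.222.53: 34566+ PTR? 252.2.0.10.in-addr.arpa. (41)",
]
```

Run `audit(LEGACY_OPTIONS, PINNED_CAPTURE)` against real files by reading named.conf and piping `tcpdump -n udp dst port 53` output into the list; an empty result means the resolver is no longer pinned to one port.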