problems resolving domains unser NSxx.DOMAINCONTROL.COM - this problem i have too! :(((((
Mark Andrews
marka at isc.org
Wed Jun 23 07:51:24 UTC 2010
In message <AANLkTinjqoRpLnyqj5tsO2TDwLt_ROPzDMrYMOIPHYTO at mail.gmail.com>, Piff
writes:
> Mark,
>
> more than once you have blamed firewal but I have tested without
> firewall and NSxx.DOMAINCONTROL.COM do not answer to "dig +dnssec".
Wrong. The nameserver DO answer these queries.
# dig +dnssec @ns33.domaincontrol.com. replacementservices.com.
; <<>> DiG 9.3.6-P1 <<>> +dnssec @ns33.domaincontrol.com. replacementservices.com.
; (1 server found)
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 41760
;; flags: qr aa; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 0
;; QUESTION SECTION:
;replacementservices.com. IN A
;; ANSWER SECTION:
replacementservices.com. 3600 IN A 72.32.12.235
;; AUTHORITY SECTION:
replacementservices.com. 3600 IN NS ns33.domaincontrol.com.
replacementservices.com. 3600 IN NS ns34.domaincontrol.com.
;; Query time: 346 msec
;; SERVER: 216.69.185.17#53(216.69.185.17)
;; WHEN: Wed Jun 23 17:39:43 2010
;; MSG SIZE rcvd: 109
#
Since you are not getting answers then there is a problem between
you and the nameservers in question and as just about every one
else is getting answers as well this puts the problem close to you.
i.e. Your network or your ISP's network. Something on the path is
doing DPI tests and is rejecting the response. Do you have a NAT
that does DPI?
> The real problem is bind. Freshly reloaded bind will do a query with
> OPT EDNS0 set and after a timeout retry the query without OPT EDNS0
> but after some time the queries are only with OPT EDNS0 set. Why? Why no
> fallback? My machines are running version 9.6-ESV-R1 and 9.4-ESV-R2.
It does fallback to plain DNS.
> -Sai
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: marka at isc.org
More information about the bind-users
mailing list