[SOLVED] Re: BIND9 SERVFAIL on some .gov addresses

Ryan Novosielski novosirj at umdnj.edu
Wed Feb 23 16:39:41 UTC 2011



Take a look at this. It is somewhat confusing, but it is helpful and
should tell you right away if you definitely have a firewall issue (and
frankly there's little else it could be).

https://www.dns-oarc.net/oarc/services/replysizetest

On 02/23/2011 11:15 AM, Shaoquan Lin wrote:
> Thanks, Mark,
> 
> Last June I asked our firewall person to make sure our firewall was not
> blocking DNS packets over 512 bytes.  He told me our firewall was not
> blocking.  I guess that might be some default setting of the firewall
> and he does not really know.  I did two digs here, one with +dnssec and
> one without.  I got the following:
> 
> 1) with +dnssec :
> ; <<>> DiG 9.6.1-P3 <<>> +norec vwall4a.nyc.gov @b.gov-servers.net +dnssec
> ;; global options: +cmd
> ;; connection timed out; no servers could be reached
> 
> 2) without +dnssec :
> ; <<>> DiG 9.6.1-P3 <<>> +norec vwall4a.nyc.gov @b.gov-servers.net
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 2024
> ;; flags: qr; QUERY: 1, ANSWER: 0, AUTHORITY: 4, ADDITIONAL: 4
> 
> ;; QUESTION SECTION:
> ;vwall4a.nyc.gov.               IN      A
> 
> ;; AUTHORITY SECTION:
> nyc.gov.                86400   IN      NS      vwall1a.nyc.gov.
> nyc.gov.                86400   IN      NS      vwall2a.nyc.gov.
> nyc.gov.                86400   IN      NS      vwall3a.nyc.gov.
> nyc.gov.                86400   IN      NS      vwall4a.nyc.gov.
> 
> ;; ADDITIONAL SECTION:
> vwall1a.nyc.gov.        86400   IN      A       161.185.1.3
> vwall2a.nyc.gov.        86400   IN      A       161.185.1.12
> vwall3a.nyc.gov.        86400   IN      A       167.153.130.12
> vwall4a.nyc.gov.        86400   IN      A       167.153.130.13
> 
> ;; Query time: 31 msec
> ;; SERVER: 209.112.123.30#53(209.112.123.30)
> ;; WHEN: Wed Feb 23 11:12:48 2011
> ;; MSG SIZE  rcvd: 192
> 
> Does this show we do have a firewall problem here?
> 
> Shaoquan Lin
> 
> Mark Andrews wrote:
>> In message <0539E64AD2B54AD2804C2394F923800B at se179>, "Shaoquan Lin"
>> writes:
>>  
>>> Mark,
>>>
>>> Are these bugs (2784 and 1804) fixed by BIND 9.6.1-P3?  My problem is
>>> that I can not get A records of NSs (like vwall4a.nyc.gov) of nyc.gov
>>> from b.gov-servers.net by BIND 9.6.1-P3 but with no problem with older
>>> BINDs like 9.3.  I don't know if the problem is with the authoritative
>>> nameservers for gov or the nameservers for nyc.gov or with the BIND I
>>> am using.  I noticed the following:
>>>     
>>
>> Just fix your firewalls to allow EDNS responses through.  While
>> this is a bug in the authoritative servers / interpretation of
>> RFC 1034, it's only an issue because your firewall configuration
>> is a decade out of date.
>>
>>  
>>> 1). a.gov-servers.net  or b.gov-servers.net  does provide A records
>>> in the additional records of their responses for other subdomain
>>> under gov like treas.gov, just not nyc.gov.  So the problem seems
>>> with nameservers for nyc.gov.  The problem is relatively new and
>>> there might be some recent changes on nyc.gov.
>>>     
>>
>> The gov servers will return glue if you let bigger answers than 512 bytes
>> through your firewall.
>>
>> ; <<>> DiG 9.6.0-APPLE-P2 <<>> +norec vwall4a.nyc.gov @b.gov-servers.net +dnssec
>> ;; global options: +cmd
>> ;; Got answer:
>> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 50028
>> ;; flags: qr; QUERY: 1, ANSWER: 0, AUTHORITY: 6, ADDITIONAL: 5
>>
>> ;; OPT PSEUDOSECTION:
>> ; EDNS: version: 0, flags:; udp: 1472
>> ;; QUESTION SECTION:
>> ;vwall4a.nyc.gov.        IN    A
>>
>> ;; AUTHORITY SECTION:
>> nyc.gov.        86400    IN    NS    vwall1a.nyc.gov.
>> nyc.gov.        86400    IN    NS    vwall2a.nyc.gov.
>> nyc.gov.        86400    IN    NS    vwall3a.nyc.gov.
>> nyc.gov.        86400    IN    NS    vwall4a.nyc.gov.
>> rq2651faaj4nen6tfis8ju5005qccn8j.gov. 86400 IN NSEC3 1 0 8
>> 4C44934802D3 RQDJO8PKJ2LEUMC30SGU45DDI643G497 NS
>> rq2651faaj4nen6tfis8ju5005qccn8j.gov. 86400 IN RRSIG NSEC3 7 2 86400
>> 20110227210022 20110222210022 47602 gov.
>> ENl60LTdlJfmyDp9wrwh6bQao8TvqTk8hX4qD6x4bHGBixjsGhOy/si8
>> JVUl1MbeJ1PaJ3p59/ABFUv7ApOh5v6eflzhsBa6EalBrYCC5HpOabJn
>> Q2r0RFqDvUb1Qo921cnbC+3Bh37i3DVTbK+poYpIkbpJAxOE+/zp/PrA
>> 1L0v2kuS9t6gHLk+ZzfsQI6Gi9Ezg2VZIhVXGz06a7EzyGy2BZ/Plz4u
>> In2Dj5ncwAlAi9dC6xiQTW2yRmVSQoXzNZKUcZO+E0mPKPR9DcNVotX9
>> CzTbrOyKNtYrrV6GNslN5qicuHIehriQIMPdXs3/e2ZhB3h944kpymqL ag3tCg==
>>
>> ;; ADDITIONAL SECTION:
>> vwall1a.nyc.gov.    86400    IN    A    161.185.1.3
>> vwall2a.nyc.gov.    86400    IN    A    161.185.1.12
>> vwall3a.nyc.gov.    86400    IN    A    167.153.130.12
>> vwall4a.nyc.gov.    86400    IN    A    167.153.130.13
>>
>> ;; Query time: 187 msec
>> ;; SERVER: 209.112.123.30#53(209.112.123.30)
>> ;; WHEN: Wed Feb 23 11:54:06 2011
>> ;; MSG SIZE  rcvd: 574
>>  
>>  
>>> 2) Older versions of BIND (like 9.3) seem able to resolve
>>> vwall4a.nyc.gov, as shown by the packets I captured in my previous e-mail.
>>>
>>> What options in named.conf can I use to set "tc"?
>>>
>>> Thank you.
>>>
>>> Shaoquan Lin
>>>     
> 


-- 
---- _  _ _  _ ___  _  _  _
|Y#| |  | |\/| |  \ |\ |  | |Ryan Novosielski - Sr. Systems Programmer
|$&| |__| |  | |__/ | \| _| |novosirj at umdnj.edu - 973/972.0922 (2-0922)
\__/ Univ. of Med. and Dent.|IST/CST-Academic Svcs. - ADMC 450, Newark
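The check the thread converges on is simple: send the same non-recursive query once as a plain RFC 1035 packet and once with an EDNS0 OPT record and the DO bit set (what `dig +dnssec` does), and see whether the second one comes back. The script below is an added example, not code from the thread or from ISC; it builds both packets by hand, parses the reply header and OPT record, and classifies the outcome the way Mark and Ryan did. The classification labels, the helper names and the sample packets in its usage are constructed for illustration; only the `__main__` part touches the network.

```python
"""Diagnose whether EDNS0 / >512-byte UDP replies reach this host (RFC 6891 mechanics)."""
import random
import socket
import struct
import sys

OPT_TYPE = 41      # EDNS0 OPT pseudo-RR type
DO_FLAG = 0x8000   # DNSSEC OK bit, low 16 bits of the OPT "TTL" field
TC_FLAG = 0x0200   # TrunCation bit in the DNS header flags

# Constructed labels for the diagnosis; not a vocabulary from dig or BIND.
MESSAGES = {
    "no_reply": "no reply even without EDNS: server, route or port 53 problem",
    "edns_blocked": "plain query answered but EDNS/DNSSEC query timed out: "
                    "firewall drops EDNS or UDP replies over 512 bytes",
    "truncated": "EDNS reply has TC set: server fell back to 512 bytes, retry over TCP",
    "opt_stripped": "EDNS reply carries no OPT record: a middlebox may strip EDNS",
    "ok": "EDNS reply received with OPT: large UDP answers pass",
}


def encode_name(name):
    """Wire-encode a domain name as length-prefixed labels ending in a zero byte."""
    if name in ("", "."):
        return b"\x00"
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError("bad label: %r" % label)
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(qname, qtype=1, edns_bufsize=None, dnssec_ok=False, qid=None):
    """Build a non-recursive query (like dig +norec); add an OPT RR when edns_bufsize is set."""
    qid = random.randrange(0, 65536) if qid is None else qid
    arcount = 1 if edns_bufsize is not None else 0
    header = struct.pack("!HHHHHH", qid, 0x0000, 1, 0, 0, arcount)   # RD clear
    question = encode_name(qname) + struct.pack("!HH", qtype, 1)     # class IN
    if edns_bufsize is None:
        return header + question
    # OPT: root name, type 41, CLASS field carries the UDP payload size,
    # TTL field carries ext-rcode/version/flags (DO), empty RDATA.
    ttl = DO_FLAG if dnssec_ok else 0
    opt = b"\x00" + struct.pack("!HHIH", OPT_TYPE, edns_bufsize, ttl, 0)
    return header + question + opt


def _skip_name(data, off):
    """Return the offset just past a (possibly compressed) wire-format name."""
    while True:
        length = data[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:      # compression pointer: two bytes, ends the name
            return off + 2
        off += 1 + length


def parse_response(data):
    """Pull header fields and the OPT record (if any) out of a raw DNS reply."""
    if len(data) < 12:
        raise ValueError("short packet")
    qid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", data[:12])
    info = {"id": qid, "rcode": flags & 0x000F, "tc": bool(flags & TC_FLAG),
            "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar,
            "edns_bufsize": None, "do": False, "size": len(data)}
    off = 12
    for _ in range(qd):
        off = _skip_name(data, off) + 4              # QTYPE + QCLASS
    for _ in range(an + ns + ar):
        off = _skip_name(data, off)
        if off + 10 > len(data):
            raise ValueError("truncated record")
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", data[off:off + 10])
        off += 10 + rdlen
        if rtype == OPT_TYPE:
            info["edns_bufsize"] = rclass            # advertised UDP payload size
            info["do"] = bool(ttl & DO_FLAG)
    return info


def send_udp(server, packet, timeout=3.0):
    """Send one UDP query and return the raw reply, or None on timeout (needs network)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(packet, (server, 53))
        try:
            return s.recvfrom(4096)[0]
        except socket.timeout:
            return None


def diagnose(plain_reply, edns_reply):
    """Classify the plain-vs-EDNS pair; either argument is None on timeout."""
    if plain_reply is None:
        return "no_reply"
    if edns_reply is None:
        return "edns_blocked"
    info = parse_response(edns_reply)
    if info["tc"]:
        return "truncated"
    if info["edns_bufsize"] is None:
        return "opt_stripped"
    return "ok"


if __name__ == "__main__":
    # usage: python edns_check.py vwall4a.nyc.gov b.gov-servers.net
    qname, server = sys.argv[1], socket.gethostbyname(sys.argv[2])
    plain = send_udp(server, build_query(qname))
    edns = send_udp(server, build_query(qname, edns_bufsize=4096, dnssec_ok=True))
    code = diagnose(plain, edns)
    print(code, "-", MESSAGES[code])
    if edns:
        print("EDNS reply:", parse_response(edns))
```

Run against the pair from the thread and a result of `edns_blocked` is the firewall case Mark describes: the server answers the 512-byte-style query and the DNSSEC query never arrives. The `parse_response` dictionary also shows the `udp:` value that dig prints in its OPT PSEUDOSECTION, which is the CLASS field of the OPT record rather than a real class.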
