Named issue

Sudharanjan Patnaik SP00482735 at TechMahindra.com
Thu Feb 9 10:28:16 UTC 2017


From: bind-users [mailto:bind-users-bounces at lists.isc.org] On Behalf Of bind-users-request at lists.isc.org
Sent: Thursday, February 09, 2017 3:06 PM
To: bind-users at lists.isc.org
Subject: bind-users Digest, Vol 2599, Issue 3


Today's Topics:

   1. Re: NAMED issue (Johannes Kastl)
   2. Re: domain-unable-resolve (Mark Andrews)
   3. Re: domain-unable-resolve (Reindl Harald)
   4. RE: domain-unable-resolve (Ejaz)


----------------------------------------------------------------------

Message: 1
Date: Thu, 9 Feb 2017 09:32:02 +0100
From: Johannes Kastl <mail at ojkastl.de>
To: bind-users at lists.isc.org
Subject: Re: NAMED issue
Message-ID: <9db26aa7-acc0-2edd-ab83-28225d6518a0 at ojkastl.de>
Content-Type: text/plain; charset="iso-8859-1"

On 09.02.17 09:24 Sudharanjan Patnaik wrote:

> Issue: The named process is getting hung or stopped at least once a 
> day on each of these Replicas. This is happening since more than 1 
> year. Meanwhile, many vulnerability patch versions upgraded and 
> currently running with the latest BIND 9.9.9.P5. Temporary Fix: A 
> script is running to check and restart the named process if stopped or 
> hung.

Without logs it might be very hard to help you...

Johannes

Hi Johannes,
Thanks for your response.
Please let me know what logs you need.

Sudharanjan


------------------------------

Message: 2
Date: Thu, 09 Feb 2017 20:00:17 +1100
From: Mark Andrews <marka at isc.org>
To: "Ejaz" <mejaz at cyberia.net.sa>
Cc: prxjedadmin01 at abudawood.com, "'bind-users'" <bind-users at isc.org>
Subject: Re: domain-unable-resolve
Message-ID: <20170209090017.19C1C6362DC5 at rock.dv.isc.org>


In message <9adb101d282a6$ac1699b0$0443cd10$@cyberia.net.sa>, "Ejaz" writes:
> 
> Hello,
> 
> Time to time we are having problem in resolving some domains, one of 
> them is "abudawood.com" we unable to resolve through our DNS servers 
> of "ns10.cyberia.net.sa" where I  have latest bind version and all, 
> what could be the issue and what is the best way to trouble shoot.

The nameservers for abudawood.com are broken.

ns1.abudawood.com incorrectly returns FORMERR to queries which contain a DNS COOKIE irrespective of the EDNS version field.  This behaviour is not compliant with either the initial EDNS specification or the revised EDNS specification.

ns2.abudawood.com appears to be an old Microsoft DNS server which fails to respond to EDNS queries after the first one.  Failure to respond consistently to DNS queries breaks recovery from packet loss.

Both these servers need to be replaced with ones that are RFC compliant.

EDNS Compliance Tester

Checking: 'abudawood.com.' as at 2017-02-09T08:37:05Z

abudawood.com. @212.118.102.2 (ns1.abudawood.com.): edns=ok edns1=ok edns@512=ok ednsopt=formerr,echoed,nosoa edns1opt=formerr,badversion,echoed do=ok ednsflags=ok docookie=formerr,nosoa,echoed edns@512tcp=ok optlist=formerr,nosoa,subnet

abudawood.com. @212.118.102.3 (ns2.abudawood.com.): edns=timeout edns1=timeout edns@512=timeout ednsopt=timeout edns1opt=timeout do=timeout ednsflags=timeout docookie=timeout edns@512tcp=status,noopt optlist=timeout

The Following Tests Failed

Warning: test failures may indicate that some DNS clients cannot resolve the zone or will get an unintended answer or resolution will be slower than necessary.

Warning: failure to address issues identified here may make future DNS extensions that you want to use ineffective. In particular echoing back unknown EDNS options and unknown EDNS flags will break future signaling between DNS client and DNS server. We already have examples of this where you cannot depend on the AD flag bit meaning anything in replies because too many DNS servers just echo it back. Similarly the EDNS Client Subnet (ECS) option cannot just be sent to everyone in part because of servers just echoing it back.

Plain EDNS (edns)

This is the style of the initial query that BIND 9.0.x sends.

dig +nocookie +norec +noad +edns=0 soa zone @server
expect: SOA
expect: NOERROR
expect: OPT record with version set to 0
expect: EDNS over IPv6
See RFC6891

EDNS - Unknown Version Handling (edns1)

dig +nocookie +norec +noad +edns=1 +noednsneg soa zone @server
expect: BADVERS
expect: OPT record with version set to 0
expect: not to see SOA
See RFC6891, 6.1.3. OPT Record TTL Field Use

EDNS - Truncated Response (edns@512)

dig +nocookie +norec +noad +dnssec +bufsize=512 +ignore dnskey zone @server
expect: NOERROR
expect: OPT record with version set to 0
expect: UDP DNS message size to be less than or equal to 512 bytes
See RFC6891, 7. Transport Considerations

EDNS - Unknown Option Handling (ednsopt)

dig +nocookie +norec +noad +ednsopt=100 soa zone @server
expect: SOA
expect: NOERROR
expect: OPT record with version set to 0
expect: that the option will not be present in response
See RFC6891, 6.1.2 Wire Format

EDNS - Unknown Version with Unknown Option Handling (edns1opt)

dig +nocookie +norec +noad +edns=1 +noednsneg +ednsopt=100 soa zone @server
expect: BADVERS
expect: OPT record with version set to 0
expect: not to see SOA
expect: that the option will not be present in response
See RFC6891

EDNS - DNSSEC (do)

This is the style of the initial query that BIND 9.1.0 - BIND 9.10.x sends.

dig +nocookie +norec +noad +dnssec soa zone @server
expect: SOA
expect: NOERROR
expect: OPT record with version set to 0
expect: DO flag in response if RRSIG is present in response
See RFC3225

EDNS - Unknown Flag Handling (ednsflags)

dig +nocookie +norec +noad +ednsflags=0x80 soa zone @server
expect: SOA
expect: NOERROR
expect: OPT record with version set to 0
expect: Z bits to be clear in response
See RFC6891, 6.1.4 Flags

EDNS - DNSSEC with DNS COOKIE Option (docookie)

This is the style of the initial query that BIND 9.11.0 and BIND 9.10.4 Windows onwards send.

dig +cookie +norec +noad +dnssec soa zone @server
expect: SOA
expect: NOERROR
expect: OPT record with version set to 0
expect: DO flag in response if RRSIG is present in response
See RFC3225, RFC6891, and RFC7873.

EDNS - over TCP Response (edns@512tcp)

dig +vc +nocookie +norec +noad +edns +dnssec +bufsize=512 dnskey zone @server
expect: NOERROR
expect: OPT record with version set to 0
See RFC5966 and RFC6891

EDNS - Supported Options Probe (optlist)

dig +edns +noad +norec +nsid +subnet=0.0.0.0/0 +expire +cookie -q zone @server
expect: NOERROR
expect: OPT record with version set to 0
See RFC6891

Codes

ok - test passed.
subnet - EDNS Client Subnet supported [RFC7871].
noopt - OPT record not found when expected.
nosoa - SOA record not found when expected.
echoed - EDNS option echoed back.
status - expected rcode status code not found.
formerr - rcode FORMERR returned.
badversion - expected EDNS version not found.
timeout - lookup timed out.
To retrieve this report in the future: https://ednscomp.isc.org/ednscomp/f60adf3942


--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka at isc.org
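
Added example (not part of Mark Andrews' message and not the ISC tester's own code): a Python parser for the two result lines in the report above that lists the failing tests per nameserver and maps them to the BIND initial-query styles the report names. The function names are hypothetical, and treating every code other than ok and subnet as a failure is this example's reading of the Codes list.

```python
import re

# Result lines from the report quoted in this thread.
NS1 = ("abudawood.com. @212.118.102.2 (ns1.abudawood.com.): edns=ok edns1=ok "
       "edns@512=ok ednsopt=formerr,echoed,nosoa edns1opt=formerr,badversion,echoed "
       "do=ok ednsflags=ok docookie=formerr,nosoa,echoed edns@512tcp=ok "
       "optlist=formerr,nosoa,subnet")
NS2 = ("abudawood.com. @212.118.102.3 (ns2.abudawood.com.): edns=timeout "
       "edns1=timeout edns@512=timeout ednsopt=timeout edns1opt=timeout do=timeout "
       "ednsflags=timeout docookie=timeout edns@512tcp=status,noopt optlist=timeout")

# Tests the report describes as the initial query style of specific BIND versions.
INITIAL_QUERY_STYLE = {
    "edns": "BIND 9.0.x",
    "do": "BIND 9.1.0 - BIND 9.10.x",
    "docookie": "BIND 9.11.0 and BIND 9.10.4 Windows onwards",
}
# Assumption of this example: "ok" and "subnet" are the only non-failure codes.
NON_FAILURE = {"ok", "subnet"}

LINE_RE = re.compile(r"^(\S+)\s+@(\S+)\s+\(([^)]+)\):\s+(.*)$")

def parse_result_line(line):
    """Split one tester line into zone, address, server name and per-test codes."""
    # Mail archives rewrite '@' as ' at '; restore it in test names like edns@512.
    line = re.sub(r"(\w) at (\d)", r"\1@\2", line.strip())
    m = LINE_RE.match(line)
    if m is None:
        raise ValueError("not an EDNS compliance result line")
    zone, addr, ns, rest = m.groups()
    results = {}
    for token in rest.split():
        if "=" not in token:      # trailing text that is not a test=codes pair
            break
        test, codes = token.split("=", 1)
        results[test] = codes.split(",")
    return {"zone": zone, "addr": addr, "ns": ns, "results": results}

def failed_tests(parsed):
    """Return {test: codes} for every test carrying at least one failure code."""
    return {t: c for t, c in parsed["results"].items() if set(c) - NON_FAILURE}

def affected_resolvers(parsed):
    """Map BIND versions to the failure codes their initial query style would hit."""
    bad = failed_tests(parsed)
    return {INITIAL_QUERY_STYLE[t]: bad[t] for t in INITIAL_QUERY_STYLE if t in bad}

if __name__ == "__main__":
    for line in (NS1, NS2):
        p = parse_result_line(line)
        print(p["ns"], "failed:", ", ".join(failed_tests(p)))
        for versions, codes in affected_resolvers(p).items():
            print("  initial query from", versions, "->", ",".join(codes))
```

For ns1 only the docookie style fails, while ns2 fails every initial-query style in the report.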


------------------------------

Message: 3
Date: Thu, 9 Feb 2017 10:19:36 +0100
From: Reindl Harald <h.reindl at thelounge.net>
To: bind-users at lists.isc.org
Subject: Re: domain-unable-resolve
Message-ID: <3fbbafdf-0d69-55da-203f-eb498a252bd5 at thelounge.net>
Content-Type: text/plain; charset=windows-1252; format=flowed



Am 09.02.2017 um 08:32 schrieb Ejaz:
> Time to time we are having problem in resolving some domains, one of
> them is  "*abudawood.com*" we unable to resolve through our DNS servers
> of "ns10.cyberia.net.sa" where I  have latest bind version and all, what
> could be the issue and what is the best way to trouble shoot.

well, that domain is maintained by incompetent admins and violates 
several rules - a single point of failure combined with a SOA expire of 
15 minutes - i better don't speak out what i think

https://intodns.com/abudawood.com

I could use the nameservers listed below to perform recursive queries. 
It may be that I am wrong but the chances of that are low. You should 
not have nameservers that allow recursive queries as this will allow 
almost anyone to use your nameservers and can cause problems. Problem 
record(s) are:
212.118.102.2

ERROR: One or more of your nameservers did not respond:
The ones that did not respond are:
212.118.102.3

WARNING: Not all of your nameservers are in different subnets

WARNING: Single point of failure

WARNING: Your SOA REFRESH interval is: 900. That is not so ok

Your SOA EXPIRE number is: 86400. That is NOT OK







------------------------------

Message: 4
Date: Thu, 9 Feb 2017 12:34:19 +0300
From: "Ejaz" <mejaz at cyberia.net.sa>
To: "'Abdul Khader'" <akhader at ies.etisalat.ae>,
	<bind-users at lists.isc.org>
Subject: RE: domain-unable-resolve
Message-ID: <9ae3101d282b7$b2633d80$1729b880$@cyberia.net.sa>
Content-Type: text/plain; charset="us-ascii"

Thank you all for the detailed explanation. I understood as sys admin, but
our client will be comparing with Google open DNS server.

No, I can't use his DNS server. From ns10.cyberia.net.sa, connection
timed out..

It is one of our VIP customers and complaining that if "I have problem in my
"name servers"  when we use open DNS server such as google and several
others, they don't have any issue to resolve their records.  Satisfying
customer has become tough.

Only they have problem to resolve the queries when they start using our DNS
ns10.cyberia.net.sa

Ejaz

 

From: bind-users [mailto:bind-users-bounces at lists.isc.org] On Behalf Of
Abdul Khader
Sent: Thursday, February 9, 2017 11:31 AM
To: bind-users at lists.isc.org
Subject: Re: domain-unable-resolve

 

Is your DNS server (ns10.cyberia.net.sa) able to connect to the NS servers of
abudawood.com?

 

On 2/9/2017 11:32 AM, Ejaz wrote:

 

Hello,

 

Time to time we are having problem in resolving some domains, one of them is
"abudawood.com" we unable to resolve through our DNS servers of
"ns10.cyberia.net.sa" where I  have latest bind version and all, what could
be the issue and what is the best way to trouble shoot.

 

 

My bind version

 

[root at ns10 ~]# named -v

BIND 9.11.0 <id:1477c19>

 

 

The below is the trace result; it reached their DNS server, but was not
able to get query results.

 

 

[root at ns10 ~]# dig ns SAMANet.gov.sa

\

; <<>> DiG 9.11.0 <<>> ns SAMANet.gov.sa

;; global options: +cmd

;; Got answer:

;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 31831

;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 3

 

;; OPT PSEUDOSECTION:

; EDNS: version: 0, flags:; udp: 4096

; COOKIE: b7510c2058b91a7d3bc824e8589c0f68772d7bfd43357c41 (good)

;; QUESTION SECTION:

;SAMANet.gov.sa.                        IN      NS

 

;; ANSWER SECTION:

SAMANet.gov.sa.         3587    IN      NS      ns2.bluvalt.sa.

SAMANet.gov.sa.         3587    IN      NS      ns1.bluvalt.sa.

 

;; ADDITIONAL SECTION:

ns1.bluvalt.sa.         23003   IN      A       46.49.128.130

ns2.bluvalt.sa.         23003   IN      A       46.49.140.146

 

;; Query time: 5 msec

;; SERVER: 212.119.64.2#53(212.119.64.2)

;; WHEN: Thu Feb 09 09:42:48 AST 2017

;; MSG SIZE  rcvd: 147

 

[root at ns10 ~]# dig ns sama.org.sa

 

; <<>> DiG 9.11.0 <<>> ns sama.org.sa

;; global options: +cmd

;; Got answer:

;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 11980

;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 3

 

;; OPT PSEUDOSECTION:

; EDNS: version: 0, flags:; udp: 4096

; COOKIE: 2bebca3cf5e2d6f3cad9e21b589c0f726413bf957d972607 (good)

;; QUESTION SECTION:

;sama.org.sa.                   IN      NS

 

;; ANSWER SECTION:

sama.org.sa.            3600    IN      NS      ns1.bluvalt.sa.

sama.org.sa.            3600    IN      NS      ns2.bluvalt.sa.

 

;; ADDITIONAL SECTION:

ns1.bluvalt.sa.         22993   IN      A       46.49.128.130

ns2.bluvalt.sa.         22993   IN      A       46.49.140.146

 

;; Query time: 9 msec

;; SERVER: 212.119.64.2#53(212.119.64.2)

;; WHEN: Thu Feb 09 09:42:58 AST 2017

;; MSG SIZE  rcvd: 144

 

[root at ns10 ~]# sama.org.sa.            3600    IN      NS
ns1.bluvalt.sa.

bash: sama.org.sa.: command not found...

[root at ns10 ~]# sama.org.sa.            3600    IN      NS
ns2.bluvalt.sa.sa                                             ma.org.sa.
3600    IN      NS      ns1.bluvalt.sa.

bash: sama.org.sa.: command not found...

[root at ns10 ~]# sama.org.sa.            3600    IN      NS
ns2.bluvalt.sa.^C

[root at ns10 ~]# named -v

BIND 9.11.0 <id:1477c19>

[root at ns10 ~]# vi /etc/named.conf

[root at ns10 ~]# dig abudawood.com +trace

 

; <<>> DiG 9.11.0 <<>> abudawood.com +trace

;; global options: +cmd

.                       106794  IN      NS      a.root-servers.net.

.                       106794  IN      NS      c.root-servers.net.

.                       106794  IN      NS      k.root-servers.net.

.                       106794  IN      NS      l.root-servers.net.

.                       106794  IN      NS      f.root-servers.net.

.                       106794  IN      NS      b.root-servers.net.

.                       106794  IN      NS      h.root-servers.net.

.                       106794  IN      NS      m.root-servers.net.

.                       106794  IN      NS      j.root-servers.net.

.                       106794  IN      NS      d.root-servers.net.

.                       106794  IN      NS      i.root-servers.net.

.                       106794  IN      NS      g.root-servers.net.

.                       106794  IN      NS      e.root-servers.net.

.                       107999  IN      RRSIG   NS 8 0 518400 20170222050000
201                                             70209040000 61045 .
TMv9X94Rxe6LPkPDaUB4KgOOP80SX5cNBXSawftLwIofkZWLDB1H9BUk EP8
P+7OobV6BxU/prHrNaReq4V7GY5GyOIBkvH7N6QqbrTpaYyAuWlWz
gdtF9DthsLfsKSqUMqB50NGBDR
V3erxuenHmX5f2VkLK/Dor3eUMdSBN
wwUN4NPPst9PaORSqmTzSIirRfm7oglOvjKMtIrTu4+cOofHs
XO0bi7j fXu+TT/+6SlFu2x3NXxOZStGSmeWOf6xmkIUNUShjP0HDFz0KxrxOYPj
Y8agXhxchni2js4
92pY6/oFeb4txcps6tk28WdSeYljCCUTsQ39tQTBO PjrnvA==

;; Received 1125 bytes from 212.119.64.2#53(212.119.64.2) in 0 ms

 

com.                    172800  IN      NS      l.gtld-servers.net.

com.                    172800  IN      NS      k.gtld-servers.net.

com.                    172800  IN      NS      h.gtld-servers.net.

com.                    172800  IN      NS      c.gtld-servers.net.

com.                    172800  IN      NS      j.gtld-servers.net.

com.                    172800  IN      NS      a.gtld-servers.net.

com.                    172800  IN      NS      d.gtld-servers.net.

com.                    172800  IN      NS      i.gtld-servers.net.

com.                    172800  IN      NS      f.gtld-servers.net.

com.                    172800  IN      NS      b.gtld-servers.net.

com.                    172800  IN      NS      g.gtld-servers.net.

com.                    172800  IN      NS      m.gtld-servers.net.

com.                    172800  IN      NS      e.gtld-servers.net.

com.                    86400   IN      DS      30909 8 2
E2D3C916F6DEEAC73294E8
268FB5885044A833FC5459588F4A9184CF C41A5766

com.                    86400   IN      RRSIG   DS 8 1 86400 20170222050000
2017                                             0209040000 61045 .
eGzt3EVcYZunW/znWV1jjFpc1UeFZBJOjlAiOHBCD+C8nlKS1pRROSfb atrO
ncICysdXdHedwIV+mhc/3HB6IEzjNcOjJffdX6N3dTEyf2YZmRpO
IekQlr7FWRr9jdsHZmnTyKuhhkc
26Wjd3H3opDdRwn0HvVN+8ny/QAHC
bB+o6piOgjnlNuXxBlLZjF40BrelYfBbPAoLQsdAVUPbvkrEd4
1s/qQk 41jJqJVJ7LzxgyjExhWPoisuFxlcyXQ5nDdPpGxO/IGF3+3RtaUMWGX9
uGuDTsNgk+JmH1nI
72CgQ2c3cVDRrr3DuqWXwMqThdVES1BpOVBHHmCW HrPR5g==

;; Received 865 bytes from 202.12.27.33#53(m.root-servers.net) in 308 ms

 

abudawood.com.          172800  IN      NS      ns1.abudawood.com.

abudawood.com.          172800  IN      NS      ns2.abudawood.com.

CK0POJMG874LJREF7EFN8430QVIT8BSM.com. 86400 IN NSEC3 1 1 0 -
CK0Q1GIN43N1ARRC9OS
M6QPQR81H5M9A  NS SOA RRSIG DNSKEY NSEC3PARAM

CK0POJMG874LJREF7EFN8430QVIT8BSM.com. 86400 IN RRSIG NSEC3 8 2 86400
20170214054                                             849 20170207043849
31697 com. rw5pqNm81QqDlCKMB00rpSdoEWHqen1FB/db/7LvS6qozh5wU9
ioVT1T 4NxbTyhK+H5liA9QkCMf2DFbfOqfkfv+hv2gFT3o52wCF+wL5dg+xlC8
BTlcHXfUBUF9Wy8w
QV7geGT3olYyeWJ7F7UfwA5CvR/EII1zRN0VA3ov 0iE=

QH38TLUV3A97CDLH37G57O72CR6PV2TH.com. 86400 IN NSEC3 1 1 0 -
QH3ADNNOO9Q6LEL6VRU
4M8PQU2I56IUP  NS DS RRSIG

QH38TLUV3A97CDLH37G57O72CR6PV2TH.com. 86400 IN RRSIG NSEC3 8 2 86400
20170215054                                             922 20170208043922
31697 com. k6FE6tYUXXZrZHrHZK/s1npMpvp/aj5o1o00Ght0jfnndM0bFK
roR7lh Fz6X0mJKHaAZw10oGT3LPDElABqywAgtbTKoa5usaOsc4g+2BhUXS+t3
E2s3CL9S1myP+DtQ
DRlNMfBpD2NoR4pcPTwlnbiF9VCScLNFWvla6LcV AeQ=

;; Received 595 bytes from 192.54.112.30#53(h.gtld-servers.net) in 138 ms

 

;; Received 70 bytes from 212.118.102.2#53(ns1.abudawood.com) in 18 ms

 

 

 

 

 

Thanks,

Mohammed Ejaz

Asst. Operation Director of Systems.

Cyberia SAUDI ARABIA

P.O.Box: 301079, Riyadh 11372

Phone:  (+966) 11 464 7114 Ext. 140

Mobile:  (+966) 562311787

Fax:      (+966) 11 465 4735

Website: http://www.cyberia.net.sa

 






_______________________________________________
Please visit https://lists.isc.org/mailman/listinfo/bind-users to
unsubscribe from this list
 
bind-users mailing list
bind-users at lists.isc.org <mailto:bind-users at lists.isc.org> 
https://lists.isc.org/mailman/listinfo/bind-users

 


------------------------------

End of bind-users Digest, Vol 2599, Issue 3
*******************************************


