Bind 9.11 serving up false answers for a single domain.

Mark Andrews marka at isc.org
Wed Feb 10 05:09:38 UTC 2021 

Run ‘dig +trace +all internet-dns1.state.ma.us’ which will show you the glue
records then try ‘dig +dnssec +norec internet-dns1.state.ma.us @<address>’ for
all the addresses in the glue records.

e.g.
	dig +dnssec +norec internet-dns1.state.ma.us @146.243.122.17

Mark

> On 10 Feb 2021, at 14:50, sami's strat <sami.strat at gmail.com> wrote:
> 
> Thanks Mark.
> 
> However, the traceroute to the hostnamed failed for the same reason.  Please note:
> 
> [root at myhost data]# dig internet-dns1.state.ma.us
>  
> ; <<>> DiG 9.11.4-P2-RedHat-9.11.4-9.P2.el7 <<>> internet-dns1.state.ma.us
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 61641
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
>  
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags:; udp: 4096
> ;; QUESTION SECTION:
> ;internet-dns1.state.ma.us.     IN      A
>  
> ;; Query time: 1263 msec
> ;; SERVER: 192.168.33.12#53(192.168.33.12)
> ;; WHEN: Tue Feb 09 22:34:15 EST 2021
> ;; MSG SIZE  rcvd: 54
>  
> [root at myhost data]# dig internet-dns1.state.ma.us +trace
>  
> ; <<>> DiG 9.11.4-P2-RedHat-9.11.4-9.P2.el7 <<>> internet-dns1.state.ma.us +trace
> ;; global options: +cmd
> .                       516485  IN      NS      c.root-servers.net.
> .                       516485  IN      NS      e.root-servers.net.
> .                       516485  IN      NS      f.root-servers.net.
> .                       516485  IN      NS      l.root-servers.net.
> .                       516485  IN      NS      m.root-servers.net.
> .                       516485  IN      NS      d.root-servers.net.
> .                       516485  IN      NS      g.root-servers.net.
> .                       516485  IN      NS      k.root-servers.net.
> .                       516485  IN      NS      b.root-servers.net.
> .                       516485  IN      NS      h.root-servers.net.
> .                       516485  IN      NS      a.root-servers.net.
> .                       516485  IN      NS      i.root-servers.net.
> .                       516485  IN      NS      j.root-servers.net.
> .                       516485  IN      RRSIG   NS 8 0 518400 20210222230000 20210209220000 42351 . QCzDH8eHlHVbx4SxIIwk8xnk6ky/q+zRh8KAUfI98lqHcIP4NLxzCe6f mC2sNX1VcthEy6Lwnobm8OyJCRpNEHedYrS01aMhAVzUfM+/PJ9MWn0w SkmXxyZMJZXF/kl4GDNX0x/GW3+DkeTeZI9+B540Yvj47qJv2bD9nIQG NtE7bDze7bgMJkIuBlEzPfwp7YW5ud8qdC6HdUoEMqygwZcWAiQu8gpb q21z8W5hcdci1OouDFytNWrXAvfSsuR635+GzSj+RZjYo+447uP7lKsK N5aeVQ/BPh5jM32xVO+zwyp7v9Nky1vSP/BchMQ/3cqg3Ee7zobl8OQd CSd/SA==
> ;; Received 1097 bytes from 192.168.33.12#53(192.168.33.12) in 0 ms
>  
> us.                     172800  IN      NS      a.cctld.us.
> us.                     172800  IN      NS      b.cctld.us.
> us.                     172800  IN      NS      c.cctld.us.
> us.                     172800  IN      NS      e.cctld.us.
> us.                     172800  IN      NS      f.cctld.us.
> us.                     172800  IN      NS      k.cctld.us.
> us.                     86400   IN      DS      21364 8 1 260D0461242BCF8F05473A08B05ED01E6FA59B9C
> us.                     86400   IN      DS      21364 8 2 B499CFA7B54D25FDE1E6FE93076FB013DAA664DA1F26585324740A1E 6EBDAB26
> us.                     86400   IN      RRSIG   DS 8 1 86400 20210222230000 20210209220000 42351 . rujvGB0s2bsqzBuzRliH6QK9vH84ETZV7gZMEhJyzMFofWhj9ZZaNWE/ VvdA9rC16IOEocvARv2rOqk7G3KTzdkHHZcwcZSQyVqsOIaIywGFuEgd viSXF6+M5MocUgEMp5dtt6SBLHG+lE/FV/3HylKSHsxdO/F6PeWKgcBZ D4lZQ6w5asmlbdKJKMhlWPp6UaxBE7ACaxndBQixoNqXQuPrXpXi1Fnj ntFtTfn57hMyrdTojIJ8X7/HKjCrbm3CL/WJ+VZR051OGCdZVjpUaDXR x7G9lDhu3K5clar9PGYyUJM7+RBKzrQJep7HrjL2nZdoTyfY4i33S+EZ sTlTOA==
> ;; Received 707 bytes from 199.7.91.13#53(d.root-servers.net) in 4 ms
>  
> state.ma.us.            7200    IN      NS      internet-dns3.state.ma.us.
> state.ma.us.            7200    IN      NS      internet-dns1.state.ma.us.
> state.ma.us.            7200    IN      NS      internet-dns2.state.ma.us.
> state.ma.us.            3600    IN      DS      47628 7 2 5379F9F747214E5A63416775396BCFF98FA4867AE66E09BCBEBE0DCC 1682C369
> state.ma.us.            3600    IN      DS      41388 7 1 36D899932AF794EADD671161515E48FE829BB7FE
> state.ma.us.            3600    IN      DS      41388 7 2 BBAB433D3853571F42516E70659AF1F85FA4FBA0FDFCEAD4D092592A 00C78769
> state.ma.us.            3600    IN      DS      47628 7 1 485E0EE2F7C08FCE51D1E284321242930274833A
> state.ma.us.            3600    IN      RRSIG   DS 8 3 3600 20210307200856 20210205191212 53985 us. O8KqBHzlZsDqrZi0NQO4JEiN0b8j04/Lb8W2uVz5PyrAat1VgZKQ3Ws6 6PNtbZDMv6YX6QA8fWFLxNmeJ1/4L3wLu8EKYXaThA9Zxll7mKFj1iPf nqiVq5hOo8Ul3inmfM/tjCQ21IHc/v0JZygZNd/h0SxXWlQXi+W3G9LN +4z/qxtl9dGD1ka54Ln3MAVxB1Tp4pt0ri4qPLmfGKf/HA==
> couldn't get address for 'internet-dns3.state.ma.us': not found
> couldn't get address for 'internet-dns1.state.ma.us': not found
> couldn't get address for 'internet-dns2.state.ma.us': not found
> dig: couldn't get address for 'internet-dns3.state.ma.us': no more
> [root at myhost data]#
> 
> On Tue, Feb 9, 2021 at 10:10 PM Mark Andrews <marka at isc.org> wrote:
> Well you could try tracing the addresses of the nameservers for which
> there where errors reported.  It could be as simple as a routing issue
> between you and these servers.
> 
> > On 10 Feb 2021, at 13:25, sami's strat <sami.strat at gmail.com> wrote:
> > 
> > couldn't get address for 'internet-dns1.state.ma.us': not found
> > couldn't get address for 'internet-dns3.state.ma.us': not found
> > couldn't get address for 'internet-dns2.state.ma.us': not found
> > dig: couldn't get address for 'internet-dns1.state.ma.us': no more
> 
> Yet, I do this on my personal computer at home, and it works without an issue.
> 
> Any other thoughts?  TIA 

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742              INTERNET: marka at isc.org

More information about the bind-users mailing list