On May 25, 2010, at 6:42 PM, Mark Andrews wrote:
In message <20100525202455.06f0b40...@britaine.cis.anl.gov>, b19...@anl.gov writes:
One of our networking personnel is trying to access ftp.cisco.com
and is unable to do so from Argonne. He has no problem from home
(Comcast). The Comcast DNS servers are
68.87.72.134
68.87.77.134
and report that they are running "Nominum Vantio 4.2.1.0" (about which
I know very little).
My DNS servers are running BIND 9.7.0-P1. I did some DNS queries here
and I have made comments after each DNS query.
Are my comments and suppositions correct?
===============================================================
dnsserver% dig ftp.cisco.com
; <<>> DiG 9.7.0-P1 <<>> ftp.cisco.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 61726
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;ftp.cisco.com. IN A
;; Query time: 177 msec
;; SERVER: 146.139.254.5#53(146.139.254.5)
;; WHEN: Tue May 18 11:01:45 2010
;; MSG SIZE rcvd: 31
dnsserver%
Note the SERVFAIL response. BIND detects that something is wrong.
===============================================================
dnsserver% dig cisco.com ns
; <<>> DiG 9.7.0-P1 <<>> cisco.com ns
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 52864
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 2
;; QUESTION SECTION:
;cisco.com. IN NS
;; ANSWER SECTION:
cisco.com. 38065 IN NS ns1.cisco.com.
cisco.com. 38065 IN NS ns2.cisco.com.
;; ADDITIONAL SECTION:
ns1.cisco.com. 2668 IN A 128.107.241.185
ns2.cisco.com. 2831 IN A 64.102.255.44
;; Query time: 1 msec
;; SERVER: 146.139.254.5#53(146.139.254.5)
;; WHEN: Tue May 18 14:08:01 2010
;; MSG SIZE rcvd: 95
dnsserver%
There are two authoritative name servers for cisco.com .
===============================================================
dnsserver% dig ftp.cisco.com @ns1.cisco.com.
; <<>> DiG 9.7.0-P1 <<>> ftp.cisco.com @ns1.cisco.com.
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 33283
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 2
;; QUESTION SECTION:
;ftp.cisco.com. IN A
;; ANSWER SECTION:
ftp.cisco.com. 60 IN A 198.133.219.241
;; AUTHORITY SECTION:
ftp.cisco.com. 86400 IN NS rtp5-ddir-ns.cisco.com.
ftp.cisco.com. 86400 IN NS sjce-ddir-ns.cisco.com.
;; ADDITIONAL SECTION:
rtp5-ddir-ns.cisco.com. 86400 IN A 64.102.255.39
sjce-ddir-ns.cisco.com. 86400 IN A 128.107.240.86
;; Query time: 60 msec
;; SERVER: 128.107.241.185#53(128.107.241.185)
;; WHEN: Tue May 18 14:08:21 2010
;; MSG SIZE rcvd: 133
dnsserver%
If you make a nonrecursive query you will get the referral.
; <<>> DiG 9.3.6-P1 <<>> ftp.cisco.com @ns1.cisco.com +norec
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 25199
;; flags: qr ra; QUERY: 1, ANSWER: 0, AUTHORITY: 2, ADDITIONAL: 2
;; QUESTION SECTION:
;ftp.cisco.com. IN A
;; AUTHORITY SECTION:
ftp.cisco.com. 86400 IN NS sjce-ddir-ns.cisco.com.
ftp.cisco.com. 86400 IN NS rtp5-ddir-ns.cisco.com.
;; ADDITIONAL SECTION:
rtp5-ddir-ns.cisco.com. 86400 IN A 64.102.255.39
sjce-ddir-ns.cisco.com. 86400 IN A 128.107.240.86
;; Query time: 347 msec
;; SERVER: 128.107.241.185#53(128.107.241.185)
;; WHEN: Wed May 26 08:30:20 2010
;; MSG SIZE rcvd: 117
The actual cause of the SERVFAIL is further down where the load
balancer does not set AA on the response. Note it also set "RD"
despite RD not being set on the query.
So, the question of the day is: do you think that it took actual work
to mess things up like this, or was it just "luck"?
I have visions of a bunch of disgruntled GLB developers sitting in a
pub and trying to come up with the most unusual set of responses for
any given query...
W
; <<>> DiG 9.3.6-P1 <<>> ftp.cisco.com @sjce-ddir-ns.cisco.com +norec
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 45540
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;ftp.cisco.com. IN A
;; ANSWER SECTION:
ftp.cisco.com. 60 IN A 198.133.219.241
;; Query time: 181 msec
;; SERVER: 128.107.240.86#53(128.107.240.86)
;; WHEN: Wed May 26 08:31:39 2010
;; MSG SIZE rcvd: 47
Also AAAA queries end up in self referrals.
; <<>> DiG 9.3.6-P1 <<>> ftp.cisco.com @sjce-ddir-ns.cisco.com +norec aaaa
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 46026
;; flags: qr ra; QUERY: 1, ANSWER: 0, AUTHORITY: 2, ADDITIONAL: 2
;; QUESTION SECTION:
;ftp.cisco.com. IN AAAA
;; AUTHORITY SECTION:
ftp.cisco.com. 86400 IN NS sjce-ddir-ns.cisco.com.
ftp.cisco.com. 86400 IN NS rtp5-ddir-ns.cisco.com.
;; ADDITIONAL SECTION:
rtp5-ddir-ns.cisco.com. 86400 IN A 64.102.255.39
sjce-ddir-ns.cisco.com. 86400 IN A 128.107.240.86
;; Query time: 176 msec
;; SERVER: 128.107.240.86#53(128.107.240.86)
;; WHEN: Wed May 26 08:41:32 2010
;; MSG SIZE rcvd: 117
This response (from one of the two name servers) has problems.
1) There is an answer, but without the "aa" (authoritative answer)
flag, the response appears to be coming from the cache.
2) The authority section lists the two nameservers that are
authoritative for the zone ftp.cisco.com.
3) I am not a DNS expert, but with "ra" (recursion available) and
"rd" (recursion desired) both set, I would expect my query to
recurse to a name server that will return an authoritative answer.
Or, since I sent the request to a specific name server, that
server would return no answers but a referral to the authoritative
name servers.
===============================================================
dnsserver% dig ftp.cisco.com @rtp5-ddir-ns.cisco.com.
; <<>> DiG 9.7.0-P1 <<>> ftp.cisco.com @rtp5-ddir-ns.cisco.com.
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 13745
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;ftp.cisco.com. IN A
;; ANSWER SECTION:
ftp.cisco.com. 60 IN A 198.133.219.241
;; Query time: 288 msec
;; SERVER: 64.102.255.39#53(64.102.255.39)
;; WHEN: Tue May 18 14:08:46 2010
;; MSG SIZE rcvd: 47
dnsserver%
dnsserver% dig ftp.cisco.com @sjce-ddir-ns.cisco.com.
; <<>> DiG 9.7.0-P1 <<>> ftp.cisco.com @sjce-ddir-ns.cisco.com.
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 3781
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;ftp.cisco.com. IN A
;; ANSWER SECTION:
ftp.cisco.com. 60 IN A 198.133.219.241
;; Query time: 219 msec
;; SERVER: 128.107.240.86#53(128.107.240.86)
;; WHEN: Tue May 18 14:09:12 2010
;; MSG SIZE rcvd: 47
dnsserver%
Here I queried both supposedly authoritative name servers, and
from each I get a non-authoritative answer. When I did the same
query yesterday afternoon, neither of these two name servers was
accessible.
I assume that with BIND 9.7.0-P1, if the response is not
authoritative, then BIND will not trust the answer.
===============================================================
----------------------------------------------------------------------
Barry S. Finkel
Computing and Information Systems Division
Argonne National Laboratory Phone: +1 (630) 252-7277
9700 South Cass Avenue Facsimile:+1 (630) 252-4601
Building 240, Room 5.B.8 Internet: bsfin...@anl.gov
Argonne, IL 60439-4828 IBMMAIL: I1004994
_______________________________________________
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org
Life is a concentration camp. You're stuck here and there's no way
out and you can only rage impotently against your persecutors.
-- Woody Allen
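Added example, not part of the thread and not BIND or ISC code: a small Python script that parses raw DNS responses and applies, as checks, the points Mark and Barry make above (an answer without AA looks cached rather than authoritative; RD echoed back although the query had RD clear; a server that "delegates" the queried name to itself). The packets it audits are constructed by hand to mirror the quoted dig output (ns1.cisco.com's referral, the ddir load balancer's AA-less A answer, the AAAA self-referral), using the names, addresses and TTLs shown there; they are not captured traffic, and every function name and the SAMPLES table are this example's own.

```python
# Added example (not from the bind-users thread or from BIND): parse raw DNS
# responses and flag the anomalies the thread describes. Packets below are
# constructed to mirror the quoted dig output; they are not captured traffic.
import struct

QR, AA, RD, RA = 0x8000, 0x0400, 0x0100, 0x0080   # header flag bits
A, NS, AAAA = 1, 2, 28                              # RR types used here


def encode_name(name):
    """Wire-encode a dotted name; bytes pass through so a caller can hand in a
    compression pointer such as b'\\xc0\\x0c' (pointer to offset 12)."""
    if isinstance(name, bytes):
        return name
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(x)]) + x.encode("ascii") for x in labels) + b"\x00"


def decode_name(msg, off):
    """Decode a possibly compressed name at msg[off]; return (name, next_off)."""
    labels, end = [], None
    while msg[off]:
        if msg[off] & 0xC0 == 0xC0:                # compression pointer
            end = off + 2 if end is None else end
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        labels.append(msg[off + 1:off + 1 + msg[off]].decode("ascii"))
        off += 1 + msg[off]
    return ".".join(labels) + ".", (end if end is not None else off + 1)


def build_response(ident, flags, qname, qtype, answer=(), authority=(), additional=()):
    """Assemble a one-question response from (owner, type, ttl, rdata) tuples."""
    msg = struct.pack("!HHHHHH", ident, flags, 1, len(answer), len(authority), len(additional))
    msg += encode_name(qname) + struct.pack("!HH", qtype, 1)
    for owner, rtype, ttl, rdata in (*answer, *authority, *additional):
        rd = bytes(int(o) for o in rdata.split(".")) if rtype == A else encode_name(rdata)
        msg += encode_name(owner) + struct.pack("!HHIH", rtype, 1, ttl, len(rd)) + rd
    return msg


def parse_response(msg):
    """Parse the header flags, the question and the three RR sections."""
    ident, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off, question = 12, []
    for _ in range(qd):
        name, off = decode_name(msg, off)
        question.append((name, struct.unpack("!H", msg[off:off + 2])[0]))
        off += 4                                   # qtype + qclass
    resp = {"id": ident, "aa": bool(flags & AA), "rd": bool(flags & RD),
            "ra": bool(flags & RA), "rcode": flags & 0xF, "question": question}
    for section, count in (("answer", an), ("authority", ns), ("additional", ar)):
        rrs = []
        for _ in range(count):
            owner, off = decode_name(msg, off)
            rtype, _cls, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
            off += 10
            rdata = msg[off:off + rdlen]           # raw unless a type we decode
            if rtype == NS:
                rdata = decode_name(msg, off)[0]
            elif rtype == A:
                rdata = ".".join(str(b) for b in rdata)
            off += rdlen
            rrs.append((owner, rtype, ttl, rdata))
        resp[section] = rrs
    return resp


def audit(resp, query_rd, server):
    """Findings that make a resolver distrust `resp` from `server`;
    `query_rd` says whether the query we sent had RD set."""
    findings = []
    qname = resp["question"][0][0]
    if resp["answer"] and not resp["aa"]:
        findings.append("answer without AA: looks cached, not authoritative")
    if resp["rd"] and not query_rd:
        findings.append("RD set in the response although the query had RD clear")
    delegation = [rr[3] for rr in resp["authority"] if rr[1] == NS and rr[0] == qname]
    if not resp["answer"] and server in delegation:
        findings.append("self-referral: %s delegates %s to itself" % (server, qname))
    return findings


# Constructed packets mirroring the thread's dig output (all queries sent +norec).
Q = "ftp.cisco.com."
DDIR = [(Q, NS, 86400, "sjce-ddir-ns.cisco.com."), (Q, NS, 86400, "rtp5-ddir-ns.cisco.com.")]
GLUE = [("rtp5-ddir-ns.cisco.com.", A, 86400, "64.102.255.39"),
        ("sjce-ddir-ns.cisco.com.", A, 86400, "128.107.240.86")]
SAMPLES = [  # (label, server queried, response bytes)
    ("parent referral", "ns1.cisco.com.",
     build_response(25199, QR | RA, Q, A, authority=DDIR, additional=GLUE)),
    ("load balancer A answer", "sjce-ddir-ns.cisco.com.",
     build_response(45540, QR | RD | RA, Q, A, answer=[(b"\xc0\x0c", A, 60, "198.133.219.241")])),
    ("load balancer AAAA", "sjce-ddir-ns.cisco.com.",
     build_response(46026, QR | RA, Q, AAAA, authority=DDIR, additional=GLUE)),
]


def run_audits():
    return {label: audit(parse_response(msg), False, server) for label, server, msg in SAMPLES}


if __name__ == "__main__":
    for label, findings in run_audits().items():
        print("%-24s %s" % (label, "; ".join(findings) or "ok"))
```

Run it stand-alone: the referral from ns1.cisco.com passes (it hands the name to other servers), the load balancer's A answer is flagged twice (no AA, RD echoed), and the AAAA query is flagged as a self-referral. The AA-less answer is the condition Mark identifies as the actual cause of the SERVFAIL; the script only reports the anomalies, it does not try to resolve the name itself.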