On Jan 17, 2013, at 9:04 AM, Daniele <d.imbrog...@gmail.com> wrote:

> I'm going crazy.
> 
> This is my named.conf
> 
> logging {
> 
>         channel default_logfile {
>                 file "/var/cache/bind/logs/default.log";
>                 severity info;
>                 print-category yes;
>                 print-severity yes;
>                 print-time yes;
>         };
> 
>         category default {
>                 default_logfile;
>         };
> 
>         category lame-servers {null;};
> };
> 
> options {
>         directory "/var/cache/bind";
> 
>         dnssec-validation auto;
> 
>         auth-nxdomain no;    # conform to RFC1035
>         listen-on-v6 { any; };
> };
> 
> and the default zones (not shown here).
> 
> This is the output of `dig +trace +nodnssec www.isc.org`
> ; <<>> DiG 9.8.1-P1 <<>> +trace +nodnssec www.isc.org
> ;; global options: +cmd
> .            3600000    IN    NS    M.ROOT-SERVERS.NET.
> .            3600000    IN    NS    K.ROOT-SERVERS.NET.
> .            3600000    IN    NS    G.ROOT-SERVERS.NET.
> .            3600000    IN    NS    L.ROOT-SERVERS.NET.
> .            3600000    IN    NS    B.ROOT-SERVERS.NET.
> .            3600000    IN    NS    E.ROOT-SERVERS.NET.
> .            3600000    IN    NS    A.ROOT-SERVERS.NET.
> .            3600000    IN    NS    F.ROOT-SERVERS.NET.
> .            3600000    IN    NS    J.ROOT-SERVERS.NET.
> .            3600000    IN    NS    H.ROOT-SERVERS.NET.
> .            3600000    IN    NS    C.ROOT-SERVERS.NET.
> .            3600000    IN    NS    I.ROOT-SERVERS.NET.
> .            3600000    IN    NS    D.ROOT-SERVERS.NET.
> dig: couldn't get address for 'M.ROOT-SERVERS.NET': not found
> 
> 
> During `dig` operations, using Wireshark I can see outgoing packets to port 
> 53 and incoming ones from port 53

What size is the return packet? Do you have anything in the path that might be 
helpfully trying to monkey with the replies? 
What do you get for just 'dig NS .' and 'dig NS org.'?

Does anything change if you do 'dig +nodnssec +noedns NS .' versus 'dig 
+nodnssec NS .'?

Including the comment bit from dig's output:

;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Thu Jan 17 09:18:57 2013
;; MSG SIZE  rcvd: 512

would help.

W


> 
> The default policy of my firewall, configured via `iptables`, is to accept 
> everything (I'm on VirtualBox); the only rule is to MASQUERADE outgoing 
> packets for NAT reasons (this box is the gateway of my private network).
> 
> What's wrong?
> 
> 2013/1/15 Chris Thompson <c...@cam.ac.uk>
> On Jan 14 2013, Shane Kerr wrote:
> 
> [...]
> 
> You may want to try:
> 
> dig +trace www.isc.org
> 
> [...]
> 
> The next step may be to try:
> 
> dig +trace +dnssec www.isc.org
> 
> Beware that if you have a dig(1) from BIND 9.9.x, +dnssec has become the
> default with +trace. In that case replace the first attempt with
> 
> dig +trace +nodnssec www.isc.org
> 
> -- 
> Chris Thompson
> Email: c...@cam.ac.uk
> 
> _______________________________________________
> Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
> from this list
> 
> bind-users mailing list
> bind-users@lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users

-- 
Militant Agnostic -- I don't know and you don't either...


