From here I see a fast response using the local server:

~~~~~
$ dig ic.fbi.gov

; <<>> DiG 9.7.6-P1 <<>> ic.fbi.gov
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 2421
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;ic.fbi.gov.                    IN      A

;; AUTHORITY SECTION:
fbi.gov.                600     IN      SOA     ns1.fbi.gov. dns-admin.fbi.gov. 2013071601 7200 3600 2592000 43200

;; Query time: 158 msec
~~~~~

No error, but no address. Using Google I get a servfail:

~~~~~
$ dig ic.fbi.gov @8.8.8.8

; <<>> DiG 9.7.6-P1 <<>> ic.fbi.gov @8.8.8.8
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 11426
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;ic.fbi.gov.                    IN      A

;; Query time: 102 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Wed Jul 17 18:54:41 2013
;; MSG SIZE  rcvd: 28
~~~~~

SERVFAIL, so something is unclear.

On 17/07/13 18:49, Ray Van Dolson wrote:
> Hello;
>
> Running BIND 9.8.2 in RHEL6 (at the latest vendor provided version --
> bind-9.8.2-0.17.rc1) and trying to troubleshoot an issue resolving
> ic.fbi.gov that seems to be DNSSEC related.
>
> Am fairly certain of this because if I set dnssec-enable and
> dnssec-validation to no (have them at 'yes' normally), resolution
> succeeds.
>
> If I run a dig @nameserver ic.fbi.gov from a client machine, dig just
> hangs for a bit then eventually times out. dig @nameserver fbi.gov
> works fine....
>
> On my BIND server, I see the following in a packet capture:
>
> 0.000000 1.1.1.1 -> 156.154.64.48 DNS Standard query A ic.fbi.gov
> 0.026504 156.154.64.48 -> 1.1.1.1 DNS Standard query response
> 0.026927 1.1.1.1 -> 156.154.69.48 DNS Standard query DS 7PLEGSLCCDFUBJ53UG8E19T9MH9HIP2B.fbi.gov
> 0.042998 156.154.69.48 -> 1.1.1.1 DNS Standard query response, No such name
> 0.043485 1.1.1.1 -> 156.154.67.48 DNS Standard query DS 97S2G907NEFOJ79P721E4FEQ9LR3IT1S.fbi.gov
> 0.048186 156.154.67.48 -> 1.1.1.1 DNS Standard query response, No such name
> 0.048595 1.1.1.1 -> 156.154.67.48 DNS Standard query DS 6VTIGSHGMAR334K0PFDJ5ODURDL6CUFP.fbi.gov
> 0.053765 156.154.67.48 -> 1.1.1.1 DNS Standard query response, No such name
> 30.043683 1.1.1.1 -> 156.154.65.48 DNS Standard query DS GON9PTIAV4KLS7E9NMHD9LG02RQD6K3I.fbi.gov
> 30.061169 156.154.65.48 -> 1.1.1.1 DNS Standard query response, No such name
>
> So it seems like the issue is related to the DS records queried not
> existing, but I've checked a few DNSSEC validation tools out there by
> plugging ic.fbi.gov in and things appear to check out. This could be
> firewall related on my side (we have Checkpoint firewalls), but other
> DNSSEC queries appear to be working OK.
>
> A dig @8.8.8.8 +dnssec ic.fbi.gov works OK as well also making me think
> the issue is somehow on my side....
>
> Am reading up on additional troubleshooting steps for DNSSEC, but still
> wrapping my head around concepts.
>
> Anyone have any tips as to where to start "digging" next based on what
> I'm seeing above?
>
> Thanks,
> Ray
> _______________________________________________
> Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe
> from this list
>
> bind-users mailing list
> bind-users@lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users

--
Best regards

Sten Carlsen

No improvements come from shouting:

"MALE BOVINE MANURE!!!"
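The two dig runs above differ only in the resolver asked, and neither tells you on its own whether the SERVFAIL is a DNSSEC validation failure or an upstream outage. The standard way to separate the two is to repeat the query with dig's `+cd` ("checking disabled") flag: if the same resolver answers with `+cd` but returns SERVFAIL without it, it received data and rejected it as bogus. The following POSIX shell helper is an added example, written for this thread and not taken from either mail or from BIND itself; it assumes `dig` is on the path, and the function names `parse_dig`, `dnssec_verdict` and `check_name` are mine. The sample dig reply embedded in the test is constructed from the header lines shown in the mail.

```shell
#!/bin/sh
# Added example: classify a resolver's behaviour for one name by comparing
# a normal (validating) query with a +cd (checking-disabled) query.

# Read a dig reply on stdin and print "RCODE ANSWERCOUNT", e.g. "NOERROR 0"
# (the NODATA-style reply from the local server above). If no ;; ->>HEADER<<-
# line is present, dig got no reply at all, so print "TIMEOUT -".
parse_dig() {
    awk '
        BEGIN { n = "-" }
        /->>HEADER<<-/ { sub(/.*status: /, ""); sub(/,.*/, ""); rcode = $0 }
        /ANSWER: [0-9]+/ {
            match($0, /ANSWER: [0-9]+/)
            n = substr($0, RSTART + 8, RLENGTH - 8)
        }
        END { if (rcode == "") print "TIMEOUT -"; else print rcode, n }
    '
}

# $1 = RCODE of the validating query, $2 = RCODE of the +cd query.
# SERVFAIL only when validation is on means the resolver rejected the
# data as bogus; SERVFAIL both ways points at the authoritative side or
# the path to it, which is where a firewall would show up.
dnssec_verdict() {
    plain=$1; cd=$2
    case "$plain/$cd" in
        NOERROR/*|NXDOMAIN/*)               echo "resolves" ;;
        SERVFAIL/NOERROR|SERVFAIL/NXDOMAIN) echo "validation-failure" ;;
        SERVFAIL/SERVFAIL)                  echo "upstream-failure" ;;
        TIMEOUT/*|SERVFAIL/TIMEOUT)         echo "timeout" ;;
        *)                                  echo "other" ;;
    esac
}

# Query one name through one resolver twice (validating, then +cd) and
# print both parsed results with the verdict. Needs network access.
check_name() {
    name=$1; server=$2
    plain=$(dig +time=3 +tries=1 "$name" "@$server" 2>/dev/null | parse_dig)
    cd=$(dig +time=3 +tries=1 +cd "$name" "@$server" 2>/dev/null | parse_dig)
    echo "$name via $server: validating=[$plain] cd=[$cd]" \
         "-> $(dnssec_verdict "${plain%% *}" "${cd%% *}")"
}

# Usage: sh check.sh ic.fbi.gov 8.8.8.8   (no arguments: define functions only)
if [ $# -ge 1 ]; then
    check_name "$1" "${2:-127.0.0.1}"
fi
```

Run it against the local BIND and against 8.8.8.8 for the same name; a "validation-failure" verdict on the local server while `+cd` returns the address is the case Ray describes, where turning `dnssec-validation` off makes resolution succeed. The "resolves" verdict with an answer count of 0, which is what the first dig above shows, is worth reporting separately, since NOERROR with no A record is a different condition from SERVFAIL and usually comes from a cached negative answer rather than from validation.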