In message <8297a803-1cf6-40bb-92c9-6f647ca63...@uci.edu>, Con Wieland writes: > Mark, > > It is a GM issue-) I appreciate any help but I have had numerous hosts > @noaa.gov reported one to choose from would be ftp.cpc.ncep.noaa.gov > > thanks for any help > con
>From this part of the world ftp.cpc.ncep.noaa.gov resolves fine and it validates as authentic data. You will however note from the dig +trace (add +dnssec to older versions of dig to get the DNSSEC records returned) that the final response is 2635 bytes which will not fit in a single Ethernet packet. This means the IP layer (v4 and v6) will be fragmenting the responses. If you have a firewall that is dropping fragmented packets this will mean that the nameserver will get timeouts rather than answers and will need to try fallback strategies to get the answers. Sometimes these take too long which results in SERVFAIL being returned to the client. There really is no need to block fragmented packets. Modern IP stacks cope. Really old IP stacks could consume lots of memory dealing with incomplete packets but that hasn't been a issue for decades. Mark ; <<>> DiG 9.10.0a1 <<>> +trace ftp.cpc.ncep.noaa.gov ;; global options: +cmd . 518400 IN NS l.root-servers.net. . 518400 IN NS g.root-servers.net. . 518400 IN NS h.root-servers.net. . 518400 IN NS e.root-servers.net. . 518400 IN NS j.root-servers.net. . 518400 IN NS f.root-servers.net. . 518400 IN NS i.root-servers.net. . 518400 IN NS c.root-servers.net. . 518400 IN NS a.root-servers.net. . 518400 IN NS b.root-servers.net. . 518400 IN NS k.root-servers.net. . 518400 IN NS m.root-servers.net. . 518400 IN NS d.root-servers.net. . 518400 IN RRSIG NS 8 0 518400 20131107000000 20131030230000 59085 . aCvNEdYy57xb1AobSiCzLakqRRMTm6/tRO0FAiO/s5slccgWhlplvow8 8PZo0jdHbU6gaKc3EbfzMvSN2sehN8YEVn1bqgzgbXtDn/UYtocQHjNr CYDMT0BAMgUKc5gUDl0eW7Pes78AEKddrh/aWZ4gV/c/PO1UCwclTCmW wkk= ;; Received 397 bytes from 127.0.0.1#53(127.0.0.1) in 2 ms gov. 172800 IN NS a.gov-servers.net. gov. 172800 IN NS b.gov-servers.net. gov. 86400 IN DS 7698 8 2 6BC949E638442EAD0BDAF0935763C8D003760384FF15EBBD5CE86BB5 559561F0 gov. 86400 IN DS 7698 8 1 6F109B46A80CEA9613DC86D5A3E065520505AAFE gov. 86400 IN RRSIG DS 8 1 86400 20131107000000 20131030230000 59085 . UA03FJLWwJMvxSdTCrmaqQG42qm9v/WX5Q+pHU3F1B4IV4Eo3l0+C0NU ppGccTLhbEISzUHLLQJsl8nXOSt1C4nFAlcm/zLu5ZHG7yR96qCB7PqY dbjQXpYxiRE5Gcvw2Gb8/GtdZRI9lJ+GQ0R9/fZolMXukgGE5hZVHm9i jzk= ;; Received 400 bytes from 192.33.4.12#53(c.root-servers.net) in 163 ms noaa.gov. 86400 IN NS ns-e.noaa.gov. noaa.gov. 86400 IN NS ns-mw.noaa.gov. noaa.gov. 86400 IN NS ns-nw.noaa.gov. noaa.gov. 3600 IN DS 31531 5 1 FEFD9EC572F204622204148665FD71C434BA84D5 noaa.gov. 3600 IN DS 31531 5 2 CEC7B9358E2BCCA57CCD5097760CFAFA5EBCDE7EE99377CFA71E836C 126EE8B1 noaa.gov. 3600 IN DS 36283 5 1 0173D13977FFDF12716E3A1225B1B0B639B8CB46 noaa.gov. 3600 IN DS 36283 5 2 80C0FF77866D4FAEC4F696D87D2C7C9652A0ACC3549706FAE38651C7 CDBC5312 noaa.gov. 3600 IN RRSIG DS 8 2 3600 20131107160020 20131031160020 46733 gov. AB4T1tm8ExzwiQP9TnbbzO+UdAt3ThgKNP7UKNc/foxzpxWnNP8zpcd2 SD3gl/n58mttNwGS4jVlI6/yoWWFE/c6aj8l4hS1rJa3PSoSmTTSL4wQ 8vMzZ5JG9pmisKDGaWI9pGbpd8SCTijsCL3R0QN2zu7Yx953wUmbJrFZ iQQ= ;; Received 572 bytes from 209.112.123.30#53(b.gov-servers.net) in 186 ms ftp.cpc.ncep.noaa.gov. 60 IN A 140.90.101.32 ftp.cpc.ncep.noaa.gov. 60 IN RRSIG A 5 5 60 20131107203052 20131031203052 42006 ncep.noaa.gov. YD+i1JMg/quwBmxq6in3xRn0nu8O6fbwyshvxLwKWeux5lh/FU74dAU/ ttqasLu4Rcu8kXxtzRZjG1HvAwjgnd8b12U59tz4B6m9fpfAvi5qR1Gd TIhfALeFu0u1dMcbEd0H/bKNxkmmkAD5zapf+iN21FGYHa++t1WIZkxu sK4B1JU08wBy1tfWq9MoMOfqNDTUS/19rOy++7PJNlboEkVhJ+gKuT+z ed4oOr0/393joWwm5saTmehOc/wDbEU+xcahhq1u2xHrProgu3tuR68X OzSPwE19goKG8It60j3jPtyiLwvh5alc7GoSrcLBm2OXTMm8QsHH629k XVl/cg== ncep.noaa.gov. 86400 IN NS ns-mw.noaa.gov. ncep.noaa.gov. 86400 IN NS ns-nw.noaa.gov. ncep.noaa.gov. 86400 IN NS ns-e.noaa.gov. ncep.noaa.gov. 86400 IN RRSIG NS 5 3 86400 20131107203052 20131031203052 42006 ncep.noaa.gov. poUREStH+jGSqFvEHjgzZbsj9pZfptDDN3XucpYzlEu+KmeghLGNI1pv VG4HEWAm9uvGHxtEdOgK0vYGaSf5a4P0VEzyIoRycM1wMA8Rc7wqt9fs jA/0ir8Ke0/p9iJLX2y0UDXrQo7aMFE97X8ImdMjGQsoJBL6sYXam54X 0Q8OMMCI5nJWgr7aDWOFC2K0m43CNajDx7fIusS/tc5e1gmuEqqmP4L7 8QxuN/lnqj2W+2/DplqpuSSKJlOD3ZIAQpv/O8N25mVxQfsdbbg/vGWN yFrrIMfIPrf4RviM2ZE8kIJPfoDu/TKjQZracyIHU9e6ycaQxxGDEXmY PfQgag== ;; Received 2635 bytes from 2610:20:8000:8c00::237#53(ns-e.noaa.gov) in 311 ms > On Oct 30, 2013, at 5:24 PM, Mark Andrews wrote: > > >=20 > > IF YOU WANT HELP SPECIFY THE FAILING DOMAIN NAME. YES I AM = > SHOUTING!!!! > >=20 > > This report is like saying you have a problem with a car manufacture = > by GM. > >=20 > > Mark > >=20 > > In message <a5e2f1ec-3cee-47c4-b244-12315c669...@uci.edu>, Con Wieland = > writes: > >> I recently upgraded to version: 9.8.6. I am having trouble resolving = > a .gov s > >> ite. When I reload the name server it will resolve fine for a while = > then afte > >> r an hour or two I will get a server fail. I can perform a dig +trace = > and res > >> olve but dig will fail. If I do an rndc reload it will work for some = > period o > >> f time again. I suspect negative caching but the site has a the ttl = > set to 6 > >> 0 so I would expect it to resolve again but it doesn't until a reload = > is pref > >> ormed, other sites seem to be effected but I don't know. This is a = > high visi > >> bility site. The only configuration change has been to add RPZ which = > seems to > >> be working fine.=20 > >>=20 > >> Other name servers seem to be unaffected. What am I missing? What = > else can I=20 > >> check? I can provide more details if it would be helpful. > >>=20 > >> Con Wieland > >> Office of Information Technology > >> University of California at Irvine > >> _______________________________________________ > >> Please visit https://lists.isc.org/mailman/listinfo/bind-users to = > unsubscribe > >> from this list > >>=20 > >> bind-users mailing list > >> bind-users@lists.isc.org > >> https://lists.isc.org/mailman/listinfo/bind-users > > --=20 > > Mark Andrews, ISC > > 1 Seymour St., Dundas Valley, NSW 2117, Australia > > PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org > -- Mark Andrews, ISC 1 Seymour St., Dundas Valley, NSW 2117, Australia PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org _______________________________________________ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users