In message <8297a803-1cf6-40bb-92c9-6f647ca63...@uci.edu>, Con Wieland writes:
> Mark,
>
> It is a GM issue-) I appreciate any help but I have had numerous hosts
> @noaa.gov reported one to choose from would be ftp.cpc.ncep.noaa.gov
>
> thanks for any help
> con

From this part of the world ftp.cpc.ncep.noaa.gov resolves fine and
it validates as authentic data.  You will however note from the
dig +trace (add +dnssec to older versions of dig to get the DNSSEC
records returned) that the final response is 2635 bytes which will
not fit in a single Ethernet packet.  This means the IP layer (v4
and v6) will be fragmenting the responses.

If you have a firewall that is dropping fragmented packets this
will mean that the nameserver will get timeouts rather than answers
and will need to try fallback strategies to get the answers.
Sometimes these take too long which results in SERVFAIL being
returned to the client.

There really is no need to block fragmented packets.  Modern IP
stacks cope.  Really old IP stacks could consume lots of memory
dealing with incomplete packets but that hasn't been an issue for
decades.

Mark

; <<>> DiG 9.10.0a1 <<>> +trace ftp.cpc.ncep.noaa.gov
;; global options: +cmd
.                       518400  IN      NS      l.root-servers.net.
.                       518400  IN      NS      g.root-servers.net.
.                       518400  IN      NS      h.root-servers.net.
.                       518400  IN      NS      e.root-servers.net.
.                       518400  IN      NS      j.root-servers.net.
.                       518400  IN      NS      f.root-servers.net.
.                       518400  IN      NS      i.root-servers.net.
.                       518400  IN      NS      c.root-servers.net.
.                       518400  IN      NS      a.root-servers.net.
.                       518400  IN      NS      b.root-servers.net.
.                       518400  IN      NS      k.root-servers.net.
.                       518400  IN      NS      m.root-servers.net.
.                       518400  IN      NS      d.root-servers.net.
.                       518400  IN      RRSIG   NS 8 0 518400 20131107000000 
20131030230000 59085 . aCvNEdYy57xb1AobSiCzLakqRRMTm6/tRO0FAiO/s5slccgWhlplvow8 
8PZo0jdHbU6gaKc3EbfzMvSN2sehN8YEVn1bqgzgbXtDn/UYtocQHjNr 
CYDMT0BAMgUKc5gUDl0eW7Pes78AEKddrh/aWZ4gV/c/PO1UCwclTCmW wkk=
;; Received 397 bytes from 127.0.0.1#53(127.0.0.1) in 2 ms

gov.                    172800  IN      NS      a.gov-servers.net.
gov.                    172800  IN      NS      b.gov-servers.net.
gov.                    86400   IN      DS      7698 8 2 
6BC949E638442EAD0BDAF0935763C8D003760384FF15EBBD5CE86BB5 559561F0
gov.                    86400   IN      DS      7698 8 1 
6F109B46A80CEA9613DC86D5A3E065520505AAFE
gov.                    86400   IN      RRSIG   DS 8 1 86400 20131107000000 
20131030230000 59085 . UA03FJLWwJMvxSdTCrmaqQG42qm9v/WX5Q+pHU3F1B4IV4Eo3l0+C0NU 
ppGccTLhbEISzUHLLQJsl8nXOSt1C4nFAlcm/zLu5ZHG7yR96qCB7PqY 
dbjQXpYxiRE5Gcvw2Gb8/GtdZRI9lJ+GQ0R9/fZolMXukgGE5hZVHm9i jzk=
;; Received 400 bytes from 192.33.4.12#53(c.root-servers.net) in 163 ms

noaa.gov.               86400   IN      NS      ns-e.noaa.gov.
noaa.gov.               86400   IN      NS      ns-mw.noaa.gov.
noaa.gov.               86400   IN      NS      ns-nw.noaa.gov.
noaa.gov.               3600    IN      DS      31531 5 1 
FEFD9EC572F204622204148665FD71C434BA84D5
noaa.gov.               3600    IN      DS      31531 5 2 
CEC7B9358E2BCCA57CCD5097760CFAFA5EBCDE7EE99377CFA71E836C 126EE8B1
noaa.gov.               3600    IN      DS      36283 5 1 
0173D13977FFDF12716E3A1225B1B0B639B8CB46
noaa.gov.               3600    IN      DS      36283 5 2 
80C0FF77866D4FAEC4F696D87D2C7C9652A0ACC3549706FAE38651C7 CDBC5312
noaa.gov.               3600    IN      RRSIG   DS 8 2 3600 20131107160020 
20131031160020 46733 gov. 
AB4T1tm8ExzwiQP9TnbbzO+UdAt3ThgKNP7UKNc/foxzpxWnNP8zpcd2 
SD3gl/n58mttNwGS4jVlI6/yoWWFE/c6aj8l4hS1rJa3PSoSmTTSL4wQ 
8vMzZ5JG9pmisKDGaWI9pGbpd8SCTijsCL3R0QN2zu7Yx953wUmbJrFZ iQQ=
;; Received 572 bytes from 209.112.123.30#53(b.gov-servers.net) in 186 ms

ftp.cpc.ncep.noaa.gov.  60      IN      A       140.90.101.32
ftp.cpc.ncep.noaa.gov.  60      IN      RRSIG   A 5 5 60 20131107203052 
20131031203052 42006 ncep.noaa.gov. 
YD+i1JMg/quwBmxq6in3xRn0nu8O6fbwyshvxLwKWeux5lh/FU74dAU/ 
ttqasLu4Rcu8kXxtzRZjG1HvAwjgnd8b12U59tz4B6m9fpfAvi5qR1Gd 
TIhfALeFu0u1dMcbEd0H/bKNxkmmkAD5zapf+iN21FGYHa++t1WIZkxu 
sK4B1JU08wBy1tfWq9MoMOfqNDTUS/19rOy++7PJNlboEkVhJ+gKuT+z 
ed4oOr0/393joWwm5saTmehOc/wDbEU+xcahhq1u2xHrProgu3tuR68X 
OzSPwE19goKG8It60j3jPtyiLwvh5alc7GoSrcLBm2OXTMm8QsHH629k XVl/cg==
ncep.noaa.gov.          86400   IN      NS      ns-mw.noaa.gov.
ncep.noaa.gov.          86400   IN      NS      ns-nw.noaa.gov.
ncep.noaa.gov.          86400   IN      NS      ns-e.noaa.gov.
ncep.noaa.gov.          86400   IN      RRSIG   NS 5 3 86400 20131107203052 
20131031203052 42006 ncep.noaa.gov. 
poUREStH+jGSqFvEHjgzZbsj9pZfptDDN3XucpYzlEu+KmeghLGNI1pv 
VG4HEWAm9uvGHxtEdOgK0vYGaSf5a4P0VEzyIoRycM1wMA8Rc7wqt9fs 
jA/0ir8Ke0/p9iJLX2y0UDXrQo7aMFE97X8ImdMjGQsoJBL6sYXam54X 
0Q8OMMCI5nJWgr7aDWOFC2K0m43CNajDx7fIusS/tc5e1gmuEqqmP4L7 
8QxuN/lnqj2W+2/DplqpuSSKJlOD3ZIAQpv/O8N25mVxQfsdbbg/vGWN 
yFrrIMfIPrf4RviM2ZE8kIJPfoDu/TKjQZracyIHU9e6ycaQxxGDEXmY PfQgag==
;; Received 2635 bytes from 2610:20:8000:8c00::237#53(ns-e.noaa.gov) in 311 ms

> On Oct 30, 2013, at 5:24 PM, Mark Andrews wrote:
>
> >
> > IF YOU WANT HELP SPECIFY THE FAILING DOMAIN NAME.  YES I AM SHOUTING!!!!
> >
> > This report is like saying you have a problem with a car manufactured by GM.
> >
> > Mark
> >
> > In message <a5e2f1ec-3cee-47c4-b244-12315c669...@uci.edu>, Con Wieland writes:
> >> I recently upgraded to version: 9.8.6. I am having trouble resolving a .gov
> >> site. When I reload the name server it will resolve fine for a while then
> >> after an hour or two I will get a server fail. I can perform a dig +trace and
> >> resolve but dig will fail. If I do an rndc reload it will work for some
> >> period of time again.  I suspect negative caching but the site has the ttl
> >> set to 60 so I would expect it to resolve again but it doesn't until a reload
> >> is performed, other sites seem to be affected but I don't know. This is a
> >> high visibility site. The only configuration change has been to add RPZ which
> >> seems to be working fine.
> >>
> >> Other name servers seem to be unaffected. What am I missing? What else can I
> >> check? I can provide more details if it would be helpful.
> >>
> >> Con Wieland
> >> Office of Information Technology
> >> University of California at Irvine
> >> _______________________________________________
> >> Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe
> >> from this list
> >>
> >> bind-users mailing list
> >> bind-users@lists.isc.org
> >> https://lists.isc.org/mailman/listinfo/bind-users
> > -- 
> > Mark Andrews, ISC
> > 1 Seymour St., Dundas Valley, NSW 2117, Australia
> > PHONE: +61 2 9871 4742                 INTERNET: ma...@isc.org
>
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: ma...@isc.org
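
Added example (not part of the original message or of BIND): a small Python check that reads the `;; Received N bytes from ...` lines of a `dig +trace` and reports which responses cannot fit in one packet, so a resolver operator can see which answers depend on IP fragments getting through the firewall. It assumes a 1500-byte Ethernet MTU, no IP options or extra IPv6 extension headers, and that dig's byte count is the DNS message size; the function names are illustrative.

```python
import ipaddress
import math
import re

# The four "Received" lines copied from the trace in this message.
SAMPLE_TRACE = """\
;; Received 397 bytes from 127.0.0.1#53(127.0.0.1) in 2 ms
;; Received 400 bytes from 192.33.4.12#53(c.root-servers.net) in 163 ms
;; Received 572 bytes from 209.112.123.30#53(b.gov-servers.net) in 186 ms
;; Received 2635 bytes from 2610:20:8000:8c00::237#53(ns-e.noaa.gov) in 311 ms
"""

RECEIVED = re.compile(r"^;; Received (\d+) bytes from (\S+?)#\d+\((\S+?)\)", re.M)
UDP_HEADER = 8


def fragments_needed(dns_bytes, ip_version, mtu=1500):
    """IP packets needed to carry one UDP DNS message (assumed: no IP options)."""
    ip_header = 20 if ip_version == 4 else 40
    datagram = UDP_HEADER + dns_bytes
    if datagram <= mtu - ip_header:
        return 1
    # IPv6 adds an 8-byte fragment header; fragment data is a multiple of 8.
    frag_header = 0 if ip_version == 4 else 8
    per_fragment = (mtu - ip_header - frag_header) // 8 * 8
    return math.ceil(datagram / per_fragment)


def oversized_responses(trace_text, mtu=1500):
    """Return (server, dns_bytes, ip_version, fragments) for responses that fragment."""
    hits = []
    for size, addr, server in RECEIVED.findall(trace_text):
        version = ipaddress.ip_address(addr).version
        count = fragments_needed(int(size), version, mtu)
        if count > 1:
            hits.append((server, int(size), version, count))
    return hits


if __name__ == "__main__":
    for server, size, version, count in oversized_responses(SAMPLE_TRACE):
        print(f"{server}: {size}-byte answer over IPv{version} needs {count} fragments")
```

Only the final answer from ns-e.noaa.gov is flagged; if the firewall in front of the resolver drops fragments, that is the response that never arrives.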