I added edns-udp-size 512; which solved the issue but after more reading it
seems like a better option would be to disable EDNS for the specific hosts
since we have had no luck working with them. Looking at the ARM I thought I
could add a server statement for each of the sites' name servers but I
apparently have a syntax error. It also seems that the edns-udp-size option
can be put in on a per-server basis but

server 140.90.33.237/0 { edns no };

This does not work. I have added this at the root config and in the options
section to no avail.

Con Wieland
Office of Information Technology
University of California at Irvine

On Nov 2, 2013, at 7:10 AM, Con Wieland <cwiel...@uci.edu> wrote:

> Hello,
>
> This solved our issue, how did you diagnose the issue? What did you find?
> What was the ultimate solution? What would the downside be to leaving the
> edns-udp-size setting set to 512?
>
> thanks for any help
> con
>
> On Oct 30, 2013, at 2:58 PM, "Samp, Daniel [USA]" <samp_dan...@bah.com> wrote:
>
>> In the past when I've had issues with certain .gov sites (e.g. noaa.gov,
>> nih.gov, ssa.gov) it was due to application based filtering (layer 4). For
>> some reason the responses from these sites are more often than not
>> fragmented and if you have something doing filtering based on ports it may
>> not be delivering the follow-up fragments because they do not have the tcp
>> headers. Do a tcpdump of your DNS traffic from noaa.gov and check to see if
>> responses are being fragmented and whether you are receiving all of the
>> fragments. We had to set edns-udp-size to 512 as a workaround until we
>> could identify the problematic piece of hardware.
>>
>> Since the only thing you changed was BIND versions, this may have nothing to
>> do with your issue, but I thought I'd throw it out there.
>>
>> -Dan
>>
>> ________________________________________
>> From: bind-users-bounces+samp_daniel=bah....@lists.isc.org
>> [bind-users-bounces+samp_daniel=bah....@lists.isc.org] on behalf of Con
>> Wieland [cwiel...@uci.edu]
>> Sent: Wednesday, October 30, 2013 5:28 PM
>> To: BIND List
>> Subject: [External] Re: intermittent resolution
>>
>> The sites I am having issues with are a half a dozen sites at noaa.gov. No, I
>> have not tried 9.9.4; when I upgraded, 9.8.6 was listed as the current stable
>> version so I went with that.
>>
>> con
>>
>> On Oct 30, 2013, at 11:48 AM, Alan Clegg <a...@clegg.com> wrote:
>>
>>>
>>> On Oct 30, 2013, at 10:03 AM, Con Wieland <cwiel...@uci.edu> wrote:
>>>
>>>> I recently upgraded to version: 9.8.6. I am having trouble resolving a
>>>> .gov site. When I reload the name server it will resolve fine for a while
>>>> then after an hour or two I will get a server fail. I can perform a dig
>>>> +trace and resolve but dig will fail. If I do an rndc reload it will work
>>>> for some period of time again. I suspect negative caching but the site
>>>> has the ttl set to 60 so I would expect it to resolve again but it
>>>> doesn't until a reload is performed, other sites seem to be affected but
>>>> I don't know. This is a high visibility site. The only configuration
>>>> change has been to add RPZ which seems to be working fine.
>>>>
>>>> Other name servers seem to be unaffected. What am I missing? What else can
>>>> I check? I can provide more details if it would be helpful.
>>>
>>> Can you tell us _what_ .gov site? Do you see the same problem with 9.9.4?
>>>
>>> AlanC
>>> --
>>> Alan Clegg | +1-919-355-8851 | a...@clegg.com
>>>
>>
>> _______________________________________________
>> Please visit https://lists.isc.org/mailman/listinfo/bind-users to
>> unsubscribe from this list
>>
>> bind-users mailing list
>> bind-users@lists.isc.org
>> https://lists.isc.org/mailman/listinfo/bind-users
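
The check suggested in the thread (are the DNS responses fragmented, and did every fragment arrive), as an added example that is not part of the original messages. It works on raw IPv4 packets such as those taken from a capture; the sample packets, the resolver address 192.0.2.53 and all function names are constructed for illustration.

```python
import struct
from collections import defaultdict

def ip_packet(src, dst, ident, offset, more, payload):
    """Build a bare IPv4/UDP packet for the constructed sample (checksum left 0)."""
    flags_off = (0x2000 if more else 0) | (offset // 8)
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), ident,
                       flags_off, 64, 17, 0, bytes(src), bytes(dst)) + payload

def udp(data):
    """UDP header with source port 53, as a DNS response would carry."""
    return struct.pack("!HHHH", 53, 40000, 8 + len(data), 0) + data

def dns_fragment_report(packets):
    """Map IP ID -> status for every fragmented UDP datagram sent from port 53."""
    groups = defaultdict(list)
    for pkt in packets:
        ihl = (pkt[0] & 0x0F) * 4
        total, ident, flags_off, _ttl, proto = struct.unpack("!HHHBB", pkt[2:10])
        if proto != 17:  # UDP only
            continue
        frag = ((flags_off & 0x1FFF) * 8, total - ihl, bool(flags_off & 0x2000), pkt[ihl:])
        groups[(pkt[12:16], pkt[16:20], ident)].append(frag)
    report = {}
    for (_src, _dst, ident), frags in groups.items():
        frags.sort(key=lambda f: f[0])
        if frags[0][0] != 0:
            report[ident] = "first fragment missing"  # ports unknown without it
            continue
        # Only the offset-0 fragment carries the UDP header, and so the ports.
        sport = struct.unpack("!H", frags[0][3][:2])[0]
        if sport != 53 or (len(frags) == 1 and not frags[0][2]):
            continue  # not a DNS response, or not fragmented at all
        expected, complete = 0, not frags[-1][2]  # last fragment must clear MF
        for offset, length, _more, _data in frags:
            complete = complete and offset == expected
            expected = offset + length
        report[ident] = "complete" if complete else "fragments missing"
    return report

# Constructed sample: server address from the thread, resolver address made up.
SRV, RES = (140, 90, 33, 237), (192, 0, 2, 53)
big = udp(b"\0" * 1672)  # 1680-byte datagram, split at 1480 as on a 1500-byte MTU
SAMPLE = [
    ip_packet(SRV, RES, 0x1111, 0, True, big[:1480]),
    ip_packet(SRV, RES, 0x1111, 1480, False, big[1480:]),
    ip_packet(SRV, RES, 0x2222, 0, True, big[:1480]),  # follow-up fragment never arrived
    ip_packet(SRV, RES, 0x3333, 0, False, udp(b"\0" * 100)),  # fits in one packet
]

if __name__ == "__main__":
    print(dns_fragment_report(SAMPLE))
```

A datagram reported as "fragments missing" on the resolver side of a filtering device, while the same IP ID is complete on the far side, points at that device dropping the follow-up fragments.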