From: bind-users [mailto:bind-users-boun...@lists.isc.org] On Behalf Of bind-users-requ...@lists.isc.org
Sent: Thursday, February 09, 2017 3:06 PM
To: bind-users@lists.isc.org
Subject: bind-users Digest, Vol 2599, Issue 3
Send bind-users mailing list submissions to
        bind-users@lists.isc.org

To subscribe or unsubscribe via the World Wide Web, visit
        https://lists.isc.org/mailman/listinfo/bind-users
or, via email, send a message with subject or body 'help' to
        bind-users-requ...@lists.isc.org

You can reach the person managing the list at
        bind-users-ow...@lists.isc.org

When replying, please edit your Subject line so it is more specific
than "Re: Contents of bind-users digest..."

Today's Topics:

   1. Re: NAMED issue (Johannes Kastl)
   2. Re: domain-unable-resolve (Mark Andrews)
   3. Re: domain-unable-resolve (Reindl Harald)
   4. RE: domain-unable-resolve (Ejaz)

----------------------------------------------------------------------

Message: 1
Date: Thu, 9 Feb 2017 09:32:02 +0100
From: Johannes Kastl <m...@ojkastl.de>
To: bind-users@lists.isc.org
Subject: Re: NAMED issue
Message-ID: <9db26aa7-acc0-2edd-ab83-28225d651...@ojkastl.de>
Content-Type: text/plain; charset="iso-8859-1"

On 09.02.17 09:24 Sudharanjan Patnaik wrote:

> Issue: The named process is getting hung or stopped at least once a
> day on each of these Replicas. This has been happening for more than 1
> year. Meanwhile, many vulnerability patch versions have been upgraded
> through, and we are currently running the latest BIND 9.9.9.P5.
> Temporary Fix: A script is running to check and restart the named
> process if it is stopped or hung.

Without logs it might be very hard to help you...

Johannes

Hi Johannes,

Thanks for your response. Please let me know what logs you need.

Sudharanjan

-------------- next part --------------
A non-text attachment was scrubbed...
------------------------------

Message: 2
Date: Thu, 09 Feb 2017 20:00:17 +1100
From: Mark Andrews <ma...@isc.org>
To: "Ejaz" <me...@cyberia.net.sa>
Cc: prxjedadmi...@abudawood.com, "'bind-users'" <bind-us...@isc.org>
Subject: Re: domain-unable-resolve
Message-ID: <20170209090017.19c1c6362...@rock.dv.isc.org>

In message <9adb101d282a6$ac1699b0$0443cd10$@cyberia.net.sa>, "Ejaz" writes:
>
> Hello,
>
> From time to time we have problems resolving some domains; one of
> them is "abudawood.com", which we are unable to resolve through our DNS
> server "ns10.cyberia.net.sa", where I have the latest BIND version and
> all. What could be the issue and what is the best way to troubleshoot?

The nameservers for abudawood.com are broken.

ns1.abudawood.com incorrectly returns FORMERR to queries which contain
a DNS COOKIE irrespective of the EDNS version field. This behaviour is
not compliant with either the initial EDNS specification or the revised
EDNS specification.

ns2.abudawood.com appears to be an old Microsoft DNS server which fails
to respond to EDNS queries after the first one. Failure to respond
consistently to DNS queries breaks recovery from packet loss.

Both these servers need to be replaced with ones that are RFC compliant.

EDNS Compliance Tester

Checking: 'abudawood.com.' as at 2017-02-09T08:37:05Z

abudawood.com. @212.118.102.2 (ns1.abudawood.com.): edns=ok edns1=ok edns@512=ok ednsopt=formerr,echoed,nosoa edns1opt=formerr,badversion,echoed do=ok ednsflags=ok docookie=formerr,nosoa,echoed edns@512tcp=ok optlist=formerr,nosoa,subnet
abudawood.com. @212.118.102.3 (ns2.abudawood.com.): edns=timeout edns1=timeout edns@512=timeout ednsopt=timeout edns1opt=timeout do=timeout ednsflags=timeout docookie=timeout edns@512tcp=status,noopt optlist=timeout

The Following Tests Failed

Warning: test failures may indicate that some DNS clients cannot
resolve the zone or will get an unintended answer or resolution will
be slower than necessary.

Warning: failure to address issues identified here may make future DNS
extensions that you want to use ineffective. In particular echoing back
unknown EDNS options and unknown EDNS flags will break future signaling
between DNS client and DNS server. We already have examples of this
where you cannot depend on the AD flag bit meaning anything in replies
because too many DNS servers just echo it back. Similarly the EDNS
Client Subnet (ECS) option cannot just be sent to everyone in part
because of servers just echoing it back.

Plain EDNS (edns)
    This is the style of the initial query that BIND 9.0.x sends.
    dig +nocookie +norec +noad +edns=0 soa zone @server
    expect: SOA
    expect: NOERROR
    expect: OPT record with version set to 0
    expect: EDNS over IPv6
    See RFC6891

EDNS - Unknown Version Handling (edns1)
    dig +nocookie +norec +noad +edns=1 +noednsneg soa zone @server
    expect: BADVERS
    expect: OPT record with version set to 0
    expect: not to see SOA
    See RFC6891, 6.1.3. OPT Record TTL Field Use

EDNS - Truncated Response (edns@512)
    dig +nocookie +norec +noad +dnssec +bufsize=512 +ignore dnskey zone @server
    expect: NOERROR
    expect: OPT record with version set to 0
    expect: UDP DNS message size to be less than or equal to 512 bytes
    See RFC6891, 7. Transport Considerations

EDNS - Unknown Option Handling (ednsopt)
    dig +nocookie +norec +noad +ednsopt=100 soa zone @server
    expect: SOA
    expect: NOERROR
    expect: OPT record with version set to 0
    expect: that the option will not be present in response
    See RFC6891, 6.1.2 Wire Format

EDNS - Unknown Version with Unknown Option Handling (edns1opt)
    dig +nocookie +norec +noad +edns=1 +noednsneg +ednsopt=100 soa zone @server
    expect: BADVERS
    expect: OPT record with version set to 0
    expect: not to see SOA
    expect: that the option will not be present in response
    See RFC6891

EDNS - DNSSEC (do)
    This is the style of the initial query that BIND 9.1.0 - BIND 9.10.x sends.
    dig +nocookie +norec +noad +dnssec soa zone @server
    expect: SOA
    expect: NOERROR
    expect: OPT record with version set to 0
    expect: DO flag in response if RRSIG is present in response
    See RFC3225

EDNS - Unknown Flag Handling (ednsflags)
    dig +nocookie +norec +noad +ednsflags=0x80 soa zone @server
    expect: SOA
    expect: NOERROR
    expect: OPT record with version set to 0
    expect: Z bits to be clear in response
    See RFC6891, 6.1.4 Flags

EDNS - DNSSEC with DNS COOKIE Option (docookie)
    This is the style of the initial query that BIND 9.11.0 and BIND 9.10.4 Windows onwards send.
    dig +cookie +norec +noad +dnssec soa zone @server
    expect: SOA
    expect: NOERROR
    expect: OPT record with version set to 0
    expect: DO flag in response if RRSIG is present in response
    See RFC3225, RFC6891, and RFC7873.

EDNS - over TCP Response (edns@512tcp)
    dig +vc +nocookie +norec +noad +edns +dnssec +bufsize=512 dnskey zone @server
    expect: NOERROR
    expect: OPT record with version set to 0
    See RFC5966 and See RFC6891

EDNS - Supported Options Probe (optlist)
    dig +edns +noad +norec +nsid +subnet=0.0.0.0/0 +expire +cookie -q zone @server
    expect: NOERROR
    expect: OPT record with version set to 0
    See RFC6891

Codes
    ok - test passed.
    subnet - EDNS Client Subnet supported [RFC7871].
    noopt - OPT record not found when expected.
    nosoa - SOA record not found when expected.
    echoed - EDNS option echoed back.
    status - expected rcode status code not found.
    formerr - rcode FORMERR returned.
    badversion - expected EDNS version not found.
    timeout - lookup timed out.

To retrieve this report in the future: https://ednscomp.isc.org/ednscomp/f60adf3942

--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: ma...@isc.org

------------------------------

Message: 3
Date: Thu, 9 Feb 2017 10:19:36 +0100
From: Reindl Harald <h.rei...@thelounge.net>
To: bind-users@lists.isc.org
Subject: Re: domain-unable-resolve
Message-ID: <3fbbafdf-0d69-55da-203f-eb498a252...@thelounge.net>
Content-Type: text/plain; charset=windows-1252; format=flowed

On 09.02.2017 at 08:32, Ejaz wrote:
> From time to time we have problems resolving some domains; one of
> them is "abudawood.com", which we are unable to resolve through our DNS
> server "ns10.cyberia.net.sa", where I have the latest BIND version and
> all. What could be the issue and what is the best way to troubleshoot?

Well, that domain is maintained by incompetent admins and violates
several rules - a single point of failure combined with a SOA expire of
15 minutes - I'd better not say what I think.

https://intodns.com/abudawood.com

I could use the nameservers listed below to perform recursive queries.
It may be that I am wrong but the chances of that are low. You should
not have nameservers that allow recursive queries as this will allow
almost anyone to use your nameservers and can cause problems. Problem
record(s) are: 212.118.102.2

ERROR: One or more of your nameservers did not respond: The ones that
did not respond are: 212.118.102.3

WARNING: Not all of your nameservers are in different subnets

WARNING: Single point of failure

WARNING: Your SOA REFRESH interval is: 900. That is not so ok

Your SOA EXPIRE number is: 86400. That is NOT OK

------------------------------

Message: 4
Date: Thu, 9 Feb 2017 12:34:19 +0300
From: "Ejaz" <me...@cyberia.net.sa>
To: "'Abdul Khader'" <akha...@ies.etisalat.ae>, <bind-users@lists.isc.org>
Subject: RE: domain-unable-resolve
Message-ID: <9ae3101d282b7$b2633d80$1729b880$@cyberia.net.sa>
Content-Type: text/plain; charset="us-ascii"

Thank you all for the detailed explanation. I understand it as a sysadmin,
but our client will be comparing with Google's open DNS server.

No, I can't use his DNS server. From ns10.cyberia.net.sa, the connection
timed out.

It is one of our VIP customers, and they are complaining that if "I have a
problem in my name servers", then when they use open DNS servers such as
Google's and several others they don't have any issue resolving their
records. Satisfying the customer is becoming tough. They only have
problems resolving the queries when they start using our DNS server
ns10.cyberia.net.sa.

Ejaz

From: bind-users [mailto:bind-users-boun...@lists.isc.org] On Behalf Of Abdul Khader
Sent: Thursday, February 9, 2017 11:31 AM
To: bind-users@lists.isc.org
Subject: Re: domain-unable-resolve

Is your DNS server (ns10.cyberia.net.sa) able to connect to the NS servers
of abudawood.com?

On 2/9/2017 11:32 AM, Ejaz wrote:

Hello,

From time to time we have problems resolving some domains; one of them is
"abudawood.com", which we are unable to resolve through our DNS server
"ns10.cyberia.net.sa", where I have the latest BIND version and all. What
could be the issue and what is the best way to troubleshoot?

My bind version:

[root@ns10 ~]# named -v
BIND 9.11.0 <id:1477c19>

The below is the trace result; it reached their DNS server but could not
get query results.
[root@ns10 ~]# dig ns SAMANet.gov.sa

; <<>> DiG 9.11.0 <<>> ns SAMANet.gov.sa
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 31831
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 3

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
; COOKIE: b7510c2058b91a7d3bc824e8589c0f68772d7bfd43357c41 (good)
;; QUESTION SECTION:
;SAMANet.gov.sa.                IN      NS

;; ANSWER SECTION:
SAMANet.gov.sa.         3587    IN      NS      ns2.bluvalt.sa.
SAMANet.gov.sa.         3587    IN      NS      ns1.bluvalt.sa.

;; ADDITIONAL SECTION:
ns1.bluvalt.sa.         23003   IN      A       46.49.128.130
ns2.bluvalt.sa.         23003   IN      A       46.49.140.146

;; Query time: 5 msec
;; SERVER: 212.119.64.2#53(212.119.64.2)
;; WHEN: Thu Feb 09 09:42:48 AST 2017
;; MSG SIZE  rcvd: 147

[root@ns10 ~]# dig ns sama.org.sa

; <<>> DiG 9.11.0 <<>> ns sama.org.sa
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 11980
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 3

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
; COOKIE: 2bebca3cf5e2d6f3cad9e21b589c0f726413bf957d972607 (good)
;; QUESTION SECTION:
;sama.org.sa.                   IN      NS

;; ANSWER SECTION:
sama.org.sa.            3600    IN      NS      ns1.bluvalt.sa.
sama.org.sa.            3600    IN      NS      ns2.bluvalt.sa.

;; ADDITIONAL SECTION:
ns1.bluvalt.sa.         22993   IN      A       46.49.128.130
ns2.bluvalt.sa.         22993   IN      A       46.49.140.146

;; Query time: 9 msec
;; SERVER: 212.119.64.2#53(212.119.64.2)
;; WHEN: Thu Feb 09 09:42:58 AST 2017
;; MSG SIZE  rcvd: 144

[root@ns10 ~]# sama.org.sa. 3600 IN NS ns1.bluvalt.sa.
bash: sama.org.sa.: command not found...
[root@ns10 ~]# sama.org.sa. 3600 IN NS ns2.bluvalt.sa.sa ma.org.sa. 3600 IN NS ns1.bluvalt.sa.
bash: sama.org.sa.: command not found...
[root@ns10 ~]# sama.org.sa. 3600 IN NS ns2.bluvalt.sa.^C
[root@ns10 ~]# named -v
BIND 9.11.0 <id:1477c19>
[root@ns10 ~]# vi /etc/named.conf
[root@ns10 ~]# dig abudawood.com +trace

; <<>> DiG 9.11.0 <<>> abudawood.com +trace
;; global options: +cmd
.                       106794  IN      NS      a.root-servers.net.
.                       106794  IN      NS      c.root-servers.net.
.                       106794  IN      NS      k.root-servers.net.
.                       106794  IN      NS      l.root-servers.net.
.                       106794  IN      NS      f.root-servers.net.
.                       106794  IN      NS      b.root-servers.net.
.                       106794  IN      NS      h.root-servers.net.
.                       106794  IN      NS      m.root-servers.net.
.                       106794  IN      NS      j.root-servers.net.
.                       106794  IN      NS      d.root-servers.net.
.                       106794  IN      NS      i.root-servers.net.
.                       106794  IN      NS      g.root-servers.net.
.                       106794  IN      NS      e.root-servers.net.
.                       107999  IN      RRSIG   NS 8 0 518400 20170222050000 20170209040000 61045 . TMv9X94Rxe6LPkPDaUB4KgOOP80SX5cNBXSawftLwIofkZWLDB1H9BUk EP8 P+7OobV6BxU/prHrNaReq4V7GY5GyOIBkvH7N6QqbrTpaYyAuWlWz gdtF9DthsLfsKSqUMqB50NGBDR V3erxuenHmX5f2VkLK/Dor3eUMdSBN wwUN4NPPst9PaORSqmTzSIirRfm7oglOvjKMtIrTu4+cOofHs XO0bi7j fXu+TT/+6SlFu2x3NXxOZStGSmeWOf6xmkIUNUShjP0HDFz0KxrxOYPj Y8agXhxchni2js4 92pY6/oFeb4txcps6tk28WdSeYljCCUTsQ39tQTBO PjrnvA==
;; Received 1125 bytes from 212.119.64.2#53(212.119.64.2) in 0 ms

com.                    172800  IN      NS      l.gtld-servers.net.
com.                    172800  IN      NS      k.gtld-servers.net.
com.                    172800  IN      NS      h.gtld-servers.net.
com.                    172800  IN      NS      c.gtld-servers.net.
com.                    172800  IN      NS      j.gtld-servers.net.
com.                    172800  IN      NS      a.gtld-servers.net.
com.                    172800  IN      NS      d.gtld-servers.net.
com.                    172800  IN      NS      i.gtld-servers.net.
com.                    172800  IN      NS      f.gtld-servers.net.
com.                    172800  IN      NS      b.gtld-servers.net.
com.                    172800  IN      NS      g.gtld-servers.net.
com.                    172800  IN      NS      m.gtld-servers.net.
com.                    172800  IN      NS      e.gtld-servers.net.
com.                    86400   IN      DS      30909 8 2 E2D3C916F6DEEAC73294E8268FB5885044A833FC5459588F4A9184CF C41A5766
com.                    86400   IN      RRSIG   DS 8 1 86400 20170222050000 20170209040000 61045 . eGzt3EVcYZunW/znWV1jjFpc1UeFZBJOjlAiOHBCD+C8nlKS1pRROSfb atrO ncICysdXdHedwIV+mhc/3HB6IEzjNcOjJffdX6N3dTEyf2YZmRpO IekQlr7FWRr9jdsHZmnTyKuhhkc 26Wjd3H3opDdRwn0HvVN+8ny/QAHC bB+o6piOgjnlNuXxBlLZjF40BrelYfBbPAoLQsdAVUPbvkrEd4 1s/qQk 41jJqJVJ7LzxgyjExhWPoisuFxlcyXQ5nDdPpGxO/IGF3+3RtaUMWGX9 uGuDTsNgk+JmH1nI 72CgQ2c3cVDRrr3DuqWXwMqThdVES1BpOVBHHmCW HrPR5g==
;; Received 865 bytes from 202.12.27.33#53(m.root-servers.net) in 308 ms

abudawood.com.          172800  IN      NS      ns1.abudawood.com.
abudawood.com.          172800  IN      NS      ns2.abudawood.com.
CK0POJMG874LJREF7EFN8430QVIT8BSM.com. 86400 IN NSEC3 1 1 0 - CK0Q1GIN43N1ARRC9OSM6QPQR81H5M9A NS SOA RRSIG DNSKEY NSEC3PARAM
CK0POJMG874LJREF7EFN8430QVIT8BSM.com. 86400 IN RRSIG NSEC3 8 2 86400 20170214054849 20170207043849 31697 com. rw5pqNm81QqDlCKMB00rpSdoEWHqen1FB/db/7LvS6qozh5wU9 ioVT1T 4NxbTyhK+H5liA9QkCMf2DFbfOqfkfv+hv2gFT3o52wCF+wL5dg+xlC8 BTlcHXfUBUF9Wy8w QV7geGT3olYyeWJ7F7UfwA5CvR/EII1zRN0VA3ov 0iE=
QH38TLUV3A97CDLH37G57O72CR6PV2TH.com. 86400 IN NSEC3 1 1 0 - QH3ADNNOO9Q6LEL6VRU4M8PQU2I56IUP NS DS RRSIG
QH38TLUV3A97CDLH37G57O72CR6PV2TH.com. 86400 IN RRSIG NSEC3 8 2 86400 20170215054922 20170208043922 31697 com. k6FE6tYUXXZrZHrHZK/s1npMpvp/aj5o1o00Ght0jfnndM0bFK roR7lh Fz6X0mJKHaAZw10oGT3LPDElABqywAgtbTKoa5usaOsc4g+2BhUXS+t3 E2s3CL9S1myP+DtQ DRlNMfBpD2NoR4pcPTwlnbiF9VCScLNFWvla6LcV AeQ=
;; Received 595 bytes from 192.54.112.30#53(h.gtld-servers.net) in 138 ms

;; Received 70 bytes from 212.118.102.2#53(ns1.abudawood.com) in 18 ms

Thanks,

Mohammed Ejaz
Asst. Operation Director of Systems.
Cyberia SAUDI ARABIA
P.O.Box: 301079, Riyadh 11372
Phone: (+966) 11 464 7114 Ext. 140
Mobile: (+966) 562311787
Fax: (+966) 11 465 4735
Website: http://www.cyberia.net.sa

------------------------------

End of bind-users Digest, Vol 2599, Issue 3
*******************************************
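As an added illustration of the compliance codes in Mark Andrews' reply (Message 2), and not code from the thread or from ISC's ednscomp, here is a small checker that derives the ednscomp-style codes (formerr, nosoa, echoed, badversion, noopt, timeout, ok) from dig's text output for the docookie and edns1opt probes. It assumes dig 9.11 marks a reflected client cookie as "(echoed)" and prints an unknown option 100 as "; OPT=100:"; all sample outputs below are constructed, modelled on the ns1.abudawood.com finding.

```python
import re

# Expectations for the ednscomp probes quoted in the thread:
# test name -> (expected rcode, SOA expected in ANSWER, option sent that must not be reflected).
# Assumption: dig prints unknown option 100 as "; OPT=100:" and a reflected cookie as "(echoed)".
EXPECT = {
    "edns":     ("NOERROR", True,  None),
    "edns1":    ("BADVERS", False, None),
    "ednsopt":  ("NOERROR", True,  "OPT=100"),
    "edns1opt": ("BADVERS", False, "OPT=100"),
    "docookie": ("NOERROR", True,  "COOKIE"),
}

def classify(test, dig_output):
    """Map one probe's dig text output to ednscomp-style codes (sorted list)."""
    want_rcode, want_soa, option = EXPECT[test]
    if "->>HEADER<<-" not in dig_output:      # no reply at all
        return ["timeout"]
    codes = set()
    rcode = re.search(r"status: (\w+)", dig_output).group(1)
    if rcode == "FORMERR":
        codes.add("formerr")
    if want_rcode == "BADVERS" and rcode != "BADVERS":
        codes.add("badversion")               # expected BADVERS not returned
    elif want_rcode == "NOERROR" and rcode not in ("NOERROR", "FORMERR"):
        codes.add("status")
    if not re.search(r"^; EDNS: version: \d+", dig_output, re.M):
        codes.add("noopt")                    # reply carried no OPT record
    if want_soa and not re.search(r"^\S+\s+\d+\s+IN\s+SOA\s", dig_output, re.M):
        codes.add("nosoa")
    if option == "COOKIE" and re.search(r"^; COOKIE: .*\(echoed\)", dig_output, re.M):
        codes.add("echoed")                   # client cookie reflected, no server cookie
    elif option and option != "COOKIE" and re.search("^; " + re.escape(option), dig_output, re.M):
        codes.add("echoed")                   # unknown option must be ignored, not reflected
    return sorted(codes) or ["ok"]

# Constructed dig output modelled on the thread's finding for ns1.abudawood.com:
# FORMERR to the docookie probe, client cookie reflected, no SOA.
NS1_DOCOOKIE = """\
;; ->>HEADER<<- opcode: QUERY, status: FORMERR, id: 4242
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
; COOKIE: 0102030405060708 (echoed)
"""
# Constructed compliant reply: server cookie returned, SOA answered.
GOOD_DOCOOKIE = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4243
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
; COOKIE: 0102030405060708a1b2c3d4e5f6a7b8 (good)
;; ANSWER SECTION:
example.test.\t3600\tIN\tSOA\tns1.example.test. hostmaster.example.test. 1 900 300 86400 300
"""
NO_REPLY = ";; connection timed out; no servers could be reached\n"
```

On the resolver side, BIND's per-server `send-cookie no;` and `edns no;` options in the named.conf `server` statement can serve as a stopgap for one known-broken authoritative server, but the thread's point stands: the fix belongs on the authoritative side.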