Thanks for the explanation of “ANY”

The strange thing is this server previously answered this correctly. We 
changed the IP address (on the same network segment) of it to replace one of 
our existing servers. That is when it no longer resolved extranet.aro.army.mil. 
It otherwise is resolving names without issue. 

So following your suggestion I tried to resolve the first CNAME in the chain 
and it failed. But dig +trace resolved. How does dig +trace work when dig 
doesn’t?

dig +trace aro.army.mil.apps.gcds.disa.mil @ns2.service.uci.edu

; <<>> DiG 9.10.6 <<>> +trace aro.army.mil.apps.gcds.disa.mil 
@ns2.service.uci.edu
;; global options: +cmd
.                       495781  IN      NS      i.root-servers.net.
.                       495781  IN      NS      e.root-servers.net.
.                       495781  IN      NS      b.root-servers.net.
.                       495781  IN      NS      m.root-servers.net.
.                       495781  IN      NS      f.root-servers.net.
.                       495781  IN      NS      a.root-servers.net.
.                       495781  IN      NS      h.root-servers.net.
.                       495781  IN      NS      l.root-servers.net.
.                       495781  IN      NS      j.root-servers.net.
.                       495781  IN      NS      d.root-servers.net.
.                       495781  IN      NS      c.root-servers.net.
.                       495781  IN      NS      g.root-servers.net.
.                       495781  IN      NS      k.root-servers.net.
.                       495781  IN      RRSIG   NS 8 0 518400 20180613140000 
20180531130000 39570 . KymbweT83qDcnulFtNOnem4Lg3jHaFAXmN3CKLgD6ixycW1zxPrt64JX 
vbeIsRAnthemN6rO2buqRzEJhyOcUyHSEmlRzoLEx/vDVuARJ7uFyVEW 
ChQAYiWzY3t+5rPIQK+10v9pvvYaQ/yu1oiPcbYydln32L4vwblkeO2A 
K3zbhTsTkzW++01lU5nhL3Kq7koxTenGMoFuAjsA7cEF4NyrOdDPDCjJ 
2G8DRFd4xDaBvrLtP17EphnKl0+txlKnHyC6ggc0jCNa6kioEJHQejR6 
mrugHkN3BEVnk6REv2mI0kIa2OGWf76J9zjG6L9X3YkZdESbyOs7Y6JN gfKayw==
;; Received 1097 bytes from 128.200.192.202#53(ns2.service.uci.edu) in 0 ms

mil.                    172800  IN      NS      con1.nipr.mil.
mil.                    172800  IN      NS      con2.nipr.mil.
mil.                    172800  IN      NS      eur1.nipr.mil.
mil.                    172800  IN      NS      eur2.nipr.mil.
mil.                    172800  IN      NS      pac1.nipr.mil.
mil.                    172800  IN      NS      pac2.nipr.mil.
mil.                    86400   IN      DS      27319 8 2 
98332FC2B22D453BD47ACDF73C0150A4DAB54751450ED679411EC972 577CAD47
mil.                    86400   IN      DS      27319 8 1 
B090CA5F985BE47393497300F887EF8466E86C8C
mil.                    86400   IN      RRSIG   DS 8 1 86400 20180613170000 
20180531160000 39570 . evM0FK22HOjAFlyL+ZNutDiVquVpmB6X2f7z3rXxKJqB7t2/zXKxWK5S 
Hitt7Yqu70iqSPyL1mpJBI9eAfsZ7Jo9E77hGxM27AZLGQC1Ph+v52IY 
rVWu2/l/uygtTKO+jjd1s1KkiKbmyLxU170Zu6xXUxLoy3bGhPy8dpCh 
A+VLqH3OzhzbITVcFpvIGqDt/hVZ0bTaIY5bdk3v5lBPsACLQ2OFpoWw 
5iRMIPAS5rAMARpSaK1ShIN+w5ITa1Sg/iWIr59wCEcsqGsCdcmqauSx 
9QWU4PlCSJOgHmG/BGhksjwIAxn06kuoY9K0t9Vh1gxH+DXAJ+IMu4SI FUykUw==
;; Received 646 bytes from 193.0.14.129#53(k.root-servers.net) in 150 ms

DISA.mil.               21600   IN      NS      NS.JTFGNO.MIL.
DISA.mil.               21600   IN      NS      NS1.CSD.DISA.MIL.
DISA.mil.               21600   IN      NS      NS.CYBERCOM.MIL.
DISA.mil.               10800   IN      DS      8665 8 1 
2C75259E1FEE495705846DB5326486A82BF8BA0F
DISA.mil.               10800   IN      DS      8665 8 2 
7052D1A8F7862D35616BF5B0B53BB8CBDB87FBF54AC4C7954CB1BA88 A84FF32D
DISA.mil.               10800   IN      RRSIG   DS 8 2 10800 20180607161146 
20180531161146 14394 mil. 
SCwIsUwwx7D3Xopiig4ZEXhvImsID4rLUe3c75ZNx4kCOd1aAyGGbin7 
yVHqh6+Dul4moh53xZiywt7dqN/EXSBiub4X6MwDSrh+W4jbnUU7OVBN 
24aurdj32KPGHwcaAGy/TCwtMr35lh/2A/PwZ6h4lRQY/ACqGiIAQRZS Pn8=
;; Received 470 bytes from 199.252.143.234#53(eur2.nipr.mil) in 164 ms

aro.army.mil.apps.gcds.disa.mil. 893 IN CNAME   
aro.army.mil.edgekey.dmz.akamai.csd.disa.mil.
aro.army.mil.apps.gcds.disa.mil. 893 IN RRSIG   CNAME 8 7 3600 20180621160052 
20180522160052 57303 apps.gcds.disa.mil. 
IIM8AqFASfo56yYWBoA1MX4M8zUEQdSuULGmymruFbzajcHkdHBv1FnV 
1IHtC6DHZQwVYsfYKpf0XcTrldWdpC5V70hcBrHrEId3yhun74RG5D9t 
DMUIWAxJuxVGY9e0FAjJ7e8W82udQwJ1AwXACYto1qlTEpsU0mdBNjfR qm4=
aro.army.mil.edgekey.dmz.akamai.csd.disa.mil. 96 IN CNAME 
e1008.d.akamaiedge.akamai.csd.disa.mil.
e1008.d.akamaiedge.akamai.csd.disa.mil. 20 IN A 214.48.248.31
;; Received 337 bytes from 152.229.110.235#53(NS1.CSD.DISA.MIL) in 65 ms

Con Wieland
Office of Information Technology
University of California at Irvine


> On May 31, 2018, at 4:29 PM, Mark Andrews <ma...@isc.org> wrote:
> 
> 
>> On 1 Jun 2018, at 5:09 am, Con Wieland <cwiel...@uci.edu> wrote:
>> 
>> I have a nameserver that can not resolve extranet.aro.army.mil.  
>> 
>> dig extranet.aro.army.mil
>> 
>> ; <<>> DiG 9.9.4-RedHat-9.9.4-61.el7 <<>> extranet.aro.army.mil
>> ;; global options: +cmd
>> ;; Got answer:
>> ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 56491
>> ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
>> 
>> ;; OPT PSEUDOSECTION:
>> ; EDNS: version: 0, flags:; udp: 4096
>> ;; QUESTION SECTION:
>> ;extranet.aro.army.mil.              IN      A
>> 
>> ;; Query time: 4004 msec
>> ;; SERVER: 128.200.1.201#53(128.200.1.201)
>> ;; WHEN: Thu May 31 11:58:23 PDT 2018
>> ;; MSG SIZE  rcvd: 50
>> 
>> 
>> dig any works though
>> 
>> dig any extranet.aro.army.mil
>> 
>> ; <<>> DiG 9.9.4-RedHat-9.9.4-61.el7 <<>> any extranet.aro.army.mil
>> ;; global options: +cmd
>> ;; Got answer:
>> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 36259
>> ;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 3, ADDITIONAL: 4
>> 
>> ;; OPT PSEUDOSECTION:
>> ; EDNS: version: 0, flags:; udp: 4096
>> ;; QUESTION SECTION:
>> ;extranet.aro.army.mil.              IN      ANY
>> 
>> ;; ANSWER SECTION:
>> extranet.aro.ARMY.mil.       5       IN      CNAME   
>> aro.army.mil.apps.gcds.disa.mil.
>> extranet.aro.ARMY.mil.       5       IN      RRSIG   CNAME 8 4 3600 
>> 20180603234628 20180530232344 17853 aro.army.mil. 
>> FWADxA2KjVZGnMJMrqCeQaaIhYdyf/pgu5OkBkCk/BAVyRnRaksGbNhx 
>> WP15FIQpfXHZXpuV7ChQoGxGXbmpFZc6khlBgOHxhhOSykiJeVB53QR6 
>> 8uvu1cRQ6gy7yeaGHvVUFsYyPlSyitY4kWS1v5RS70RhNVviVaSmaEBu 
>> JAkACgMdQs8FG6y8E5Uhsazsl3fX6p2b5wX8ohwCYaFygHoIZqq+TBJX 
>> HxcX6MOdPfyyP0UeM+aC1x/58HQXekRlpY8VXujBSjDbVIWZKI/EdA0o 
>> Z6eXuGBExkzl4IctnwGSGTyQgtWRovDoJEiRi/jyss/Z4BlMBvpbDBJi AC0b9g==
>> 
>> ;; AUTHORITY SECTION:
>> aro.ARMY.mil.                2921    IN      NS      ns03.army.mil.
>> aro.ARMY.mil.                2921    IN      NS      ns02.army.mil.
>> aro.ARMY.mil.                2921    IN      NS      ns01.army.mil.
>> 
>> ;; ADDITIONAL SECTION:
>> NS01.ARMY.mil.               582     IN      A       140.153.43.44
>> NS02.ARMY.mil.               20920   IN      A       192.82.113.7
>> NS03.ARMY.mil.               279     IN      A       130.114.200.6
>> 
>> ;; Query time: 0 msec
>> ;; SERVER: 128.200.1.201#53(128.200.1.201)
>> ;; WHEN: Thu May 31 12:00:39 PDT 2018
>> ;; MSG SIZE  rcvd: 530
> 
> ANY (*) queries DO NOT FOLLOW CNAMEs. This is why this query resolved.
> 
> Your problem is with one of the targets in the CNAME chain.  You now need to 
> work out if the server can resolve aro.army.mil.apps.gcds.disa.mil.  Then you 
> need to work out if it can resolve 
> aro.army.mil.edgekey.dmz.akamai.csd.disa.mil.  Then you need to work out if it 
> can resolve e1008.d.akamaiedge.akamai.csd.disa.mil.
> 
> Don’t forget to check the firewall settings for the new server.  Firewall 
> vendors have STUPID defaults for DNS.
> 
>> and to further confuse the issue, resolution from a nameserver that does 
>> resolve this shows different nameservers listed for the default query and 
>> the “any” query 
>> 
>> 
>> dig extranet.aro.army.mil 
>> 
>> ; <<>> DiG 9.3.4-P1 <<>> extranet.aro.army.mil
>> ;; global options:  printcmd
>> ;; Got answer:
>> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 359
>> ;; flags: qr rd ra; QUERY: 1, ANSWER: 4, AUTHORITY: 3, ADDITIONAL: 3
>> 
>> ;; QUESTION SECTION:
>> ;extranet.aro.army.mil.         IN      A
>> 
>> ;; ANSWER SECTION:
>> extranet.aro.ARMY.mil.  801     IN      CNAME   
>> aro.army.mil.apps.gcds.disa.mil.
>> aro.army.mil.apps.gcds.DISA.mil. 247 IN CNAME   
>> aro.army.mil.edgekey.dmz.akamai.csd.disa.mil.
>> aro.army.mil.edgekey.dmz.akamai.csd.disa.mil. 180 IN CNAME 
>> e1008.d.akamaiedge.akamai.csd.disa.mil.
>> e1008.d.akamaiedge.akamai.csd.disa.mil. 20 IN A 214.48.248.31
>> 
>> ;; AUTHORITY SECTION:
>> DISA.mil.               17124   IN      NS      NS1.CSD.DISA.MIL.
>> DISA.mil.               17124   IN      NS      NS.CYBERCOM.MIL.
>> DISA.mil.               17124   IN      NS      NS.JTFGNO.MIL.
>> 
>> ;; ADDITIONAL SECTION:
>> NS.JTFGNO.mil.          17124   IN      A       214.3.125.231
>> NS.CYBERCOM.mil.        17124   IN      A       131.77.60.235
>> NS1.CSD.DISA.mil.       17124   IN      A       152.229.110.235
>> 
>> ;; Query time: 161 msec
>> ;; SERVER: 128.200.192.203#53(128.200.192.203)
>> ;; WHEN: Thu May 31 12:03:21 2018
>> ;; MSG SIZE  rcvd: 384
>> 
>> 
>> and “any” includes the RRSIG record and different nameservers
>> 
>> dig any extranet.aro.army.mil
>> 
>> ; <<>> DiG 9.3.4-P1 <<>> any extranet.aro.army.mil
>> ;; global options:  printcmd
>> ;; Got answer:
>> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 763
>> ;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 3, ADDITIONAL: 2
>> 
>> ;; QUESTION SECTION:
>> ;extranet.aro.army.mil.         IN      ANY
>> 
>> ;; ANSWER SECTION:
>> extranet.aro.ARMY.mil.  732     IN      RRSIG   CNAME 8 4 3600 
>> 20180603234628 20180530232344 17853 aro.army.mil. 
>> FWADxA2KjVZGnMJMrqCeQaaIhYdyf/pgu5OkBkCk/BAVyRnRaksGbNhx 
>> WP15FIQpfXHZXpuV7ChQoGxGXbmpFZc6khlBgOHxhhOSykiJeVB53QR6 
>> 8uvu1cRQ6gy7yeaGHvVUFsYyPlSyitY4kWS1v5RS70RhNVviVaSmaEBu 
>> JAkACgMdQs8FG6y8E5Uhsazsl3fX6p2b5wX8ohwCYaFygHoIZqq+TBJX 
>> HxcX6MOdPfyyP0UeM+aC1x/58HQXekRlpY8VXujBSjDbVIWZKI/EdA0o 
>> Z6eXuGBExkzl4IctnwGSGTyQgtWRovDoJEiRi/jyss/Z4BlMBvpbDBJi AC0b9g==
>> extranet.aro.ARMY.mil.  732     IN      CNAME   
>> aro.army.mil.apps.gcds.disa.mil.
>> 
>> ;; AUTHORITY SECTION:
>> ARMY.mil.               17055   IN      NS      NS01.ARMY.MIL.
>> ARMY.mil.               17055   IN      NS      NS02.ARMY.MIL.
>> ARMY.mil.               17055   IN      NS      NS03.ARMY.MIL.
>> 
>> ;; ADDITIONAL SECTION:
>> NS01.ARMY.mil.          17055   IN      A       140.153.43.44
>> NS02.ARMY.mil.          17055   IN      A       192.82.113.7
>> 
>> ;; Query time: 2 msec
>> ;; SERVER: 128.200.192.203#53(128.200.192.203)
>> ;; WHEN: Thu May 31 12:04:29 2018
>> ;; MSG SIZE  rcvd: 506
>> 
>> To further confuse this, this server worked until its IP address changed 
>> when it replaced an existing server. There were no configuration changes, only 
>> the IP address, and it is otherwise fully functioning.
>> Any leads on where to start looking or further troubleshooting ideas would 
>> really be appreciated.
>> _______________________________________________
>> Please visit https://lists.isc.org/mailman/listinfo/bind-users to 
>> unsubscribe from this list
>> 
>> bind-users mailing list
>> bind-users@lists.isc.org
>> https://lists.isc.org/mailman/listinfo/bind-users
> 
> -- 
> Mark Andrews, ISC
> 1 Seymour St., Dundas Valley, NSW 2117, Australia
> PHONE: +61 2 9871 4742              INTERNET: ma...@isc.org
> 
> 
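
The hop-by-hop check suggested in the quoted reply, written out as an added example that is not part of the original messages: it asks one resolver for each name in the CNAME chain separately, so the first name that returns SERVFAIL identifies the zone whose servers the resolver cannot reach. The function names and the `DIG` override are hypothetical; only standard `dig` options are used.

```sh
#!/bin/sh
# Added example: test each name in a CNAME chain separately against one resolver.
# DIG may be overridden with a stub for offline runs; it defaults to the real dig.
DIG="${DIG:-dig}"

# Print the RCODE (NOERROR, SERVFAIL, ...) found in dig output on stdin.
rcode_of() {
    sed -n 's/.*status: \([A-Z]*\),.*/\1/p' | head -n 1
}

# Print the CNAME target owned by name $1 in dig output on stdin. Owner names
# are compared case-insensitively (the answers in this thread show "ARMY.mil").
cname_target() {
    awk -v n="$1" 'BEGIN { n = tolower(n) }
        $1 !~ /^;/ && $4 == "CNAME" && tolower($1) == n { print tolower($5); exit }'
}

# Walk the chain from name $1 on resolver $2. A type CNAME query is answered
# for that one hop only; the name that ends the chain is then queried for A.
# Prints "name qtype rcode" per query and returns 1 at the first failing hop.
walk_chain() {
    name="${1%.}."; server="$2"; hops=0
    while [ "$hops" -lt 10 ]; do
        out=$("$DIG" +tries=1 +time=5 "$name" CNAME "@$server")
        rc=$(printf '%s\n' "$out" | rcode_of)
        echo "$name CNAME ${rc:-NORESPONSE}"
        [ "$rc" = "NOERROR" ] || return 1
        next=$(printf '%s\n' "$out" | cname_target "$name")
        [ -n "$next" ] || break
        name="$next"; hops=$((hops + 1))
    done
    rc=$("$DIG" +tries=1 +time=5 "$name" A "@$server" | rcode_of)
    echo "$name A ${rc:-NORESPONSE}"
    [ "$rc" = "NOERROR" ]
}

# Usage: sh walk_chain.sh NAME RESOLVER_IP
if [ "$#" -ge 2 ]; then
    walk_chain "$1" "$2"
fi
```

On the `dig +trace` question: with `+trace`, dig sends the iterative queries itself from the host it runs on, starting at the root servers, and uses the `@server` only to fetch the root NS set, so a successful trace does not exercise the resolver's own outbound recursion from its new address.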
