John,

We have not moved to PDNS as yet.
I am not sure about DNSSEC for SSA; will check on that.

Thanks
Sandeep

From: bind-users <bind-users-boun...@lists.isc.org> On Behalf Of John W. Blue via bind-users
Sent: Thursday, September 1, 2022 5:03 PM
To: bind-users@lists.isc.org
Subject: Re: Issue with dns resolution for www.ssa.gov

Sandeep,

Are you all using CISA's Protective DNS? If so, there might be a ruleset that is causing problems.

If not, and I have not checked, but is DNSSEC for SSA working correctly?

John

________________________________
From: "Bhangui, Sandeep - BLS CTR via bind-users" <bind-users@lists.isc.org>
Sent: Thursday, September 1, 2022 3:11 PM
To: bind-users@lists.isc.org
Subject: Issue with dns resolution for www.ssa.gov

Hi

We are running Bind Version 9.16.31 on a RHEL 7.X server and things are working fine in general.

Having an issue with DNS resolution for www.ssa.gov; no other DNS issues reported at this time.

Our DNS server cannot seem to resolve www.ssa.gov using nslookup (I know this is an old utility and cannot be used much for troubleshooting); dig seems to respond properly.

Just curious what could be the issue; is this on our DNS server, as nslookup seems to work fine for a lot of other sites that I used just to check if it responds correctly?

The VZ public NS which is listed as one of the NS under /etc/resolv.conf seems to respond to nslookup just fine.

I am not sure what more information I could include which could be helpful; if anything else is needed please let me know and I will post it.

Thanks in advance.

Sandeep

# nslookup www.ssa.gov
;; Got SERVFAIL reply from 127.0.0.1, trying next server
Server:         198.6.1.1
Address:        198.6.1.1#53

Non-authoritative answer:
www.ssa.gov     canonical name = www.ssa.gov.edgekey.net.
www.ssa.gov.edgekey.net canonical name = e82396.dsca.akamaiedge.net.
Name:   e82396.dsca.akamaiedge.net
Address: 23.222.241.54
Name:   e82396.dsca.akamaiedge.net
Address: 23.222.241.58
Name:   e82396.dsca.akamaiedge.net
Address: 2600:1404:d400::687d:293
Name:   e82396.dsca.akamaiedge.net
Address: 2600:1404:d400::687d:289

Dig output from the same DNS server seems to give a response.

# dig www.ssa.gov

; <<>> DiG 9.16.31 <<>> www.ssa.gov
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 24578
;; flags: qr rd ra; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;www.ssa.gov.                   IN      A

;; ANSWER SECTION:
www.ssa.gov.                    300     IN      CNAME   www.ssa.gov.edgekey.net.
www.ssa.gov.edgekey.net.        9625    IN      CNAME   e82396.dsca.akamaiedge.net.
e82396.dsca.akamaiedge.net.     20      IN      A       23.222.241.58
e82396.dsca.akamaiedge.net.     20      IN      A       23.222.241.51

;; Query time: 171 msec
;; SERVER: 198.6.1.1#53(198.6.1.1)
;; WHEN: Thu Sep 01 16:03:21 EDT 2022
;; MSG SIZE  rcvd: 146