Hi Sami.
If you can, I would set up a new BIND (test) server running the current
code - 9.18.27 - next to your current production system and compare how
they behave: current code uses NS queries for qmin rather than _... A
queries. There may still be failures, but this would allow you to pinpoint
better which domains are the problematic ones.
Packet captures are always good for showing exactly what servers send and
what they get back. There's no hiding in Wireshark!

Cheers, Greg

On Wed, 26 Jun 2024 at 07:45, <sami.ra...@sofrecom.com> wrote:

> Hello
> Thank you for your response. I have configured qname to disabled for now.
> Once the issue is resolved, I will set it to relaxed. I have provided a
> download link for the log files and a dig +trace test for more details on
> this issue, which I do not think is related to BIND or its configuration. I
> suspected that a firewall was blocking the DNS traffic, so I bypassed the
> firewall, but the result is the same. How can we ensure that this is a
> network-level issue?
>
> download link:
>
> https://we.tl/t-M77os84duE
>
> Regards
>
> Sami
>
> -----Original Message-----
> From: bind-users <bind-users-boun...@lists.isc.org> On behalf of
> bind-users-requ...@lists.isc.org
> Sent: Tuesday, 25 June 2024 13:00
> To: bind-users@lists.isc.org
> Subject: bind-users Digest, Vol 4495, Issue 2
>
>
>
>
> Today's Topics:
>
>    1. Re: SERVFAIL error during the evening (Michael Batchelder)
>    2. Re: qname minimization: me too :( (Stephane Bortzmeyer)
>    3. Re: can I provide invalid HTTPS values for testing?
>       (Stephane Bortzmeyer)
>
>
> ----------------------------------------------------------------------
>
> Message: 1
> Date: Tue, 25 Jun 2024 06:34:42 +0000 (UTC)
> From: Michael Batchelder <mich...@isc.org>
> To: bind-users <bind-users@lists.isc.org>
> Cc: sami rahal <sami.ra...@sofrecom.com>
> Subject: Re: SERVFAIL error during the evening
> Message-ID: <646819319.2383375.1719297282567.javamail.zim...@isc.org>
> Content-Type: text/plain; charset=utf-8
>
> >> Hello Michael
> >> Thank you for your response. Here is a pcap file and some logs.
> >
> > Hello Sami,
> >
> > Your pcap shows your resolver making thousands of queries that get no
> > responses (or at least the pcap does not contain them). There's not
> > much I can say, beyond that this does not appear to be a problem
> > related to BIND.
>
> Sami,
>
> My co-worker helpfully pointed out something I missed when reviewing your
> packet capture. A large number of your resolution failures are because your
> BIND is configured to use QNAME minimization (a.k.a. "qmin") and the
> queries are to zones whose configuration is done incorrectly and breaks
> qmin.
>
> The pcap indicates you have the 'qname-minimization strict' setting in
> your BIND configuration file. See the "qname-minimization" statement in the
> Options section of the BIND ARM (
> https://bind9.readthedocs.io/en/v9.16.25/reference.html#options-statement-definition-and-usage).
> For the general background on qmin, read RFCs 7816 and 9156.
>
> I don't know of a reason why you would experience more qmin failures in
> the evening, other than the requests that fail are only made at that time.
> Regardless, if you want to stop the failures completely, you can change the
> 'qname-minimization strict' setting to 'qname-minimization disabled'. The
> drawback is that your queries will no longer be minimized, so all
> authoritative servers will see the full query name during recursion.
>
> As a compromise between doing nothing and fully disabling qmin, you can
> use the 'qname-minimization relaxed' setting which will try qmin and if
> BIND encounters a zone which breaks qmin, then BIND will switch to not
> doing qmin and do normal recursion (equivalent to 'qname-minimization
> disabled') for that query.
>
> Also, you should upgrade your version of BIND, as we can see that the qmin
> queries are those used in older versions of BIND.
>
> Michael
>
>
> ------------------------------
>
> Message: 2
> Date: Tue, 25 Jun 2024 10:59:19 +0200
> From: Stephane Bortzmeyer <bortzme...@nic.fr>
> To: Peter <p...@citylink.dinoex.sub.org>
> Cc: Stephane Bortzmeyer <bortzme...@nic.fr>, Michael Batchelder
>         <mich...@isc.org>, bind-users <bind-users@lists.isc.org>
> Subject: Re: qname minimization: me too :(
> Message-ID: <znqg5yjjtqidj...@nic.fr>
> Content-Type: text/plain; charset=us-ascii
>
> On Mon, Jun 24, 2024 at 10:32:37PM +0200, Peter <
> p...@citylink.dinoex.sub.org> wrote a message of 40 lines which said:
>
> > In other words: why do You guys no longer talk to each other?
>
> We do but talking is one thing, convincing is another one, and making
> people act is a third :-(
>
>
> ------------------------------
>
> Message: 3
> Date: Tue, 25 Jun 2024 11:03:22 +0200
> From: Stephane Bortzmeyer <bortzme...@nic.fr>
> To: Stephen Farrell <stephen.farr...@cs.tcd.ie>
> Cc: bind-users@lists.isc.org
> Subject: Re: can I provide invalid HTTPS values for testing?
> Message-ID: <znqh2ldya_yt3...@nic.fr>
> Content-Type: text/plain; charset=us-ascii
>
> On Thu, Jun 20, 2024 at 02:29:13PM +0100, Stephen Farrell <
> stephen.farr...@cs.tcd.ie> wrote a message of 100 lines which said:
>
> > Actually, it may well be that bind allows me sufficient leeway to do
> > most of the tests I want, so this is just to check that there's no
> > imminent plan to have bind disallow the kind of rubbish HTTPS RRs
> > below.
>
> A related issue: does anyone know a software / service which tests HTTPS
> records and actually connects to the HTTPS server to see if it indeed
> supports what it claims to support. (Testing all ALPNs, all IP hints, etc.)
>
> "Error, HTTP record says alpn=h3 but HTTP/3 setup failed"
>
> Bonus if I can integrate it in Nagios/Icinga/Zabbix/etc.
>
>
> ------------------------------
>
> Subject: Digest Footer
>
> _______________________________________________
> ISC funds the development of this software with paid support
> subscriptions. Contact us at https://www.isc.org/contact/ for more
> information.
>
> bind-users mailing list
> bind-users@lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users
>
>
> ------------------------------
>
> End of bind-users Digest, Vol 4495, Issue 2
> *******************************************
-- 
Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from 
this list

ISC funds the development of this software with paid support subscriptions. 
Contact us at https://www.isc.org/contact/ for more information.


bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
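Michael's explanation of the three qname-minimization settings, and Greg's suggestion of pinpointing which domains break qmin, as an added example that is not code from this thread, from ISC or from BIND: a small Python simulation of the RFC 7816 / RFC 9156 label walk against a constructed table of authoritative answers. `CONSTRUCTED_AUTH`, `probe()`, `resolve()` and `qmin_breakers()` are assumptions of the example, not BIND internals; in a real resolver each probe is the NS query (in 9.18) sent to the zone's authoritative server, which is exactly what a packet capture would show.

```python
"""Simulation of QNAME minimisation (RFC 7816 / RFC 9156) under the three
BIND 'qname-minimization' settings: strict, relaxed and disabled.
Added example; CONSTRUCTED_AUTH is constructed data, not real DNS answers."""

# Constructed authoritative behaviour: the rcode a resolver gets back when
# it probes each name with an NS query. Names not listed answer NXDOMAIN.
CONSTRUCTED_AUTH = {
    # Well-behaved zone: every intermediate name answers NOERROR.
    "com.": "NOERROR",
    "good.com.": "NOERROR",
    "www.good.com.": "NOERROR",
    # Misconfigured zone: the empty non-terminal 'sub.broken.com.' answers
    # NXDOMAIN although 'www.sub.broken.com.' exists. This is the kind of
    # zone that breaks qmin and yields SERVFAIL in strict mode.
    "broken.com.": "NOERROR",
    "sub.broken.com.": "NXDOMAIN",
    "www.sub.broken.com.": "NOERROR",
}


def canonical(name):
    """Normalise a domain name to lowercase with a single trailing dot."""
    return name.strip().rstrip(".").lower() + "."


def minimised_names(qname):
    """Names a minimising resolver asks in order, from the label nearest the
    root outward, ending with the full query name (RFC 9156, section 2)."""
    labels = canonical(qname).rstrip(".").split(".")
    return [".".join(labels[i:]) + "." for i in range(len(labels) - 1, -1, -1)]


def probe(name):
    """Stand-in for the NS query a 9.18 resolver sends for each minimised
    name; a real resolver asks the zone's authoritative server over the network."""
    return CONSTRUCTED_AUTH.get(canonical(name), "NXDOMAIN")


def resolve(qname, mode):
    """Resolve qname under the given qname-minimization mode.

    Returns (outcome, broke_at): outcome is "OK", "NXDOMAIN" or "SERVFAIL";
    broke_at is the minimised name whose NXDOMAIN broke qmin, or None.
    """
    if mode not in ("strict", "relaxed", "disabled"):
        raise ValueError("unknown qname-minimization mode: %r" % mode)
    qname = canonical(qname)
    if mode == "disabled":
        # Classic recursion: the full name goes to every server in the chain.
        return ("OK" if probe(qname) == "NOERROR" else "NXDOMAIN", None)
    for name in minimised_names(qname):
        if probe(name) == "NOERROR":
            continue
        if name == qname:
            # The full name itself does not exist: a real NXDOMAIN, not a qmin problem.
            return ("NXDOMAIN", None)
        # An intermediate name answered NXDOMAIN: this zone breaks qmin.
        if mode == "strict":
            # Strict mode does not fall back, so the client sees SERVFAIL.
            return ("SERVFAIL", name)
        # Relaxed mode abandons minimisation for this query and asks the full name.
        return ("OK" if probe(qname) == "NOERROR" else "NXDOMAIN", name)
    return ("OK", None)


def qmin_breakers(qnames):
    """Names that would fail in strict mode, with the minimised name at which
    they break: the list of problematic domains Greg suggests building."""
    found = []
    for q in qnames:
        outcome, broke_at = resolve(q, "strict")
        if outcome == "SERVFAIL":
            found.append((canonical(q), broke_at))
    return found


if __name__ == "__main__":
    for mode in ("strict", "relaxed", "disabled"):
        for q in ("www.good.com", "www.sub.broken.com"):
            print(mode, q, resolve(q, mode))
    print("qmin breakers:", qmin_breakers(["www.good.com", "www.sub.broken.com"]))
```

Feeding `qmin_breakers()` the query names taken from a capture of the failing period gives the per-domain list to compare against a test resolver; the names it flags under strict mode are the ones whose intermediate labels answer NXDOMAIN, and under relaxed mode the same names resolve via the fallback to a full-name query.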
