hhs.gov resolvers broken, or BIND misconfigured?

2016-03-01 Thread James Ralston
We have a mystery.

We're running a recursive resolver on RHEL6, using the latest
RHEL-provided BIND package, bind-9.8.2-0.37.rc1.el6_7.6.  The
recursive resolver only has an IPv4 interface; it does not have an
IPv6 interface.  DNSSEC is enabled (by default).

Our recursive resolver periodically returns SERVFAIL for lookups for
hhs.gov records, which are served by these nameservers:

rh202ns1.355.dhhs.gov.  168     IN  A     158.74.30.98
rh202ns1.355.dhhs.gov.  14260   IN  AAAA  2607:f220:0:1::2a
rh202ns2.355.dhhs.gov.  168     IN  A     158.74.30.99
rh202ns2.355.dhhs.gov.  14260   IN  AAAA  2607:f220:0:1::2b
rh120ns2.368.dhhs.gov.  81      IN  A     158.74.30.103
rh120ns2.368.dhhs.gov.  81      IN  AAAA  2607:f220:0:1::2d
rh120ns1.368.dhhs.gov.  168     IN  A     158.74.30.102
rh120ns1.368.dhhs.gov.  14260   IN  AAAA  2607:f220:0:1::2c

When this happens, BIND logs the following:

01-Mar-2016 09:10:02.064 lame-servers: info: error (network
unreachable) resolving 'hhs.gov/MX/IN': 2607:f220:0:1::2c#53
01-Mar-2016 09:10:02.064 lame-servers: info: error (network
unreachable) resolving 'hhs.gov/MX/IN': 2607:f220:0:1::2a#53
01-Mar-2016 09:10:02.064 lame-servers: info: error (network
unreachable) resolving 'hhs.gov/MX/IN': 2607:f220:0:1::2d#53
01-Mar-2016 09:10:02.065 lame-servers: info: error (network
unreachable) resolving 'hhs.gov/MX/IN': 2607:f220:0:1::2b#53
01-Mar-2016 09:10:02.065 lame-servers: info: error (network
unreachable) resolving 'rh120ns2.368.dhhs.gov/A/IN':
2607:f220:0:1::2c#53
01-Mar-2016 09:10:02.065 lame-servers: info: error (network
unreachable) resolving 'rh120ns1.368.dhhs.gov/A/IN':
2607:f220:0:1::2c#53
01-Mar-2016 09:10:02.066 lame-servers: info: error (network
unreachable) resolving 'rh202ns1.355.dhhs.gov/A/IN':
2607:f220:0:1::2c#53
01-Mar-2016 09:10:02.066 lame-servers: info: error (network
unreachable) resolving 'rh120ns2.368.dhhs.gov/A/IN':
2607:f220:0:1::2a#53
01-Mar-2016 09:10:02.066 lame-servers: info: error (network
unreachable) resolving 'rh202ns2.355.dhhs.gov/A/IN':
2607:f220:0:1::2c#53
01-Mar-2016 09:10:02.066 lame-servers: info: error (network
unreachable) resolving 'rh202ns1.355.dhhs.gov/A/IN':
2607:f220:0:1::2a#53
01-Mar-2016 09:10:02.066 lame-servers: info: error (network
unreachable) resolving 'rh120ns1.368.dhhs.gov/A/IN':
2607:f220:0:1::2a#53
01-Mar-2016 09:10:02.066 lame-servers: info: error (network
unreachable) resolving 'rh202ns2.355.dhhs.gov/A/IN':
2607:f220:0:1::2a#53
01-Mar-2016 09:10:02.066 lame-servers: info: error (network
unreachable) resolving 'rh120ns2.368.dhhs.gov/A/IN':
2607:f220:0:1::2d#53
01-Mar-2016 09:10:02.066 lame-servers: info: error (network
unreachable) resolving 'rh202ns2.355.dhhs.gov/A/IN':
2607:f220:0:1::2d#53
01-Mar-2016 09:10:02.067 lame-servers: info: error (network
unreachable) resolving 'rh202ns1.355.dhhs.gov/A/IN':
2607:f220:0:1::2d#53
01-Mar-2016 09:10:02.067 lame-servers: info: error (network
unreachable) resolving 'rh120ns2.368.dhhs.gov/A/IN':
2607:f220:0:1::2b#53
01-Mar-2016 09:10:02.067 lame-servers: info: error (network
unreachable) resolving 'rh120ns1.368.dhhs.gov/A/IN':
2607:f220:0:1::2d#53
01-Mar-2016 09:10:02.067 lame-servers: info: error (network
unreachable) resolving 'rh202ns2.355.dhhs.gov/A/IN':
2607:f220:0:1::2b#53
01-Mar-2016 09:10:02.067 lame-servers: info: error (network
unreachable) resolving 'rh202ns1.355.dhhs.gov/A/IN':
2607:f220:0:1::2b#53
01-Mar-2016 09:10:02.067 lame-servers: info: error (network
unreachable) resolving 'rh120ns1.368.dhhs.gov/A/IN':
2607:f220:0:1::2b#53

If I dump the cache, the only information in the cache for the
nameservers in question are the AAAA records:

rh202ns1.355.dhhs.gov.  56878   AAAA  2607:f220:0:1::2a
rh202ns2.355.dhhs.gov.  56878   AAAA  2607:f220:0:1::2b
rh120ns1.368.dhhs.gov.  56878   AAAA  2607:f220:0:1::2c
rh120ns2.368.dhhs.gov.  56878   AAAA  2607:f220:0:1::2d

If I look at the queries the recursive resolver issued at the same
time as this failure (which I captured via ngrep), I see it attempt to
refresh the A records for the dhhs.gov nameservers by performing
recursive resolution from the root servers.  Based on the capture,
everything appears to be legitimate.  And indeed, I can successfully
recursively resolve the A records for all 4 nameservers with
"dig +trace +dnssec".

If I flush these records from the cache, then retry the hhs.gov query,
it succeeds, and then the cache contains:

rh202ns1.355.dhhs.gov.  86114   A     158.74.30.98
                        86114   AAAA  2607:f220:0:1::2a
rh202ns2.355.dhhs.gov.  86114   A     158.74.30.99
                        86114   AAAA  2607:f220:0:1::2b
rh120ns1.368.dhhs.gov.  86114   A     158.74.30.102
                        86356   AAAA  2607:f220:0:1::2c
rh120ns2.368.dhhs.gov.  86114   A     158.74.30.103
                        86114   AAAA  2607:f220:0:1::2d

So: it seems like something goes wrong when BIND attempts to refresh
the A records for the above nam
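
A small triage script, added here as an example and not part of the original thread, that parses "lame-servers" log lines in the format quoted above and reports query names whose every "network unreachable" target was an IPv6 address, which is the signature of a v4-only resolver holding only AAAA records for a zone's nameservers. The sample lines are constructed to match the post's log format; the regex assumes that exact layout.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample lines modelled on the BIND "lame-servers" entries
# quoted in the post above; the last line is an unrelated IPv4 failure.
SAMPLE_LOG = """\
01-Mar-2016 09:10:02.064 lame-servers: info: error (network unreachable) resolving 'hhs.gov/MX/IN': 2607:f220:0:1::2c#53
01-Mar-2016 09:10:02.064 lame-servers: info: error (network unreachable) resolving 'hhs.gov/MX/IN': 2607:f220:0:1::2a#53
01-Mar-2016 09:10:02.065 lame-servers: info: error (network unreachable) resolving 'rh120ns2.368.dhhs.gov/A/IN': 2607:f220:0:1::2c#53
01-Mar-2016 09:10:02.066 lame-servers: info: error (network unreachable) resolving 'rh202ns1.355.dhhs.gov/A/IN': 2607:f220:0:1::2a#53
01-Mar-2016 09:10:02.070 lame-servers: info: error (connection refused) resolving 'example.test/A/IN': 192.0.2.10#53
"""

# One regex for the "error (<reason>) resolving '<name>/<type>/<class>': <addr>#<port>" shape.
LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) lame-servers: \w+: error \((?P<err>[^)]*)\) "
    r"resolving '(?P<qname>[^/]+)/(?P<qtype>[^/]+)/(?P<qclass>[^']+)': "
    r"(?P<addr>[0-9a-fA-F:.]+)#(?P<port>\d+)$"
)


def parse_lame_server_lines(text):
    """Yield one dict per parseable lame-servers line, tagged with the IP family."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            rec = m.groupdict()
            rec["family"] = ipaddress.ip_address(rec["addr"]).version
            yield rec


def ipv6_only_failures(text):
    """Return {qname: sorted target addresses} for names whose every
    'network unreachable' target was IPv6. On a host without IPv6 this
    usually means only AAAA records for the nameservers are cached."""
    targets = defaultdict(set)
    families = defaultdict(set)
    for rec in parse_lame_server_lines(text):
        if rec["err"] != "network unreachable":
            continue
        targets[rec["qname"]].add(rec["addr"])
        families[rec["qname"]].add(rec["family"])
    return {q: sorted(a) for q, a in targets.items() if families[q] == {6}}


if __name__ == "__main__":
    for qname, addrs in ipv6_only_failures(SAMPLE_LOG).items():
        print(f"{qname}: only IPv6 targets tried -> {', '.join(addrs)}")
```

Run it against the real named log (or journalctl output) to see which zones are affected before flushing the cache with rndc.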

what does "max-ncache-ttl 0;" mean?

2016-03-01 Thread blrmaani
The man page for named.conf says "max-ncache-ttl" and only talks about
default values and max values - no mention of a minimum value.

Does "max-ncache-ttl 0;" mean never cache negative queries (queries resulting
in NXDOMAIN) or does it mean cache negative queries forever?

Too lazy to test this option or look at the bind code :), hence posting here -
apologies in advance..!!

Blr
___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users


RE: what does "max-ncache-ttl 0;" mean?

2016-03-01 Thread John W. Blue
http://www.google.com/search?q=max-ncache-ttl+0

John



Re: what does "max-ncache-ttl 0;" mean?

2016-03-01 Thread A. Renald Niswady
max-ncache-ttl sets the maximum time (in seconds) for which the server will
cache negative (NXDOMAIN) answers (positives are defined by max-cache-ttl).
The default max-ncache-ttl is 10800 seconds (3 hours). max-ncache-ttl cannot
exceed 7 days and will be silently truncated to 7 days if set to a greater
value. This statement may be used in a view or a global options clause.

Regards, 
A. Renald Niswady 
[NOC-System] Orion Cyber Internet 

PT Orion Cyber Internet 
Gedung Cyber Lt. 1 Jl. Kuningan Barat No. 8, Jakarta Selatan 12710 
Telp: 021 5265566 - Fax: 021 6280883 
Homepage: http://www.orion.net.id 
Internet Access, Webhosting, Colocation, Games and More. 


RE: what does "max-ncache-ttl 0;" mean?

2016-03-01 Thread John W. Blue
Now quote your source.

;)


Re: what does "max-ncache-ttl 0;" mean?

2016-03-01 Thread A. Renald Niswady
hehehe,

http://www.zytrax.com/books/dns/ch7/hkpng.html#max-ncache-ttl

I found the zytrax site really helpful.

Regards
-Renald-
