Re: tcp versus udp

2009-05-05 Thread Mark Elkins
On Wed, 2009-05-06 at 07:59 +0200, Stephane Bortzmeyer wrote: > On Wed, May 06, 2009 at 12:00:12AM -0400, > Danny Mayer wrote > a message of 39 lines which said: > > > That's nonsense. > > That's Peter Dambier. If you try to fix every mistake he makes, you're > not over soon... Some people a

Re: tcp versus udp

2009-05-05 Thread Stephane Bortzmeyer
On Wed, May 06, 2009 at 12:00:12AM -0400, Danny Mayer wrote a message of 39 lines which said: > That's nonsense. That's Peter Dambier. If you try to fix every mistake he makes, you're not over soon... http://xkcd.com/386/

Re: DNS Resolution Failure - FORMERR

2009-05-05 Thread Eric Swenson
I suspect my problem has to do with the fact that imap.gmail.com is a CNAME for gmail-imap.l.google.com. When queries fail (with the FORMERRs), the responses I see coming back to my DNS server include a CNAME record and two A records. When I do the little hack with a manual query, which makes the

Re: tcp versus udp

2009-05-05 Thread Danny Mayer
Peter Dambier wrote: > Hello Martin, > > since a major outage at my provider, dtag.de or Deutsche Telecom AG, I have > trouble > with f.root-servers.net. Sometimes "dig ... +vc" does help me to see > f.root-servers.net. > > The real problem is anycast. With udp it behaves different than with tc

Re: DNS Resolution Failure - FORMERR

2009-05-05 Thread Mark Andrews
In message <4a00c706.5060...@chrysler.com>, Kevin Darcy writes: > > Eric Swenson wrote: > > I apologize for the multiple posts. I didn't think my post was making > > it to the list since I never received my own post, but have been > > receiving those of others. And yes, I'm configured to see m

Re: Delegation or PEBKAC problems?

2009-05-05 Thread Mark Andrews
In message <1d8c9a4471119a40bd574f9d8d464ae304bd4...@xch60ykf.rim.net>, "Todd Snyder" writes: > With help of a list member, we got this figured out. > > The problem is that, outside of the config I showed you, I had a > forwarder setup. > > zone "foo.example" IN { > type forward; >

Re: DNS Resolution Failure - FORMERR

2009-05-05 Thread Kevin Darcy
Eric Swenson wrote: I apologize for the multiple posts. I didn't think my post was making it to the list since I never received my own post, but have been receiving those of others. And yes, I'm configured to see my own posts. A couple people have suggested I look at the trace output of bind

Re: success resolving after reducing the advertised EDNS UDP packet size to 512 octets

2009-05-05 Thread alexus
On Tue, May 5, 2009 at 5:56 PM, Jeremy C. Reed wrote: > On Tue, 5 May 2009, alexus wrote: > >> the other problem im having is these: >> >> May  5 20:44:57 dd named[21037]: success resolving >> '92.68.83.189.zen.spamhaus.org/TXT' (in 'zen.spamhaus.org'?) after >> reducing the advertised EDNS UDP pa

Re: success resolving after reducing the advertised EDNS UDP packet size to 512 octets

2009-05-05 Thread Jeremy C. Reed
On Tue, 5 May 2009, alexus wrote: > the other problem im having is these: > > May 5 20:44:57 dd named[21037]: success resolving > '92.68.83.189.zen.spamhaus.org/TXT' (in 'zen.spamhaus.org'?) after > reducing the advertised EDNS UDP packet size to 512 octets > > i have followings in my named.con

Re: host unreachable resolving

2009-05-05 Thread alexus
On Tue, May 5, 2009 at 5:41 PM, Jeremy C. Reed wrote: > On Tue, 5 May 2009, alexus wrote: > >> i just deployed new bind-9.6.0-p1 >> >> and I'm getting a lot of these: >> >> May  5 20:18:41 dd named[21037]: host unreachable resolving >> '128.235.241.88.zen.spamhaus.org/TXT/IN': 2001:7b8:3:1f:0:2:53

Re: [DNSSEC] SERVFAIL when resolving ".gov" through DLV

2009-05-05 Thread Stephane Bortzmeyer
On Tue, May 05, 2009 at 11:18:05PM +0200, Benedikt Gollatz wrote a message of 15 lines which said: > It has. Well, most people do not track XXX-proposed-updates which is supposed to be a bit... untested. I just had lenny and security.debian.org/updates in my sources.list (this is Debian's de

Re: host unreachable resolving

2009-05-05 Thread Jeremy C. Reed
On Tue, 5 May 2009, alexus wrote: > i just deployed new bind-9.6.0-p1 > > and I'm getting a lot of these: > > May 5 20:18:41 dd named[21037]: host unreachable resolving > '128.235.241.88.zen.spamhaus.org/TXT/IN': 2001:7b8:3:1f:0:2:53:1#53 If you have IPv6 but don't use IPv6, see the named swit

Re: [DNSSEC] SERVFAIL when resolving ".gov" through DLV

2009-05-05 Thread Benedikt Gollatz
On Tuesday 05 May 2009, 23:06 Stephane Bortzmeyer wrote: > On Tue, May 05, 2009 at 01:45:40PM -0500, > Jeremy C. Reed wrote > > https://www.isc.org/node/437 > > I was aware of this bug, but not that it apparently has not been > addressed in Debian It has. An update

Re: [DNSSEC] SERVFAIL when resolving ".gov" through DLV

2009-05-05 Thread Stephane Bortzmeyer
On Tue, May 05, 2009 at 01:45:40PM -0500, Jeremy C. Reed wrote a message of 6 lines which said: > > This is a BIND 9.5.1-P1, Debian package. It is configured to use ISC's > > DLV: > > https://www.isc.org/node/437 I was aware of this bug, but not that it apparently has not been addressed in D

success resolving after reducing the advertised EDNS UDP packet size to 512 octets

2009-05-05 Thread alexus
the other problem im having is these: May 5 20:44:57 dd named[21037]: success resolving '92.68.83.189.zen.spamhaus.org/TXT' (in 'zen.spamhaus.org'?) after reducing the advertised EDNS UDP packet size to 512 octets i have followings in my named.conf edns-udp-size 512; max-udp-siz

host unreachable resolving

2009-05-05 Thread alexus
i just deployed new bind-9.6.0-p1 and I'm getting a lot of these: May 5 20:18:41 dd named[21037]: host unreachable resolving '128.235.241.88.zen.spamhaus.org/TXT/IN': 2001:7b8:3:1f:0:2:53:1#53

Re: [DNSSEC] SERVFAIL when resolving ".gov" through DLV

2009-05-05 Thread Mark Elkins
Does work with bind 9.6.0 - as NSEC3 is available... ; <<>> DiG 9.6.0-P1 <<>> +dnssec @127.0.0.1 SOA gov. ; (1 server found) ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 41388 ;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 8, ADDITIONAL: 1 ;; O

Re: [DNSSEC] SERVFAIL when resolving ".gov" through DLV

2009-05-05 Thread R Dicaire
On Tue, May 5, 2009 at 2:34 PM, Stephane Bortzmeyer wrote: > I get a SERVFAIL when trying to resolve ".gov": I get: ; <<>> DiG 9.4.3-P2 <<>> +dnssec SOA gov. ;; global options: printcmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 32204 ;; flags: qr rd ra; QUERY: 1, ANSWER

Re: [DNSSEC] SERVFAIL when resolving ".gov" through DLV

2009-05-05 Thread Jeremy C. Reed
On Tue, 5 May 2009, Stephane Bortzmeyer wrote: > This is a BIND 9.5.1-P1, Debian package. It is configured to use ISC's > DLV: https://www.isc.org/node/437

[DNSSEC] SERVFAIL when resolving ".gov" through DLV

2009-05-05 Thread Stephane Bortzmeyer
I get a SERVFAIL when trying to resolve ".gov": % dig +dnssec @127.0.0.1 SOA gov. ; <<>> DiG 9.5.1-P1 <<>> +dnssec @127.0.0.1 SOA gov. ; (1 server found) ;; global options: printcmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 54920 ;; flags: qr rd ra; QUERY: 1, ANSWER: 0,

Re: DNS Resolution Failure - FORMERR

2009-05-05 Thread Eric Swenson
I apologize for the multiple posts. I didn't think my post was making it to the list since I never received my own post, but have been receiving those of others. And yes, I'm configured to see my own posts. A couple people have suggested I look at the trace output of bind to see what server is sen

DNS resolution failure - FORMERR

2009-05-05 Thread Eric Swenson
I'm seeing lots of DNS resolution failures on my router (running Ubuntu 8.10, bind 9.3.4). While most succeed, I get quite a few FORMERR errors similar to: May 4 20:25:25 localhost named[19579]: FORMERR resolving ' imap.gmail.com/A/IN': 66.151.140.2#53 May 4 20:25:25 localhost named[19579]: FORM

Re: Bind Statistics questions

2009-05-05 Thread JINMEI Tatuya / 神明達哉
At Tue, 5 May 2009 11:11:13 +0100, Nuno Ribeiro wrote: > I have some doubts and I would like to clarify them: > - Bind ( version 9.5) provides lots of statistics information and provides > two interfaces for users to get access to it (file dump and HTTP access). > For what I see and read the counter

RE: Delegation or PEBKAC problems?

2009-05-05 Thread Todd Snyder
With help of a list member, we got this figured out. The problem is that, outside of the config I showed you, I had a forwarder setup. zone "foo.example" IN { type forward; forward only; forwarders { x; y }; }; My understanding of things was that BIND would answer most s

DNS Resolution Failure - FORMERR

2009-05-05 Thread Eric Swenson
I'm seeing lots of DNS resolution failures on my router (running Ubuntu 8.10, bind 9.3.4). While most succeed, I get quite a few FORMERR errors similar to: May 4 20:25:25 localhost named[19579]: FORMERR resolving ' imap.gmail.com/A/IN': 66.151.140.2#53 May 4 20:25:25 localhost named[19579]: FORM

Re: Bind Statistics questions

2009-05-05 Thread Emery
As I have received numerous requests for my script, I've attached it here. Hopefully it is helpful. * Please note that I have removed our email address and domain at the end of the script during the mailx statement. mailx -s "TOTAL Queries on `uname -n` are running $NUM/min" -r "d...@`

RE: Delegation or PEBKAC problems?

2009-05-05 Thread Todd Snyder
it's been pointed out that I made a mistake cleaning up my example data below .. my dig should read: [10:43:08 r...@ns01.lab.foo.example:~ ()]# dig @ns01.lab.foo.example record.group.lab.foo.example any -Original Message- From: bind-users-boun...@lists.isc.org [mailto:bind-users-boun...@l

RE: Delegation or PEBKAC problems?

2009-05-05 Thread Todd Snyder
>It works that way, sometimes. > >If recursion is enabled on your server, it will query the other servers in >the NS records on behalf of the resolver and return what it finds. If >recursion is off, it will just return the NS records and the resolver is >expected to follow them (and some really

Re: Delegation or PEBKAC problems?

2009-05-05 Thread John Hascall
> My understanding of delegation is that the resolver goes out to its > configured nameserver. That nameserver returns the NS records for the > delegated namespace, then the resolver goes to the delegated server to > ask the next question. Am I incorrect in that? It works that way, sometimes

Delegation or PEBKAC problems?

2009-05-05 Thread Todd Snyder
Good day, (BIND 9.6.0-P1) Although, to me, delegation seems like a fairly simple configuration, I seem to be having problems. What I am trying to do is very simple - I have a lab, and I want to delegate part of the namespace to someone else in the lab. My configuration looks like this: (zone l

Re: Bind Statistics questions

2009-05-05 Thread Emery
Hello Nuno, I don't know if you can reset the stats, but in my environment I had the need to check statistics to alert us to attacks and abnormally high query numbers. In order to do this, I wrote shell scripts that check the current count and write that value to a file. This is a rotati

FORMERR during DNS queries

2009-05-05 Thread Eric Swenson
I'm seeing lots of DNS resolution failures on my router (running Ubuntu 8.10, bind 9.3.4). While most succeed, I get quite a few FORMERR errors similar to: May 4 20:25:25 localhost named[19579]: FORMERR resolving ' imap.gmail.com/A/IN': 66.151.140.2#53 May 4 20:25:25 localhost named[19579]: FORM

Bind Statistics questions

2009-05-05 Thread Nuno Ribeiro
Hi all, I have some doubts and I would like to clarify them: - Bind ( version 9.5) provides lots of statistics information and provides two interfaces for users to get access to it (file dump and HTTP access). For what I see and read the counters are cumulative during the time the service is running.

Re: tcp versus udp

2009-05-05 Thread Peter Dambier
EDNS would be nice if it was working, but the same guy who disabled tcp in the firewall somehow has shot EDNS too. There are so many broken firewalls around nameservers that tcp is a must. It is not an EDNS or bind problem. It is the firewalls in between. Expect the worst but try to give your bes

Re: tcp versus udp

2009-05-05 Thread Traynham . Ken
Please explain: With DNSSEC tcp is almost a must. Same with IPv6. Is EDNS0 not sufficient? Thanks, Ken Ken Traynham Network Engineer, ITS-EPA CLIN9CSC79 TW Alexander Drive, Building 4201, Durham NC 27709ITIS | p: 919.767.7059 | f: 919.767.7506 | traynham@epa.gov | www.csc.com--

Re: tcp versus udp

2009-05-05 Thread Peter Dambier
Hello Martin, since a major outage at my provider, dtag.de or Deutsche Telecom AG, I have trouble with f.root-servers.net. Sometimes "dig ... +vc" does help me to see f.root-servers.net. The real problem is anycast. With udp it behaves different than with tcp. When querying servers that are di

Re: Postgres v MySQL v Berkely backend for BIND

2009-05-05 Thread Chris Dew
Are there performance increases/decreases involved with using a db in place of bind's normal zone files? Is there a sqlite3 backend to bind? Regards, Chris. -- http://www.finalcog.com/ 2009/5/4 David Ford : > I use the DLZ/PG backend and it's rock solid.  I use Ant with a few > modifications