I've been reading RFC2915 and have a couple of questions about NAPTR
records. I'm trying to do *basic* validation of data from a database
being processed into the DNS.
1: Can the Flags field be empty? It seems to me that it can be under
some circumstances.
2: Can the Replacement field be empty? I
In message <1505723565.2518.54.ca...@biplane.com.au>, Karl Auer writes:
> I've been reading RFC2915 and have a couple of questions about NAPTR
> records. I'm trying to do *basic* validation of data from a database
> being processed into the DNS.
>
> 1: Can the Flags field be empty? It seems to me
On Mon, 2017-09-18 at 19:45 +1000, Mark Andrews wrote:
> In message <1505723565.2518.54.ca...@biplane.com.au>, Karl Auer
> writes:
> > 2: Can the Replacement field be empty? It looks from the text and
> > examples as if it should always contain a complete domain name BUT
> > that if the Regexp fiel
Good day,
I've been having an interesting issue with BIND and wondering if anyone has had
this before or knows how to fix it.
The issue is,
I have 2 recursive/caching DNS servers running BIND 9.9.4-RedHat-9.9.4-51.el7,
which are slow to query for this particular domain.
Noaa.gov (as well as its
Mark Elkins wrote:
>
> On my side, I can 'import' the KSK from the properly signed zone,
> Generate the DS record and EPP it up to the Registry. That all works
> fine, currently with the push of one (web) button. Will change/add this
> to something RESTful. Then, for full automation (KSK Rollover'
Hi Ricky,
Try running a "dig +trace www.nhc.noaa.gov," then query each record in
the chain and see which one's slow to respond. I don't see anything
crazy in your named.conf. Something you didn't mention: does clearing
cache make a difference?
John
--
John Miller
Systems Engineer
Brandeis Univ
Thank you for your reply,
When I notice too many failed queries from this domain name (www.nhc.noaa.gov)
restarting the service or clearing the cache (rndc reload), seems to allow
queries to work. But still latent (in the 3500ms range)
This is what I get from a DIG +trace... the connection time
On Mon, Sep 18, 2017 at 10:40 AM, Levesque, Ricky (SNB)
wrote:
> Thank you for your reply,
> When I notice too many failed queries from this domain name
> (www.nhc.noaa.gov) restarting the service or clearing the cache (rndc
> reload), seems to allow queries to work. But still latent (in the 350
Hi Ricky,
Sounds like if things are timing out at the noaa.gov nameservers, then
that's where you need to start looking. Try each nameserver that the
.gov nameservers give for noaa.gov and see if all of them are
unreachable, if just one's unreachable, if they're traceroute-able,
etc. A lot of ti
Thanks Warren,
I can query all the noaa.gov name servers without issues, and the replies are
fast (sub 100ms)
-Original Message-
From: Warren Kumari [mailto:war...@kumari.net]
Sent: September 18, 2017 12:06 PM
To: Levesque, Ricky (SNB)
Cc: John Miller ; bind-users@lists.isc.org
Subject:
The noaa.gov name servers also have ipv6 addresses but I don't get a
reply from that address.
You may want to trace whether your name server is using that address
when you see the problem.
On 18/09/2017 17:17, Levesque, Ricky (SNB) wrote:
> Thanks Warren,
> I can query all the noaa.gov name serv
I actually expect that your problem is your firewall in that it is
dropping fragmented UDP responses. The UDP responses for
www.nhc.noaa.gov are large. They do not fit in a single ethernet
frame.
Compare the following two queries.
dig www.nhc.noaa.gov +dnssec +norec @140.90.33.237
In message <36f8dd297fd5504aa37968ada5ba93eb01178c2...@gnbexmb8pb.gnb.ca>,
"Levesque, Ricky (SNB)" writes:
> Thanks Warren,
> I can query all the noaa.gov name servers without issues, and the replies
> are fast (sub 100ms)
Remember nameservers ask questions with different options set to
DiG's de
Hi all,
We used bind to do the DNSSEC, DYNAMIC ZONES, AND AUTOMATIC SIGNING.
But last week we found that there is just one 'RRSIGNSEC3' record that is
illegal (no correct RSASHA256 signature) signed by bind.
dnssec-verify -o XXX -E pkcs11 XXX.txt.signed
Loading zone 'X
In message <1505734269.2518.70.ca...@biplane.com.au>, Karl Auer writes:
> On Mon, 2017-09-18 at 19:45 +1000, Mark Andrews wrote:
> > In message <1505723565.2518.54.ca...@biplane.com.au>, Karl Auer
> > writes:
> > > 2: Can the Replacement field be empty? It looks from the text and
> > > examples as
On Tue, 2017-09-19 at 13:56 +1000, Mark Andrews wrote:
> In message <1505734269.2518.70.ca...@biplane.com.au>, Karl Auer
> writes:
> > And is it true that "if the Regexp field is not empty, the
> > Replacement field will not be used"?
> With the current flags no but who knows what will happen in the
In message <1505796688.2518.99.ca...@biplane.com.au>, Karl Auer writes:
> On Tue, 2017-09-19 at 13:56 +1000, Mark Andrews wrote:
> > In message <1505734269.2518.70.ca...@biplane.com.au>, Karl Auer
> > writes:
> > > And is it true that "if the Regexp field is not empty, the
> > > Replacement field
In message
, John
Miller writes:
> Hi Ricky,
>
> Try running a "dig +trace www.nhc.noaa.gov," then query each record in
> the chain and see which one's slow to respond. I don't see anything
> crazy in your named.conf. Something you didn't mention: does clearing
> cache make a difference?
W