
Problem with .org domain resolution


Juan Rodríguez

Jun 3, 2009, 12:04:21 PM

Hello.
In my company we have a name server BIND 9.6 running on RedHat 4.7 ES. We've realized it doesn't resolve any .org domain. For example:

[root@dnsint ~]# nslookup www.mirrorservice.org 10.20.29.22
;; connection timed out; no servers could be reached

[root@dnsint ~]# nslookup www.madrid.org 10.20.29.22
;; connection timed out; no servers could be reached

[root@dnsint ~]# nslookup www.wikipedia.org 10.20.29.22
;; connection timed out; no servers could be reached

[root@dnsint ~]# nslookup www.marca.es 10.20.29.22
Server:         10.20.29.22
Address:        10.20.29.22#53

Non-authoritative answer:
Name:   www.marca.es
Address: 193.110.128.199

[root@dnsint ~]# nslookup www.elpais.com 10.20.29.22
Server:         10.20.29.22
Address:        10.20.29.22#53

Non-authoritative answer:
www.elpais.com  canonical name = elpais.es.edgesuite.net.
elpais.es.edgesuite.net canonical name = a1749.g.akamai.net.
Name:   a1749.g.akamai.net
Address: 77.67.20.195
Name:   a1749.g.akamai.net
Address: 77.67.20.178

[root@dnsint ~]# nslookup www.telefonica.net 10.20.29.22
Server:         10.20.29.22
Address:        10.20.29.22#53

Non-authoritative answer:
Name:   www.telefonica.net
Address: 213.4.130.95

[root@dnsint ~]# nslookup www.intermonoxfam.org 10.20.29.22
;; connection timed out; no servers could be reached

[root@dnsint ~]#


This is a piece of the configuration:

options {
        directory "/zonas";           // Working directory
        pid-file "/var/run/named.pid";
        statistics-file "/logs/named.stats";
        memstatistics-file "/logs/named.mem";
        dump-file "/logs/named.dump";

        version         none;
        hostname        none;
        server-id       none;

        listen-on-v6 { none; };
        zone-statistics yes;
        recursive-clients 2000;
        cleaning-interval 300;
        max-cache-size 768M;
        notify explicit;
        allow-transfer { XXXXXXXXXXXXXX};
        also-notify { XXXXXXXXXXXXXXX};
        allow-query { XXXXXXXXXXXXXXXX};
};

zone "." {
        type hint;
        file "named.ca";
};

zone "0.0.127.in-addr.arpa" {
        type master;
        file "named.local";
};

and various zones declared...........

The file named.ca is the last updated one.

Please, could you help me with this?
Thank you very much.
_______________________________________________
bind-users mailing list
bind-...@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Kevin Darcy

Jun 3, 2009, 12:38:55 PM
Since .org was recently DNSSEC-signed (http://www.afilias.info/afilias+signs+org+zone), my guess would be that you have a firewall, an intrusion-prevention device, or somesuch, that is dropping the packets because it doesn't understand the DNSSEC records contained in them.

- Kevin

Juan Rodríguez wrote:
> In my company we have a name server BIND 9.6 running on RedHat 4.7 ES. We've realized it doesn't resolve any .org domain. [...]

Kevin Darcy

Jun 3, 2009, 12:41:35 PM
Never mind, reading that press release more deeply, it looks like they're in a _limited_ testing phase right now. Shouldn't affect you directly.

Possibly they're having problems with their testing that might have an indirect effect on resolvability.

- Kevin

Kevin Darcy wrote:
> Since .org was recently DNSSEC-signed (http://www.afilias.info/afilias+signs+org+zone), my guess would be that you have a firewall, an intrusion-prevention device, or somesuch, that is dropping the packets because it doesn't understand the DNSSEC records contained in them.

Jeremy C. Reed

Jun 3, 2009, 1:18:28 PM
On Wed, 3 Jun 2009, Kevin Darcy wrote:

> Kevin Darcy wrote:
> > Since .org was recently DNSSEC-signed
> > (http://www.afilias.info/afilias+signs+org+zone), my guess would be that you
> > have a firewall, an intrusion-prevention device, or somesuch, that is
> > dropping the packets because it doesn't understand the DNSSEC records
> > contained in them.

(Ignoring the "never mind" ...)

That might be the case. 9.6 has DNSSEC validation enabled by default, so
the corresponding DNSSEC records and signatures may be sent back
regardless of whether the label requested is signed or not, such as the NSEC3
(TYPE50) and RRSIGs in the AUTHORITY section.

Juan:

Please use dig instead.

Please try with DNSSEC checking disabled, for example:

dig +cd www.mirrorservice.org @10.20.29.22

dig +cd www.madrid.org @10.20.29.22

dig +cd www.wikipedia.org @10.20.29.22

Please look at your BIND logging. (Maybe search for "error".)
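What Jeremy's test and Kevin's theory both turn on is what the resolver actually puts on the wire: the CD flag that `dig +cd` sets, the EDNS0 OPT pseudo-record, the DO bit that asks for RRSIG/NSEC/NSEC3, and answers that carry record types older DNS filters have never seen. The following is an added example for this thread, written in Python 3; it is not BIND, dig or Check Point code. It builds queries and a reply from scratch (every packet is constructed inline, the NSEC3/RRSIG rdata is filler) and then runs them through `strict_inspector_verdicts`, a hypothetical model of a "pure DNS only" filter that knows RFC 1035, a 512-byte UDP limit and the `CLASSIC_TYPES` set; that model and the name `example.org.` are this example's assumptions, not a description of SmartDefense's rules.

```python
"""DNS wire-format helpers: what `dig +cd`, EDNS0 and the DO bit put on the wire,
plus a model of an over-strict "pure DNS only" inspector. Added example for this
thread, not BIND, dig or Check Point code; every packet is constructed inline."""
import struct

# RR type codes (RFC 1035; OPT RFC 6891; RRSIG/NSEC RFC 4034; NSEC3 RFC 5155)
TYPE_A, TYPE_NS, TYPE_CNAME, TYPE_OPT, TYPE_RRSIG, TYPE_NSEC, TYPE_NSEC3 = 1, 2, 5, 41, 46, 47, 50
CLASSIC_TYPES = {1, 2, 5, 6, 12, 15, 16, 28}   # assumed vocabulary of a pre-DNSSEC inspector
FLAG_RD, FLAG_CD, EDNS_DO = 0x0100, 0x0010, 0x8000


def encode_name(name):
    """Uncompressed wire name: length-prefixed labels ending in a zero byte."""
    labels = [l for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"


def decode_name(msg, off):
    """Read a possibly compressed name; return (name, offset just after it)."""
    labels, end = [], None
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                      # compression pointer (RFC 1035 4.1.4)
            end = off + 2 if end is None else end
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode())
        off += length
    return ".".join(labels) + ".", (off if end is None else end)


def opt_rr(udp_size, do):
    """EDNS0 OPT pseudo-RR: root name, TYPE 41, CLASS = UDP payload size, TTL = flags (DO = top bit)."""
    return b"\x00" + struct.pack("!HHIH", TYPE_OPT, udp_size, EDNS_DO if do else 0, 0)


def build_query(qname, qtype=TYPE_A, txid=0x1234, cd=False, edns=True, do=False, udp_size=4096):
    """cd=True is `dig +cd`; edns=True appends an OPT RR; do=True is `dig +dnssec`."""
    flags = FLAG_RD | (FLAG_CD if cd else 0)
    msg = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 1 if edns else 0)
    msg += encode_name(qname) + struct.pack("!HH", qtype, 1)
    return msg + opt_rr(udp_size, do) if edns else msg


def build_response(query, answers=(), authority=(), edns=True, do=False, udp_size=4096):
    """Reply echoing the query id and question; RRs are (name, type, ttl, rdata) tuples."""
    txid, qflags = struct.unpack("!HH", query[:4])
    _, qend = decode_name(query, 12)
    flags = 0x8000 | 0x0080 | (qflags & (FLAG_RD | FLAG_CD))   # QR, RA, copy RD and CD
    msg = struct.pack("!HHHHHH", txid, flags, 1, len(answers), len(authority), 1 if edns else 0)
    msg += query[12:qend + 4]
    for name, rtype, ttl, rdata in list(answers) + list(authority):
        msg += encode_name(name) + struct.pack("!HHIH", rtype, 1, ttl, len(rdata)) + rdata
    return msg + opt_rr(udp_size, do) if edns else msg


def inspect(msg):
    """Header flags, EDNS parameters and the set of RR types carried by a message."""
    _, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        off = decode_name(msg, off)[1] + 4
    info = {"cd": bool(flags & FLAG_CD), "opt": False, "do": False,
            "udp_size": 512, "types": set(), "size": len(msg)}
    for _ in range(an + ns + ar):
        _, off = decode_name(msg, off)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10 + rdlen
        if rtype == TYPE_OPT:
            info.update(opt=True, udp_size=rclass, do=bool(ttl & EDNS_DO))
        else:
            info["types"].add(rtype)
    return info


def strict_inspector_verdicts(msg):
    """What a hypothetical RFC 1035-only inspector (512-byte UDP, no EDNS) would object to."""
    i = inspect(msg)
    unknown = sorted(i["types"] - CLASSIC_TYPES)
    checks = [
        (i["opt"], "EDNS0 OPT RR present"),
        (i["udp_size"] > 512, "advertises UDP payload > 512 (%d)" % i["udp_size"]),
        (i["do"], "DO bit set (asks for RRSIG/NSEC/NSEC3 records)"),
        (i["size"] > 512, "message larger than 512 bytes (%d)" % i["size"]),
        (bool(unknown), "non-classic RR types %s" % unknown),
    ]
    return [text for hit, text in checks if hit]


if __name__ == "__main__":
    plain = build_query("www.madrid.org", edns=False)   # classic query, like nslookup here
    dig_cd = build_query("www.madrid.org", cd=True)     # `dig +cd` carrying an OPT RR
    # Constructed reply shaped like Jeremy's description: NSEC3 + RRSIG in AUTHORITY (filler rdata)
    reply = build_response(dig_cd, authority=[("example.org.", TYPE_NSEC3, 86400, bytes(6)),
                                              ("example.org.", TYPE_RRSIG, 86400, bytes(80))], do=True)
    for label, m in (("plain", plain), ("dig +cd", dig_cd), ("reply", reply)):
        print("%-8s %3d bytes -> %s" % (label, len(m), strict_inspector_verdicts(m) or "passes"))
```

The point the output makes: the classic query passes the model filter, `dig +cd` still fails it because the CD bit does nothing about the OPT record and the 4096-byte advertisement, and the reply fails on type codes 46 and 50 alone. `+cd` only tells the resolver to skip validation; it does not make the packets look like 1990s DNS.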

Juan Rodríguez

Jun 3, 2009, 2:20:59 PM

Thank you both.

Kevin, you're right. We have a Checkpoint firewall which is configured to do some kind of DNS protections using SmartDefense; it is called protocol enforcement and can be UDP or TCP. We have UDP protection enabled; its description is the following one (copy & paste from Checkpoint):

-------------------------
Attack Description:
DNS protocol is used to identify servers according to their IP addresses and aliases. DNS protocol messages can be transported over TCP or UDP.

To infect a network with malicious content, attackers attempt to change the content of a DNS packet sent over TCP or UDP with the hope that it will enter the network undetected.

SmartDefense Protection:
SmartDefense is able to recognize a DNS packet that has been altered. This ability enables SmartDefense to catch potentially harmful packets before they enter the network.

SmartDefense enables a system administrator to enforce TCP and UDP protocols. Only pure DNS packets sent over TCP or UDP will be able to enter the network. In this case, all DNS port connections over UDP and TCP will be monitored to verify that every DNS packet attempting to enter the network has not been altered.

With the enforcement of the UDP and TCP protocols the potential for maliciously altered DNS packets to enter the system is decreased.

A monitor-only mode makes it possible to track unauthorized traffic without blocking it.
-----------------------

If I disable this protection the .org resolution works fine!! So, that is the case: the firewall is dropping the packets with this DNSSEC stuff in them.

Jeremy, I've enabled DNS protection in our firewall and I've carried out the tests you say:

With dnssec enabled:

[root@dnsint01 bin]# ./dig +cd www.madrid.org @10.20.29.22

; <<>> DiG 9.6.0-P1 <<>> +cd www.madrid.org @10.20.29.22
;; global options: +cmd
;; connection timed out; no servers could be reached
[root@dnsint bin]#

and in named.logs:

03-Jun-2009 20:03:03.826 network unreachable resolving 'www.madrid.org/A/IN': 2001:500:c::1#53
03-Jun-2009 20:03:13.875 unexpected RCODE (SERVFAIL) resolving 'www.madrid.org/A/IN': 199.249.112.1#53


After using command "dnssec-enable no;" in option section in named.conf:

[root@dnsint01 bin]# ./dig +cd www.madrid.org @10.20.29.22

; <<>> DiG 9.6.0-P1 <<>> +cd www.madrid.org @10.20.29.22
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 17343
;; flags: qr rd ra; QUERY: 1, ANSWER: 5, AUTHORITY: 9, ADDITIONAL: 0

;; QUESTION SECTION:
;www.madrid.org.                        IN      A

;; ANSWER SECTION:
www.madrid.org.                 1800    IN      CNAME   www.madrid.org.edgesuite.net.
www.madrid.org.edgesuite.net.   21600   IN      CNAME   a621.b.akamai.net.
a621.b.akamai.net.              20      IN      CNAME   a621.b.akamai.net.0.1.cn.akamaitech.net.
a621.b.akamai.net.0.1.cn.akamaitech.net. 20 IN  A       80.157.169.10
a621.b.akamai.net.0.1.cn.akamaitech.net. 20 IN  A       80.157.169.19

;; AUTHORITY SECTION:
cn.akamaitech.net.      1799    IN      NS      n4cn.akamaitech.net.
cn.akamaitech.net.      1799    IN      NS      n1cn.akamaitech.net.
cn.akamaitech.net.      1799    IN      NS      n0cn.akamaitech.net.
cn.akamaitech.net.      1799    IN      NS      n2cn.akamaitech.net.
cn.akamaitech.net.      1799    IN      NS      n7cn.akamaitech.net.
cn.akamaitech.net.      1799    IN      NS      n6cn.akamaitech.net.
cn.akamaitech.net.      1799    IN      NS      n5cn.akamaitech.net.
cn.akamaitech.net.      1799    IN      NS      n8cn.akamaitech.net.
cn.akamaitech.net.      1799    IN      NS      n3cn.akamaitech.net.

;; Query time: 4079 msec
;; SERVER: 10.20.29.22#53(10.20.29.22)
;; WHEN: Wed Jun  3 20:08:36 2009
;; MSG SIZE  rcvd: 355

[root@dnsint01 bin]#

and in named.log:

03-Jun-2009 20:04:17.251 network unreachable resolving 'www.madrid.org/A/IN': 2001:500:40::1#53
03-Jun-2009 20:04:18.494 network unreachable resolving 'www.madrid.org/A/IN': 2001:500:b::1#53
03-Jun-2009 20:04:19.805 network unreachable resolving 'www.madrid.org/A/IN': 2001:500:48::1#53
03-Jun-2009 20:04:19.805 network unreachable resolving 'www.madrid.org/A/IN': 2001:500:f::1#53
03-Jun-2009 20:04:21.344 network unreachable resolving 'www.madrid.org/A/IN': 2001:500:e::1#53
03-Jun-2009 20:04:22.704 network unreachable resolving 'www.madrid.org/A/IN': 2001:500:c::1#53
03-Jun-2009 20:04:22.776 success resolving 'www.madrid.org/A' (in 'madrid.org'?) after disabling EDNS

Note: I've realized that messages of the kind "network unreachable resolving" are very common in the named logs.

Note: The same behaviour with other .org domains.

Thank you.


> Date: Wed, 3 Jun 2009 12:18:28 -0500
> From: jr...@isc.org
> Subject: Re: Problem with .org domain resolution
>
> Please use dig instead.
>
> Please try with DNSSEC checking disabled, for example:
>
> dig +cd www.madrid.org @10.20.29.22
>
> Please look at your BIND logging. (Maybe search for "error".)
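The two named.log excerpts in the message above carry two different signals that are easy to mix up: the repeated "network unreachable" lines for 2001:500:... addresses (root and TLD name servers reached over IPv6 from a host with no IPv6 route) and the single "success resolving ... after disabling EDNS" line, which BIND emits only after a retry without EDNS succeeded, i.e. the direct evidence of an EDNS-hostile path. The following is an added example, not BIND code and not the poster's: a Python 3 triage of exactly those lines. The sample log is copied from the message above and embedded as a constant; the bucket names, the regular expressions and the advice strings are this example's own.

```python
"""Triage of BIND resolver log lines like the ones quoted in this thread.
Added example (not BIND code, not the poster's); the sample lines below are
copied from the message above, the bucket names and advice are this example's own."""
import ipaddress
import re
from collections import Counter

TS = r"(?P<ts>\d{2}-[A-Za-z]{3}-\d{4} \d{2}:\d{2}:\d{2}\.\d{3}) "
ADDR = r"(?P<addr>[0-9A-Fa-f:.]+)#\d+"
PATTERNS = [
    ("unreachable", re.compile(TS + r"network unreachable resolving '(?P<q>[^']+)': " + ADDR)),
    ("rcode", re.compile(TS + r"unexpected RCODE \((?P<rcode>\w+)\) resolving '(?P<q>[^']+)': " + ADDR)),
    ("fallback", re.compile(TS + r"success resolving '(?P<q>[^']+)' \(in '(?P<zone>[^']+)'\?\) after (?P<action>.+)$")),
]

# Constructed sample: the lines the poster quoted from named.log
SAMPLE_LOG = """\
03-Jun-2009 20:03:03.826 network unreachable resolving 'www.madrid.org/A/IN': 2001:500:c::1#53
03-Jun-2009 20:03:13.875 unexpected RCODE (SERVFAIL) resolving 'www.madrid.org/A/IN': 199.249.112.1#53
03-Jun-2009 20:04:17.251 network unreachable resolving 'www.madrid.org/A/IN': 2001:500:40::1#53
03-Jun-2009 20:04:18.494 network unreachable resolving 'www.madrid.org/A/IN': 2001:500:b::1#53
03-Jun-2009 20:04:19.805 network unreachable resolving 'www.madrid.org/A/IN': 2001:500:48::1#53
03-Jun-2009 20:04:19.805 network unreachable resolving 'www.madrid.org/A/IN': 2001:500:f::1#53
03-Jun-2009 20:04:21.344 network unreachable resolving 'www.madrid.org/A/IN': 2001:500:e::1#53
03-Jun-2009 20:04:22.704 network unreachable resolving 'www.madrid.org/A/IN': 2001:500:c::1#53
03-Jun-2009 20:04:22.776 success resolving 'www.madrid.org/A' (in 'madrid.org'?) after disabling EDNS
"""


def parse_line(line):
    """Return a dict with 'kind' plus the named groups, or None for lines we do not model."""
    for kind, rx in PATTERNS:
        m = rx.match(line.strip())
        if m:
            return {"kind": kind, **m.groupdict()}
    return None


def classify(ev):
    """Map a parsed event to a triage bucket."""
    if ev["kind"] == "unreachable":
        # Root and TLD servers publish AAAA records; a resolver host without an IPv6
        # route logs 'network unreachable' for each of them. IPv4 unreachables are real.
        return "v6_noise" if ipaddress.ip_address(ev["addr"]).version == 6 else "v4_unreachable"
    if ev["kind"] == "rcode":
        return "servfail" if ev["rcode"] == "SERVFAIL" else "rcode_" + ev["rcode"].lower()
    # BIND logs this only after retrying without EDNS (or with a smaller EDNS size)
    # succeeded: something between resolver and authority is hostile to EDNS0.
    return "edns_fallback" if "EDNS" in ev["action"] else "other_fallback"


def triage(lines):
    buckets, fallback_zones, servfail_servers = Counter(), Counter(), Counter()
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        bucket = classify(ev)
        buckets[bucket] += 1
        if bucket == "edns_fallback":
            fallback_zones[ev["zone"]] += 1
        elif bucket == "servfail":
            servfail_servers[ev["addr"]] += 1
    return {"buckets": buckets, "edns_fallback_zones": fallback_zones,
            "servfail_servers": servfail_servers}


def findings(summary):
    """Human-readable conclusions in priority order: path problems first, noise last."""
    out = []
    if summary["edns_fallback_zones"]:
        zones = ", ".join(sorted(summary["edns_fallback_zones"]))
        out.append("EDNS fallback for %s: check firewalls/IPS on the path for EDNS0/DNSSEC filtering" % zones)
    if summary["servfail_servers"]:
        out.append("SERVFAIL from %s" % ", ".join(sorted(summary["servfail_servers"])))
    if summary["buckets"]["v6_noise"]:
        out.append("%d IPv6 'network unreachable' events: no IPv6 route on this host; "
                   "start named with -4 to stop it trying AAAA addresses" % summary["buckets"]["v6_noise"])
    return out


if __name__ == "__main__":
    s = triage(SAMPLE_LOG.splitlines())
    print(dict(s["buckets"]))
    for f in findings(s):
        print("-", f)
```

Run against the quoted lines it reports seven IPv6 noise events, one SERVFAIL from 199.249.112.1 and one EDNS fallback for madrid.org, and puts the fallback first: that is the line worth alerting on, because it means the resolver only got an answer by degrading itself. Setting `dnssec-enable no;` hides that symptom on the resolver side; the finding points back at the device on the path.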

Mark Andrews

Jun 3, 2009, 7:47:03 PM

ORG uses NSEC3 rather than NSEC. It would be interesting
to see if you can get responses from .SE or not with the
setting enabled. SE uses NSEC which has been around years
longer than NSEC3.

Mark
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org
