Mark, more than once you have blamed the firewall but I have tested without firewall and NSxx.DOMAINCONTROL.COM do not answer to "dig +dnssec". The real problem is bind. Freshly reloaded bind will do a query with OPT EDNS0 set and after a timeout retry the query without OPT EDNS0 but after some time the queries are only with OPT EDNS0 set. Why? Why no fallback? My machines are running version 9.6-ESV-R1 and 9.4-ESV-R2.
-Sai

In message <201006220016.o5M0G7J4024038 at drugs.dv.isc.org>, Mark Andrews writes:
> 
> Mark Andrews writes:
> > 
> > In message <4C1F85EF.5070901 at rula.net>, Rok Potočnik writes:
> > > Anyway.. I found out what the problem is... they don't reply to dnssec
> > > enabled requests...
> > > 
> > > $ dig +short @ns33.domaincontrol.com. replacementservices.com.
> > > 72.32.12.235
> > > 
> > > $ dig +short +dnssec @ns33.domaincontrol.com. replacementservices.com.
> > > ;; connection timed out; no servers could be reached
> > > 
> > > wanna boycott godaddy?
> > > 
> > > -- 
> > > LP, Rok
> > 
> > They DO respond. Look at your firewall.
> > 
> > % dig +short @ns33.domaincontrol.com. replacementservices.com.
> > 72.32.12.235
> > % dig +short +dnssec @ns33.domaincontrol.com. replacementservices.com.
> > 72.32.12.235
> > %
> > 
> > Mark
> 
> I suspect that your firewall is dropping replies to EDNS queries
> that *don't* include the OPT record (i.e. they are plain DNS not
> EDNS responses). Note that there was no OPT record in the reply.
> 
> ; <<>> DiG 9.3.6-P1 <<>> +dnssec @ns33.domaincontrol.com. replacementservices.com.
> ; (1 server found)
> ;; global options: printcmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 36916
> ;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 0
> 
> ;; QUESTION SECTION:
> ;replacementservices.com.	IN	A
> 
> ;; ANSWER SECTION:
> replacementservices.com.	3600	IN	A	72.32.12.235
> 
> ;; AUTHORITY SECTION:
> replacementservices.com.	3600	IN	NS	ns33.domaincontrol.com.
> replacementservices.com.	3600	IN	NS	ns34.domaincontrol.com.
> 
> ;; Query time: 184 msec
> ;; SERVER: 216.69.185.17#53(216.69.185.17)
> ;; WHEN: Tue Jun 22 10:12:45 2010
> ;; MSG SIZE  rcvd: 109
> 
> Mark
> -- 
> Mark Andrews, ISC
> 1 Seymour St., Dundas Valley, NSW 2117, Australia
> PHONE: +61 2 9871 4742                 INTERNET: marka at isc.org
> _______________________________________________
> bind-users mailing list
> bind-users at lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users

You can stop named making EDNS queries to these servers using the
server statement while you fix your firewall. e.g.

	server 216.69.185.17 { edns no; };

Mark
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka at isc.org
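The thread turns on one observation: the authoritative server answers the plain query and the +dnssec query alike, but the reply to the EDNS query carries no OPT record, and something in between drops it. The script below is an added example written for this page (it is not from the thread, from BIND, or from dig): it builds the same question twice, once plain and once with an EDNS0 OPT record with the DO bit set, and parses whatever comes back, reporting whether the reply carried OPT, which is exactly the detail Mark points at. The server address 192.0.2.1 in the commented-out call is a placeholder, not a real resolver; the constructed sample reply mirrors the shape of the quoted dig output (qr aa rd, one A answer, two NS in authority, no OPT) so the parser can be exercised offline.

```python
import secrets
import socket
import struct

OPT_TYPE = 41          # EDNS0 OPT pseudo-RR (RFC 6891)
A_TYPE, NS_TYPE = 1, 2


def _encode_name(name):
    """Wire-format a domain name as length-prefixed labels plus the root label."""
    labels = [l for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_query(qname, qtype=A_TYPE, edns=True, do=True, udp_size=4096):
    """Build a DNS query (RD set, like dig). With edns=True an OPT record is
    appended in the additional section: owner name is root, CLASS carries the
    UDP payload size, TTL carries ext-rcode/version/DO flag, RDLENGTH is 0."""
    qid = secrets.randbits(16)
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 1 if edns else 0)
    msg = header + _encode_name(qname) + struct.pack("!HH", qtype, 1)
    if edns:
        ttl = 0x8000 if do else 0          # DO bit is bit 15 of the TTL field
        msg += b"\x00" + struct.pack("!HHIH", OPT_TYPE, udp_size, ttl, 0)
    return qid, msg


def _skip_name(msg, off):
    """Advance past a wire-format name, handling compression pointers."""
    while True:
        ln = msg[off]
        if ln == 0:
            return off + 1
        if ln & 0xC0 == 0xC0:
            return off + 2
        off += 1 + ln


def parse_response(msg):
    """Parse header flags, section counts, A answers, and OPT presence."""
    qid, flags, qd, an, ns, ar = struct.unpack_from("!HHHHHH", msg, 0)
    off = 12
    for _ in range(qd):
        off = _skip_name(msg, off) + 4       # skip QTYPE/QCLASS
    res = {"id": qid, "rcode": flags & 0xF, "aa": bool(flags & 0x0400),
           "counts": (an, ns, ar), "answers": [], "opt": False}
    for _ in range(an + ns + ar):
        off = _skip_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack_from("!HHIH", msg, off)
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        if rtype == OPT_TYPE:
            res["opt"] = True
        elif rtype == A_TYPE and rdlen == 4:
            res["answers"].append(socket.inet_ntoa(rdata))
    return res


def probe(server, qname, timeout=3.0):
    """Send the same question plain and with EDNS0+DO and report what comes back.
    Does network I/O; run it by hand against the server you are debugging."""
    out = {}
    for label, edns in (("plain", False), ("edns0+do", True)):
        qid, q = build_query(qname, edns=edns)
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
            s.settimeout(timeout)
            try:
                s.sendto(q, (server, 53))
                data, _ = s.recvfrom(4096)
            except socket.timeout:
                out[label] = "timeout"
                continue
        r = parse_response(data)
        out[label] = r if r["id"] == qid else "id mismatch"
    return out


def constructed_plain_reply(qid):
    """Constructed sample reply shaped like the dig output quoted in the thread:
    flags qr aa rd, one A answer, two NS in authority, and no OPT record."""
    hdr = struct.pack("!HHHHHH", qid, 0x8500, 1, 1, 2, 0)
    question = _encode_name("replacementservices.com") + struct.pack("!HH", A_TYPE, 1)
    ptr = b"\xc0\x0c"                      # compression pointer to the qname at offset 12
    answer = ptr + struct.pack("!HHIH", A_TYPE, 1, 3600, 4) + socket.inet_aton("72.32.12.235")
    auth = b""
    for host in ("ns33.domaincontrol.com", "ns34.domaincontrol.com"):
        rdata = _encode_name(host)
        auth += ptr + struct.pack("!HHIH", NS_TYPE, 1, 3600, len(rdata)) + rdata
    return hdr + question + answer + auth


if __name__ == "__main__":
    r = parse_response(constructed_plain_reply(36916))
    print("sample reply: opt=%s aa=%s answers=%s" % (r["opt"], r["aa"], r["answers"]))
    # print(probe("192.0.2.1", "example.com"))   # placeholder server; run by hand
```

Reading the result of probe(): if "plain" returns a parsed reply and "edns0+do" returns "timeout", the server or the path between you and it is dropping the EDNS exchange, which is the pattern Rok reported; if both return replies but the EDNS one has opt False, the server answered the EDNS query with a plain DNS response, which is what Mark's dig output shows, and a firewall that only admits EDNS-looking replies to EDNS queries will discard it. Running the probe from both inside and outside the firewall separates the two cases, and the server { edns no; } statement remains the per-server workaround while the filtering is fixed.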