On Wed, 23 Jun 2010 11:01:29 +0200, Erwin Lansing <er...@freebsd.org> wrote:
> On Wed, Jun 23, 2010 at 05:51:24PM +1000, Mark Andrews wrote:
> >
> > In message
> > <aanlktinjqorplnyqj5tso2tdwlt_ropzdmrymoiph...@mail.gmail.com>,
> > Piff writes:
> > > Mark,
> > >
> > > more than once you have blamed firewall but I have tested without
> > > firewall and NSxx.DOMAINCONTROL.COM do not answer to "dig
> > > +dnssec".
> >
> > Wrong. The nameservers DO answer these queries.
>
> Right, unfortunately. All is fine on a freshly reloaded bind, but
> after a while no answers are seen. This is on Bind 9.4, 9.5 and 9.6.
>
> >
> > # dig +dnssec @ns33.domaincontrol.com. replacementservices.com.
> >
> > ; <<>> DiG 9.3.6-P1 <<>> +dnssec @ns33.domaincontrol.com. replacementservices.com.
> > ; (1 server found)
> > ;; global options: printcmd
> > ;; Got answer:
> > ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 41760
> > ;; flags: qr aa; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 0
> >
> > ;; QUESTION SECTION:
> > ;replacementservices.com. IN A
> >
> > ;; ANSWER SECTION:
> > replacementservices.com. 3600 IN A 72.32.12.235
> >
> > ;; AUTHORITY SECTION:
> > replacementservices.com. 3600 IN NS ns33.domaincontrol.com.
> > replacementservices.com. 3600 IN NS ns34.domaincontrol.com.
> >
> > ;; Query time: 346 msec
> > ;; SERVER: 216.69.185.17#53(216.69.185.17)
> > ;; WHEN: Wed Jun 23 17:39:43 2010
> > ;; MSG SIZE rcvd: 109
> >
> > #
>
> # dig +dnssec @ns33.domaincontrol.com. replacementservices.com.
>
> ; <<>> DiG 9.6.1-P3 <<>> +dnssec @ns33.domaincontrol.com. replacementservices.com.
> ; (1 server found)
> ;; global options: +cmd
> ;; connection timed out; no servers could be reached
>
> >
> > Since you are not getting answers then there is a problem between
> > you and the nameservers in question and as just about everyone
> > else is getting answers as well this puts the problem close to you.
> > i.e. Your network or your ISP's network. Something on the path is
> > doing DPI tests and is rejecting the response. Do you have a NAT
> > that does DPI?
>
> No firewall, DPI, NAT or any form of filtering involved on our side,
> direct peering with GLBX.
>
> -erwin
>

Since it's working quite okay for several locations on here, the
problem may be found somewhere in between sites. I personally don't get
any failures with the dig statement from above no matter how often I
try. Looking at a tracepath the last hop I see seems to be an edge
router of AboveNet Communications.

tracepath ns33.domaincontrol.com
 1:  eve.the-damian.de (195.180.9.245)                  0.132ms pmtu 1500
 1:  vl100.cr20.isham.de.easynet.net (195.180.9.252)    0.888ms
 1:  vl100.cr20.isham.de.easynet.net (195.180.9.252)    0.830ms
 2:  ge1-1.br2.isham.de.easynet.net (212.224.4.90)      0.857ms
 3:  ge3-0-2.gr10.isham.de.easynet.net (87.86.71.244)   0.762ms
 4:  te0-0-0-0.er10.ixfra.de.easynet.net (87.86.77.247) 10.931ms asymm 7
 5:  xe-1-2-0.mpr1.fra4.de.above.net (80.81.194.26)     10.407ms asymm 7
 6:  xe-1-1-0.mpr1.cdg12.fr.above.net (64.125.24.6)     22.851ms
 7:  xe-4-0-0.mpr1.lhr3.uk.above.net (64.125.31.249)    28.677ms asymm 9
 8:  so-0-1-0.mpr2.dca2.us.above.net (64.125.27.165)    98.858ms asymm 9
 9:  xe-0-3-0.cr2.dca2.us.above.net (64.125.29.25)      102.567ms asymm 10
10:  xe-0-1-0.er2.dca2.us.above.net (64.125.27.29)      98.730ms asymm 11
11:  xe-1-1-0.er2.iad10.above.net (64.125.26.242)       99.116ms asymm 13
12:  no reply
13:  no reply
14:  no reply
15:  no reply
16:  no reply
17:  no reply
18:  no reply
19:  no reply
20:  no reply
21:  no reply
22:  no reply
23:  no reply
24:  no reply
25:  no reply
26:  no reply
27:  no reply
28:  no reply
29:  no reply
30:  no reply
31:  no reply
     Too many hops: pmtu 1500
     Resume: pmtu 1500

Ciao
Torsten
_______________________________________________
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users