On Jun 23, 2010, at 2:41 PM, Torsten wrote:

On Wed, 23 Jun 2010 11:01:29 +0200,
Erwin Lansing <er...@freebsd.org> wrote:

On Wed, Jun 23, 2010 at 05:51:24PM +1000, Mark Andrews wrote:

In message
<aanlktinjqorplnyqj5tso2tdwlt_ropzdmrymoiph...@mail.gmail.com>,
Piff writes:
Mark,

more than once you have blamed firewall but I have tested without
firewall and NSxx.DOMAINCONTROL.COM do not answer to "dig
+dnssec".

Wrong.  The nameservers DO answer these queries.

Right, unfortunately.  All is fine on a freshly reloaded bind, but
after a while no answers are seen.  This is on Bind 9.4, 9.5 and 9.6.

# dig +dnssec @ns33.domaincontrol.com. replacementservices.com.

; <<>> DiG 9.3.6-P1 <<>> +dnssec @ns33.domaincontrol.com. replacementservices.com.
; (1 server found)
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 41760
;; flags: qr aa; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 0

;; QUESTION SECTION:
;replacementservices.com.       IN      A

;; ANSWER SECTION:
replacementservices.com. 3600   IN      A       72.32.12.235

;; AUTHORITY SECTION:
replacementservices.com. 3600   IN      NS      ns33.domaincontrol.com.
replacementservices.com. 3600   IN      NS      ns34.domaincontrol.com.

;; Query time: 346 msec
;; SERVER: 216.69.185.17#53(216.69.185.17)
;; WHEN: Wed Jun 23 17:39:43 2010
;; MSG SIZE  rcvd: 109

#

# dig +dnssec @ns33.domaincontrol.com. replacementservices.com.

; <<>> DiG 9.6.1-P3 <<>> +dnssec @ns33.domaincontrol.com. replacementservices.com.
; (1 server found)
;; global options: +cmd
;; connection timed out; no servers could be reached


Since you are not getting answers then there is a problem between
you and the nameservers in question and as just about everyone
else is getting answers as well this puts the problem close to you.
i.e. Your network or your ISP's network.  Something on the path is
doing DPI tests and is rejecting the response.  Do you have a NAT
that does DPI?

No firewall, DPI, NAT or any form of filtering involved on our side,
direct peering with GLBX.

-erwin


Since it's working quite okay for several locations on here, the
problem may be found somewhere in between sites.

I personally don't get any failures with the dig statement from above
no matter how often I try.


<aol>
Me neither! Me neither!
</aol>

I also go through AboveNet.

W


Looking at a tracepath the last hop I see seems to be an edge router of
AboveNet Communications.


tracepath ns33.domaincontrol.com
1:  eve.the-damian.de (195.180.9.245)                      0.132ms pmtu 1500
1:  vl100.cr20.isham.de.easynet.net (195.180.9.252)        0.888ms
1:  vl100.cr20.isham.de.easynet.net (195.180.9.252)        0.830ms
2:  ge1-1.br2.isham.de.easynet.net (212.224.4.90)          0.857ms
3:  ge3-0-2.gr10.isham.de.easynet.net (87.86.71.244)       0.762ms
4:  te0-0-0-0.er10.ixfra.de.easynet.net (87.86.77.247)    10.931ms asymm  7
5:  xe-1-2-0.mpr1.fra4.de.above.net (80.81.194.26)        10.407ms asymm  7
6:  xe-1-1-0.mpr1.cdg12.fr.above.net (64.125.24.6)        22.851ms
7:  xe-4-0-0.mpr1.lhr3.uk.above.net (64.125.31.249)       28.677ms asymm  9
8:  so-0-1-0.mpr2.dca2.us.above.net (64.125.27.165)       98.858ms asymm  9
9:  xe-0-3-0.cr2.dca2.us.above.net (64.125.29.25)        102.567ms asymm 10
10:  xe-0-1-0.er2.dca2.us.above.net (64.125.27.29)         98.730ms asymm 11
11:  xe-1-1-0.er2.iad10.above.net (64.125.26.242)          99.116ms asymm 13
12:  no reply
13:  no reply
14:  no reply
15:  no reply
16:  no reply
17:  no reply
18:  no reply
19:  no reply
20:  no reply
21:  no reply
22:  no reply
23:  no reply
24:  no reply
25:  no reply
26:  no reply
27:  no reply
28:  no reply
29:  no reply
30:  no reply
31:  no reply
    Too many hops: pmtu 1500
    Resume: pmtu 1500




Ciao
Torsten

_______________________________________________
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
