In message <0539E64AD2B54AD2804C2394F923800B@se179>, "Shaoquan Lin" writes: > Mark, > > Are these bugs (2784 and 1804) fixed by BIND 9.6.1-P3? My problem is that I > can not get A records of NSs (like vwall4a.nyc.gov) of nyc.gov from > b.gov-servers.net by BIND 9.6.1-P3 but with no problem with older BINDs like > 9.3. I don't know if the problem is with the authoritative nameservers for > gov or the nameservers for nyc.gov or with the BIND I am using. I noticed > the following:
Just fix your firewalls to allow EDNS responses through. While this is a bug in the authoritative servers / interpretation of RFC 1034, its only a issue because your firewall configuration is a decade out of date that it is a problem. > 1). a.gov-servers.net or b.gov-servers.net does provide A records in the > additional records of their responses for other subdomain under gov like > treas.gov, just not nyc.gov. So the problem seems with nameservers for > nyc.gov. The problem is relatively new and there might be some recent > changes on nyc.gov. The gov servers will return glue if you let bigger answers than 512 bytes through your firewall. ; <<>> DiG 9.6.0-APPLE-P2 <<>> +norec vwall4a.nyc.gov @b.gov-servers.net +dnssec ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 50028 ;; flags: qr; QUERY: 1, ANSWER: 0, AUTHORITY: 6, ADDITIONAL: 5 ;; OPT PSEUDOSECTION: ; EDNS: version: 0, flags:; udp: 1472 ;; QUESTION SECTION: ;vwall4a.nyc.gov. IN A ;; AUTHORITY SECTION: nyc.gov. 86400 IN NS vwall1a.nyc.gov. nyc.gov. 86400 IN NS vwall2a.nyc.gov. nyc.gov. 86400 IN NS vwall3a.nyc.gov. nyc.gov. 86400 IN NS vwall4a.nyc.gov. rq2651faaj4nen6tfis8ju5005qccn8j.gov. 86400 IN NSEC3 1 0 8 4C44934802D3 RQDJO8PKJ2LEUMC30SGU45DDI643G497 NS rq2651faaj4nen6tfis8ju5005qccn8j.gov. 86400 IN RRSIG NSEC3 7 2 86400 20110227210022 20110222210022 47602 gov. ENl60LTdlJfmyDp9wrwh6bQao8TvqTk8hX4qD6x4bHGBixjsGhOy/si8 JVUl1MbeJ1PaJ3p59/ABFUv7ApOh5v6eflzhsBa6EalBrYCC5HpOabJn Q2r0RFqDvUb1Qo921cnbC+3Bh37i3DVTbK+poYpIkbpJAxOE+/zp/PrA 1L0v2kuS9t6gHLk+ZzfsQI6Gi9Ezg2VZIhVXGz06a7EzyGy2BZ/Plz4u In2Dj5ncwAlAi9dC6xiQTW2yRmVSQoXzNZKUcZO+E0mPKPR9DcNVotX9 CzTbrOyKNtYrrV6GNslN5qicuHIehriQIMPdXs3/e2ZhB3h944kpymqL ag3tCg== ;; ADDITIONAL SECTION: vwall1a.nyc.gov. 86400 IN A 161.185.1.3 vwall2a.nyc.gov. 86400 IN A 161.185.1.12 vwall3a.nyc.gov. 86400 IN A 167.153.130.12 vwall4a.nyc.gov. 86400 IN A 167.153.130.13 ;; Query time: 187 msec ;; SERVER: 209.112.123.30#53(209.112.123.30) ;; WHEN: Wed Feb 23 11:54:06 2011 ;; MSG SIZE rcvd: 574 > 2) Older version of Binds (like 9.3) seems able to resolve vwall4a.nyc.gov > as shown the packets I captured in my previous e-mail. > > What options in named.conf I can use to set "tc"? > > Thank you. > > Shaoquan Lin -- Mark Andrews, ISC 1 Seymour St., Dundas Valley, NSW 2117, Australia PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org _______________________________________________ bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users