Hello,
please see answer in-line:
On 27. 10. 22 14:28, Veronique Lefebure wrote:
> (*) On an external DNS server you can try with the following similar case:
> Running DiG 9.11.21 on a Linux client
> ext-dns-1 (192.65.187.5) runs BIND9.16:
> dig @ext-dns-1 foundservices.cern.ch | grep flags | grep ANSWER
> ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
> dig @ext-dns-1 foundservices.cern.ch *+norecurse* | grep flags | grep ANSWER
> ;; flags: qr aa ra; QUERY: 1, ANSWER: *1*, AUTHORITY: 0, ADDITIONAL: 1
> Full output:
> dig @192.65.187.5 foundservices.cern.ch +norecurse
> ; <<>> DiG 9.11.21 <<>> @192.65.187.5 foundservices.cern.ch +norecurse
> ; (1 server found)
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 9899
> ;; flags: qr aa ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
Please note that your output above contains the "ra" flag - Recursion
Available. That one should be set only when talking to a resolver which
can chase down indirection as needed.
I'm getting a different answer when I ask from my machine:
$ dig @192.65.187.5 foundservices.cern.ch | grep flags | grep ANSWER
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
Most importantly, no "ra" flag is listed here.
This can be either a configuration thing (an ACL which allows recursion
for your source address but not mine), or something messing with packets
on the network level.
It's hard to say what is going on when we can't see configs and can't
access the servers.
In case sharing real configs & zones on this mailing list is not an
option, then there are two possible ways forward:
1. Reproduce the problem by recreating a minimal working configuration &
zone data to demonstrate the exact behavior using only the data which
can be shared.
2. Get commercial support with an NDA in place. With that in place we could
hopefully be allowed to see everything we need. Please see
https://www.isc.org/support/ for more details.
> Greg, can I send you a pcap file in a private email?
I'm not Greg, but please don't e-mail us privately.
https://blog.powerdns.com/2016/01/18/open-source-support-out-in-the-open/
applies here as well.
--
Petr Špaček
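
Added example, not part of the original message or of BIND/dig: the flag lines compared in this thread come from the 16-bit flags field of the 12-byte DNS header, and this sketch decodes that field and lists what differs between two clients' views of the same answer. The function names and the header bytes are constructed to match the dig output quoted above; the first two message ids are made up.

```python
import struct

# Flag bits of the 16-bit field at offset 2 of the DNS header (RFC 1035 4.1.1;
# ad and cd are the DNSSEC bits), in the order dig prints them.
FLAG_BITS = {"qr": 0x8000, "aa": 0x0400, "tc": 0x0200, "rd": 0x0100,
             "ra": 0x0080, "ad": 0x0020, "cd": 0x0010}
SECTIONS = ("QUERY", "ANSWER", "AUTHORITY", "ADDITIONAL")

def parse_header(packet: bytes) -> dict:
    """Decode the fixed 12-byte DNS header into the fields dig shows."""
    if len(packet) < 12:
        raise ValueError("DNS header needs 12 bytes, got %d" % len(packet))
    fields = struct.unpack("!6H", packet[:12])
    msg_id, flags = fields[0], fields[1]
    return {
        "id": msg_id,
        "opcode": (flags >> 11) & 0xF,
        "rcode": flags & 0xF,
        "flags": [name for name, bit in FLAG_BITS.items() if flags & bit],
        "counts": dict(zip(SECTIONS, fields[2:])),
    }

def compare_views(a: dict, b: dict) -> list:
    """Differences between two responses to the same question seen from two clients."""
    diffs = []
    # rd is copied from the query, so only server-set bits are compared.
    for flag in ("aa", "ra"):
        if (flag in a["flags"]) != (flag in b["flags"]):
            diffs.append("flag %s differs" % flag)
    for section in SECTIONS:
        if a["counts"][section] != b["counts"][section]:
            diffs.append("%s count %d vs %d"
                         % (section, a["counts"][section], b["counts"][section]))
    return diffs

# Constructed headers matching the flag lines in this thread.
VIEW_A = struct.pack("!6H", 0x1111, 0x8580, 1, 2, 0, 1)    # qr aa rd ra, ANSWER: 2
VIEW_B = struct.pack("!6H", 0x2222, 0x8500, 1, 1, 0, 1)    # qr aa rd,    ANSWER: 1
NORECURSE = struct.pack("!6H", 9899, 0x8480, 1, 1, 0, 1)   # qr aa ra,    ANSWER: 1

if __name__ == "__main__":
    for name, pkt in (("A", VIEW_A), ("B", VIEW_B), ("norecurse", NORECURSE)):
        h = parse_header(pkt)
        print(name, " ".join(h["flags"]), h["counts"])
    print(compare_views(parse_header(VIEW_A), parse_header(VIEW_B)))
```

Run against headers cut from a pcap taken on each client, the same comparison shows whether the ra bit and the answer count already differ on the wire.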