Re: Bind 9.11 serving up false answers for a single domain.
Thank you all for responding. One final query about this. I'm seeing this issue on my production servers at work. Yet, when I run the same queries at home, I don't see those failed queries. I actually flushed DNS cache, cleared Linux O/S cache, and even bounced my personal DNS server trying to reproduce the issue. But I could not.

TIA

On Wed, Feb 10, 2021 at 12:09 AM Mark Andrews wrote:

> Run ‘dig +trace +all internet-dns1.state.ma.us’ which will show you the glue
> records then try ‘dig +dnssec +norec internet-dns1.state.ma.us @’ for
> all the addresses in the glue records.
>
> e.g.
> dig +dnssec +norec internet-dns1.state.ma.us @146.243.122.17
>
> Mark
>
> > On 10 Feb 2021, at 14:50, sami's strat wrote:
> >
> > Thanks Mark.
> >
> > However, the traceroute to the hostname failed for the same reason. Please note:
> >
> > [root@myhost data]# dig internet-dns1.state.ma.us
> >
> > ; <<>> DiG 9.11.4-P2-RedHat-9.11.4-9.P2.el7 <<>> internet-dns1.state.ma.us
> > ;; global options: +cmd
> > ;; Got answer:
> > ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 61641
> > ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
> >
> > ;; OPT PSEUDOSECTION:
> > ; EDNS: version: 0, flags:; udp: 4096
> > ;; QUESTION SECTION:
> > ;internet-dns1.state.ma.us. IN A
> >
> > ;; Query time: 1263 msec
> > ;; SERVER: 192.168.33.12#53(192.168.33.12)
> > ;; WHEN: Tue Feb 09 22:34:15 EST 2021
> > ;; MSG SIZE rcvd: 54
> >
> > [root@myhost data]# dig internet-dns1.state.ma.us +trace
> >
> > ; <<>> DiG 9.11.4-P2-RedHat-9.11.4-9.P2.el7 <<>> internet-dns1.state.ma.us +trace
> > ;; global options: +cmd
> > . 516485 IN NS c.root-servers.net.
> > . 516485 IN NS e.root-servers.net.
> > . 516485 IN NS f.root-servers.net.
> > . 516485 IN NS l.root-servers.net.
> > . 516485 IN NS m.root-servers.net.
> > . 516485 IN NS d.root-servers.net.
> > . 516485 IN NS g.root-servers.net.
> > . 516485 IN NS k.root-servers.net.
> > . 516485 IN NS b.root-servers.net.
> > . 516485 IN NS h.root-servers.net.
> > . 516485 IN NS a.root-servers.net.
> > . 516485 IN NS i.root-servers.net.
> > . 516485 IN NS j.root-servers.net.
> > . 516485 IN RRSIG NS 8 0 518400 202103 2021020922 42351 . QCzDH8eHlHVbx4SxIIwk8xnk6ky/q+zRh8KAUfI98lqHcIP4NLxzCe6f mC2sNX1VcthEy6Lwnobm8OyJCRpNEHedYrS01aMhAVzUfM+/PJ9MWn0w SkmXxyZMJZXF/kl4GDNX0x/GW3+DkeTeZI9+B540Yvj47qJv2bD9nIQG NtE7bDze7bgMJkIuBlEzPfwp7YW5ud8qdC6HdUoEMqygwZcWAiQu8gpb q21z8W5hcdci1OouDFytNWrXAvfSsuR635+GzSj+RZjYo+447uP7lKsK N5aeVQ/BPh5jM32xVO+zwyp7v9Nky1vSP/BchMQ/3cqg3Ee7zobl8OQd CSd/SA==
> > ;; Received 1097 bytes from 192.168.33.12#53(192.168.33.12) in 0 ms
> >
> > us. 172800 IN NS a.cctld.us.
> > us. 172800 IN NS b.cctld.us.
> > us. 172800 IN NS c.cctld.us.
> > us. 172800 IN NS e.cctld.us.
> > us. 172800 IN NS f.cctld.us.
> > us. 172800 IN NS k.cctld.us.
> > us. 86400 IN DS 21364 8 1 260D0461242BCF8F05473A08B05ED01E6FA59B9C
> > us. 86400 IN DS 21364 8 2 B499CFA7B54D25FDE1E6FE93076FB013DAA664DA1F26585324740A1E 6EBDAB26
> > us. 86400 IN RRSIG DS 8 1 86400 202103 2021020922 42351 . rujvGB0s2bsqzBuzRliH6QK9vH84ETZV7gZMEhJyzMFofWhj9ZZaNWE/ VvdA9rC16IOEocvARv2rOqk7G3KTzdkHHZcwcZSQyVqsOIaIywGFuEgd viSXF6+M5MocUgEMp5dtt6SBLHG+lE/FV/3HylKSHsxdO/F6PeWKgcBZ D4lZQ6w5asmlbdKJKMhlWPp6UaxBE7ACaxndBQixoNqXQuPrXpXi1Fnj ntFtTfn57hMyrdTojIJ8X7/HKjCrbm3CL/WJ+VZR051OGCdZVjpUaDXR x7G9lDhu3K5clar9PGYyUJM7+RBKzrQJep7HrjL2nZdoTyfY4i33S+EZ sTlTOA==
> > ;; Received 707 bytes from 199.7.91.13#53(d.root-servers.net) in 4 ms
> >
> > state.ma.us. 7200 IN NS internet-dns3.state.ma.us.
> > state.ma.us. 7200 IN NS internet-dns1.state.ma.us.
> > state.ma.us.
Re: Bind 9.11 serving up false answers for a single domain.
Thanks Mark.

However, the traceroute to the hostname failed for the same reason. Please note:

[root@myhost data]# dig internet-dns1.state.ma.us

; <<>> DiG 9.11.4-P2-RedHat-9.11.4-9.P2.el7 <<>> internet-dns1.state.ma.us
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 61641
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;internet-dns1.state.ma.us. IN A

;; Query time: 1263 msec
;; SERVER: 192.168.33.12#53(192.168.33.12)
;; WHEN: Tue Feb 09 22:34:15 EST 2021
;; MSG SIZE rcvd: 54

[root@myhost data]# dig internet-dns1.state.ma.us +trace

; <<>> DiG 9.11.4-P2-RedHat-9.11.4-9.P2.el7 <<>> internet-dns1.state.ma.us +trace
;; global options: +cmd
. 516485 IN NS c.root-servers.net.
. 516485 IN NS e.root-servers.net.
. 516485 IN NS f.root-servers.net.
. 516485 IN NS l.root-servers.net.
. 516485 IN NS m.root-servers.net.
. 516485 IN NS d.root-servers.net.
. 516485 IN NS g.root-servers.net.
. 516485 IN NS k.root-servers.net.
. 516485 IN NS b.root-servers.net.
. 516485 IN NS h.root-servers.net.
. 516485 IN NS a.root-servers.net.
. 516485 IN NS i.root-servers.net.
. 516485 IN NS j.root-servers.net.
. 516485 IN RRSIG NS 8 0 518400 202103 2021020922 42351 . QCzDH8eHlHVbx4SxIIwk8xnk6ky/q+zRh8KAUfI98lqHcIP4NLxzCe6f mC2sNX1VcthEy6Lwnobm8OyJCRpNEHedYrS01aMhAVzUfM+/PJ9MWn0w SkmXxyZMJZXF/kl4GDNX0x/GW3+DkeTeZI9+B540Yvj47qJv2bD9nIQG NtE7bDze7bgMJkIuBlEzPfwp7YW5ud8qdC6HdUoEMqygwZcWAiQu8gpb q21z8W5hcdci1OouDFytNWrXAvfSsuR635+GzSj+RZjYo+447uP7lKsK N5aeVQ/BPh5jM32xVO+zwyp7v9Nky1vSP/BchMQ/3cqg3Ee7zobl8OQd CSd/SA==
;; Received 1097 bytes from 192.168.33.12#53(192.168.33.12) in 0 ms

us. 172800 IN NS a.cctld.us.
us. 172800 IN NS b.cctld.us.
us. 172800 IN NS c.cctld.us.
us. 172800 IN NS e.cctld.us.
us. 172800 IN NS f.cctld.us.
us. 172800 IN NS k.cctld.us.
us. 86400 IN DS 21364 8 1 260D0461242BCF8F05473A08B05ED01E6FA59B9C
us. 86400 IN DS 21364 8 2 B499CFA7B54D25FDE1E6FE93076FB013DAA664DA1F26585324740A1E 6EBDAB26
us. 86400 IN RRSIG DS 8 1 86400 202103 2021020922 42351 . rujvGB0s2bsqzBuzRliH6QK9vH84ETZV7gZMEhJyzMFofWhj9ZZaNWE/ VvdA9rC16IOEocvARv2rOqk7G3KTzdkHHZcwcZSQyVqsOIaIywGFuEgd viSXF6+M5MocUgEMp5dtt6SBLHG+lE/FV/3HylKSHsxdO/F6PeWKgcBZ D4lZQ6w5asmlbdKJKMhlWPp6UaxBE7ACaxndBQixoNqXQuPrXpXi1Fnj ntFtTfn57hMyrdTojIJ8X7/HKjCrbm3CL/WJ+VZR051OGCdZVjpUaDXR x7G9lDhu3K5clar9PGYyUJM7+RBKzrQJep7HrjL2nZdoTyfY4i33S+EZ sTlTOA==
;; Received 707 bytes from 199.7.91.13#53(d.root-servers.net) in 4 ms

state.ma.us. 7200 IN NS internet-dns3.state.ma.us.
state.ma.us. 7200 IN NS internet-dns1.state.ma.us.
state.ma.us. 7200 IN NS internet-dns2.state.ma.us.
state.ma.us. 3600 IN DS 47628 7 2 5379F9F747214E5A63416775396BCFF98FA4867AE66E09BCBEBE0DCC 1682C369
state.ma.us. 3600 IN DS 41388 7 1 36D899932AF794EADD671161515E48FE829BB7FE
state.ma.us. 3600 IN DS 41388 7 2 BBAB433D3853571F42516E70659AF1F85FA4FBA0FDFCEAD4D092592A 00C78769
state.ma.us. 3600 IN DS 47628 7 1 485E0EE2F7C08FCE51D1E284321242930274833A
state.ma.us. 3600 IN RRSIG DS 8 3 3600 20210307200856 20210205191212 53985 us. O8KqBHzlZsDqrZi0NQO4JEiN0b8j04/Lb8W2uVz5PyrAat1VgZKQ3Ws6 6PNtbZDMv6YX6QA8fWFLxNmeJ1/4L3wLu8EKYXaThA9Zxll7mKFj1iPf nqiVq5hOo8Ul3inmfM/tjCQ21IHc/v0JZygZNd/h0SxXWlQXi+W3G9LN +4z/qxtl9dGD1ka54Ln3MAVxB1Tp4pt0ri4qPLmfGKf/HA==
couldn't get address for 'internet-dns3.state.ma.us': not found
couldn't get address for 'internet-dns1.state.ma.us': not found
couldn't get address for 'internet-dns2.state.ma.us': not found
dig: couldn't get address for 'internet-dns3.state.ma.us': no more
[root@myhost data]#

On Tue, Feb 9, 2021 at 10:10 PM Mark Andrews wrote:

> Well you could try tracing the addresses of the nameservers for which
> there were errors reported. It could be as simple as a routing issue
> between you and thes
Bind 9.11 serving up false answers for a single domain.
I'm running BIND 9.11 on a CentOS 7 VM. BIND is giving me the wrong answer for a single domain. I've cleared cache, restarted BIND, restarted the server, and ensured that I don't have the referenced domain anywhere in my configuration hardcoded. Please note the following query:

[root@myhost ~]# dig dor.state.ma.us mx

; <<>> DiG 9.11.4-P2-RedHat-9.11.4-9.P2.el7 <<>> dor.state.ma.us mx
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 41519
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;dor.state.ma.us. IN MX

;; Query time: 17 msec
;; SERVER: 192.168.33.12#53(192.168.33.12)
;; WHEN: Tue Feb 09 21:01:28 EST 2021
;; MSG SIZE rcvd: 44

[root@myhost ~]# dig dor.state.ma.us mx +trace

; <<>> DiG 9.11.4-P2-RedHat-9.11.4-9.P2.el7 <<>> dor.state.ma.us mx +trace
;; global options: +cmd
. 517726 IN NS d.root-servers.net.
. 517726 IN NS i.root-servers.net.
. 517726 IN NS l.root-servers.net.
. 517726 IN NS g.root-servers.net.
. 517726 IN NS h.root-servers.net.
. 517726 IN NS e.root-servers.net.
. 517726 IN NS b.root-servers.net.
. 517726 IN NS a.root-servers.net.
. 517726 IN NS j.root-servers.net.
. 517726 IN NS m.root-servers.net.
. 517726 IN NS c.root-servers.net.
. 517726 IN NS f.root-servers.net.
. 517726 IN NS k.root-servers.net.
. 517726 IN RRSIG NS 8 0 518400 202103 2021020922 42351 . QCzDH8eHlHVbx4SxIIwk8xnk6ky/q+zRh8KAUfI98lqHcIP4NLxzCe6f mC2sNX1VcthEy6Lwnobm8OyJCRpNEHedYrS01aMhAVzUfM+/PJ9MWn0w SkmXxyZMJZXF/kl4GDNX0x/GW3+DkeTeZI9+B540Yvj47qJv2bD9nIQG NtE7bDze7bgMJkIuBlEzPfwp7YW5ud8qdC6HdUoEMqygwZcWAiQu8gpb q21z8W5hcdci1OouDFytNWrXAvfSsuR635+GzSj+RZjYo+447uP7lKsK N5aeVQ/BPh5jM32xVO+zwyp7v9Nky1vSP/BchMQ/3cqg3Ee7zobl8OQd CSd/SA==
;; Received 1097 bytes from 192.168.33.12#53(192.168.33.12) in 0 ms

us. 172800 IN NS a.cctld.us.
us. 172800 IN NS b.cctld.us.
us. 172800 IN NS c.cctld.us.
us. 172800 IN NS e.cctld.us.
us. 172800 IN NS f.cctld.us.
us. 172800 IN NS k.cctld.us.
us. 86400 IN DS 21364 8 1 260D0461242BCF8F05473A08B05ED01E6FA59B9C
us. 86400 IN DS 21364 8 2 B499CFA7B54D25FDE1E6FE93076FB013DAA664DA1F26585324740A1E 6EBDAB26
us. 86400 IN RRSIG DS 8 1 86400 202103 2021020922 42351 . rujvGB0s2bsqzBuzRliH6QK9vH84ETZV7gZMEhJyzMFofWhj9ZZaNWE/ VvdA9rC16IOEocvARv2rOqk7G3KTzdkHHZcwcZSQyVqsOIaIywGFuEgd viSXF6+M5MocUgEMp5dtt6SBLHG+lE/FV/3HylKSHsxdO/F6PeWKgcBZ D4lZQ6w5asmlbdKJKMhlWPp6UaxBE7ACaxndBQixoNqXQuPrXpXi1Fnj ntFtTfn57hMyrdTojIJ8X7/HKjCrbm3CL/WJ+VZR051OGCdZVjpUaDXR x7G9lDhu3K5clar9PGYyUJM7+RBKzrQJep7HrjL2nZdoTyfY4i33S+EZ sTlTOA==
;; Received 697 bytes from 199.9.14.201#53(b.root-servers.net) in 3 ms

state.ma.us. 7200 IN NS internet-dns1.state.ma.us.
state.ma.us. 7200 IN NS internet-dns3.state.ma.us.
state.ma.us. 7200 IN NS internet-dns2.state.ma.us.
state.ma.us. 3600 IN DS 41388 7 1 36D899932AF794EADD671161515E48FE829BB7FE
state.ma.us. 3600 IN DS 41388 7 2 BBAB433D3853571F42516E70659AF1F85FA4FBA0FDFCEAD4D092592A 00C78769
state.ma.us. 3600 IN DS 47628 7 1 485E0EE2F7C08FCE51D1E284321242930274833A
state.ma.us. 3600 IN DS 47628 7 2 5379F9F747214E5A63416775396BCFF98FA4867AE66E09BCBEBE0DCC 1682C369
state.ma.us. 3600 IN RRSIG DS 8 3 3600 20210307200856 20210205191212 53985 us. O8KqBHzlZsDqrZi0NQO4JEiN0b8j04/Lb8W2uVz5PyrAat1VgZKQ3Ws6 6PNtbZDMv6YX6QA8fWFLxNmeJ1/4L3wLu8EKYXaThA9Zxll7mKFj1iPf nqiVq5hOo8Ul3inmfM/tjCQ21IHc/v0JZygZNd/h0SxXWlQXi+W3G9LN +4z/qxtl9dGD1ka54Ln3MAVxB1Tp4pt0ri4qPLmfGKf/HA==
couldn't get address for 'internet-dns1.state.ma.us': not found
couldn't get address for 'internet-dns3.state.ma.us': not found
couldn't get address for 'internet-dns2.state.ma.us': not found
dig: couldn't get address for 'internet-dns1.state.ma.us': no more

It fails on my production DNS system, yet if I run that query on another host, it works fine, with no issues. Any idea why BIND would do this?

TIA
___
Please visit https://
Re: DNSSEC DS Record
What about the child zone? Do I need a DS record for the child zone as well? I see a good number of big DNS players in DNS (no names) that do have DS records in their zones. Does zbc.com (for example) need DS, or is just passed by the TLD?

TIA

On Fri, Jul 14, 2017 at 5:20 AM, Steven Carr wrote:

> On 14 July 2017 at 01:52, sami's strat wrote:
> > However, the zone is missing the DS record, completely. That being said,
> > what is the offset, or result? I don't see an AD flag when querying the
> > zone. Other than that, are there any other ramifications?
>
> Without the DS record in the parent the zone is treated as being
> unsigned (hence why you don't see the AD flag).
___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
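Added example (not part of the original thread, and not ISC or BIND code): the DS record discussed above is a digest of the child zone's DNSKEY, published in the parent zone; this sketch derives the key tag and digest as RFC 4034 defines them and shows the three outcomes a validator can reach for the delegation. The owner name example.com., the 4-byte dummy key and the function names are constructed for illustration, and chain_status is a simplification that leaves out RRSIG verification.

```python
import base64
import hashlib
import struct

DIGESTS = {1: hashlib.sha1, 2: hashlib.sha256}  # DS digest types 1 and 2


def name_to_wire(name):
    """Canonical (lowercased) wire form of an owner name."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def dnskey_rdata(flags, protocol, algorithm, key_b64):
    """DNSKEY RDATA: flags, protocol, algorithm, then the raw public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + base64.b64decode(key_b64)


def key_tag(rdata):
    """Key tag checksum from RFC 4034, Appendix B."""
    acc = sum(b if i & 1 else b << 8 for i, b in enumerate(rdata))
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF


def ds_rdata(owner, flags, protocol, algorithm, key_b64, digest_type=2):
    """DS fields the parent publishes: (key tag, algorithm, digest type, digest)."""
    rdata = dnskey_rdata(flags, protocol, algorithm, key_b64)
    digest = DIGESTS[digest_type](name_to_wire(owner) + rdata).hexdigest().upper()
    return (key_tag(rdata), algorithm, digest_type, digest)


def chain_status(parent_ds_set, child_ds):
    """Simplified view of how a validator treats the delegation."""
    if not parent_ds_set:
        return "insecure"  # no DS in parent: zone treated as unsigned, no AD flag
    if child_ds in parent_ds_set:
        return "secure"    # DS matches a child DNSKEY: answers can validate
    return "bogus"         # DS present but matches no key: validation fails


if __name__ == "__main__":
    # Constructed sample: example.com. with a 4-byte dummy key (not a real key).
    ds = ds_rdata("example.com.", 257, 3, 8, "AQIDBA==")
    print("example.com. IN DS %d %d %d %s" % ds)
    for label, parent in (("no DS", []), ("matching DS", [ds])):
        print(label, "->", chain_status(parent, ds))
```
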
DNSSEC DS Record
The following zone is dnssec signed: ns2cloud.com

However, the zone is missing the DS record, completely. That being said, what is the offset, or result? I don't see an AD flag when querying the zone. Other than that, are there any other ramifications?

thanks in advance.
isc trust anchor
If I have two domains, say a.us and b.com

a.us is (dnssec) signed and the parent domain has a copy of the DS keys. Is there a way to have host.b.com run dnssec aware queries against a.us?

I was thinking of setting up and using the ISC trust anchor with both domains. Would that work? Are there better ways to have a .com domain query a fully signed and operational .us domain?

Thanks in advance.