NOAA.GOV domain not working

2017-09-18 Thread Levesque, Ricky (SNB)
Good day,
I've been having an interesting issue with BIND and wondering if anyone has had
this before or knows how to fix it.

The issue is:
I have 2 recursive/caching DNS servers running BIND 9.9.4-RedHat-9.9.4-51.el7,
which are slow to query for this particular domain:
noaa.gov (as well as its subdomains, specifically www.nhc.noaa.gov).
By slow I mean it takes approximately 3500ms to query, while most other domains
take less than 100ms.
What's worse, the domain (noaa.gov) becomes unqueryable after a few hours or a
day and I need to clear the DNS servers' cache to allow it to work again.

The domains have very, very low TTLs (30s) and use DNSSEC.

Error:
##dig www.nhc.noaa.gov
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 52364
;; flags: qr rd ra; QUERY: 1, ANSWER: 12, AUTHORITY: 3, ADDITIONAL: 7

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;www.nhc.noaa.gov.  IN  A


Fixes I have attempted so far:
Reboot servers (2 centos servers running on vmware)
Update system
Try a default config file
Updated vmware tools
Clear DNS cache (temporary fix)
Checked firewall for abnormal data
Updated root hints

Config:

acl internal {
    *removed*;
    localhost;
};

options {
    listen-on port 53 {
        *removed*;
        127.0.0.1;
    };
    listen-on-v6 port 53 {
        none;
        #::1;
    };
    directory          "/var/named";
    dump-file          "/var/named/data/cache_dump.db";
    statistics-file    "/var/named/data/named_stats.txt";
    memstatistics-file "/var/named/data/named_mem_stats.txt";

    dnssec-enable no;
    dnssec-validation no;
    dnssec-lookaside auto;

    // Conform to RFC1035
    auth-nxdomain no;

    // Allowed Port Ranges
    use-v4-udp-ports { range 32768 65535; };
    use-v6-udp-ports { range 32768 65535; };
    recursive-clients 15000;
    server-id none;
    version none;
    interface-interval 0;
    allow-query { internal; };
    allow-recursion { internal; };
    max-ncache-ttl 3600;
    allow-query-cache { internal; };
};

logging {
    channel default_debug {
        syslog local4;
        severity debug;
    };
};

zone "." IN {
    type hint;
    file "named.ca";
};

include "/etc/named.rfc1912.zones";
___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Re: Questions about NAPTR

2017-09-18 Thread Karl Auer
On Mon, 2017-09-18 at 19:45 +1000, Mark Andrews wrote:
> In message <1505723565.2518.54.ca...@biplane.com.au>, Karl Auer
> writes:
> > 2: Can the Replacement field be empty? It looks from the text and
> > examples as if it should always contain a complete domain name BUT
> > that if the Regexp field is not empty, the Replacement field will
> > not be used.
> No.  Use '.' as a place holder.

Er - isn't "." a complete domain name?

And is it true that "if the Regexp field is not empty, the Replacement
field will not be used"?

Thanks for the info.

Regards, K.

-- 
~~~
Karl Auer (ka...@biplane.com.au)
http://www.biplane.com.au/kauer
http://twitter.com/kauer389

GPG fingerprint: A52E F6B9 708B 51C4 85E6 1634 0571 ADF9 3C1C 6A3A
Old fingerprint: E00D 64ED 9C6A 8605 21E0 0ED0 EE64 2BEE CBCB C38B



Re: Questions about NAPTR

2017-09-18 Thread Mark Andrews

In message <1505723565.2518.54.ca...@biplane.com.au>, Karl Auer writes:
> I've been reading RFC2915 and have a couple of questions about NAPTR
> records. I'm trying to do *basic* validation of data from a database
> being processed into the DNS.
>
> 1: Can the Flags field be empty? It seems to me that it can be under
> some circumstances.

Yes, use '""'.

> 2: Can the Replacement field be empty? It looks from the text and
> examples as if it should always contain a complete domain name BUT that
> if the Regexp field is not empty, the Replacement field will not be
> used.

No.  Use '.' as a place holder.

> 3: Can the Regexp field be empty? It seems to me that it can be, in
> which case the Replacement field will be used without alteration.

Yes, use '""'.

> Regards, K.

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org
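A small validator that encodes the three answers above (Karl's three questions and Mark's replies), written here as an added example and not code from either poster. Flags and Regexp may be the empty string written as "", the Replacement may not be empty and is written as "." when unused ("." is the root, so it is itself a complete domain name), and a non-empty Regexp must have the delim/ere/delim/repl/delim[flags] shape of RFC 2915 section 3, where the delimiter may not be a backslash, a digit or the flag character. Two choices are this validator's own and not something the thread states: the Replacement must be absolute (dot-terminated), which is what you want for database-sourced data that bypasses $ORIGIN, and the relationship between a non-empty Regexp and the Replacement (Karl's follow-up) is left unchecked because the thread does not settle it.

```python
"""Validate NAPTR RDATA in master-file presentation format.

Added example for the thread above; not BIND code.  The six fields are
order, preference, "flags", "service", "regexp", replacement.
"""


def _tokenize(rdata: str) -> list:
    """Split RDATA into ('quoted', text) / ('bare', text) tokens.

    Inside quotes a backslash escapes the next character (master-file
    quoting), so the regexp field "!^\\+1(.*)$!sip:\\1@example.net!" comes out
    with single backslashes, which is the form the delimiter scan must see.
    """
    tokens, i, n = [], 0, len(rdata)
    while i < n:
        ch = rdata[i]
        if ch.isspace():
            i += 1
        elif ch == '"':
            buf, j = [], i + 1
            while j < n and rdata[j] != '"':
                if rdata[j] == "\\" and j + 1 < n:
                    buf.append(rdata[j + 1])
                    j += 2
                else:
                    buf.append(rdata[j])
                    j += 1
            if j >= n:
                raise ValueError("unterminated quoted string")
            tokens.append(("quoted", "".join(buf)))
            i = j + 1
        else:
            j = i
            while j < n and not rdata[j].isspace():
                j += 1
            tokens.append(("bare", rdata[i:j]))
            i = j
    return tokens


def _check_regexp(regexp: str) -> list:
    """Check the substitution expression: delim ere delim repl delim [flags]."""
    problems = []
    delim = regexp[0]
    if delim == "\\" or delim.isdigit() or delim == "i":
        problems.append("regexp delimiter must not be a backslash, digit or flag character")
    fields, cur, escaped = [], [], False
    for ch in regexp[1:]:
        if escaped:                      # previous char was a backslash
            cur.append(ch)
            escaped = False
        elif ch == "\\":
            cur.append(ch)
            escaped = True
        elif ch == delim:                # unescaped delimiter closes a field
            fields.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
    fields.append("".join(cur))          # whatever follows the last delimiter = flags
    if len(fields) != 3:
        problems.append("regexp must contain exactly three unescaped delimiters")
    elif fields[2] not in ("", "i"):
        problems.append("regexp flags must be empty or 'i'")
    return problems


def validate_naptr(rdata: str) -> list:
    """Return the problems found in one NAPTR RDATA line; [] means it passed."""
    try:
        tokens = _tokenize(rdata)
    except ValueError as exc:
        return [str(exc)]
    if len(tokens) != 6:
        return [f"expected 6 fields (order pref flags service regexp replacement), got {len(tokens)}"]
    problems = []
    for name, (kind, text) in zip(("order", "preference"), tokens[:2]):
        if kind != "bare" or not text.isdigit() or int(text) > 65535:
            problems.append(f"{name} must be an unquoted integer 0..65535")
    for name, (kind, text) in zip(("flags", "service", "regexp"), tokens[2:5]):
        if kind != "quoted":             # empty is fine, but it must be written as ""
            problems.append(f'{name} must be a quoted string (use "" when empty)')
    kind, replacement = tokens[5]
    if kind != "bare" or replacement == "":
        problems.append("replacement must be an unquoted, non-empty domain name; use '.' as the placeholder")
    elif not replacement.endswith("."):
        problems.append("replacement must be absolute (end with '.')")
    if tokens[4][0] == "quoted" and tokens[4][1]:
        problems.extend(_check_regexp(tokens[4][1]))
    return problems
```

Feed it one RDATA string per record as it leaves the database; an empty list means the record is safe to load. The escaping rule matters in practice: a delimiter that appears inside the ERE has to be written as "\\!" in the zone file so that it reaches the wire as "\!" and is not counted as a field boundary.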


Re: NOAA.GOV domain not working

2017-09-18 Thread John Miller
Hi Ricky,

Sounds like if things are timing out at the noaa.gov nameservers, then
that's where you need to start looking.  Try each nameserver that the
.gov nameservers give for noaa.gov and see if all of them are
unreachable, if just one's unreachable, if they're traceroute-able,
etc.  A lot of times, the problem isn't with DNS, per se, but with
general network connectivity between your nameservers and theirs.

FWIW, specifying @ with dig +trace really doesn't do much:
your machine is still going to follow the delegation records itself.

John

On Mon, Sep 18, 2017 at 10:40 AM, Levesque, Ricky (SNB)
 wrote:

RE: NOAA.GOV domain not working

2017-09-18 Thread Levesque, Ricky (SNB)
Thank you for your reply.
When I notice too many failed queries for this domain name (www.nhc.noaa.gov),
restarting the service or clearing the cache (rndc reload) seems to allow
queries to work, but they are still latent (in the 3500ms range).

This is what I get from a dig +trace; the connection times out every time:
#dig +trace www.nhc.noaa.gov

But if I try another domain, for example "cisco.com", it completes properly:
#dig +trace cisco.com

As another test, I ran a trace for www.nhc.noaa.gov against Google's DNS servers
(8.8.8.8) and the query seems to time out as well.
# dig +trace www.nhc.noaa.gov @8.8.8.8


; <<>> DiG 9.11.0-P1 <<>> www.nhc.noaa.gov @*removed DNS-SRV-IP*  +trace
;; global options: +cmd
.                       434277  IN      NS      e.root-servers.net.
.                       434277  IN      NS      d.root-servers.net.
.                       434277  IN      NS      f.root-servers.net.
.                       434277  IN      NS      a.root-servers.net.
.                       434277  IN      NS      i.root-servers.net.
.                       434277  IN      NS      h.root-servers.net.
.                       434277  IN      NS      g.root-servers.net.
.                       434277  IN      NS      l.root-servers.net.
.                       434277  IN      NS      b.root-servers.net.
.                       434277  IN      NS      k.root-servers.net.
.                       434277  IN      NS      j.root-servers.net.
.                       434277  IN      NS      c.root-servers.net.
.                       434277  IN      NS      m.root-servers.net.
;; Received 811 bytes from *removed DNS-SRV-IP*#53(*removed DNS-SRV-IP*) in 4 ms

gov.                    172800  IN      NS      a.gov-servers.net.
gov.                    172800  IN      NS      b.gov-servers.net.
gov.                    172800  IN      NS      c.gov-servers.net.
gov.                    172800  IN      NS      d.gov-servers.net.
gov.                    86400   IN      DS      7698 8 1 6F109B46A80CEA9613DC86D5A3E065520505AAFE
gov.                    86400   IN      DS      7698 8 2 6BC949E638442EAD0BDAF0935763C8D003760384FF15EBBD5CE86BB5 559561F0
gov.                    86400   IN      RRSIG   DS 8 1 86400 2017100105 2017091804 15768 .
        TwWja3x0St/rN8/hvlzI88QouBcsarUYFdo1w73NROAmztwC+I24SyIg
        /7zygGfvtZtaD4m/ebnS93V0l7Kb7+cP3V/u4Icd0r2U/ub/p0aCqqw+
        4Yc449qZCI04LPSq5q6wnCEI4dK+sSH9RBoLhJ08Obol6+YfHR9zvBSG
        0x1+t99i/xSICyHnh/Mcr4Q+7p7Cl+EdgwG8TQIqTOq/qi0n4oTuGixJ
        BTpcZB5/dhk8oJbPfBiqJDJ6uFQJ5r/kMGYRp9440HaY3BvQ7bqjOHNo
        QfRybJEv45KZL4mCBGt9HZLkrHqT6Wz4wKflyLlr7JIS7eDzNlraMcqF D9wTaA==
;; Received 671 bytes from 193.0.14.129#53(k.root-servers.net) in 64 ms

noaa.gov.               86400   IN      NS      ns-e.noaa.gov.
noaa.gov.               86400   IN      NS      ns-mw.noaa.gov.
noaa.gov.               86400   IN      NS      ns-nw.noaa.gov.
noaa.gov.               3600    IN      DS      13774 5 1 4823D2F9C36F98D586ECCD779731F813218BD875
noaa.gov.               3600    IN      DS      13774 5 2 C0500C34A55DC61290B397E995A618337594694117A4A667FD3CEF27 EA23AC63
noaa.gov.               3600    IN      RRSIG   DS 8 2 3600 20170925101007 20170918101007 21428 gov.
        UUOtQnMJgAZQAPS0J259CtXri0WyuDnJsdA5Glqt7FUAnvOFXNCEO8K6
        0Kpyp/JHSM6hfeWKoAW3P0IaEeY+nYm91jdZ1Z214sWpiGmjvtE46KV4
        oVwvwnhyMjqI6gIZ9tTmm67iKz5E4UF524d/liZL9RMqSoy5uL94VUSm tSs=
;; Received 483 bytes from 69.36.157.30#53(a.gov-servers.net) in 49 ms

;; connection timed out; no servers could be reached





RE: NOAA.GOV domain not working

2017-09-18 Thread Levesque, Ricky (SNB)
Thanks Warren,
I can query all the noaa.gov name servers without issues, and the replies are 
fast (sub 100ms)


Re: NOAA.GOV domain not working

2017-09-18 Thread Sten Carlsen
The noaa.gov name servers also have IPv6 addresses, but I don't get a
reply from that address.

You may want to trace whether your name server is using that address
when you see the problem.


On 18/09/2017 17:17, Levesque, Ricky (SNB) wrote:
> Thanks Warren,
> I can query all the noaa.gov name servers without issues, and the replies are 
> fast (sub 100ms)

Re: Automatic Key Management

2017-09-18 Thread Tony Finch
Mark Elkins  wrote:
>
> On my side, I can 'import' the KSK from the properly signed zone,
> Generate the DS record and EPP it up to the Registry. That all works
> fine, currently with the push of one (web) button. Will change/add this
> to something RESTful. Then, for full automation (KSK Rollover's) - I'd
> need dnssec-keymgr to call an external script when its time to trigger
> some sort of "Sync" action.

Sounds nice! Yes, there's definitely a missing hook or two in
dnssec-keymgr: as you say, it needs to be able to call a script to update
the parent, and also, it is crucial that it checks that the parent has
actually deployed the new DS records because that's often asynchronous,
sometimes with long delays. Any KSK roll must stop at the DS update point
until the update has been confirmed, otherwise you have a footgun.

In its current state I don't think dnssec-keymgr is safe for KSK rolls
unless you wrap it in lots of protective scripting.

> Didn't spot anything to auto-generate CDS records although BIND 9.11 is
> apparently capable.

This is still a work in progress.

dnssec-settime has -P sync and -D sync options to specify when CDS and
CDNSKEY records are added and removed. CDS/CDNSKEY publication is
implemented by named's built-in signer but not by dnssec-signzone.

dnssec-keymgr does not yet know about -P sync or -D sync, as its man page
mentions.

Tony.
-- 
f.anthony.n.finch    http://dotat.at/  -  I xn--zr8h punycode
Bailey: South 4 or 5, increasing 6 at times. Moderate. Rain. Moderate or good,
occasionally poor.
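Tony's point that a KSK roll must block at the DS step until the parent has actually deployed the new DS can be turned into a gate. The following is an added example and not dnssec-keymgr or any other ISC code: it computes the DS from the new KSK the way the parent will (RFC 4034 section 5.1.4, digest over the canonical owner name plus the DNSKEY RDATA, key tag per Appendix B), then asks each parent-side server with dig (assumed to be in PATH) and refuses to proceed until all of them return it, because deployment across the parent's servers is itself asynchronous. The zone, the key bytes and the parent servers in the __main__ section are placeholders; the DS line used in the comments is the gov. DS quoted earlier in this thread and illustrates why the hex must be whitespace-normalised before comparing.

```python
"""Gate a KSK rollover on the parent publishing the matching DS.

Added example; not dnssec-keymgr.  Offline parts: DS computation and
comparison.  Network part: fetch_parent_ds, which runs dig.
"""
import base64
import hashlib
import subprocess
from typing import Iterable, List, Tuple

DS = Tuple[int, int, int, str]          # (key tag, algorithm, digest type, HEX digest)
DIGESTS = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}


def wire_name(owner: str) -> bytes:
    """Canonical wire form (RFC 4034 6.2): lower-cased, length-prefixed labels, root 0x00."""
    out = b""
    for label in owner.rstrip(".").lower().split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def key_tag(rdata: bytes) -> int:
    """RFC 4034 Appendix B key tag (all algorithms except 1/RSAMD5)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_from_dnskey(owner: str, flags: int, protocol: int, algorithm: int,
                   pubkey_b64: str, digest_type: int = 2) -> DS:
    """Build the DS the parent should publish for this DNSKEY (RFC 4034 5.1.4)."""
    rdata = (flags.to_bytes(2, "big") + bytes([protocol, algorithm])
             + base64.b64decode("".join(pubkey_b64.split())))
    digest = DIGESTS[digest_type](wire_name(owner) + rdata).hexdigest().upper()
    return key_tag(rdata), algorithm, digest_type, digest


def parse_ds(line: str) -> DS:
    """Parse 'tag alg type hex...' as dig +short prints it.

    dig wraps long digests with a space, e.g.
    '7698 8 2 6BC949E6...5CE86BB5 559561F0' for gov., so every field after
    the third is joined before comparing.
    """
    parts = line.split()
    return int(parts[0]), int(parts[1]), int(parts[2]), "".join(parts[3:]).upper()


def fetch_parent_ds(zone: str, server: str) -> List[str]:
    """DS RRset for `zone` as served by one parent-side server (needs dig in PATH)."""
    out = subprocess.run(["dig", "+short", "+norec", f"@{server}", zone, "DS"],
                         capture_output=True, text=True, check=False).stdout
    return [l for l in out.splitlines() if l.strip() and not l.startswith(";")]


def ds_published(ds_lines: Iterable[str], expected: DS) -> bool:
    return any(parse_ds(l) == expected for l in ds_lines)


def ksk_roll_may_proceed(zone: str, expected: DS, parent_servers: Iterable[str]) -> bool:
    """True only when every parent server already serves the new DS."""
    return all(ds_published(fetch_parent_ds(zone, s), expected) for s in parent_servers)


if __name__ == "__main__":
    # Placeholder KSK (257 = KSK flag, protocol 3, alg 8, two bytes of "key");
    # a real roll reads these fields from the .key file dnssec-keygen wrote.
    new_ksk = ("example.net.", 257, 3, 8, "AQI=")
    want = ds_from_dnskey(*new_ksk)
    print("waiting for parent to publish DS", want)
    parents = ["a.gtld-servers.net", "b.gtld-servers.net"]   # placeholder parent servers
    if not ksk_roll_may_proceed("example.net.", want, parents):
        raise SystemExit("DS not yet deployed at all parent servers; do not retire the old KSK")
```

Run the check from whatever wraps dnssec-keymgr, between publishing the new KSK and retiring the old one, and poll until it returns true; only then let the roll continue. Comparing all four DS fields, rather than just the key tag, avoids proceeding on a stale DS that happens to share a tag.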


Re: NOAA.GOV domain not working

2017-09-18 Thread John Miller
Hi Ricky,

Try running a "dig +trace www.nhc.noaa.gov," then query each record in
the chain and see which one's slow to respond.  I don't see anything
crazy in your named.conf.  Something you didn't mention: does clearing
cache make a difference?

John
-- 
John Miller
Systems Engineer
Brandeis University
johnm...@brandeis.edu


On Mon, Sep 18, 2017 at 8:03 AM, Levesque, Ricky (SNB)
 wrote:

Re: NOAA.GOV domain not working

2017-09-18 Thread Warren Kumari
On Mon, Sep 18, 2017 at 10:40 AM, Levesque, Ricky (SNB)
 wrote:

Huh. Weird.

Try:
dig  www.nhc.noaa.gov @ns-e.noaa.gov.
dig  www.nhc.noaa.gov @ns-mw.noaa.gov.
dig  www.nhc.noaa.gov @ns-nw.noaa.gov.

and:
dig  -4 www.nhc.noaa.gov @ns-e.noaa.gov.
dig  -4 www.nhc.noaa.gov @ns-mw.noaa.gov.
dig  -4 www.nhc.noaa.gov @ns-nw.noaa.gov.

and
dig  +tcp www.nhc.noaa.gov @ns-e.noaa.gov.
dig  +tcp www.nhc.noaa.gov @ns-mw.noaa.gov.
dig  +tcp www.nhc.noaa.gov @ns-nw.noaa.gov.


and also:
traceroute ns-e.noaa.gov.
traceroute ns-mw.noaa.gov.
traceroute ns-nw.noaa.gov.


What address range are you coming from? It sounds like you cannot
reach the noaa.gov nameservers (or they cannot reach you!)

W


Re: NOAA.GOV domain not working

2017-09-18 Thread Mark Andrews

I actually expect that your problem is your firewall, in that it is
dropping fragmented UDP responses.  The UDP responses for
www.nhc.noaa.gov are large.  They do not fit in a single ethernet
frame.

Compare the following two queries.

 dig www.nhc.noaa.gov +dnssec +norec @140.90.33.237

 dig www.nhc.noaa.gov +dnssec +norec @140.90.33.237 +bufsize=1432

The expected response should be something like below.

; <<>> DiG 9.12.0a1+hotspot+add-prefetch+marka <<>> www.nhc.noaa.gov +dnssec 
+norec @140.90.33.237
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 28389
;; flags: qr aa; QUERY: 1, ANSWER: 15, AUTHORITY: 4, ADDITIONAL: 13

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;www.nhc.noaa.gov.  IN  A

;; ANSWER SECTION:
www.nhc.noaa.gov.   300 IN  CNAME   edge-nws.woc.noaa.gov.
www.nhc.noaa.gov.   300 IN  RRSIG   CNAME 5 4 300 20170924022618 
20170917022618 50970 nhc.noaa.gov. 
FX7pysSEix2BfkZ6YCyU2XIVKpsX0KaKszHLoCaGlXGbvdFg/frUrk8i 
UyxJd5ivHivccxKym1p/v5jzmrap6HqdW0OT1Y34jZWB4UTXxroxQNkb 
YDhJfeVEbi4tqTV9oR38U6SBw8O5CCEm1/JI4PstsE5ztGpjgjreL9Ck 
zkLibSQq+czKeCBiGcXYOL5Ax9Ix4pSvgz3nt9P4wWn/vp28LaYkA46P 
ua53NoWA/CA5F1iqjIuiAPEVWvaQfQXJ8lOBraN01lty8pKvnHuhj4IM 
P2ED48Db9lWi035WHacKBI+RMIYuxY6jUqduAms9Pel61vGvErGq19+2 6zeitw==
edge-nws.woc.noaa.gov.  300 IN  CNAME   edge-p1.l.noaa.gov.
edge-nws.woc.noaa.gov.  300 IN  RRSIG   CNAME 5 4 300 20170925184757 
20170918184757 57630 woc.noaa.gov. 
icSUkvRI1f9/+PuCTsJUiWV1fAnHMYc1yK0SqQ8s7zUMA42s8c7GR6sX 
+EQpkdoyWURftRgwL+vWiwt4fPnIrcP3QP19ogwORdO8SAevCoPGELGN 
3YEdKFaztiJLT5Ct35P69p5p1QrBjKkg6eYuPPBJa/sgZ1A2DThxGA0D 
GLflYZ8wzrrs/epM4d4UcL3hoVAj6Jq9l9vRu69yb1dTxeXVDovu/5v1 
XfPIfuBVX29zmB1DMKMPZHBQRvKJ3HuzQG7565kCeRZEn1zv5X/+xjob 
X5ynhA9G0sOeC7hoo0aVNkKOpROBik34pLDwezdHzuHkSD/fy3d4nL9P lkDAfg==
edge-p1.l.noaa.gov. 30  IN  A   140.90.33.11
edge-p1.l.noaa.gov. 30  IN  A   140.90.33.21
edge-p1.l.noaa.gov. 30  IN  A   140.90.200.11
edge-p1.l.noaa.gov. 30  IN  A   140.90.200.21
edge-p1.l.noaa.gov. 30  IN  A   140.172.17.11
edge-p1.l.noaa.gov. 30  IN  A   140.172.17.21
edge-p1.l.noaa.gov. 30  IN  A   216.38.80.71
edge-p1.l.noaa.gov. 30  IN  A   216.38.80.81
edge-p1.l.noaa.gov. 30  IN  A   129.15.96.11
edge-p1.l.noaa.gov. 30  IN  A   129.15.96.21
edge-p1.l.noaa.gov. 30  IN  RRSIG   A 5 4 30 20170925203819 
20170918203819 54795 l.noaa.gov. 
0uBOAopfYETEoFKbFTSSbKg9eOCtFtsO/74P+xB6UnOumPV2iZlIygBk 
Kd9J6aktlSzAbzc6jgnkLqqOgHFwBn+zsPTcIgqcXqWGfTz/J08IjhBs 
AJLdooU3uvxwyXhBee/8opkU4DLholpch9PcdAb3LWOh/Zi0OfRMlq9s 
n+fUAza7/UZDaBYv2mCUvzpVpC6VJ0KXm8ebqj9zprogZRHNfRk3KzNW 
CiXzjeECOL7u/uLsT8xPT4OJtkOCqgxH7TuGaTauCrNO7J88lp9SZq/C 
DkbQuS6algvPY4dRisCr9Fq+9qQn2uem4PZpDw3PYkArH4NuJ/CaVawo dLCKtw==

;; AUTHORITY SECTION:
l.noaa.gov. 86400   IN  NS  ns-e.noaa.gov.
l.noaa.gov. 86400   IN  NS  ns-mw.noaa.gov.
l.noaa.gov. 86400   IN  NS  ns-nw.noaa.gov.
l.noaa.gov. 86400   IN  RRSIG   NS 5 3 86400 20170925203819 
20170918203819 54795 l.noaa.gov. 
wKRr26TPsABD3AjMWtt/dnRRVeAe3H6ua9vp0R/W3ngQlo3H+0FJpCOV 
5DVU3gcpr9f5NmLETi53g2MB+jkgKz/7RIor0YdbsEropBDY3cqWFO6O 
Az1Ol0Eh9YokVF8XB6sejDkIBZgfSjj7m1OM7uPk2mmom/KZO1wh/bX+ 
ey5Qhezfq2ZFarXJn6SrWRNQa4juJ8SmtTsBivsVmuDNelyNd1gJ94Kp 
JdmNMUeyGAkvKNw3mIz06IPDEXF/wLlR0KCQWAPTOrJ2oacnMkEhm5+M 
iEhnF7jId54xFzuDeuPhRcVH9zK9QFsIzcPsr3aEjSaN1aSCqzXwn6cr h+XELQ==

;; ADDITIONAL SECTION:
ns-e.noaa.gov.  86400   IN  A   140.90.33.237
ns-e.noaa.gov.  86400   IN  AAAA    2610:20:8000:8c00::237
ns-mw.noaa.gov. 86400   IN  A   140.172.17.237
ns-mw.noaa.gov. 86400   IN  AAAA    2610:20:8800:8c00::237
ns-nw.noaa.gov. 86400   IN  A   161.55.32.2
ns-nw.noaa.gov. 86400   IN  AAAA    2610:20:8c00:8c00::2
ns-e.noaa.gov.  86400   IN  RRSIG   A 5 3 86400 20170925184650 
20170918184650 30423 noaa.gov. 
XoEks1NUvLsy9FCxlG6MqXFFDPy3nwaXC4EFapyFHaN8iJYTEarNcvJE 
a7tJ2V51ST+VjbexXk7ULvyCtiW28jOma8TkJTrPV/jvMStdvwQdbJ2X 
Sj4ueFZSvNKXgdQPz/IgZFl2q8r93JVp2EKboTJXda8IPXlHcppkiwKX 
DUp/pxcoKH98gqT4pFRty4yN2AcfG0fZDNk1DuFSrkOePFO9u1u5PRBp 
MS8yG9ASEBNRC+XYdJmPGS0HS7lYgVLQvq3mBjEYHl7iTbZtMj99EADz 
5/ZRGLF8UXh7q6P1Ke3VSdvwxuYKJipyoo7AVlSa/qZQGa7YBpuUxu9D KfRhdg==
ns-e.noaa.gov.  86400   IN  RRSIG   AAAA 5 3 86400 20170925184650 
20170918184650 30423 noaa.gov. 
egIUANThKKUqTZWD5/xYtn3zjdiD2mNz4KY/I3vLi+DH4TLtUJakEUU2 
Dzllq0DpvIxCi0L+0PUYkr7qD0GYb1a4dz8b51GwuLTrG+t60ylyBAwK 
o7wSyTHepdyRzYU+WGrmsyRoItCwU5K4HP5dgy8yhheK1jTCtjXUOOUd 
7e15rk3O5FHBM/V1AV3Jb5WhgaKRta+XcrlNPyiWmzLbiuOhd6SDVez2 
ZCbpjg+ufNiVPuJdIqicXFkzA7+M0yD9NSrkqm4dsm8B47rsmfaBbMSN 

Re: NOAA.GOV domain not working

2017-09-18 Thread Mark Andrews




In message 
, John 
Miller writes:
> Hi Ricky,
>
> Try running a "dig +trace www.nhc.noaa.gov," then query each record in
> the chain and see which one's slow to respond.  I don't see anything
> crazy in your named.conf.  Something you didn't mention: does clearing
> cache make a difference?

Well, this pair is a bit crazy.  No sane configuration has these this way.

 dnssec-validation no;
 dnssec-lookaside auto;

Mark

> John
> --
> John Miller
> Systems Engineer
> Brandeis University
> johnm...@brandeis.edu
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org
___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users


Re: Questions about NAPTR

2017-09-18 Thread Mark Andrews

In message <1505796688.2518.99.ca...@biplane.com.au>, Karl Auer writes:
> On Tue, 2017-09-19 at 13:56 +1000, Mark Andrews wrote:
> > In message <1505734269.2518.70.ca...@biplane.com.au>, Karl Auer
> > writes:
> > > And is it true that "if the Regexp field is not empty, the
> > > Replacement field will not be used"?
> > With the current flags no, but who knows what will happen in the
> > future.
>
> Not sure what "no" means. My fault for putting up a statement with two
> negatives.
>
> It seems to me that the output from a NAPTR is EITHER the result of
> applying a regexp to the left-hand side domain name, OR the value of
> the replacement field. I.e., they are mutually exclusive. So if the
> regexp is empty, the replacement is used verbatim. If the regexp is NOT
> empty, the replacement is ignored (but still has to conform to domain
> name syntax, hence the need for a dot).
>
> Is that understanding correct?

As things currently stand yes.  Someone could write a document today
that specifies a flag that combines the fields.  The future is uncertain.

> Thanks, K.
>
> --
> ~~~
> Karl Auer (ka...@biplane.com.au)
> http://www.biplane.com.au/kauer
> http://twitter.com/kauer389
>
> GPG fingerprint: A52E F6B9 708B 51C4 85E6 1634 0571 ADF9 3C1C 6A3A
> Old fingerprint: E00D 64ED 9C6A 8605 21E0 0ED0 EE64 2BEE CBCB C38B
>
>

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org
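The rules settled across this thread (Flags may be empty; Replacement must always be a complete domain name, with "." as the placeholder; Regexp may be empty; a non-empty Regexp means the Replacement is not used) as a basic validator of the kind Karl describes. This is an added example, not code from the thread; it assumes absolute (dot-terminated) names and a Regexp field with no escaped delimiter characters.

```python
"""Basic NAPTR field checks (RFC 2915) and the name-or-replacement output rule.
Added example; assumes absolute names and no escaped delimiters in Regexp."""
import re

LABEL = re.compile(r"^[A-Za-z0-9_](?:[A-Za-z0-9_-]{0,61}[A-Za-z0-9_])?$")
KNOWN_FLAGS = set("SAUP")  # the flags RFC 2915 defines

def is_domain_name(name: str) -> bool:
    """Complete, absolute domain name; "." (the root) on its own is valid."""
    if name == ".":
        return True
    return name.endswith(".") and all(LABEL.match(l) for l in name[:-1].split("."))

def split_regexp(regexp: str) -> tuple[str, str, str]:
    """Split "<delim>ERE<delim>repl<delim>[i]" into (pattern, repl, flag)."""
    delim = regexp[0]
    if delim == "\\" or delim.isdigit() or delim == "i":
        raise ValueError(f"bad regexp delimiter in {regexp!r}")
    parts = regexp[1:].split(delim)
    if len(parts) != 3 or parts[2] not in ("", "i"):
        raise ValueError(f"malformed regexp field {regexp!r}")
    return parts[0], parts[1], parts[2]

def validate_naptr(flags: str, regexp: str, replacement: str) -> list[str]:
    """Return a list of problems; an empty list means the record passes."""
    problems = []
    if flags and not set(flags.upper()) <= KNOWN_FLAGS:  # question 1: empty is fine
        problems.append(f"unknown flag(s) in {flags!r}")
    if not is_domain_name(replacement):  # question 2: never empty, "." is the placeholder
        problems.append(f"replacement {replacement!r} is not a complete domain name")
    if regexp:  # question 3: empty is fine; if set, replacement must be the placeholder
        try:
            split_regexp(regexp)
        except ValueError as err:
            problems.append(str(err))
        if replacement != ".":
            problems.append("regexp set but replacement is not the '.' placeholder")
    return problems

def naptr_output(name: str, regexp: str, replacement: str):
    """What the record yields for `name`: the rewritten name when Regexp is set
    (None if the ERE does not match), otherwise the Replacement verbatim."""
    if not regexp:
        return replacement
    pattern, repl, flag = split_regexp(regexp)
    match = re.search(pattern, name, re.IGNORECASE if flag == "i" else 0)
    return match.expand(repl) if match else None
```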


Re: Questions about NAPTR

2017-09-18 Thread Karl Auer
On Tue, 2017-09-19 at 13:56 +1000, Mark Andrews wrote:
> In message <1505734269.2518.70.ca...@biplane.com.au>, Karl Auer
> writes:
> > And is it true that "if the Regexp field is not empty, the
> > Replacement field will not be used"?
> With the current flags no, but who knows what will happen in the
> future.

Not sure what "no" means. My fault for putting up a statement with two
negatives.

It seems to me that the output from a NAPTR is EITHER the result of
applying a regexp to the left-hand side domain name, OR the value of
the replacement field. I.e., they are mutually exclusive. So if the
regexp is empty, the replacement is used verbatim. If the regexp is NOT
empty, the replacement is ignored (but still has to conform to domain
name syntax, hence the need for a dot).

Is that understanding correct?

Thanks, K.

-- 
~~~
Karl Auer (ka...@biplane.com.au)
http://www.biplane.com.au/kauer
http://twitter.com/kauer389

GPG fingerprint: A52E F6B9 708B 51C4 85E6 1634 0571 ADF9 3C1C 6A3A
Old fingerprint: E00D 64ED 9C6A 8605 21E0 0ED0 EE64 2BEE CBCB C38B



Re: Questions about NAPTR

2017-09-18 Thread Mark Andrews

In message <1505734269.2518.70.ca...@biplane.com.au>, Karl Auer writes:
> On Mon, 2017-09-18 at 19:45 +1000, Mark Andrews wrote:
> > In message <1505723565.2518.54.ca...@biplane.com.au>, Karl Auer
> > writes:
> > > 2: Can the Replacement field be empty? It looks from the text and
> > > examples as if it should always contain a complete domain name BUT
> > > that if the Regexp field is not empty, the Replacement field will
> > > not be used.
> > No. Use '.' as a placeholder.
>
> Er - isn't "." a complete domain name?

Yes.  The field must exist. "." is used as a placeholder.  Note "."
is used as a placeholder in a number of different records.

> And is it true that "if the Regexp field is not empty, the Replacement
> field will not be used"?

With the current flags no, but who knows what will happen in the future.

> Thanks for the info.
>
> Regards, K.
>
> --
> ~~~
> Karl Auer (ka...@biplane.com.au)
> http://www.biplane.com.au/kauer
> http://twitter.com/kauer389
>
> GPG fingerprint: A52E F6B9 708B 51C4 85E6 1634 0571 ADF9 3C1C 6A3A
> Old fingerprint: E00D 64ED 9C6A 8605 21E0 0ED0 EE64 2BEE CBCB C38B
>
>

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org


Questions about NAPTR

2017-09-18 Thread Karl Auer
I've been reading RFC2915 and have a couple of questions about NAPTR
records. I'm trying to do *basic* validation of data from a database
being processed into the DNS.

1: Can the Flags field be empty? It seems to me that it can be under
some circumstances.

2: Can the Replacement field be empty? It looks from the text and
examples as if it should always contain a complete domain name BUT that
if the Regexp field is not empty, the Replacement field will not be
used.

3: Can the Regexp field be empty? It seems to me that it can be, in
which case the Replacement field will be used without alteration.

Regards, K.
 
-- 
~~~
Karl Auer (ka...@biplane.com.au)
http://www.biplane.com.au/kauer
http://twitter.com/kauer389

GPG fingerprint: A52E F6B9 708B 51C4 85E6 1634 0571 ADF9 3C1C 6A3A
Old fingerprint: E00D 64ED 9C6A 8605 21E0 0ED0 EE64 2BEE CBCB C38B



Re: NOAA.GOV domain not working

2017-09-18 Thread Mark Andrews

In message <36f8dd297fd5504aa37968ada5ba93eb01178c2...@gnbexmb8pb.gnb.ca>, 
"Levesque, Ricky (SNB)" writes:
> Thanks Warren,
> I can query all the noaa.gov name servers without issues, and the replies
> are fast (sub 100ms)

Remember nameservers ask questions with different options set to
DiG's default options.  DiG +trace turns on these additional options
or you can use "dig +dnssec +norec".

We really should make all the root and TLD servers return maximal
EDNS answers (pad to the advertised EDNS UDP size).  This would
create a little short term pain by exposing all the broken firewalls
which would then get fixed or the nameserver would be reconfigured
to advertise a smaller EDNS buffer size.  At the moment we have
people stumbling over the odd zone that returns large responses.
Root and TLD operators do everyone a disservice by trying to reduce
UDP response sizes to fit into a single ethernet frame.  It just
hides the problem caused by bad firewall configuration.

Mark
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org
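The comparison Mark gives earlier in the thread (the same query with the default 4096-byte EDNS buffer and with +bufsize=1432) and his point here about large UDP responses and firewalls that drop fragments, turned into a small diagnostic. This is an added example, not code from the thread; `classify` and `diagnose` work on dig's text output, the 1472-byte figure assumes IPv4 on a 1500-byte Ethernet path, and the constructed outputs in the test stand in for real runs.

```python
"""Tell fragment-dropping from an unreachable nameserver by comparing dig
output at two EDNS buffer sizes.  Added example; operates on dig text."""
import re
import subprocess

# Largest UDP payload that fits one IPv4 packet on a 1500-byte Ethernet link
# (1500 - 20 IPv4 header - 8 UDP header); anything bigger is fragmented.
MAX_UNFRAGMENTED_IPV4 = 1472

def classify(dig_output: str) -> dict:
    """Summarise one dig run: answered at all, TC flag set, bytes received."""
    if "connection timed out" in dig_output:
        return {"answered": False, "tc": False, "size": 0}
    m = re.search(r"^;; flags:([^;]*);", dig_output, re.M)
    flags = m.group(1).split() if m else []
    m = re.search(r"^;; MSG SIZE\s+rcvd:\s+(\d+)", dig_output, re.M)
    size = int(m.group(1)) if m else 0
    return {"answered": True, "tc": "tc" in flags, "size": size}

def diagnose(big: str, small: str) -> str:
    """big: dig output with the default 4096-byte EDNS buffer;
    small: the same query with +bufsize=1432.  Returns a verdict string."""
    b, s = classify(big), classify(small)
    if not b["answered"] and s["answered"]:
        # Only the response that needs fragmentation is lost: a firewall or
        # path is dropping UDP fragments, not blocking the server.
        return "fragments dropped: large EDNS response lost, 1432-byte query answered"
    if not b["answered"] and not s["answered"]:
        return "server unreachable: no response at any buffer size"
    if b["size"] > MAX_UNFRAGMENTED_IPV4:
        return "ok: fragmented response received, path passes fragments"
    return "ok: response fits without fragmentation"

def run_dig(name: str, server: str, bufsize: int) -> str:
    """Run the query the way Mark phrases it (+dnssec +norec) at one bufsize."""
    cmd = ["dig", name, "+dnssec", "+norec", f"@{server}", f"+bufsize={bufsize}"]
    return subprocess.run(cmd, capture_output=True, text=True).stdout
```

A live check is `diagnose(run_dig(n, s, 4096), run_dig(n, s, 1432))`; a TC-flagged small answer means dig would retry the same query over TCP, which is why the 1432-byte query succeeds where the 4096-byte one does not.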


About use bind to do DNSSEC with no correct RSASHA256 signature

2017-09-18 Thread yaohongyuan
Hi all,


We used bind to do DNSSEC, DYNAMIC ZONES, AND AUTOMATIC SIGNING. 
But last week we found that there is just one 'RRSIG NSEC3' record that is 
invalid (No correct RSASHA256 signature) signed by bind.
dnssec-verify -o XXX -E pkcs11 XXX.txt.signed
Loading zone 'XXX' from file 'XXX.txt.signed'
Verifying the zone using the following algorithms: RSASHA256.
No correct RSASHA256 signature for 4AAPP98J0Q8VUG1BSQDH22IS8SURC8M6.XXX 
NSEC3
The zone is not fully signed for the following algorithms: RSASHA256.
dnssec-verify: fatal: DNSSEC completeness test failed.


This error record as below:
4AAPP98J0Q8VUG1BSQDH22IS8SURC8M6.XXX. 3600 IN RRSIG NSEC3 8 2 3600 20170925080748 
20170911074409 55399 XXX. 
AAAJ0lYBXu+DKpPARWqucXHr2hmUm5nGeKzcEg8L+n2Cb0APyG4UvNBYZ3lPzmSVRLw77NsGypPoMG23ovRMhhsmKg2uORh65ikucL072HksSbTNRn5/RPqw8sCD8RiCMrLj+wj5xFhqAa8Xk3UZMEMFK2jWROOT4LKDRhs=


Our zone configure as below :
{   
dnssec-enable yes;
dnssec-validation yes;
type master;
update-check-ksk yes;
dnssec-dnskey-kskonly yes;
auto-dnssec maintain;
sig-validity-interval 14 5;
dnssec-update-mode maintain;
serial-update-method increment;
}
We used bind with below version :
named -V
BIND 9.10.5 
running on Linux x86_64 2.6.32-696.3.2.el6.x86_64 #1 SMP Tue Jun 20 
01:26:55 UTC 2017
built by make with 'CC=gcc -m64' '--enable-threads' 
'--with-openssl=/opt/pkcs11/usr' '--with-pkcs11=/usr/local/lib/pkcs11.so' 
'--prefix=/usr/local/bind-9.10.5'
compiled by GCC 4.4.7 20120313 (Red Hat 4.4.7-18)
compiled with OpenSSL version: OpenSSL 1.0.2h  3 May 2016
linked to OpenSSL version: OpenSSL 1.0.2h  3 May 2016
compiled with libxml2 version: 2.7.6
linked to libxml2 version: 20706


Is this a known issue?
Has this been fixed?
We have tried to manually correct this record, but didn't find the right way.
We tried remove this RRSIG but get REFUSED log as below:
updating zone 'XXX/IN': update failed: explicit RRSIG updates are 
currently not supported in secure zones except at the apex (REFUSED)
We tried remove this NSEC3 but get REFUSED log as below:
updating zone 'XXX/IN': update failed: explicit NSEC3 updates are 
not allowed in secure zones (REFUSED)


How do we correct this invalid record?
Could anybody give us some help? We would very much appreciate it.
Thank you very much.


Best regards,
Dean


