Don't understand why I get a FORMERR (quad-A - ipv6 related)

2012-04-25 Thread Nicolas Michel
Hello guys,

I have BIND 9.6-ESV-R5-P1 on SLES 11 SP1 installed and it is working fine.
I only have a situation where I don't understand what's happening and why:
I try to do a quad-A query to www.ryanair.com (which doesn't exist,
only single A). When trying this with dig on my BIND server, I get a
SERVFAIL return code. When doing the same query on the google DNS (8.8.8.8)
I only get no answer but a return code of NOERROR.

(I only took www.ryanair.com as an example but I get the same behavior with
some other records like exch-eu.atdmt.com ...)

*Here is the dig on google DNS*

dig @8.8.8.8 AAAA www.ryanair.com

; <<>> DiG 9.9.0 <<>> @8.8.8.8 AAAA www.ryanair.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 56244
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

*Here is the dig on my bind server:*

dig AAAA www.ryanair.com

; <<>> DiG 9.9.0 <<>> AAAA www.ryanair.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 25197
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

*So I configured a channel with a debug3 severity on my BIND to try
understanding what's happening. Here is the response excerpt:*

25-Apr-2012 14:00:52.009 resolver: debug 3: resquery 0x7f0d23be8dc0 (fctx 0x7f0d23be2dc0(www.ryanair.com/AAAA)): response
25-Apr-2012 14:00:52.009 resolver: debug 3: fctx 0x7f0d23be2dc0(www.ryanair.com/AAAA'): noanswer_response
25-Apr-2012 14:00:52.009 resolver: debug 3: fctx 0x7f0d23be2dc0(www.ryanair.com/AAAA'): cancelquery
25-Apr-2012 14:00:52.010 resolver: debug 3: fctx 0x7f0d23be2dc0(www.ryanair.com/AAAA'): add_bad
25-Apr-2012 14:00:52.010 lame-servers: info: FORMERR resolving 'www.ryanair.com/AAAA/IN': 193.95.148.92#53
25-Apr-2012 14:00:52.010 lame-servers: info: FORMERR resolving 'www.ryanair.com/AAAA/IN': 193.95.148.92#53
25-Apr-2012 14:00:52.010 lame-servers: info: FORMERR resolving 'www.ryanair.com/AAAA/IN': 193.95.148.92#53
25-Apr-2012 14:00:52.010 resolver: debug 3: fctx 0x7f0d23be2dc0(www.ryanair.com/AAAA'): try
25-Apr-2012 14:00:52.010 resolver: debug 3: fctx 0x7f0d23be2dc0(www.ryanair.com/AAAA'): query
25-Apr-2012 14:00:52.010 resolver: debug 3: resquery 0x7f0d23be8dc0 (fctx 0x7f0d23be2dc0(www.ryanair.com/AAAA)): send
25-Apr-2012 14:00:52.010 resolver: debug 3: resquery 0x7f0d23be8dc0 (fctx 0x7f0d23be2dc0(www.ryanair.com/AAAA)): sent
25-Apr-2012 14:00:52.010 resolver: debug 3: resquery 0x7f0d23be8dc0 (fctx 0x7f0d23be2dc0(www.ryanair.com/AAAA)): udpconnected
25-Apr-2012 14:00:52.010 resolver: debug 3: resquery 0x7f0d23be8dc0 (fctx 0x7f0d23be2dc0(www.ryanair.com/AAAA)): senddone
25-Apr-2012 14:00:52.030 resolver: debug 3: resquery 0x7f0d23be8dc0 (fctx 0x7f0d23be2dc0(www.ryanair.com/AAAA)): response
25-Apr-2012 14:00:52.030 resolver: debug 3: fctx 0x7f0d23be2dc0(www.ryanair.com/AAAA'): cancelquery
25-Apr-2012 14:00:52.030 resolver: debug 3: fctx 0x7f0d23be2dc0(www.ryanair.com/AAAA'): resend
25-Apr-2012 14:00:52.030 resolver: debug 3: fctx 0x7f0d23be2dc0(www.ryanair.com/AAAA'): query
25-Apr-2012 14:00:52.030 resolver: debug 3: resquery 0x7f0d23be8dc0 (fctx 0x7f0d23be2dc0(www.ryanair.com/AAAA)): send
25-Apr-2012 14:00:52.030 resolver: debug 3: resquery 0x7f0d23be8dc0 (fctx 0x7f0d23be2dc0(www.ryanair.com/AAAA)): sent
25-Apr-2012 14:00:52.030 resolver: debug 3: resquery 0x7f0d23be8dc0 (fctx 0x7f0d23be2dc0(www.ryanair.com/AAAA)): udpconnected
25-Apr-2012 14:00:52.030 resolver: debug 3: resquery 0x7f0d23be8dc0 (fctx 0x7f0d23be2dc0(www.ryanair.com/AAAA)): senddone
25-Apr-2012 14:00:52.047 client: debug 3: client 195.130.131.10#3449: UDP request
25-Apr-2012 14:00:52.047 client: debug 3: client 195.130.131.10#3449: view MLT-EXTERNAL: query
25-Apr-2012 14:00:52.047 client: debug 3: client 195.130.131.10#3449: view MLT-EXTERNAL: send
25-Apr-2012 14:00:52.047 client: debug 3: client 195.130.131.10#3449: view MLT-EXTERNAL: sendto
25-Apr-2012 14:00:52.047 client: debug 3: client 195.130.131.10#3449: view MLT-EXTERNAL: senddone
25-Apr-2012 14:00:52.047 client: debug 3: client 195.130.131.10#3449: view MLT-EXTERNAL: next
25-Apr-2012 14:00:52.047 client: debug 3: client 195.130.131.10#3449: view MLT-EXTERNAL: endrequest
25-Apr-2012 14:00:52.047 client: debug 3: client @0x7f0d238e0380: udprecv
25-Apr-2012 14:00:52.050 resolver: debug 3: resquery 0x7f0d23be8dc0 (fctx 0x7f0d23be2dc0(www.ryanair.com/AAAA)): response
25-Apr-2012 14:00:52.050 resolver: debug 3: fctx 0x7f0d23be2dc0(www.ryanair.com/AAAA'): noanswer_response
25-Apr-2012 14:00:52.050 resolver: debug 3: fctx 0x7f0d23be2dc0(www.ryanair.com/AAAA'): cancelquery
25-Apr-2012 14:00:52.050 resolver: debug 3: fctx 0x7f0d23be2dc0(www.ryanair.com/AAAA'): add_bad
25-Apr-2012 14:00:52.050 lame-servers: info: FORMERR resolving 'www.ryanair.com/AAAA/IN': 62.73.129.182#53
25-Apr-2012 14:00:52.050 lame-servers: info: FORMERR resolving 'www.ryanair.com/AAAA/IN': 62.73.129.182#53
25-Apr-2012 14:00:52.050 lame-servers: info: FORMERR

RE: SERVFAIL with ocsp.entrust.net.

2012-04-25 Thread Bischof, Ralph F. (MSFC-IS40)[NICS]
Thanks for the help everyone. The AAAA query is now coming back with a NOERROR
response.
Of note, any other query besides A or AAAA is still showing SERVFAIL.


Thank you,
Ralph F. Bischof, Jr.
NASA Agency IPAM/DNS/DHCP
SAIC/NICS
256-544-3982




 -Original Message-
 From: bind-users-bounces+ralph.bischof=nasa@lists.isc.org
 [mailto:bind-users-bounces+ralph.bischof=nasa@lists.isc.org] On Behalf
 Of Bischof, Ralph F. (MSFC-IS40)[NICS]
 Sent: Tuesday, April 24, 2012 12:53 PM
 To: bind-users@lists.isc.org
 Subject: SERVFAIL with ocsp.entrust.net.
 
 Hi Mark,
 
   Good to hear. I have been working with someone at Entrust for a
 while now and had an email last night from him to check again. And, yes, my
 main concern is dual-stack IPv6 machines, hence the AAAA queries being
 important.
 
 
 Thank you,
 Ralph F. Bischof, Jr.
 NASA Agency IPAM/DNS/DHCP
 SAIC/NICS
 256-544-3982
 
 
 
 
  -Original Message-
  From: Mark Andrews [mailto:ma...@isc.org]
  Sent: Tuesday, April 24, 2012 10:44 AM
  To: Bischof, Ralph F. (MSFC-IS40)[NICS]
  Cc: comp-protocols-dns-b...@isc.org
  Subject: Re: SERVFAIL with ocsp.entrust.net.
 
 
  Entrust is definitely aware of the issue and are working on it.
  Yes it is a misconfiguration.  This breaks FaceTime on dual stack
  machines.
 
  They reported that they had fixed it earlier today but hadn't when I tested.
  They acknowledge the report that it was still broken and were going to
  look at their setup again.
 
  Mark
 
 ___
 Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe
 from this list
 
 bind-users mailing list
 bind-users@lists.isc.org
 https://lists.isc.org/mailman/listinfo/bind-users


Re: Don't understand why I get a FORMERR (quad-A - ipv6 related)

2012-04-25 Thread Mark Andrews

The root cause is that the name servers for www.ryanair.com are
misconfigured.  They are returning answers as if they are configured
for ryanair.com (see the SOA record) instead of www.ryanair.com as
can be seen below.

; <<>> DiG 9.9.0rc2 <<>> www.ryanair.com AAAA @fr27dns.ryanair.com +noedns
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 22179
;; flags: qr aa rd ad; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
;; WARNING: recursion requested but not available

;; QUESTION SECTION:
;www.ryanair.com.       IN      AAAA

;; AUTHORITY SECTION:
ryanair.com.    10      IN      SOA     fr27dns.ryanair.com. root.ryanair.com. 1 10 10 10 10

;; Query time: 366 msec
;; SERVER: 62.134.190.242#53(62.134.190.242)
;; WHEN: Wed Apr 25 23:44:37 2012
;; MSG SIZE  rcvd: 104

Mark
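
Added example, not part of Mark's message: a shell check for the mismatch he describes, assuming www.ryanair.com is delegated as its own zone, so the SOA in a negative answer should be owned by a name at or below www.ryanair.com. The function names and the sample dig output are constructed for illustration.

```shell
#!/bin/sh
# Added example: flag a negative answer whose SOA sits outside the queried zone.

# Lower-case a name and strip one trailing dot.
norm() { printf '%s' "$1" | tr 'A-Z' 'a-z' | sed 's/\.$//'; }

# Succeeds when name $1 equals zone $2 or is a subdomain of it.
at_or_below() {
    n=$(norm "$1"); z=$(norm "$2")
    case "$n" in
        "$z"|*."$z") return 0 ;;
        *) return 1 ;;
    esac
}

# Read dig output on stdin; print the owner of the first SOA in AUTHORITY.
soa_owner() {
    awk '/^;; AUTHORITY SECTION:/ { in_auth = 1; next }
         /^;; / || /^$/           { in_auth = 0 }
         in_auth { for (i = 2; i <= NF; i++) if ($i == "SOA") { print $1; exit } }'
}

# classify_negative ZONE: dig output on stdin; prints one of
#   consistent        SOA owner is at or below the zone cut
#   soa-outside-zone  SOA owner is outside it (the case in this thread)
#   no-soa            no SOA found in the AUTHORITY section
classify_negative() {
    owner=$(soa_owner)
    if [ -z "$owner" ]; then echo "no-soa"
    elif at_or_below "$owner" "$1"; then echo "consistent"
    else echo "soa-outside-zone"
    fi
}

# Constructed sample, modelled on the dig output in Mark's message.
sample_response() {
cat <<'EOF'
;; flags: qr aa rd; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;www.ryanair.com.       IN      AAAA

;; AUTHORITY SECTION:
ryanair.com.    10      IN      SOA     fr27dns.ryanair.com. root.ryanair.com. 1 10 10 10 10

;; Query time: 366 msec
EOF
}

# Zone cut assumed at www.ryanair.com (assumption, see lead-in).
sample_response | classify_negative www.ryanair.com
```

Against a live server the same check is `dig AAAA name @server +norecurse | classify_negative zone`, where `zone` is the name the parent delegates.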


Re: Don't understand why I get a FORMERR (quad-A - ipv6 related)

2012-04-25 Thread Nicolas Michel
Thank you for your answers guys! It's much more clear now ;)
But the google DNS (8.8.8.8) still returns NOERROR for the same query and
the same situation. So I wonder what is the right behavior (documented in
RFC? or maybe that situation is not documented so it is right to the
software dev to decide whether to raise an error or not in that case?)

Nicolas

Re: Don't understand why I get a FORMERR (quad-A - ipv6 related)

2012-04-25 Thread Matus UHLAR - fantomas

In message 
CAO5znasqndyUCiKOXMb_9GE2oSYQ-nsfg1RSLu7wGedtoGGn=w...@mail.gmail.com
, Nicolas Michel writes:

I have BIND 9.6-ESV-R5-P1 on SLES 11 SP1 installed and it is working fine.
I only have a situation where I don't understand what's happening and why:
I try to do a quad-A query to www.ryanair.com (which doesn't exist,
only single A). When trying this with dig on my BIND server, I get a
SERVFAIL return code. When doing the same query on the google DNS (8.8.8.8)
I only get no answer but a return code of NOERROR.


On 25.04.12 23:53, Mark Andrews wrote:

The root cause is that the name servers for www.ryanair.com are
misconfigured.  They are returning answers as if they are configured
for ryanair.com (see the SOA record) instead of www.ryanair.com as
can be seen below.


Hmm, I've been solving their problem years ago. Haven't they still fixed
that?

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
REALITY.SYS corrupted. Press any key to reboot Universe.


Re: Don't understand why I get a FORMERR (quad-A - ipv6 related)

2012-04-25 Thread Alan Clegg
On 4/25/2012 10:28 AM, Matus UHLAR - fantomas wrote:
 In message
 CAO5znasqndyUCiKOXMb_9GE2oSYQ-nsfg1RSLu7wGedtoGGn=w...@mail.gmail.com
 , Nicolas Michel writes:

 I only get no answer but a return code of NOERROR.

 On 25.04.12 23:53, Mark Andrews wrote:
 The root cause is that the name servers for www.ryanair.com are
 misconfigured.  They are returning answers as if they are configured
 for ryanair.com (see the SOA record) instead of www.ryanair.com as
 can be seen below.

 Hmm, I've been solving their problem years ago. Haven't they still fixed
 that?

You can get correct AAAA records, but it costs an extra Euro.  :-)

AlanC
-- 
a...@clegg.com | acl...@infoblox.com
  1.919.355.8851




how can i recognize dnssec servers

2012-04-25 Thread William SAMEN
Hi, all Bind'ers
I'm just trying to write a bash script which allows me to collect a list of
zones which are signed with DNSSEC by giving a file of requests as an argument.
So my problem is that I created my personal DNS with 3 signed zones; when I'm
testing, all is good, but when I made a dig +dnssec on the gandi.net domain (for
example) my DNS server didn't return an RRSIG in the answer section. Is that OK?
Do you think I made a mistake in my named configuration? Recursion is working
very well, but
how can I know that a zone or domain has been signed? Is a dig +dnssec
the best or the only way to know that?

Thanks for your help!!!


William Thierry SAMEN


Re: how can i recognize dnssec servers

2012-04-25 Thread Paul Wouters

On Wed, 25 Apr 2012, William SAMEN wrote:


Hi, all Bind'ers
I'm just trying to write a bash script which allows me to collect a list of
zones which are signed with DNSSEC by giving a file of requests as an argument.
So my problem is that I created my personal DNS with 3 signed zones; when I'm
testing, all is good, but when I made a dig +dnssec on the gandi.net domain (for
example) my DNS server didn't return an RRSIG in the answer section. Is that OK?
Do you think I made a mistake in my named configuration? Recursion is working
very well, but
how can I know that a zone or domain has been signed? Is a dig +dnssec
the best or the only way to know that?


Assuming your system uses a DNSSEC configured resolver with the root
key, and with signed you really mean secure (that is with a DS or
DLV trust path), you can use:

[paul@thinkpad ~]$ dig +dnssec nohats.ca|grep flags |grep ad;
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 5, ADDITIONAL: 7
[paul@thinkpad ~]$ echo $?
0
[paul@thinkpad ~]$ dig +dnssec foobar.ca|grep flags |grep ad;
[paul@thinkpad ~]$ echo $?
1

Paul

Thanks for your help!!!


William Thierry SAMEN
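
Added example, not part of Paul's or William's messages: Paul's AD-flag test applied to a list of names, as William's script would need, assuming the local resolver validates DNSSEC. It reads the flags from the header line only and reports SERVFAIL separately; `sample_dig`, `broken.example` and the other function names are constructed for illustration.

```shell
#!/bin/sh
# Added example: classify names by the AD bit returned by a validating resolver.
DIG=${DIG:-dig}   # overridable so the parsing can be exercised offline

# Read dig output on stdin; print the header flags, e.g. "qr rd ra ad".
header_flags() {
    sed -n 's/^;; flags: \([^;]*\);.*/\1/p' | head -n 1
}

# Read dig output on stdin; print secure, servfail or unvalidated.
dnssec_state() {
    out=$(cat)
    case " $(printf '%s\n' "$out" | header_flags) " in
        *" ad "*) echo secure; return 0 ;;
    esac
    case "$out" in
        *"status: SERVFAIL"*) echo servfail ;;   # lookup failed, possibly bogus data
        *) echo unvalidated ;;                   # unsigned, or no trust path
    esac
}

# Read names on stdin, one per line ("#" comments allowed); print "name state".
classify_names() {
    while read -r name rest; do
        case "$name" in ''|'#'*) continue ;; esac
        state=$("$DIG" +dnssec "$name" </dev/null | dnssec_state)
        printf '%s %s\n' "$name" "$state"
    done
}

# Constructed stand-in for dig, modelled on the two results Paul shows.
sample_dig() {
    case "$2" in
        nohats.ca)      f='qr rd ra ad' s=NOERROR ;;
        broken.example) f='qr rd ra'    s=SERVFAIL ;;
        *)              f='qr rd ra'    s=NOERROR ;;
    esac
    printf ';; ->>HEADER<<- opcode: QUERY, status: %s, id: 1\n' "$s"
    printf ';; flags: %s; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1\n' "$f"
    printf '; EDNS: version: 0, flags: do; udp: 4096\n'
}

# Offline demonstration with the constructed stand-in.
printf 'nohats.ca\n# comment\nfoobar.ca\n' | DIG=sample_dig classify_names
```

With real lookups, run `classify_names < names.txt` and leave `DIG` unset.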