Re: problem resolving ardownload.adobe.com

2014-07-08 Thread Barry Margolin
In article ,
 Mark Andrews  wrote:

> 
> The adobe servers are just plain broken.
> 
>   Request a CNAME -> NXDOMAIN (Should return CNAME record)
>   Request a TXT -> NXDOMAIN (Should return CNAME record)
>   Request a NS -> NXDOMAIN (Should return CNAME record)
>   Add a EDNS option -> NXDOMAIN (Should return CNAME record)
> 
> I suspect the load balancer is passing non A/AAAA queries through to a
> backing server that doesn't have a fallback CNAME in the zone for
> ardownload.wip4.adobe.com resulting in NXDOMAIN being returned.
> That said, the load balancer should know that if it is returning CNAME
> to A and AAAA queries, it should also return CNAME to all other
> query types.  This is basic RFC 1034 behaviour.

This is pretty common misbehavior for dedicated load balancers.

-- 
Barry Margolin
Arlington, MA
___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users


Re: problem resolving ardownload.adobe.com

2014-07-08 Thread Nicholas F Miller
FWIW,

I ran into this issue with www.elevationsbanking.com as well. The setup was 
very similar, the record resolved to a CNAME which in turn resolved to another 
CNAME. When the TTL expired on the CNAME the record would revert to NXDOMAIN. 
It wasn’t until the TTL expired for the SOA that things would resolve correctly 
again.

In the case of ardownload.adobe.com the record will initially resolve. When the 
TTL for ardownload.wip4.adobe.com expires the result becomes NXDOMAIN.

The people over at Digital Insight wound up removing the CNAME chaining which 
has solved the issue so far. Looking at www.elevationsbanking.com it appears 
digitalinsight.com are also using a load balancer. My thinking was they weren’t 
delegating their domain correctly on/to their GTMs.

_
Nicholas Miller, OIT, University of Colorado at Boulder




On Jul 7, 2014, at 8:34 PM, Mark Andrews  wrote:

> 
> The adobe servers are just plain broken.
> 
>   Request a CNAME -> NXDOMAIN (Should return CNAME record)
>   Request a TXT -> NXDOMAIN (Should return CNAME record)
>   Request a NS -> NXDOMAIN (Should return CNAME record)
>   Add a EDNS option -> NXDOMAIN (Should return CNAME record)
> 
> I suspect the load balancer is passing non A/AAAA queries through to a
> backing server that doesn't have a fallback CNAME in the zone for
> ardownload.wip4.adobe.com resulting in NXDOMAIN being returned.
> That said, the load balancer should know that if it is returning CNAME
> to A and AAAA queries, it should also return CNAME to all other
> query types.  This is basic RFC 1034 behaviour.
> 
> Mark
> 
> ; <<>> DiG 9.11.0pre-alpha <<>> ardownload.wip4.adobe.com cname 
> @du1gtm001.adobe.com
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 201
> ;; flags: qr aa rd; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
> ;; WARNING: recursion requested but not available
> 
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags:; udp: 4096
> ;; QUESTION SECTION:
> ;ardownload.wip4.adobe.com.   IN  CNAME
> 
> ;; AUTHORITY SECTION:
> wip4.adobe.com.   30  IN  SOA sj1gtm001.adobe.com. 
> hostmaster.sj1gtm001.adobe.com. 1283 10800 3600 604800 60
> 
> ;; Query time: 486 msec
> ;; SERVER: 193.104.215.247#53(193.104.215.247)
> ;; WHEN: Tue Jul 08 12:15:41 EST 2014
> ;; MSG SIZE  rcvd: 111
> 
> 
> ; <<>> DiG 9.11.0pre-alpha <<>> ardownload.wip4.adobe.com a 
> @du1gtm001.adobe.com +nsid
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 37308
> ;; flags: qr aa rd; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
> ;; WARNING: recursion requested but not available
> 
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags:; udp: 4096
> ;; QUESTION SECTION:
> ;ardownload.wip4.adobe.com.   IN  A
> 
> ;; AUTHORITY SECTION:
> wip4.adobe.com.   30  IN  SOA sj1gtm001.adobe.com. 
> hostmaster.sj1gtm001.adobe.com. 1283 10800 3600 604800 60
> 
> ;; Query time: 422 msec
> ;; SERVER: 193.104.215.247#53(193.104.215.247)
> ;; WHEN: Tue Jul 08 12:17:30 EST 2014
> ;; MSG SIZE  rcvd: 111
> 
> ; <<>> DiG 9.11.0pre-alpha <<>> ardownload.wip4.adobe.com a 
> @du1gtm001.adobe.com
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 37210
> ;; flags: qr aa rd ad; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
> ;; WARNING: recursion requested but not available
> 
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags:; udp: 4096
> ;; QUESTION SECTION:
> ;ardownload.wip4.adobe.com.   IN  A
> 
> ;; ANSWER SECTION:
> ardownload.wip4.adobe.com. 300IN  CNAME   
> ardownload.adobe.com.edgesuite.net.
> 
> ;; Query time: 441 msec
> ;; SERVER: 193.104.215.247#53(193.104.215.247)
> ;; WHEN: Tue Jul 08 12:15:57 EST 2014
> ;; MSG SIZE  rcvd: 102
> 
> 
> In message 
> 
> , Casey Deccio writes:
>> 
>> On Wed, Jul 2, 2014 at 2:51 PM, Carl Byington  wrote:
>> 
>>> -BEGIN PGP SIGNED MESSAGE-
>>> Hash: SHA1
>>> 
>>> version: 9.10.0-P2
>>> 
>>> dig ardownload.adobe.com. @localhost
>>> 
>>> ;; ANSWER SECTION:
>>> ardownload.adobe.com.   8743IN  CNAME   ardownload.wip4.adobe.com.
>>> 
>>> 
>> What is the rest of the dig output?  Specifically, what status is your
>> resolver giving you (NOERROR or NXDOMAIN)?
>> 
>> When queried for type NS, the adobe load balancer returns NXDOMAIN:
>> 
>> $ dig @du1gtm001.adobe.com  ardownload.wip4.adobe.com ns
>> 
>> ; <<>> DiG 9.8.4-rpz2+rl005.12-P1 <<>> @du1gtm001.adobe.com
>> ardownload.wip4.adobe.com ns
>> ; (1 server found)
>> ;; global options: +cmd
>> ;; Got answer:
>> ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 42533
>> ;; flags: qr aa rd; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
>> ;; WARNING: recursion requested but not available
>> 
>> ;; QUESTION SECTION:
>> ;ardownload.wip4.adobe.com.   IN  NS
>> 
>> ;; AUTHORITY SECTION:
>> wip4.adobe.com.30IN   
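The rule Mark Andrews invokes can be checked mechanically: collect the authoritative answers for one name across several query types and flag any NXDOMAIN where a CNAME was returned for another type. The following is an added example, not code from the thread; its sample responses are constructed to mirror the quoted dig output (the names are from the thread, the response set is a stand-in for live queries).

```python
"""CNAME consistency audit for one name (RFC 1034 section 3.6.2).

Added example, not code from the thread. The sample responses are constructed
to mirror the dig output Mark Andrews quoted: the load balancer returns the
CNAME for A queries but NXDOMAIN for CNAME, TXT and NS queries at that name.
"""
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Response:
    qtype: str                   # query type sent
    rcode: str                   # "NOERROR" or "NXDOMAIN"
    cname: Optional[str] = None  # CNAME target seen in ANSWER, if any


def audit_cname_consistency(owner: str, responses: List[Response]) -> List[str]:
    """Return findings for answers that contradict the CNAME rule.

    A name that owns a CNAME may own no other data, so a query for any type
    at that name must return the CNAME with NOERROR. NXDOMAIN is worse than
    a mere inconsistency: resolvers negatively cache it, giving the 'works,
    then NXDOMAIN once the TTL expires' behaviour described in this thread.
    """
    targets = {r.cname for r in responses if r.cname}
    findings = []
    if not targets:
        return findings  # no CNAME seen for any type, nothing to cross-check
    if len(targets) > 1:
        findings.append(f"{owner}: conflicting CNAME targets {sorted(targets)}")
    for r in responses:
        if r.rcode == "NXDOMAIN":
            findings.append(f"{owner}/{r.qtype}: NXDOMAIN although name owns a CNAME")
        elif r.cname is None:
            findings.append(f"{owner}/{r.qtype}: NOERROR but no CNAME in answer")
    return findings


# Constructed sample modelled on the quoted dig output.
OWNER = "ardownload.wip4.adobe.com."
TARGET = "ardownload.adobe.com.edgesuite.net."
SAMPLE = [
    Response("A", "NOERROR", TARGET),
    Response("CNAME", "NXDOMAIN"),
    Response("TXT", "NXDOMAIN"),
    Response("NS", "NXDOMAIN"),
]

if __name__ == "__main__":
    print("\n".join(audit_cname_consistency(OWNER, SAMPLE)))
```

Feeding it the rcode and ANSWER section of one dig run per query type reproduces the three broken cases Mark lists; a correctly behaving server yields no findings.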

Checking proper SPF record

2014-07-08 Thread Alex
Hi,

I have a mail server that manages mail for about ten domains, using
bind-9.9.4-12.P2 on fedora20. I'd like to make sure my SPF record in my SOA
is set up correctly, and hoped someone could help. Currently I have the
following:

$TTL 1d

@       IN  SOA ns.example.com. admin.ns.example.com. (
        2011041707  ;serial (mmddxx)
        3h          ;refresh every 3 hours
        1h          ;retry every 1 hr
        7d          ;expire in 7 days
        1d )        ;minimum ttl 1 day

        IN  NS  ns.example.com.
        IN  NS  ns1.example.com.
        IN  NS  ns2.example.com.

        A   192.168.1.10

        IN  MX  10 smtp.example.com.

        IN  TXT "v=spf1 mx a ip4:192.168.1.11/32 ip4:192.168.2.11/32 a:smtp.example.com a:smtp1.example.com -all"

ns      IN  TXT "v=spf1 a -all"
ns1     IN  TXT "v=spf1 a -all"
ns2     IN  TXT "v=spf1 a -all"
smtp    IN  TXT "v=spf1 a -all"
smtp1   IN  TXT "v=spf1 a -all"

I believe there is a new SPF TXT entry in addition to the one I've created
above that's now being used? The references I read were unclear.

Does this look correct? I'd have to add this SOA to every domain the mail
server manages, correct? The smtp and smtp1 servers are the only two
servers that should be responsible for this domain.

Any ideas greatly appreciated.
Thanks,
Alex

Re: Checking proper SPF record

2014-07-08 Thread Kevin Darcy


http://www.kitterman.com/spf/validate.html

- Kevin

On 7/8/2014 12:43 PM, Alex wrote:

Hi,

I have a mail server that manages mail for about ten domains, using 
bind-9.9.4-12.P2 on fedora20. I'd like to make sure my SPF record in 
my SOA is set up correctly, and hoped someone could help. Currently I 
have the following:


$TTL 1d

@       IN  SOA ns.example.com. admin.ns.example.com. (
        2011041707  ;serial (mmddxx)
        3h          ;refresh every 3 hours
        1h          ;retry every 1 hr
        7d          ;expire in 7 days
        1d )        ;minimum ttl 1 day

        IN  NS  ns.example.com.
        IN  NS  ns1.example.com.
        IN  NS  ns2.example.com.

        A   192.168.1.10

        IN  MX  10 smtp.example.com.

        IN  TXT "v=spf1 mx a ip4:192.168.1.11/32 ip4:192.168.2.11/32 a:smtp.example.com a:smtp1.example.com -all"

ns      IN  TXT "v=spf1 a -all"
ns1     IN  TXT "v=spf1 a -all"
ns2     IN  TXT "v=spf1 a -all"
smtp    IN  TXT "v=spf1 a -all"
smtp1   IN  TXT "v=spf1 a -all"

I believe there is a new SPF TXT entry in addition to the one I've 
created above that's now being used? The references I read were unclear.


Does this look correct? I'd have to add this SOA to every domain the 
mail server manages, correct? The smtp and smtp1 servers are the only 
two servers that should be responsible for this domain.


Any ideas greatly appreciated.
Thanks,
Alex



Re: Checking proper SPF record

2014-07-08 Thread G.W. Haywood

Hi there,

On Tue, 8 Jul 2014, Alex wrote:


... Does this look correct? ...


No, it's terrible.

Drop a line over at the SPF-users mailing list, they'll sort you out.

Use real names and addresses, then it's more than just a conjecture.

This will all be published for the world to see anyway, so there's no
sense at all in using bogus data, and if you use real data people can
really check it for you.

73,
Ged.


Re: Checking proper SPF record

2014-07-08 Thread Reindl Harald

> IN TXT "v=spf1 mx a ip4:192.168.1.11/32 ip4:192.168.2.11/32 
> a:smtp.example.com a:smtp1.example.com -all"

go away with anonymized data if you want help
especially in case of data which will be made public anyway




Re: Checking proper SPF record

2014-07-08 Thread Alex
Hi all,

Thought I'd try this again. Thanks so much for your help. I'm using
bind-9.9.4-12.P2 on fedora20.

$TTL 1d

@       IN  SOA ns.guardiandigital.com. admin.ns.guardiandigital.com. (
        2014070701  ;serial (mmddxx)
        3h          ;refresh every 3 hours
        1h          ;retry every 1 hr
        7d          ;expire in 7 days
        1d )        ;minimum ttl 1 day

        IN  NS  ns.guardiandigital.com.
        IN  NS  ns1.guardiandigital.com.
        IN  NS  ns2.guardiandigital.com.

        A   64.1.16.14

        IN  MX  10 smtp.guardiandigital.com.

        IN  TXT "v=spf1 mx a ip4:64.1.16.3/32 ip4:64.1.16.27/32 ip4:66.104.218.98/32 a:smtp.guardiandigital.com a:smtp1.guardiandigital.com ?all"

ns      IN  TXT "v=spf1 a -all"
ns1     IN  TXT "v=spf1 a -all"
ns2     IN  TXT "v=spf1 a -all"
smtp    IN  TXT "v=spf1 a -all"
smtp1   IN  TXT "v=spf1 a -all"

Thanks,
Alex
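To see what the SPF records in this thread actually decide for a given connecting IP, here is an added example (not code from the thread or from any SPF library) that evaluates the mechanisms Alex uses against an in-memory DNS table built from the first posted zone. The table entries for smtp and smtp1 are constructed, since the zone snippet gives no A records for them; swapping the trailing -all for the ?all of the second post shows the verdict for an unlisted sender drop from fail to neutral.

```python
"""Evaluate a sender IP against an SPF record (subset of RFC 7208).

Added example, not from the thread. Handles the mechanisms in Alex's record
(all, a, a:host, mx, ip4) and the +/-/~/? qualifiers. DNS goes to an in-memory
table from the posted zone; the smtp/smtp1 A records are constructed.
"""
import ipaddress

# Constructed DNS table: (owner, type) -> rdata list.
DNS = {
    ("example.com", "A"): ["192.168.1.10"],
    ("example.com", "MX"): ["smtp.example.com"],
    ("smtp.example.com", "A"): ["192.168.1.11"],   # constructed
    ("smtp1.example.com", "A"): ["192.168.2.11"],  # constructed
}
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def _a_matches(host, ip):
    """True if any A record of host equals the sender IP."""
    return any(ip == ipaddress.ip_address(a) for a in DNS.get((host, "A"), []))

def check_spf(record, sender_ip, domain):
    """Return pass/fail/softfail/neutral, or 'none' if no mechanism matches."""
    ip = ipaddress.ip_address(sender_ip)
    terms = record.split()
    if terms[0] != "v=spf1":
        raise ValueError("not an SPF record")
    for term in terms[1:]:
        qual = "+"                      # default qualifier is pass
        if term[0] in QUALIFIERS:
            qual, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        if name == "all":
            matched = True
        elif name == "ip4":
            matched = ip in ipaddress.ip_network(arg, strict=False)
        elif name == "a":               # bare 'a' means the sender domain itself
            matched = _a_matches(arg or domain, ip)
        elif name == "mx":
            matched = any(_a_matches(mx, ip) for mx in DNS.get((domain, "MX"), []))
        else:
            raise ValueError(f"unsupported mechanism {name}")
        if matched:
            return QUALIFIERS[qual]
    return "none"

RECORD = ("v=spf1 mx a ip4:192.168.1.11/32 ip4:192.168.2.11/32 "
          "a:smtp.example.com a:smtp1.example.com -all")

if __name__ == "__main__":
    print({ip: check_spf(RECORD, ip, "example.com")
           for ip in ("192.168.1.10", "192.168.2.11", "203.0.113.7")})
```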