>>> Mark Andrews 11/24/04 3:46 PM >>>

>> BIND 9.2.4 on RHEL3 (Update 3) recompiled from a source rpm w/
>> --disable-ipv6 added in the configure flags.
>>
>> Background - named runs fine for a while then quits resolving

external
>> names as illustrated below. When I issue # rndc dumpdb then grep for
>> www.yahoo.com in named_dump.db there is no answer. If I wait about 15
> >minutes www.yahoo.com will resolve OK - no action taken - it's found

in
>> the named_dump.db. Recursion is turned on for the nameserver

172.16.8.4
>> (my.nameserver), the client is 172.17.217.55 trying to resolve
>> www.yahoo.com and the secondary nameserver is 172.16.8.104
>> (2nd.nameserver).
> >
>> Finally, we have a hunch this may be related to bandwidth issues as
>> executing $ dig +trace www.yahoo.com does resolve ... after 20

seconds.
>> Any thoughts are greatly appreciated.
> >
>> <>

>
> I would be looking at a broken / misconfigured firewall.
>
> The following two queries should return a referral to the
> COM servers from A.ROOT-SERVERS.NET (198.41.0.4). The >first
> one is plain DNS, the second is EDNS and the answer size will
> exceed the 512 bytes supported by plain DNS.
>
> dig soa com +norec @198.41.0.4
> dig soa com +norec @198.41.0.4 +bufsize=4096
>
> Your firewall should be capable of supporting EDNS as it has

been
> on the Standards Track for 5 years now.
>
>Network Working Group P.

Vixie
>Request for Comments: 2671

ISC
>Category: Standards Track August

1999
>
>
> Extension Mechanisms for DNS (EDNS0)
>
> If you upgrade to 9.3.0 you can use "edns-udp-size 512;"
> to work around the firewall but the extra answer space
> provided by EDNS *is* required for correct DNS operation. We
> knew 5 years ago that it would be required, we just didn't
> know when we would exceed the capabilities of plain DNS.
> That time has now come.
>
> Mark
>--
>Mark Andrews, ISC
>1 Seymour St., Dundas Valley, NSW 2117, Australia
>PHONE: +61 2 9871 4742 INTERNET: >Mark_Andrews@isc.org


Mark, Thanks for the reply. The queries above work fine when our DNS is
working correctly and also work when named is returning ServFail for
certain external hosts (on both the server and on the client). My
assumption is that this would rule out the firewall issue - FWIW we run
CheckPoint NG/AI R55 w/ the lasest update applied.

Perhaps we have a misconfigured name server so I'm posting our
named.conf for everyone to see if there are any glaring issues. Some
definitions: A.A.A, B.B.B, C.C.C are external IP addresses, 172.18.2 is
in the DMZ, .80 & .81 are name servers in the DMZ serving clients
resolving our external domain names.

[root@mynameserver root]# cat /etc/named.conf
options {
directory "/var/named/zone";
recursive-clients 3000;
recursion yes;
};

logging {
channel my_syslog {
syslog daemon;
severity info;
};
channel log_file {
file "/var/named/log/msgs.log";
severity debug;
};

channel xfer-log {
file "/var/named/log/bind-xfer.log" versions unlimited size 10m;
print-category yes;
print-severity yes;
print-time yes;
severity info;
};
category xfer-in { xfer-log; };
category xfer-out { xfer-log; };
category notify { xfer-log; };
category security { log_file; };
category config { log_file; };
category lame-servers { null; };
};

acl "2nd-nameserver" { 172.16.8.104; };

zone "." {
type hint;
file "named.ca";
};

zone "0.0.127.IN-ADDR.ARPA" {
type master;
file "db.127.0.0";
allow-transfer { none; };
};

zone "zone1" {
type master;
file "zone1";
allow-transfer { "2nd-nameserver"; };
};

zone "zone2" {
type master;
file "zone2";
allow-transfer { "2nd-nameserver"; };
};

zone "A.A.A.IN-ADDR.ARPA" {
type master;
file "db.A.A.A";
allow-transfer { "2nd-nameserver"; };
};

zone "B.B.B.IN-ADDR.ARPA" {
type master;
file "db.B.B.B";
allow-transfer { "2nd-nameserver"; };
};

zone "C.C.C.IN-ADDR.ARPA" {
type master;
file "db.C.C.C";
allow-transfer { "2nd-nameserver"; };
};

zone "16.172.IN-ADDR.ARPA" {
type master;
file "db.172.16";
allow-transfer { "2nd-nameserver"; };
};

zone "17.172.IN-ADDR.ARPA" {
type master;
file "db.172.17";
allow-transfer { "2nd-nameserver"; };
};

zone "2.18.172.IN-ADDR.ARPA" {
type master;
file "db.172.18.2";
allow-transfer { "2nd-nameserver"; };
};

zone "zone3" {
type forward;
forwarders { 172.18.2.80; 172.18.2.81; };
};

zone "zone4" {
type forward;
forwarders { other-dept-ns1; other-dept-ns2; };
};

zone "zone5" {
type forward;
forwarders { 172.18.2.80; 172.18.2.81; };
};

zone "zone6" {
type forward;
forwarders { 172.18.2.80; 172.18.2.81; };
};

zone "zone7" {
type forward;
forwarders { 172.18.2.80; 172.18.2.81; };
};

include "/etc/rndc.key";

controls {
inet * allow { localhost; } keys { "rndckey"; };
};

================================================== ===
[root@mynameserver root]# dig soa com +norec @198.41.0.4


; <<>> DiG 9.2.4 <<>> soa com +norec @198.41.0.4
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 26782
;; flags: qr; QUERY: 1, ANSWER: 0, AUTHORITY: 13, ADDITIONAL: 15


;; QUESTION SECTION:
;com. IN SOA


;; AUTHORITY SECTION:
com. 172800 IN NS A.GTLD-SERVERS.NET.
com. 172800 IN NS G.GTLD-SERVERS.NET.
com. 172800 IN NS H.GTLD-SERVERS.NET.
com. 172800 IN NS C.GTLD-SERVERS.NET.
com. 172800 IN NS I.GTLD-SERVERS.NET.
com. 172800 IN NS B.GTLD-SERVERS.NET.
com. 172800 IN NS D.GTLD-SERVERS.NET.
com. 172800 IN NS L.GTLD-SERVERS.NET.
com. 172800 IN NS F.GTLD-SERVERS.NET.
com. 172800 IN NS J.GTLD-SERVERS.NET.
com. 172800 IN NS K.GTLD-SERVERS.NET.
com. 172800 IN NS E.GTLD-SERVERS.NET.
com. 172800 IN NS M.GTLD-SERVERS.NET.

;; ADDITIONAL SECTION:
A.GTLD-SERVERS.NET. 172800 IN AAAA 2001:503:a83e::2:30
A.GTLD-SERVERS.NET. 172800 IN A 192.5.6.30
G.GTLD-SERVERS.NET. 172800 IN A 192.42.93.30
H.GTLD-SERVERS.NET. 172800 IN A 192.54.112.30
C.GTLD-SERVERS.NET. 172800 IN A 192.26.92.30
I.GTLD-SERVERS.NET. 172800 IN A 192.43.172.30
B.GTLD-SERVERS.NET. 172800 IN AAAA 2001:503:231d::2:30
B.GTLD-SERVERS.NET. 172800 IN A 192.33.14.30
D.GTLD-SERVERS.NET. 172800 IN A 192.31.80.30
L.GTLD-SERVERS.NET. 172800 IN A 192.41.162.30
F.GTLD-SERVERS.NET. 172800 IN A 192.35.51.30
J.GTLD-SERVERS.NET. 172800 IN A 192.48.79.30
K.GTLD-SERVERS.NET. 172800 IN A 192.52.178.30
E.GTLD-SERVERS.NET. 172800 IN A 192.12.94.30
M.GTLD-SERVERS.NET. 172800 IN A 192.55.83.30

;; Query time: 78 msec
;; SERVER: 198.41.0.4#53(198.41.0.4)
;; WHEN: Thu Dec 9 08:10:38 2004
;; MSG SIZE rcvd: 509

[root@mynameserver root]# dig soa com +norec @198.41.0.4 +bufsize=4096

; <<>> DiG 9.2.4 <<>> soa com +norec @198.41.0.4 +bufsize=4096
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 10743
;; flags: qr; QUERY: 1, ANSWER: 0, AUTHORITY: 13, ADDITIONAL: 16

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;com. IN SOA

;; AUTHORITY SECTION:
com. 172800 IN NS A.GTLD-SERVERS.NET.
com. 172800 IN NS G.GTLD-SERVERS.NET.
com. 172800 IN NS H.GTLD-SERVERS.NET.
com. 172800 IN NS C.GTLD-SERVERS.NET.
com. 172800 IN NS I.GTLD-SERVERS.NET.
com. 172800 IN NS B.GTLD-SERVERS.NET.
com. 172800 IN NS D.GTLD-SERVERS.NET.
com. 172800 IN NS L.GTLD-SERVERS.NET.
com. 172800 IN NS F.GTLD-SERVERS.NET.
com. 172800 IN NS J.GTLD-SERVERS.NET.
com. 172800 IN NS K.GTLD-SERVERS.NET.
com. 172800 IN NS E.GTLD-SERVERS.NET.
com. 172800 IN NS M.GTLD-SERVERS.NET.

;; ADDITIONAL SECTION:
A.GTLD-SERVERS.NET. 172800 IN AAAA 2001:503:a83e::2:30
A.GTLD-SERVERS.NET. 172800 IN A 192.5.6.30
G.GTLD-SERVERS.NET. 172800 IN A 192.42.93.30
H.GTLD-SERVERS.NET. 172800 IN A 192.54.112.30
C.GTLD-SERVERS.NET. 172800 IN A 192.26.92.30
I.GTLD-SERVERS.NET. 172800 IN A 192.43.172.30
B.GTLD-SERVERS.NET. 172800 IN AAAA 2001:503:231d::2:30
B.GTLD-SERVERS.NET. 172800 IN A 192.33.14.30
D.GTLD-SERVERS.NET. 172800 IN A 192.31.80.30
L.GTLD-SERVERS.NET. 172800 IN A 192.41.162.30
F.GTLD-SERVERS.NET. 172800 IN A 192.35.51.30
J.GTLD-SERVERS.NET. 172800 IN A 192.48.79.30
K.GTLD-SERVERS.NET. 172800 IN A 192.52.178.30
E.GTLD-SERVERS.NET. 172800 IN A 192.12.94.30
M.GTLD-SERVERS.NET. 172800 IN A 192.55.83.30

;; Query time: 86 msec
;; SERVER: 198.41.0.4#53(198.41.0.4)
;; WHEN: Thu Dec 9 08:10:46 2004
;; MSG SIZE rcvd: 520