Bennett, Steve wrote:

>We have two servers running BIND - one is running v9.2.1, the other is
>running v9.3.0. We're seeing problems resolving names in the GOV tld on
>the v9.3.0 server, and I can't see if this is a problem in BIND v9.3.0 or
>something wrong in the GOV. domain, or (most likely) something daft that
>I've done. It looks as though the v9.3.0 nameserver is unable to resolve
>anything in "GOV."
>
>I do see differences in response if I use "dig" to try and find
>nameservers in GOV compared to nameservers in other TLDs, for example,
>compare looking up the nameservers for "microsoft.com." and "nih.gov.":
>
> 1a) find the nameservers for "com."
> $dig ns com.
>
> ; <<>> DiG 9.3.0 <<>> ns com.
> ;; global options: printcmd
> com. 172800 IN NS k.gtld-servers.net.
> com. 172800 IN NS e.gtld-servers.net.
> com. 172800 IN NS m.gtld-servers.net.
> com. 172800 IN NS a.gtld-servers.net.
> com. 172800 IN NS g.gtld-servers.net.
> com. 172800 IN NS h.gtld-servers.net.
> com. 172800 IN NS c.gtld-servers.net.
> com. 172800 IN NS i.gtld-servers.net.
> com. 172800 IN NS b.gtld-servers.net.
> com. 172800 IN NS d.gtld-servers.net.
> com. 172800 IN NS l.gtld-servers.net.
> com. 172800 IN NS f.gtld-servers.net.
> com. 172800 IN NS j.gtld-servers.net.
>
> 1b) find "microsoft.com" nameservers:
> $dig @a.gtld-servers.net. ns microsoft.com.
>
> ; <<>> DiG 9.3.0 <<>> @a.gtld-servers.net. ns microsoft.com.
> ;; global options: printcmd
> microsoft.com. 172800 IN NS ns1.msft.net.
> microsoft.com. 172800 IN NS ns2.msft.net.
> microsoft.com. 172800 IN NS ns3.msft.net.
> microsoft.com. 172800 IN NS ns4.msft.net.
> microsoft.com. 172800 IN NS ns5.msft.net.
>
>This looks OK, but if I try the same for "nih.gov" (for example):
>
> 2a) find "gov" nameservers:
> $dig ns gov.
>
> ; <<>> DiG 9.3.0 <<>> ns gov.
> ;; global options: printcmd
> gov. 172800 IN NS c.gov.zoneedit.com.
> gov. 172800 IN NS b.gov.zoneedit.com.
> gov. 172800 IN NS a.gov.zoneedit.com.
> gov. 172800 IN NS g.gov.zoneedit.com.
> gov. 172800 IN NS f.gov.zoneedit.com.
> gov. 172800 IN NS e.gov.zoneedit.com.
> gov. 172800 IN NS d.gov.zoneedit.com.
>
> 2b) find "nih.gov" nameservers:
> $dig @a.gov.zoneedit.com. ns nih.gov.
>
> ; <<>> DiG 9.3.0 <<>> @a.gov.zoneedit.com. ns nih.gov.
> ;; global options: printcmd
>
>Shouldn't 2b return the list of nameservers for the domain "nih.gov"? If
>not, why not?
>

I assume, since you truncated the output, that you got some sort of
timeout for the 2b query. What happens if you try some of the other
nameservers for .gov? Do they all time out? If so, look at your
networking/firewall configuration. That query comes back just fine for me:

% dig @a.gov.zoneedit.com ns nih.gov

; <<>> DiG 9.2.2rc1 <<>> @a.gov.zoneedit.com ns nih.gov
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 64671
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 3, ADDITIONAL: 3

;; QUESTION SECTION:
;nih.gov. IN NS

;; AUTHORITY SECTION:
nih.gov. 10800 IN NS LHC.NLM.nih.gov.
nih.gov. 10800 IN NS NS.nih.gov.
nih.gov. 10800 IN NS NS2.nih.gov.

;; ADDITIONAL SECTION:
LHC.NLM.nih.gov. 10800 IN A 130.14.35.128
NS.nih.gov. 10800 IN A 128.231.128.251
NS2.nih.gov. 10800 IN A 128.231.64.1

;; Query time: 75 msec
;; SERVER: 216.55.155.29#53(a.gov.zoneedit.com)
;; WHEN: Mon Jan 31 20:31:38 2005
;; MSG SIZE rcvd: 130

%


- Kevin
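
The check suggested in the reply above, as an added example that is not part of the original thread: a shell helper that sends the step 2b query to each .gov nameserver from step 2a and labels every reply as a timeout, a referral (NOERROR with ANSWER: 0 and a non-empty AUTHORITY section, as in the output above), or something else. The function names `classify_dig` and `probe_parents` and the `+time=3 +tries=1` settings are assumptions of this example.

```bash
#!/usr/bin/env bash
# Added example (not from the thread): classify dig replies per nameserver.

# classify_dig: read dig output on stdin, print one word describing it.
classify_dig() {
    awk '
        /connection timed out|no servers could be reached/ { timeout = 1 }
        /->>HEADER<<-/ {
            # e.g. ";; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 64671"
            for (i = 1; i < NF; i++)
                if ($i == "status:") { status = $(i + 1); sub(/,/, "", status) }
        }
        /^;; flags:/ {
            # e.g. ";; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 3, ..."
            for (i = 1; i < NF; i++) {
                if ($i == "ANSWER:")    ans  = $(i + 1) + 0
                if ($i == "AUTHORITY:") auth = $(i + 1) + 0
            }
            seen = 1
        }
        END {
            if (timeout)                  { print "timeout" }
            else if (!seen)               { print "no-response" }
            else if (status != "NOERROR") { print "error:" status }
            else if (ans > 0)             { print "answer" }
            else if (auth > 0)            { print "referral" }
            else                          { print "empty" }
        }'
}

# probe_parents ZONE SERVER...: ask each SERVER for ZONE's NS records and
# print "server<TAB>classification". One try, 3 s timeout (assumed values).
probe_parents() {
    local zone=$1 srv
    shift
    for srv in "$@"; do
        printf '%s\t%s\n' "$srv" \
            "$(dig +time=3 +tries=1 "@$srv" ns "$zone" 2>&1 | classify_dig)"
    done
}

# Usage, with the server names listed in step 2a of the quoted message:
#   probe_parents nih.gov. a.gov.zoneedit.com. b.gov.zoneedit.com. \
#       c.gov.zoneedit.com. d.gov.zoneedit.com. e.gov.zoneedit.com. \
#       f.gov.zoneedit.com. g.gov.zoneedit.com.
```

If every server reports `timeout` from one host while the same query returns `referral` from another, the difference lies in the network path or firewall of the first host rather than in the GOV zone.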