Re: DNS ed.gov translations

[Peter Charbonneau <Peter.Charbonneau () williams edu>]

On May 28, 2009, at 8:37 PM, Mark Andrews wrote:

> In message <C0FCEA35-9D75-4841-8FF4-1E7A68C17C0B () williams edu>,  
> Peter Charbonneau writes:
> > Greetings,
> >
> >   Periodically, we loose the capability of translating .ed.gov names.
> >
> >   Today, it seems that it is www.dl.ed.gov and www.fafsa.ed.gov that
> > will not translate.
> >
> > If I use dig .... I get:
> >
> > porthos2:~ pcharbon2$ dig +trace www.fafsa.ed.gov
> >
> > ; <<>> DiG 9.4.3-P1 <<>> +trace www.fafsa.ed.gov
> > ;; global options:  printcmd
> > .                       499251  IN      NS      L.ROOT-SERVERS.NET.
> > .                       499251  IN      NS      M.ROOT-SERVERS.NET.
> > .                       499251  IN      NS      H.ROOT-SERVERS.NET.
> > .                       499251  IN      NS      D.ROOT-SERVERS.NET.
> > .                       499251  IN      NS      A.ROOT-SERVERS.NET.
> > .                       499251  IN      NS      K.ROOT-SERVERS.NET.
> > .                       499251  IN      NS      B.ROOT-SERVERS.NET.
> > .                       499251  IN      NS      G.ROOT-SERVERS.NET.
> > .                       499251  IN      NS      E.ROOT-SERVERS.NET.
> > .                       499251  IN      NS      I.ROOT-SERVERS.NET.
> > .                       499251  IN      NS      J.ROOT-SERVERS.NET.
> > .                       499251  IN      NS      C.ROOT-SERVERS.NET.
> > .                       499251  IN      NS      F.ROOT-SERVERS.NET.
> > ;; Received 488 bytes from 137.165.4.21#53(137.165.4.21) in 2 ms
> >
> > gov.                    172800  IN      NS      E.GOV.ZONEEDIT.COM.
> > gov.                    172800  IN      NS      G.GOV.ZONEEDIT.COM.
> > gov.                    172800  IN      NS      A.GOV.ZONEEDIT.COM.
> > gov.                    172800  IN      NS      B.GOV.ZONEEDIT.COM.
> > gov.                    172800  IN      NS      C.GOV.ZONEEDIT.COM.
> > gov.                    172800  IN      NS      D.GOV.ZONEEDIT.COM.
> > gov.                    172800  IN      NS      F.GOV.ZONEEDIT.COM.
> > ;; Received 274 bytes from 192.203.230.10#53(E.ROOT-SERVERS.NET) in  
> > 82
> > ms
> >
> > ed.gov.                 86400   IN      NS      eduptcdns02.ed.gov.
> > ed.gov.                 86400   IN      NS      eduftcdns01.ed.gov.
> > ed.gov.                 86400   IN      NS      eduftcdns02.ed.gov.
> > ed.gov.                 86400   IN      NS      eduptcdns01.ed.gov.
> > ;; Received 202 bytes from 216.55.155.29#53(A.GOV.ZONEEDIT.COM) in  
> > 84 ms
> >
> > dig: couldn't get address for 'eduftcdns01.ed.gov': not found
> > porthos2:~ pcharbon2$
> >
> >
> > It always seems to fail after the "third" lookup sequence.
> >
> > After about an hour (or two or eight) it starts working again for  
> > some
> > period of time.
> >
> > I am out of troubleshooting tools and don't know where to go from
> > here.  Any help would be greatly appreciated.
> >
> >
> >
> > PeteC
> >
> >
> > Peter Charbonneau
> > Sr. Network and Systems Administrator
> > Williams College
> > (413) 597-3408 (office)
> > (413) 822-2922 (cell)
> > OIT will NEVER ask for your password!
>
>         What nameserver and version are you running?
>         What options do you have turned on in the nameserver?
>         What firewall settings do you have?  Do you allow fragments
>         through?
>         
>         Mark
> --
> Mark Andrews, ISC
> 1 Seymour St., Dundas Valley, NSW 2117, Australia
> PHONE: +61 2 9871 4742                 INTERNET: marka () isc org

Bind 9.4.2
--------------  named.conf options -----------------------------
options {
        directory "/var/named"; // sets root dir, use full path to  
escape
        statistics-file "/var/named/named.stats"; // stats are your  
friend
        dump-file "/var/named/named.dump";
        zone-statistics yes;
        allow-recursion { 127.0.0.1; 137.165.0.0/16; }; // allow  
recursive lookups
        allow-transfer { none; }; // allow transfers to these IP's
        notify no; // dont notify the above IP's when a zone is  
updated, since we are a slave server
        pid-file "/var/run/named/named.pid";
        transfer-format many-answers; // Generates more efficient  
zone transfers
        listen-on { any; };
};
// Include logging config file
include "/var/named/conf/logging.conf";

// Include to ACLs
include "/var/named/conf/acls.conf";

// Include TSIG Keys
include "/etc/bind/keys.conf";
------------------------------------------------------------------------
Firewalls are Cisco ASAs that pass all traffic to/from the nameservers.
Fragments are allowed through.

What dig (above) shows is typical of the problem we see.  We get to  
that "tier" and one of the listed servers (in this case  
eduftcdns01.ed.gov) fails to respond.  If I try to ping it or  
traceroute to it, I can't get to it.  Shouldn't bind, then, try one of  
the other three servers listed?


PeteC

Peter Charbonneau
Sr. Systems and Network Administrator
Williams College
(413) 597-3408 (D)
(413) 822-2922 (C)