DNS ed.gov translations
Peter Charbonneau
Peter.Charbonneau at williams.edu
Fri May 29 01:06:55 UTC 2009
On May 28, 2009, at 8:37 PM, Mark Andrews wrote:
>
> In message <C0FCEA35-9D75-4841-8FF4-1E7A68C17C0B at williams.edu>,
> Peter Charbonneau writes:
>> Greetings,
>>
>> Periodically, we loose the capability of translating .ed.gov names.
>>
>> Today, it seems that it is www.dl.ed.gov and www.fafsa.ed.gov that
>> will not translate.
>>
>> If I use dig .... I get:
>>
>> porthos2:~ pcharbon2$ dig +trace www.fafsa.ed.gov
>>
>> ; <<>> DiG 9.4.3-P1 <<>> +trace www.fafsa.ed.gov
>> ;; global options: printcmd
>> . 499251 IN NS L.ROOT-SERVERS.NET.
>> . 499251 IN NS M.ROOT-SERVERS.NET.
>> . 499251 IN NS H.ROOT-SERVERS.NET.
>> . 499251 IN NS D.ROOT-SERVERS.NET.
>> . 499251 IN NS A.ROOT-SERVERS.NET.
>> . 499251 IN NS K.ROOT-SERVERS.NET.
>> . 499251 IN NS B.ROOT-SERVERS.NET.
>> . 499251 IN NS G.ROOT-SERVERS.NET.
>> . 499251 IN NS E.ROOT-SERVERS.NET.
>> . 499251 IN NS I.ROOT-SERVERS.NET.
>> . 499251 IN NS J.ROOT-SERVERS.NET.
>> . 499251 IN NS C.ROOT-SERVERS.NET.
>> . 499251 IN NS F.ROOT-SERVERS.NET.
>> ;; Received 488 bytes from 137.165.4.21#53(137.165.4.21) in 2 ms
>>
>> gov. 172800 IN NS E.GOV.ZONEEDIT.COM.
>> gov. 172800 IN NS G.GOV.ZONEEDIT.COM.
>> gov. 172800 IN NS A.GOV.ZONEEDIT.COM.
>> gov. 172800 IN NS B.GOV.ZONEEDIT.COM.
>> gov. 172800 IN NS C.GOV.ZONEEDIT.COM.
>> gov. 172800 IN NS D.GOV.ZONEEDIT.COM.
>> gov. 172800 IN NS F.GOV.ZONEEDIT.COM.
>> ;; Received 274 bytes from 192.203.230.10#53(E.ROOT-SERVERS.NET) in
>> 82
>> ms
>>
>> ed.gov. 86400 IN NS eduptcdns02.ed.gov.
>> ed.gov. 86400 IN NS eduftcdns01.ed.gov.
>> ed.gov. 86400 IN NS eduftcdns02.ed.gov.
>> ed.gov. 86400 IN NS eduptcdns01.ed.gov.
>> ;; Received 202 bytes from 216.55.155.29#53(A.GOV.ZONEEDIT.COM) in
>> 84 ms
>>
>> dig: couldn't get address for 'eduftcdns01.ed.gov': not found
>> porthos2:~ pcharbon2$
>>
>>
>> It always seems to fail after the "third" lookup sequence.
>>
>> After about an hour (or two or eight) it starts working again for
>> some
>> period of time.
>>
>> I am out of troubleshooting tools and don't know where to go from
>> here. Any help would be greatly appreciated.
>>
>>
>>
>> PeteC
>>
>>
>> Peter Charbonneau
>> Sr. Network and Systems Administrator
>> Williams College
>> (413) 597-3408 (office)
>> (413) 822-2922 (cell)
>> OIT will NEVER ask for your password!
>
> What nameserver and version are you running?
> What options do you have turned on in the nameserver?
> What firewall settings do you have? Do you allow fragments
> through?
>
> Mark
> --
> Mark Andrews, ISC
> 1 Seymour St., Dundas Valley, NSW 2117, Australia
> PHONE: +61 2 9871 4742 INTERNET: marka at isc.org
Bind 9.4.2
-------------- named.conf options -----------------------------
options {
directory "/var/named"; // sets root dir, use full path to
escape
statistics-file "/var/named/named.stats"; // stats are your
friend
dump-file "/var/named/named.dump";
zone-statistics yes;
allow-recursion { 127.0.0.1; 137.165.0.0/16; }; // allow
recursive lookups
allow-transfer { none; }; // allow transfers to these IP's
notify no; // dont notify the above IP's when a zone is
updated, since we are a slave server
pid-file "/var/run/named/named.pid";
transfer-format many-answers; // Generates more efficient
zone transfers
listen-on { any; };
};
// Include logging config file
include "/var/named/conf/logging.conf";
// Include to ACLs
include "/var/named/conf/acls.conf";
// Include TSIG Keys
include "/etc/bind/keys.conf";
------------------------------------------------------------------------
Firewalls are Cisco ASAs that pass all traffic to/from the nameservers.
Fragments are allowed through.
What dig (above) shows is typical of the problem we see. We get to
that "tier" and one of the listed servers (in this case
eduftcdns01.ed.gov) fails to respond. If I try to ping it or
traceroute to it, I can't get to it. Shouldn't bind, then, try one of
the other three servers listed?
PeteC
Peter Charbonneau
Sr. Systems and Network Administrator
Williams College
(413) 597-3408 (D)
(413) 822-2922 (C)
More information about the NANOG
mailing list