Michelle Sullivan wrote:
Stephane Bortzmeyer wrote:
On Mon, Feb 15, 2010 at 10:22:17AM +0100, Michelle Sullivan <michelle@sorbs.net> wrote a message of 185 lines which said:
213.in-addr.arpa. 86400 IN NS NS-PRI.RIPE.NET.
213.in-addr.arpa. 86400 IN NS NS3.NIC.FR.
213.in-addr.arpa. 86400 IN NS SUNIC.SUNET.SE.
213.in-addr.arpa. 86400 IN NS SNS-PB.ISC.ORG.
213.in-addr.arpa. 86400 IN NS SEC1.APNIC.NET.
213.in-addr.arpa. 86400 IN NS SEC3.APNIC.NET.
213.in-addr.arpa. 86400 IN NS TINNIE.ARIN.NET.
;; Received 224 bytes from 192.228.79.201#53(B.ROOT-SERVERS.NET) in 20011 ms
;; connection timed out; no servers could be reached
It is highly improbable that all these name servers are unreachable from you. Therefore, I suspect that *content* is the issue. RIPE-NCC zones are signed with DNSSEC. Are you sure you do not have a broken middlebox which deletes DNSSEC-signed answers?
(I tried from a US/Datotel/Level3 machine and everything works.)
Thanks... F**Kin' PIXs!
Then again....

michelle@enigma:~$ dig +trace +bufsize=512 -x 81.255.164.225

; <<>> DiG 9.3.3 <<>> +trace +bufsize=512 -x 81.255.164.225
;; global options: printcmd
. 352606 IN NS L.ROOT-SERVERS.NET.
. 352606 IN NS M.ROOT-SERVERS.NET.
. 352606 IN NS A.ROOT-SERVERS.NET.
. 352606 IN NS B.ROOT-SERVERS.NET.
. 352606 IN NS C.ROOT-SERVERS.NET.
. 352606 IN NS D.ROOT-SERVERS.NET.
. 352606 IN NS E.ROOT-SERVERS.NET.
. 352606 IN NS F.ROOT-SERVERS.NET.
. 352606 IN NS G.ROOT-SERVERS.NET.
. 352606 IN NS H.ROOT-SERVERS.NET.
. 352606 IN NS I.ROOT-SERVERS.NET.
. 352606 IN NS J.ROOT-SERVERS.NET.
. 352606 IN NS K.ROOT-SERVERS.NET.
;; Received 511 bytes from 111.125.160.132#53(111.125.160.132) in 1 ms

81.in-addr.arpa. 86400 IN NS SNS-PB.ISC.ORG.
81.in-addr.arpa. 86400 IN NS TINNIE.ARIN.NET.
81.in-addr.arpa. 86400 IN NS NS3.NIC.FR.
81.in-addr.arpa. 86400 IN NS SEC1.APNIC.NET.
81.in-addr.arpa. 86400 IN NS SEC3.APNIC.NET.
81.in-addr.arpa. 86400 IN NS SUNIC.SUNET.SE.
81.in-addr.arpa. 86400 IN NS NS-PRI.RIPE.NET.
;; Received 235 bytes from 192.228.79.201#53(B.ROOT-SERVERS.NET) in 179 ms

;; connection timed out; no servers could be reached

michelle@enigma:~$ dig +bufsize=4096 -x 81.255.164.225 @NS3.NIC.FR

; <<>> DiG 9.3.3 <<>> +bufsize=4096 -x 81.255.164.225 @NS3.NIC.FR
; (2 servers found)
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 52112
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 3, ADDITIONAL: 3

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;225.164.255.81.in-addr.arpa. IN PTR

;; AUTHORITY SECTION:
255.81.in-addr.arpa. 172800 IN NS proof.rain.fr.
255.81.in-addr.arpa. 172800 IN NS ns.ripe.net.
255.81.in-addr.arpa. 172800 IN NS bow.rain.fr.

;; ADDITIONAL SECTION:
ns.ripe.net. 172800 IN A 193.0.0.193
ns.ripe.net. 172800 IN AAAA 2001:610:240:0:53::193

;; Query time: 320 msec
;; SERVER: 192.134.0.49#53(192.134.0.49)
;; WHEN: Mon Feb 15 23:37:36 2010
;; MSG SIZE rcvd: 170

michelle@enigma:~$ dig +bufsize=4096 -x 81.255.164.225 @SEC3.APNIC.NET

; <<>> DiG 9.3.3 <<>> +bufsize=4096 -x 81.255.164.225 @SEC3.APNIC.NET
; (2 servers found)
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 32853
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 3, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;225.164.255.81.in-addr.arpa. IN PTR

;; AUTHORITY SECTION:
255.81.in-addr.arpa. 172800 IN NS ns.ripe.net.
255.81.in-addr.arpa. 172800 IN NS bow.rain.fr.
255.81.in-addr.arpa. 172800 IN NS proof.rain.fr.

;; Query time: 200 msec
;; SERVER: 202.12.28.140#53(202.12.28.140)
;; WHEN: Mon Feb 15 23:29:41 2010
;; MSG SIZE rcvd: 126

michelle@enigma:~$ dig +bufsize=4096 -x 81.255.164.225 @ns.ripe.net.

; <<>> DiG 9.3.3 <<>> +bufsize=4096 -x 81.255.164.225 @ns.ripe.net.
; (2 servers found)
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1316
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 2, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;225.164.255.81.in-addr.arpa. IN PTR

;; AUTHORITY SECTION:
164.255.81.in-addr.arpa. 3600 IN NS proof.rain.fr.
164.255.81.in-addr.arpa. 3600 IN NS bow.rain.fr.

;; Query time: 322 msec
;; SERVER: 193.0.0.193#53(193.0.0.193)
;; WHEN: Mon Feb 15 23:30:03 2010
;; MSG SIZE rcvd: 101

michelle@enigma:~$ dig +bufsize=4096 -x 81.255.164.225 @proof.rain.fr.

; <<>> DiG 9.3.3 <<>> +bufsize=4096 -x 81.255.164.225 @proof.rain.fr.
; (1 server found)
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 5704
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 2

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;225.164.255.81.in-addr.arpa. IN PTR

;; ANSWER SECTION:
225.164.255.81.in-addr.arpa. 3600 IN PTR mail.pharaon.fr.

;; AUTHORITY SECTION:
164.255.81.in-addr.arpa. 3600 IN NS 194.51.3.65.
164.255.81.in-addr.arpa. 3600 IN NS bow.rain.fr.

;; ADDITIONAL SECTION:
bow.rain.fr. 83600 IN A 194.51.3.49

;; Query time: 326 msec
;; SERVER: 194.51.3.65#53(194.51.3.65)
;; WHEN: Mon Feb 15 23:30:14 2010
;; MSG SIZE rcvd: 149

michelle@enigma:~$ dig +bufsize=4096 -x 81.255.164.225 @bow.rain.fr.

; <<>> DiG 9.3.3 <<>> +bufsize=4096 -x 81.255.164.225 @bow.rain.fr.
; (1 server found)
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 22282
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 2

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;225.164.255.81.in-addr.arpa. IN PTR

;; ANSWER SECTION:
225.164.255.81.in-addr.arpa. 3600 IN PTR mail.pharaon.fr.

;; AUTHORITY SECTION:
164.255.81.in-addr.arpa. 3600 IN NS 194.51.3.65.
164.255.81.in-addr.arpa. 3600 IN NS bow.rain.fr.

;; ADDITIONAL SECTION:
bow.rain.fr. 83600 IN A 194.51.3.49

;; Query time: 340 msec
;; SERVER: 194.51.3.49#53(194.51.3.49)
;; WHEN: Mon Feb 15 23:30:54 2010
;; MSG SIZE rcvd: 149

michelle@enigma:~$ dig +bufsize=4096 -x 81.255.164.225 @SNS-PB.ISC.ORG

; <<>> DiG 9.3.3 <<>> +bufsize=4096 -x 81.255.164.225 @SNS-PB.ISC.ORG
; (2 servers found)
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 9273
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 3, ADDITIONAL: 3

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;225.164.255.81.in-addr.arpa. IN PTR

;; AUTHORITY SECTION:
255.81.in-addr.arpa. 172800 IN NS bow.rain.fr.
255.81.in-addr.arpa. 172800 IN NS ns.ripe.net.
255.81.in-addr.arpa. 172800 IN NS proof.rain.fr.

;; ADDITIONAL SECTION:
ns.ripe.net. 172800 IN A 193.0.0.193
ns.ripe.net. 172800 IN AAAA 2001:610:240:0:53::193

;; Query time: 183 msec
;; SERVER: 192.5.4.1#53(192.5.4.1)
;; WHEN: Mon Feb 15 23:31:20 2010
;; MSG SIZE rcvd: 170

michelle@enigma:~$ dig -x 81.255.164.225 @SNS-PB.ISC.ORG

; <<>> DiG 9.3.3 <<>> -x 81.255.164.225 @SNS-PB.ISC.ORG
; (2 servers found)
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 2301
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 3, ADDITIONAL: 2

;; QUESTION SECTION:
;225.164.255.81.in-addr.arpa. IN PTR

;; AUTHORITY SECTION:
255.81.in-addr.arpa. 172800 IN NS bow.rain.fr.
255.81.in-addr.arpa. 172800 IN NS proof.rain.fr.
255.81.in-addr.arpa. 172800 IN NS ns.ripe.net.

;; ADDITIONAL SECTION:
ns.ripe.net. 172800 IN A 193.0.0.193
ns.ripe.net. 172800 IN AAAA 2001:610:240:0:53::193

;; Query time: 183 msec
;; SERVER: 192.5.4.1#53(192.5.4.1)
;; WHEN: Mon Feb 15 23:31:37 2010
;; MSG SIZE rcvd: 159

michelle@enigma:~$ dig +trace +bufsize=4096 -x 81.255.164.225

; <<>> DiG 9.3.3 <<>> +trace +bufsize=4096 -x 81.255.164.225
;; global options: printcmd
. 352340 IN NS H.ROOT-SERVERS.NET.
. 352340 IN NS I.ROOT-SERVERS.NET.
. 352340 IN NS J.ROOT-SERVERS.NET.
. 352340 IN NS K.ROOT-SERVERS.NET.
. 352340 IN NS L.ROOT-SERVERS.NET.
. 352340 IN NS M.ROOT-SERVERS.NET.
. 352340 IN NS A.ROOT-SERVERS.NET.
. 352340 IN NS B.ROOT-SERVERS.NET.
. 352340 IN NS C.ROOT-SERVERS.NET.
. 352340 IN NS D.ROOT-SERVERS.NET.
. 352340 IN NS E.ROOT-SERVERS.NET.
. 352340 IN NS F.ROOT-SERVERS.NET.
. 352340 IN NS G.ROOT-SERVERS.NET.
;; Received 643 bytes from 111.125.160.132#53(111.125.160.132) in 1 ms

81.in-addr.arpa. 86400 IN NS NS3.NIC.FR.
81.in-addr.arpa. 86400 IN NS SEC1.APNIC.NET.
81.in-addr.arpa. 86400 IN NS SEC3.APNIC.NET.
81.in-addr.arpa. 86400 IN NS SUNIC.SUNET.SE.
81.in-addr.arpa. 86400 IN NS NS-PRI.RIPE.NET.
81.in-addr.arpa. 86400 IN NS SNS-PB.ISC.ORG.
81.in-addr.arpa. 86400 IN NS TINNIE.ARIN.NET.
;; Received 235 bytes from 192.228.79.201#53(B.ROOT-SERVERS.NET) in 178 ms

;; connection timed out; no servers could be reached

... what am I missing? (Set the PIX v7.2.1 to allow DNS up to 4096 bytes - results are the same before and after)

Note: As far as I know lookups from this server worked until around Sept 09, the hosts changed from 203.15.51.32/27 to 111.125.160.129/26 at this time, they have been failing since.

Thanks,
Michelle
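
An added example, not part of the original thread: the EDNS0 OPT record that dig's +bufsize option puts in a query, the DO (DNSSEC OK) bit, and a simplified model of a middlebox that enforces a maximum DNS message length. The function names, the model and the 900-byte response size used to exercise it are assumptions constructed for illustration.

```python
import struct

def build_query(qname, qtype=12, bufsize=None, do=False, qid=0x1234):
    """DNS query for qname; bufsize adds the EDNS0 OPT record that dig +bufsize sends."""
    hdr = struct.pack("!6H", qid, 0x0100, 1, 0, 0, 1 if bufsize else 0)
    labels = qname.rstrip(".").split(".")
    q = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    q += struct.pack("!HH", qtype, 1)          # QTYPE (12 = PTR), QCLASS IN
    if not bufsize:
        return hdr + q
    # OPT RR: root name, TYPE 41, CLASS = UDP payload size,
    # TTL = extended rcode | version | flags, where DO is bit 0x8000 of the flags
    return hdr + q + b"\x00" + struct.pack("!HHIH", 41, bufsize, 0x8000 if do else 0, 0)

def _skip_name(msg, off):
    """Return the offset just past a domain name, compressed or not."""
    while True:
        n = msg[off]
        if n == 0:
            return off + 1
        if n & 0xC0 == 0xC0:                   # compression pointer is 2 bytes
            return off + 2
        off += 1 + n

def edns_params(msg):
    """Return (advertised_udp_size, do_bit); (512, False) when there is no OPT record."""
    _, _, qd, an, ns, ar = struct.unpack("!6H", msg[:12])
    off = 12
    for _ in range(qd):
        off = _skip_name(msg, off) + 4
    for _ in range(an + ns + ar):
        off = _skip_name(msg, off)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        if rtype == 41:
            return rclass, bool(ttl & 0x8000)
        off += 10 + rdlen
    return 512, False

def udp_outcome(query, response_len, inspect_limit):
    """Simplified model (assumption): what the client sees for a UDP response."""
    advertised, _ = edns_params(query)
    if response_len > advertised:
        return "truncated"    # server sets TC, client retries over TCP
    if response_len > inspect_limit:
        return "dropped"      # middlebox length check discards it, client times out
    return "delivered"
```

In this model a response that fits the size the client advertised but exceeds the middlebox's own limit is silently lost, which shows up as a timeout rather than as a truncated answer.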