Greetings,

Periodically, we lose the capability of translating .ed.gov names.

Today, it seems that it is www.dl.ed.gov and www.fafsa.ed.gov that will not translate.

If I use dig .... I get:

porthos2:~ pcharbon2$ dig +trace www.fafsa.ed.gov

; <<>> DiG 9.4.3-P1 <<>> +trace www.fafsa.ed.gov
;; global options: printcmd
. 499251 IN NS L.ROOT-SERVERS.NET.
. 499251 IN NS M.ROOT-SERVERS.NET.
. 499251 IN NS H.ROOT-SERVERS.NET.
. 499251 IN NS D.ROOT-SERVERS.NET.
. 499251 IN NS A.ROOT-SERVERS.NET.
. 499251 IN NS K.ROOT-SERVERS.NET.
. 499251 IN NS B.ROOT-SERVERS.NET.
. 499251 IN NS G.ROOT-SERVERS.NET.
. 499251 IN NS E.ROOT-SERVERS.NET.
. 499251 IN NS I.ROOT-SERVERS.NET.
. 499251 IN NS J.ROOT-SERVERS.NET.
. 499251 IN NS C.ROOT-SERVERS.NET.
. 499251 IN NS F.ROOT-SERVERS.NET.
;; Received 488 bytes from 137.165.4.21#53(137.165.4.21) in 2 ms

gov. 172800 IN NS E.GOV.ZONEEDIT.COM.
gov. 172800 IN NS G.GOV.ZONEEDIT.COM.
gov. 172800 IN NS A.GOV.ZONEEDIT.COM.
gov. 172800 IN NS B.GOV.ZONEEDIT.COM.
gov. 172800 IN NS C.GOV.ZONEEDIT.COM.
gov. 172800 IN NS D.GOV.ZONEEDIT.COM.
gov. 172800 IN NS F.GOV.ZONEEDIT.COM.
;; Received 274 bytes from 192.203.230.10#53(E.ROOT-SERVERS.NET) in 82 ms

ed.gov. 86400 IN NS eduptcdns02.ed.gov.
ed.gov. 86400 IN NS eduftcdns01.ed.gov.
ed.gov. 86400 IN NS eduftcdns02.ed.gov.
ed.gov. 86400 IN NS eduptcdns01.ed.gov.
;; Received 202 bytes from 216.55.155.29#53(A.GOV.ZONEEDIT.COM) in 84 ms

dig: couldn't get address for 'eduftcdns01.ed.gov': not found
porthos2:~ pcharbon2$

It always seems to fail after the "third" lookup sequence.

After about an hour (or two or eight) it starts working again for some period of time.

I am out of troubleshooting tools and don't know where to go from here. Any help would be greatly appreciated.

PeteC

Peter Charbonneau
Sr. Network and Systems Administrator
Williams College
(413) 597-3408 (office)
(413) 822-2922 (cell)
OIT will NEVER ask for your password!

What nameserver and version are you running?
What options do you have turned on in the nameserver?
What firewall settings do you have? Do you allow fragments through?

Mark
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742
INTERNET: marka@isc.org

On May 28, 2009, at 8:37 PM, Mark Andrews wrote:
> What nameserver and version are you running?
> What options do you have turned on in the nameserver?
> What firewall settings do you have? Do you allow fragments through?

Bind 9.4.2

-------------- named.conf options -----------------------------
options {
        directory "/var/named";  // sets root dir, use full path to escape
        statistics-file "/var/named/named.stats";  // stats are your friend
        dump-file "/var/named/named.dump";
        zone-statistics yes;
        allow-recursion { 127.0.0.1; 137.165.0.0/16; };  // allow recursive lookups
        allow-transfer { none; };  // allow transfers to these IP's
        notify no;  // don't notify the above IP's when a zone is updated, since we are a slave server
        pid-file "/var/run/named/named.pid";
        transfer-format many-answers;  // Generates more efficient zone transfers
        listen-on { any; };
};

// Include logging config file
include "/var/named/conf/logging.conf";

// Include to ACLs
include "/var/named/conf/acls.conf";

// Include TSIG Keys
include "/etc/bind/keys.conf";
------------------------------------------------------------------------

Firewalls are Cisco ASAs that pass all traffic to/from the nameservers. Fragments are allowed through.

What dig (above) shows is typical of the problem we see. We get to that "tier" and one of the listed servers (in this case eduftcdns01.ed.gov) fails to respond. If I try to ping it or traceroute to it, I can't get to it.

Shouldn't bind, then, try one of the other three servers listed?

PeteC

Peter Charbonneau
Sr. Systems and Network Administrator
Williams College
(413) 597-3408 (D)
(413) 822-2922 (C)

Hello!

On 29.05.2009, at 03:06, Peter Charbonneau wrote:
> Firewalls are Cisco ASAs that pass all traffic to/from the nameservers. Fragments are allowed through.

Is this the firewall formerly known as PIX? If so we had problems with our DNS server until we put the following line in our configuration:

fixup protocol dns maximum-length 4096

Maybe this helps.

So long
-Ralf
---
Ralf Weber
Platform Infrastructure Manager
Colt Telecom GmbH
Herriotstrasse 4
60528 Frankfurt
Germany
DDI: +49 (0)69 56606 2780
Internal OneDial: 8 491 2780
Fax: +49 (0)69 56606 6280
Email: rw@colt.net
http://www.colt.net/
Data | Voice | Managed Services
Protect your environment | Think first, then print
COLT Telecom GmbH, Herriotstraße 4, 60528 Frankfurt/Main, Germany * Tel +49 (0)69 56606 0 * Fax +49 (0)69 56606 2222 * Managing Directors: Dr. Jürgen Hernichel (Chair), Rita Thies * District Court Frankfurt/Main HRB 46123 * VAT ID DE 197 498 400

* Peter Charbonneau:

> ed.gov. 86400 IN NS eduptcdns02.ed.gov.
> ed.gov. 86400 IN NS eduftcdns01.ed.gov.
> ed.gov. 86400 IN NS eduftcdns02.ed.gov.
> ed.gov. 86400 IN NS eduptcdns01.ed.gov.
> ;; Received 202 bytes from 216.55.155.29#53(A.GOV.ZONEEDIT.COM) in 84 ms
>
> dig: couldn't get address for 'eduftcdns01.ed.gov': not found

This looks more like a "lack of glue" issue. The next time this happens, please use "dig www.fafsa.ed.gov +trace +all +norecurse" for diagnostics (one additional run with the "+dnssec" flag might be helpful, too).

--
Florian Weimer <fweimer@bfk.de>
BFK edv-consulting GmbH http://www.bfk.de/
Kriegsstraße 100 tel: +49-721-96201-1
D-76133 Karlsruhe fax: +49-721-96201-99
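
An added example, not part of the original thread: one way to check a referral for the "lack of glue" condition mentioned above is to parse the sections dig prints with all sections shown and list the NS names inside the delegated zone that have no A/AAAA record in the additional section. The sample referral is constructed (its addresses are RFC 5737 documentation addresses, not the real ed.gov servers), and the function names are hypothetical.

```python
# Added example (not from the thread): NS names that need glue but have none.
# SAMPLE is constructed in the style of dig output with all sections shown;
# addresses are RFC 5737 documentation addresses, not the real servers.
SAMPLE = """\
;; AUTHORITY SECTION:
ed.gov.              86400 IN NS eduptcdns02.ed.gov.
ed.gov.              86400 IN NS eduftcdns01.ed.gov.
ed.gov.              86400 IN NS eduftcdns02.ed.gov.
ed.gov.              86400 IN NS eduptcdns01.ed.gov.

;; ADDITIONAL SECTION:
eduptcdns01.ed.gov.  86400 IN A  192.0.2.1
eduptcdns02.ed.gov.  86400 IN A  192.0.2.2
eduftcdns02.ed.gov.  86400 IN A  192.0.2.4
"""


def parse_sections(text):
    """Return {section: [(owner, rtype, rdata), ...]} from dig-style output."""
    sections, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith(";;") and line.endswith("SECTION:"):
            current = line[2:].split()[0].lower()
            sections[current] = []
        elif line and not line.startswith(";") and current is not None:
            fields = line.split()
            if len(fields) >= 5:  # owner, ttl, class, type, rdata...
                sections[current].append(
                    (fields[0].lower(), fields[3].upper(), " ".join(fields[4:])))
    return sections


def in_bailiwick(name, zone):
    """True if name is at or below the delegated zone, so glue is required."""
    name, zone = name.lower().rstrip("."), zone.lower().rstrip(".")
    return not zone or name == zone or name.endswith("." + zone)


def missing_glue(text):
    """In-zone NS targets with no A/AAAA record in the ADDITIONAL section."""
    sec = parse_sections(text)
    glued = {o for o, t, _ in sec.get("additional", []) if t in ("A", "AAAA")}
    return sorted(
        rdata.lower() for owner, t, rdata in sec.get("authority", [])
        if t == "NS" and in_bailiwick(rdata, owner) and rdata.lower() not in glued)


if __name__ == "__main__":
    print(missing_glue(SAMPLE))
```

An empty result means every in-zone nameserver came with an address; any name returned has to be resolved some other way before the delegation can be followed through that server.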