topic new bind 9.9 and root NS take 2 in Operating System - Linux https://community.hpe.com/t5/operating-system-linux/new-bind-9-9-and-root-ns-take-2/m-p/5750435#M81481 <P>Hi;</P><P>&nbsp;</P><P>A short summary of the previous post: I have a client who's migrating from two old DNS physical servers to two new virtual ones running bind 9.9. &nbsp;I did their migration and, long story short, we're having problems getting the two new systems to talk to the root name servers. &nbsp;My two initial theories (new NS has to be registered to talk to root NS and issue w/DNSSEC) both proved to be incorrect which leaves something on the network.</P><P>&nbsp;</P><P>The core problem is that we cannot reach the root name servers via udp. &nbsp;We *can*, however, reach google's name servers via udp. &nbsp; &nbsp;We can also reach the root name servers via tcp...</P><P>&nbsp;</P><P># dig +novc @f.root-servers.net</P><P>; &lt;&lt;&gt;&gt; DiG 9.9.1-P1-RedHat-9.9.1-2.P1.fc17 &lt;&lt;&gt;&gt; +novc @f.root-servers.net<BR />; (1 server found)<BR />;; global options: +cmd<BR />;; connection timed out; no servers could be reached</P><P>&nbsp;</P><P># dig +noanswer +noquestion +novc @8.8.8.8</P><P>; &lt;&lt;&gt;&gt; DiG 9.9.1-P1-RedHat-9.9.1-2.P1.fc17 &lt;&lt;&gt;&gt; +noanswer +noquestion +novc @8.8.8.8<BR />; (1 server found)<BR />;; global options: +cmd<BR />;; Got answer:<BR />;; -&gt;&gt;HEADER&lt;&lt;- opcode: QUERY, status: NOERROR, id: 11665<BR />;; flags: qr rd ra; QUERY: 1, ANSWER: 13, AUTHORITY: 0, ADDITIONAL: 1</P><P>;; OPT PSEUDOSECTION:<BR />; EDNS: version: 0, flags:; udp: 512<BR />;; Query time: 13 msec<BR />;; SERVER: 8.8.8.8#53(8.8.8.8)<BR />;; WHEN: Thu Aug 2 08:52:09 2012<BR />;; MSG SIZE rcvd: 239</P><P>&nbsp;</P><P>and&nbsp;</P><P>&nbsp;</P><P># dig +noanswer +noadditional +noquestion +vc @f.root-servers.net</P><P>; &lt;&lt;&gt;&gt; DiG 9.9.1-P1-RedHat-9.9.1-2.P1.fc17 &lt;&lt;&gt;&gt; +noanswer +noadditional +noquestion +vc @f.root-servers.net<BR />; (1 server found)<BR />;; global options: +cmd<BR />;; Got answer:<BR />;; -&gt;&gt;HEADER&lt;&lt;- opcode: QUERY, status: NOERROR, id: 60360<BR />;; flags: qr aa rd; QUERY: 1, ANSWER: 13, AUTHORITY: 0, ADDITIONAL: 23<BR />;; WARNING: recursion requested but not available</P><P>;; OPT PSEUDOSECTION:<BR />; EDNS: version: 0, flags:; udp: 4096<BR />;; Query time: 77 msec<BR />;; SERVER: 192.5.5.241#53(192.5.5.241)<BR />;; WHEN: Thu Aug 2 08:55:19 2012<BR />;; MSG SIZE rcvd: 699</P><P>&nbsp;</P><P>So, short version: the new dns systems can send outbound udp packets; but, something is blocking those packets going to the root name servers. &nbsp;</P><P>&nbsp;</P><P>Has anyone seen anything like this and/or know what might be causing it? &nbsp;Failing that, does anyone know of a way to force recursions to use tcp vs udp?</P><P>&nbsp;</P><P>This one's just plain weird... appreciate any hints/tips/suggestions.</P><P>&nbsp;</P><P>Doug O'Leary</P> Thu, 02 Aug 2012 13:59:52 GMT Doug O'Leary 2012-08-02T13:59:52Z new bind 9.9 and root NS take 2 https://community.hpe.com/t5/operating-system-linux/new-bind-9-9-and-root-ns-take-2/m-p/5750435#M81481 <P>Hi;</P><P>&nbsp;</P><P>A short summary of the previous post: I have a client who's migrating from two old DNS physical servers to two new virtual ones running bind 9.9. &nbsp;I did their migration and, long story short, we're having problems getting the two new systems to talk to the root name servers. &nbsp;My two initial theories (new NS has to be registered to talk to root NS and issue w/DNSSEC) both proved to be incorrect which leaves something on the network.</P><P>&nbsp;</P><P>The core problem is that we cannot reach the root name servers via udp. &nbsp;We *can*, however, reach google's name servers via udp. &nbsp; &nbsp;We can also reach the root name servers via tcp...</P><P>&nbsp;</P><P># dig +novc @f.root-servers.net</P><P>; &lt;&lt;&gt;&gt; DiG 9.9.1-P1-RedHat-9.9.1-2.P1.fc17 &lt;&lt;&gt;&gt; +novc @f.root-servers.net<BR />; (1 server found)<BR />;; global options: +cmd<BR />;; connection timed out; no servers could be reached</P><P>&nbsp;</P><P># dig +noanswer +noquestion +novc @8.8.8.8</P><P>; &lt;&lt;&gt;&gt; DiG 9.9.1-P1-RedHat-9.9.1-2.P1.fc17 &lt;&lt;&gt;&gt; +noanswer +noquestion +novc @8.8.8.8<BR />; (1 server found)<BR />;; global options: +cmd<BR />;; Got answer:<BR />;; -&gt;&gt;HEADER&lt;&lt;- opcode: QUERY, status: NOERROR, id: 11665<BR />;; flags: qr rd ra; QUERY: 1, ANSWER: 13, AUTHORITY: 0, ADDITIONAL: 1</P><P>;; OPT PSEUDOSECTION:<BR />; EDNS: version: 0, flags:; udp: 512<BR />;; Query time: 13 msec<BR />;; SERVER: 8.8.8.8#53(8.8.8.8)<BR />;; WHEN: Thu Aug 2 08:52:09 2012<BR />;; MSG SIZE rcvd: 239</P><P>&nbsp;</P><P>and&nbsp;</P><P>&nbsp;</P><P># dig +noanswer +noadditional +noquestion +vc @f.root-servers.net</P><P>; &lt;&lt;&gt;&gt; DiG 9.9.1-P1-RedHat-9.9.1-2.P1.fc17 &lt;&lt;&gt;&gt; +noanswer +noadditional +noquestion +vc @f.root-servers.net<BR />; (1 server found)<BR />;; global options: +cmd<BR />;; Got answer:<BR />;; -&gt;&gt;HEADER&lt;&lt;- opcode: QUERY, status: NOERROR, id: 60360<BR />;; flags: qr aa rd; QUERY: 1, ANSWER: 13, AUTHORITY: 0, ADDITIONAL: 23<BR />;; WARNING: recursion requested but not available</P><P>;; OPT PSEUDOSECTION:<BR />; EDNS: version: 0, flags:; udp: 4096<BR />;; Query time: 77 msec<BR />;; SERVER: 192.5.5.241#53(192.5.5.241)<BR />;; WHEN: Thu Aug 2 08:55:19 2012<BR />;; MSG SIZE rcvd: 699</P><P>&nbsp;</P><P>So, short version: the new dns systems can send outbound udp packets; but, something is blocking those packets going to the root name servers. &nbsp;</P><P>&nbsp;</P><P>Has anyone seen anything like this and/or know what might be causing it? &nbsp;Failing that, does anyone know of a way to force recursions to use tcp vs udp?</P><P>&nbsp;</P><P>This one's just plain weird... appreciate any hints/tips/suggestions.</P><P>&nbsp;</P><P>Doug O'Leary</P> Thu, 02 Aug 2012 13:59:52 GMT https://community.hpe.com/t5/operating-system-linux/new-bind-9-9-and-root-ns-take-2/m-p/5750435#M81481 Doug O'Leary 2012-08-02T13:59:52Z