From: Matthew Seaman
Date: Fri, 07 May 2010 09:02:13 +0100
To: Jonathan Chen
Cc: freebsd-questions@freebsd.org
Subject: Re: DNS not working since May 6 2010
Message-ID: <4BE3C905.2000207@infracaninophile.co.uk>

On 06/05/2010 21:40:02, Jonathan Chen wrote:

> I've got a small DNS server on my home network, and ever since May 6,
> 2010 (coincidentally DNSSEC root sign day), lookups on freebsd.org have
> started failing. e.g.:

Uh, the DURZ was installed on j.root; the last one of the root servers
to get it.  Besides, .org was DNSSEC signed way back in June 2009.  That
is not causing your problem here.

> ~,8:36am> dig www.freebsd.org a
>
> ; <<>> DiG 9.6.1-P3 <<>> www.freebsd.org a
> ;; global options: +cmd
> ;; connection timed out; no servers could be reached
>
> Lookups on other domains still appear to work, Google, OpenBSD, NetBSD,
> etc. Is anyone else seeing this? How do I fix it?

Works fine here:

% dig +short www.freebsd.org a
69.147.83.33

Hmmm.... DNS for freebsd.org is provided by ISC.  They had a fibre break
yesterday -- no idea whether it could have affected resolving
freebsd.org but it's worth trying again now it's all been repaired.

Otherwise, you need to work out why the DNS lookup is failing.  That
means turning up the logging on your recursive server and hunting for
clues.

Probably the biggest cause of DNS problems at the moment are firewalls
that do not handle large UDP packets properly and that interfere with
the EDNS and/or fall-back to TCP algorithms used.  You can test that
using:

https://www.dns-oarc.net/oarc/services/replysizetest

	Cheers,

	Matthew

-- 
Dr Matthew J Seaman MA, D.Phil.                   7 Priory Courtyard
                                                  Flat 3
PGP: http://www.infracaninophile.co.uk/pgpkey     Ramsgate
                                                  Kent, CT11 9PW
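
Added example (not part of the original message): a probe for the firewall failure mode described above. It compares a plain UDP query, an EDNS query advertising a 4096-byte buffer with the DO bit set, and a TCP query to the same server. The result labels returned by `classify`, the IPv4-only UDP socket and the command-line arguments are assumptions of this example.

```python
import socket
import struct
import sys

def build_query(name, qtype=1, bufsize=4096, do=True, txid=0x1234):
    """DNS query; bufsize=None omits the EDNS0 OPT record (RFC 6891)."""
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    msg = struct.pack("!6H", txid, 0x0100, 1, 0, 0, 0 if bufsize is None else 1)
    msg += qname + struct.pack("!HH", qtype, 1)
    if bufsize is not None:
        # OPT RR: root name, TYPE 41, CLASS = UDP payload size we accept,
        # TTL = ext-rcode | version | flags (DO = 0x8000), empty RDATA
        msg += b"\x00" + struct.pack("!HHIH", 41, bufsize, 0x8000 if do else 0, 0)
    return msg

def ask(server, query, tcp=False, timeout=3.0):
    """Send one query to server port 53; raw reply, or None on any failure."""
    try:
        if tcp:
            with socket.create_connection((server, 53), timeout) as s:
                s.sendall(struct.pack("!H", len(query)) + query)  # 2-byte length prefix
                f = s.makefile("rb")
                head = f.read(2)
                body = f.read(struct.unpack("!H", head)[0]) if len(head) == 2 else b""
                return body or None
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
            s.settimeout(timeout)
            s.sendto(query, (server, 53))
            return s.recvfrom(65535)[0]
    except OSError:  # timeouts, refusals, unreachable hosts
        return None

def classify(plain, edns, tcp):
    """Likely failure point from three probe results (None = no reply)."""
    if edns is None:
        if plain is not None:
            return "edns-dropped"   # EDNS query or its larger reply was filtered
        return "udp-blocked" if tcp is not None else "unreachable"
    if len(edns) >= 4 and struct.unpack("!H", edns[2:4])[0] & 0x0200:  # TC bit
        return "ok-via-tcp" if tcp is not None else "tcp-fallback-blocked"
    return "ok"

if __name__ == "__main__":
    srv, name = sys.argv[1], sys.argv[2]  # assumption: server IPv4 address, query name
    q = build_query(name)
    print(classify(ask(srv, build_query(name, bufsize=None)),
                   ask(srv, q), ask(srv, q, tcp=True)))
```

Run it on the recursive server's host against an authoritative server for the failing zone, so the probes cross the same firewall path as the resolver's own queries.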