In article <520D158F.9080008@xxxxxxxx>,
Ljubomir Ljubojevic <centos@xxxxxxxx> wrote:
> On 08/14/2013 07:14 PM, Tony Mountifield wrote:
> > I have two CentOS6 boxes, both running Bind as a local resolver, with
> > what appears to me to be the same configuration as each other. I have
> > a problem on one but not the other, to do with DNSSEC Lookaside Validation.
> >
> > On the box with the problem, if I do: host www.bbc.co.uk 127.0.0.1
> > (for example), it sits there for a while, then gives me a timeout error.
> > I did some tests while running a tcpdump packet capture on udp port 53,
> > and I discovered that bind was fetching the correct answer normally,
> > and then performing a validation query to one of the DLV servers at ISC
> > (e.g. 199.6.0.29, 199.6.0.30, 199.6.1.29 or 199.6.1.30). It was not
> > receiving any reply. After several seconds, it tried another DLV server
> > and again received no reply.
> >
> > A similar test on the other box receives replies from ISC no problem.
> >
> > I have tried disabling iptables on the failing box, but that didn't help.
> > I'm assuming something in the request causes ISC to ignore it.
> >
>
> Have you tried to switch IP addresses and see if possible routing or
> public IP denial is in place?

No, that's not easy to do, as the two boxes are in different providers with
specific assigned IP addresses.

I haven't had time to test more since my original posting, so any other
suggestions would be welcome too! I guess I may have to go and subscribe
to the bind list...

Cheers
Tony
-- 
Tony Mountifield
Work: tony@xxxxxxxxxxxxx - http://www.softins.co.uk
Play: tony@xxxxxxxxxxxxxxx - http://tony.mountifield.org
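
The capture check described in the quoted message (watching udp port 53 for queries to the DLV servers that never get a reply) can be automated. The following is an added example, not part of the original thread: the function name is hypothetical, the sample lines are constructed to approximate `tcpdump -n` text output, and 192.0.2.10 and 198.51.100.53 are placeholder addresses.

```python
import re

# DLV server addresses named in the thread.
DLV_SERVERS = {"199.6.0.29", "199.6.0.30", "199.6.1.29", "199.6.1.30"}

# Header of a `tcpdump -n` text line for UDP DNS:
#   <time> IP <src>.<sport> > <dst>.<dport>: <query id>...
LINE_RE = re.compile(
    r"^\S+ IP (\d+\.\d+\.\d+\.\d+)\.(\d+) > (\d+\.\d+\.\d+\.\d+)\.(\d+): (\d+)"
)

def unanswered_dlv_queries(lines, servers=DLV_SERVERS):
    """Return {server_ip: [query ids]} for queries that never got a reply."""
    pending = set()  # (server ip, resolver source port, query id)
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        src, sport, dst, dport, qid = m.groups()
        if dport == "53" and dst in servers:
            pending.add((dst, sport, qid))        # outbound query to a DLV server
        elif sport == "53" and src in servers:
            pending.discard((src, dport, qid))    # reply with same port and id
    result = {}
    for server, _port, qid in sorted(pending):
        result.setdefault(server, []).append(int(qid))
    return result

# Constructed sample capture (not taken from the thread). Only the addresses,
# ports and query id are parsed; the rest of each line is illustrative.
SAMPLE_CAPTURE = [
    "19:14:01.050000 IP 192.0.2.10.41233 > 198.51.100.53.53: 4710+ A? www.bbc.co.uk. (31)",
    "19:14:01.090000 IP 198.51.100.53.53 > 192.0.2.10.41233: 4710 1/0/0 A 203.0.113.7 (47)",
    "19:14:01.100000 IP 192.0.2.10.41234 > 199.6.0.29.53: 4711+ [1au] DLV? bbc.co.uk.dlv.isc.org. (50)",
    "19:14:05.100000 IP 192.0.2.10.41235 > 199.6.0.30.53: 4712+ [1au] DLV? bbc.co.uk.dlv.isc.org. (50)",
    "19:14:09.100000 IP 192.0.2.10.41236 > 199.6.1.29.53: 4713+ [1au] DLV? bbc.co.uk.dlv.isc.org. (50)",
    "19:14:09.150000 IP 199.6.1.29.53 > 192.0.2.10.41236: 4713 NXDomain*- 0/6/1 (600)",
]

if __name__ == "__main__":
    for server, ids in unanswered_dlv_queries(SAMPLE_CAPTURE).items():
        print(f"{server}: no reply to query ids {ids}")
```

Running the same function over captures from both boxes shows whether the silence is specific to certain DLV servers or affects all of them from one source address.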