[CentOS] CentOS6 bind DLV problems

Fri Aug 16 09:53:49 UTC 2013
Tony Mountifield <tony at softins.co.uk>

In article <520D158F.9080008 at plnet.rs>,
Ljubomir Ljubojevic <centos at plnet.rs> wrote:
> On 08/14/2013 07:14 PM, Tony Mountifield wrote:
> > I have two CentOS6 boxes, both running Bind as a local resolver, with
> > what appears to me to be the same configuration as each other. I have
> > a problem on one but not the other, to do with DNSSEC Lookaside Validation.
> >
> > On the box with the problem, if I do: host www.bbc.co.uk
> > (for example), it sits there for a while, then gives me a timeout error.
> > I did some tests while running a tcpdump packet capture on udp port 53,
> > and I discovered that bind was fetching the correct answer normally,
> > and then performing a validation query to one of the DLV servers at ISC
> > (e.g.,, or It was not
> > receiving any reply. After several seconds, it tried another DLV server
> > and again received no reply.
> >
> > A similar test on the other box receives replies from ISC no problem.
> >
> > I have tried disabling iptables on the failing box, but that didn't help.
> > I'm assuming something in the request causes ISC to ignore it.
> >
> Have you tried to switch IP addresses and see if possible routing or 
> public IP denial is in place?

No, that's not easy to do, as the two boxes are in different providers
with specific assigned IP addresses.

I haven't had time to test more since my original posting, so any other
suggestions would be welcome too!

I guess I may have to go and subscribe to the bind list...
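
The tcpdump check described in the quoted message (match each outbound DNS query on UDP port 53 with its reply and see which servers never answer) can be scripted. This is an added example, not part of the original post; it assumes `tcpdump -n` text output, and the capture lines, addresses and the `DLV?` query-type label are constructed.

```python
import re
from collections import defaultdict

# Constructed tcpdump -n lines (documentation addresses, not from the post).
# The "DLV?" query-type label is an assumption; the parser accepts any
# token ending in "?" as the query type.
SAMPLE = """\
09:50:01.000100 IP 192.0.2.10.40001 > 198.51.100.53.53: 4660+ A? www.bbc.co.uk. (31)
09:50:01.020300 IP 198.51.100.53.53 > 192.0.2.10.40001: 4660 1/0/0 A 203.0.113.80 (47)
09:50:01.021000 IP 192.0.2.10.40002 > 198.51.100.7.53: 4661 [1au] DLV? www.bbc.co.uk.dlv.isc.org. (54)
09:50:05.021500 IP 192.0.2.10.40003 > 198.51.100.8.53: 4662 [1au] DLV? www.bbc.co.uk.dlv.isc.org. (54)
"""

LINE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>[\d.]+)\.(?P<sport>\d+) > "
    r"(?P<dst>[\d.]+)\.(?P<dport>\d+): (?P<id>\d+)(?P<rest>.*)$")
QUERY = re.compile(r"(?P<qtype>\S+)\? (?P<qname>\S+)")


def unanswered(capture):
    """Return {server_ip: [(timestamp, qtype, qname), ...]} for queries
    that have no matching reply anywhere in the capture."""
    pending = {}
    for line in capture.splitlines():
        m = LINE.match(line.strip())
        if not m:
            continue
        if m["dport"] == "53":      # outbound query from the resolver
            q = QUERY.search(m["rest"])
            if q:
                key = (m["src"], m["sport"], m["dst"], m["id"])
                pending[key] = (m["ts"], q["qtype"], q["qname"])
        elif m["sport"] == "53":    # reply: reverse the direction to find its query
            pending.pop((m["dst"], m["dport"], m["src"], m["id"]), None)
    by_server = defaultdict(list)
    for (_, _, server, _), info in pending.items():
        by_server[server].append(info)
    return dict(by_server)


if __name__ == "__main__":
    for server, queries in unanswered(SAMPLE).items():
        for ts, qtype, qname in queries:
            print(f"{server}: no reply to {qtype} {qname} sent at {ts}")
```

Running the same script over captures from both boxes shows whether the unanswered queries are limited to particular servers or query types.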

