PBM with RFC1035


pascal
10-18-2004, 09:51 PM
Hello,

I have a 3 name server setup

ns1 to ns3, from IP .142 to .144

A customer tried to edit his name servers at his registrar, but he got this error:


"Information sur la Zone
charentes.fr.
ns2.carat-hosting.com. 65.110.36.143
ns3.carat-hosting.com. 65.110.36.144


connectivité TCP (IP=65.110.36.144)


Résultat des tests
---- fatal ----
Le serveur n'écoute pas ou ne répond pas en TCP sur le port 53

Réf: IETF RFC1035 (p.32 4.2. Transport)

The DNS assumes that messages will be transmitted as datagrams or in a byte stream carried by a virtual circuit. While virtual circuits can be used for any DNS activity, datagrams are preferred for queries due to their lower overhead and better performance.

ns2.carat-hosting.com./65.110.36.143


Statut final
ECHEC
--------------------------------------------------------------------------------
Profile: afnic (delegation under .fr/.re done by AFNIC registry)
Statistics: 17 tests in 4.96 sec accross 2 nameservers
Release: ZoneCheck-2.0.4-AFNIC
Last generated: 2004/10/19 02:39 UTC


" Le serveur n'écoute pas ou ne répond pas en TCP sur le port 53"
means
The server doesn't listen or answer in TCP on port 53

It says to see IETF RFC1035 (p.32 4.2. Transport), page 32, point 4.2,
here: ftp://ftp.ietf.org/rfc/rfc1035.txt


here is the text

4.2.2. TCP usage

Messages sent over TCP connections use server port 53 (decimal). The
message is prefixed with a two byte length field which gives the message
length, excluding the two byte length field. This length field allows
the low-level processing to assemble a complete message before beginning
to parse it.

Several connection management policies are recommended:

- The server should not block other activities waiting for TCP
data.

- The server should support multiple connections.

- The server should assume that the client will initiate
connection closing, and should delay closing its end of the
connection until all outstanding client requests have been
satisfied.

- If the server needs to close a dormant connection to reclaim
resources, it should wait until the connection has been idle
for a period on the order of two minutes. In particular, the
server should allow the SOA and AXFR request sequence (which
begins a refresh operation) to be made on a single connection.
Since the server would be unable to answer queries anyway, a
unilateral close or reset may be used instead of a graceful
close.




I really don't understand what is happening, as it is the first time I have had this pbm.

(His registrar, OVH, wanted me to change my name servers because they were on the same IP: I did it, and now this :\ )

Do you have an idea?
What do I have to do?

Thanks

timryberg
10-18-2004, 11:16 PM
Do you have iptables installed (or something similar)? If so, check to see if that port is being blocked.

pascal
10-19-2004, 02:29 AM
That port isn't blocked.

Of course it's the first thing I checked.

I tried without iptables on, but anyway, I've created other domains, and there was no pbm, so .....

OVH and the AFNIC are really special, as they test that the name servers are not on the same IP/network/server.

I really don't know what to do.

The strangest thing is that it gives the same error with the Sago customer name server (ns1.cust.sagonet.com), but not with the Sago name server (ns1.sagonet.com).

Thanks

IWorx-Paul
10-19-2004, 02:42 AM
Since you're at Sago, you can use ns1.cust.sagonet.com or ns2.cust.sagonet.com as secondary DNS for those domains that require the name servers to be on different netblocks.

Paul

pascal
10-19-2004, 03:09 AM
Since you're at Sago, you can use ns1.cust.sagonet.com or ns2.cust.sagonet.com as secondary DNS for those domains that require the name servers to be on different netblocks.

Paul

Yep, but there is the error too :\

Check it here: http://www.afnic.fr/outils/zonecheck/form_en

IWorx-Paul
10-19-2004, 03:41 AM
This isn't making sense to me. They say that the server isn't listening on TCP port 53.

"Le serveur n'écoute pas ou ne répond pas en TCP sur le port 53"
"Server doesn't listen/answer on port 53 for TCP protocol"


This is absolutely true. That's because it's listening on the UDP protocol, just like their "Description" says it should:

"The DNS assumes that messages will be transmitted as datagrams or in a byte stream carried by a virtual circuit. While virtual circuits can be used for any DNS activity, datagrams are preferred for queries due to their lower overhead and better performance."

UDP == datagrams. DNS doesn't need to be on a TCP protocol. They say themselves that "datagrams (udp) are preferred".

I think you should ask them why they're FAILING adding nameservers when the servers use the "preferred" method!

Paul

pascal
10-19-2004, 04:03 AM
lol

thanks Paul :)

pascal
10-19-2004, 06:43 AM
OK, the pbm is this one.

The AFNIC is responsible for all .fr domains.

In IETF RFC1035 (p.32 4.2. Transport), page 32, point 4.2, here ftp://ftp.ietf.org/rfc/rfc1035.txt

it says:

The Internet supports name server access using TCP [RFC-793] on server
port 53 (decimal) as well as datagram access using UDP [RFC-768] on UDP
port 53 (decimal).


So the DNS server has to listen on both TCP port 53 and UDP port 53 ???

My tinydns listens on UDP port 53:


tcp 0 0 127.0.0.1:53 0.0.0.0:* LISTEN 4792/dnscache
udp 0 0 65.110.36.143:53 0.0.0.0:* 4814/tinydns
udp 0 0 65.110.36.140:53 0.0.0.0:* 4815/tinydns
udp 0 0 65.110.36.142:53 0.0.0.0:* 4812/tinydns
udp 0 0 65.110.36.146:53 0.0.0.0:* 4805/tinydns
udp 0 0 65.110.36.145:53 0.0.0.0:* 4807/tinydns
udp 0 0 65.110.36.144:53 0.0.0.0:* 4808/tinydns
udp 0 0 65.110.36.147:53 0.0.0.0:* 4802/tinydns
udp 0 0 65.110.36.148:53 0.0.0.0:* 4800/tinydns
udp 0 0 127.0.0.1:53 0.0.0.0:* 4792/dnscache
udp 0 0 65.110.36.149:53 0.0.0.0:* 4799/tinydns
udp 0 0 65.110.36.141:53 0.0.0.0:* 4791/tinydns


How do I set up tinydns to listen on TCP port 53 too?

Thank you
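A direct way to reproduce what ZoneCheck's "connectivité TCP" test is doing, given here as an added example that is not from this thread: it builds a DNS NS query, frames it with the two-byte length prefix from RFC 1035 section 4.2.2, sends it to a name server on TCP/53 and parses the NS answer back. The function names are my own, and the parser only covers what the check needs (NS answers and name-compression pointers).

```python
import socket
import struct

def build_query(name, qtype=2, txid=0x1234):
    """DNS query: 12-byte header (RD=1, one question) + QNAME + QTYPE, QCLASS IN."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(lab)]) + lab.encode() for lab in name.rstrip(".").split("."))
    return header + qname + b"\x00" + struct.pack("!HH", qtype, 1)

def frame_tcp(msg):
    """RFC 1035 4.2.2: prefix a two-byte length that excludes the prefix itself."""
    return struct.pack("!H", len(msg)) + msg

def read_name(msg, off):
    """Decode a domain name at off, following compression pointers; return (name, next)."""
    labels, end, jumped = [], off, False
    while True:
        ln = msg[off]
        if ln & 0xC0 == 0xC0:                        # pointer to an earlier name
            end = end if jumped else off + 2
            off, jumped = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF, True
            continue
        off += 1
        if ln == 0:
            return ".".join(labels), (end if jumped else off)
        labels.append(msg[off:off + ln].decode())
        off += ln

def parse_ns_answer(msg):
    """Return the sorted NS names in the answer section of an unframed response."""
    _, _, qd, an, _, _ = struct.unpack("!HHHHHH", msg[:12])
    off, names = 12, []
    for _ in range(qd):                              # skip the echoed question
        off = read_name(msg, off)[1] + 4
    for _ in range(an):
        off = read_name(msg, off)[1]
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 2:                               # NS record
            names.append(read_name(msg, off)[0])
        off += rdlen
    return sorted(names)

def tcp_ns_check(server_ip, zone, timeout=5):
    """What ZoneCheck's TCP test needs: an NS answer for zone from server_ip over TCP/53."""
    with socket.create_connection((server_ip, 53), timeout=timeout) as s:
        s.sendall(frame_tcp(build_query(zone)))
        f = s.makefile("rb")                         # read(n) blocks until n bytes or EOF
        (length,) = struct.unpack("!H", f.read(2))
        return parse_ns_answer(f.read(length))
```

A server that only listens on UDP/53 (as the netstat output above shows) fails at `create_connection`, which is exactly the "fatal" result ZoneCheck reports.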

pascal
10-20-2004, 12:37 AM
Thanks a ton to Paul, who resolved this PBM. He set up axfrdns.
But I'll let him explain what he did exactly.

I have only 2 words: THANK YOU (hmm, it's 2)

@+++

timryberg
10-20-2004, 08:19 PM
Glad you and Paul were able to resolve this. Sorry I wasn't more help :-)

pascal
11-06-2004, 08:13 PM
Hi Paul

I have a new pbm with this #!!#$@! dot fr zone.

In fact a lot of registrars let you set only 2 name servers, not 3 as I have.

The problem is that the satanic AFNIC zone check returns this error:


---- fatal ----
The nameserver list doesn't match the given one
The given nameserver list (ns1.carat-hosting.com., ns2.carat-hosting.com.) is not consistent with the one retrieved from the zone (ns1.carat-hosting.com., ns2.carat-hosting.com., ns3.carat-hosting.com.).

ns2.carat-hosting.com./65.110.36.143
ns1.carat-hosting.com./65.110.36.142


Final status
FAILURE (and 3 warning(s))


I've deleted the IP of my third name server at domainsite and asked them to delete this ns3.carat-hosting.com name server from their registry.

But the problem is the same. I was wondering if I might be keeping this information through the "axfrdns" on IP .144.

The strange thing is the result of a "dnsqr NS carat-hosting.com":

[root@padawan root]# dnsqr ns carat-hosting.com
2 carat-hosting.com:
71 bytes, 1+2+0+0 records, response, noerror
query: 2 carat-hosting.com
answer: carat-hosting.com 29156 NS ns1.carat-hosting.com
answer: carat-hosting.com 29156 NS ns2.carat-hosting.com


I do not see the ns3, so for me, on my computer and on the name server, there is no more ns3.

So, where does ns3 come from?
Do I have to stop the "axfrdns" on IP .144?

How do I do it? I didn't find any /root/data or data.cdb for this IP.

Thanks for your help

Geert
11-13-2004, 05:03 AM
Thanks a ton to Paul, who resolved this PBM.
He set up axfrdns. But I'll let him explain what he did exactly.


I would have loved to read more about this Paul!
Would you please give me a hint?

I'm actually going through the same hell with OVH and AFNIC, trying to register a .fr domain on ns2.dyxs.net (primary) and ns1.dyxs.net (secondary).

When I first registered dynamixs.fr, both these NS seemed to be OK for Zonecheck. Now, although nothing has changed in the configuration of the servers, I keep getting this error status when I try to register new domains:

"Le serveur n'écoute pas ou ne répond pas en UDP sur le port 53"

According to my hosting provider, port 53 is *not* blocked for UDP.

:confused:

Any help in this matter would be seriously appreciated...

Thanks,
Geert

pascal
11-13-2004, 06:49 AM
For a dot FR zone you have to first create the SiteWorx account.
It will create the DNS records for the given domain.

And after that, zonecheck will work.

If you have an error with TCP 53, you have to set up axfrdns.

Hope it will help

paulo
11-27-2009, 05:10 AM
If you have an error with TCP 53 you have to setup axfrdns



How do I create an axfrdns?

I also have the only worldwide registrar that requires those settings for a .fr domain.

Thank you in advance

Paulo

WebXtrA
12-03-2009, 09:19 PM
How to create an axfrdns?

You need this for .de and .fr domains (and maybe others). You could do the following on your InterWorx server (I guess; we do not use the InterWorx DNS servers, we have built our own separate djbdns servers for all our InterWorx servers):


useradd -d /var/djbdns/axfrdns -m -s /sbin/nologin axfrdns
axfrdns-conf axfrdns dnslog /var/djbdns/axfrdns /var/djbdns/tinydns <server dns ip>
echo ':allow,AXFR=""' > /var/djbdns/axfrdns/tcp
cd /var/djbdns/axfrdns/
make
ln -s /var/djbdns/axfrdns /service
Note: the lines

axfrdns-conf axfrdns dnslog /var/djbdns/axfrdns /var/djbdns/tinydns <server dns ip>
...
ln -s /var/djbdns/axfrdns /service

could also be:

axfrdns-conf axfrdns dnslog /var/djbdns/axfrdns-<server-dns-ip> /var/djbdns/tinydns-<server-dns-ip> <server dns ip>
...
ln -s /var/djbdns/axfrdns-<server-dns-ip> /service

In my opinion this could be an easy fix that could be included in the mainstream rpms of InterWorx-CP. This would make the DNS server RFC compliant, which is good in my opinion, although UDP is better, but who knows who is out there that needs TCP.
TCP and UDP port 53 should be opened, I guess, but I didn't check that now. We have been using this in a production environment for years now and are able to register .de and .fr domains on our nameservers.

And of course this is needed as well:
Since you're at Sago, you can use ns1.cust.sagonet.com or ns2.cust.sagonet.com as secondary DNS for those domains that require the name servers to be on different netblocks.

Paul

Gimly
12-15-2009, 09:37 AM
Hi All,

I have the same problem on my two iworx servers, and I executed the command lines quoted by WebXtrA, but the problem persists >_<.

You can see the result of the test here:

ZoneCheck Afnic Test (http://www.afnic.fr/outils/zonecheck/zc.cgi?zone=espace4you.com&ns0=&ips0=&ns1=&ips1=&ns2=&ips2=&ns3=&ips3=&ns4=&ips4=&ns5=&ips5=&ns6=&ips6=&ns7=&ips7=&intro=t&explain=t&details=t&progress=counter&report=byseverity&format=html&lang=en&errorlvl=&profile=afnic&chkmail=t&chkzone=t&chkrir=t&transp3=ipv4&transp3=ipv6&transp4=std)

Do you have an idea?

Thanks for your answers :)

WebXtrA
12-15-2009, 09:49 AM
Did you open both the TCP and UDP port 53 on your firewalls?

Gimly
12-15-2009, 09:50 AM
I have disabled the firewall and the problem is the same.

WebXtrA
12-15-2009, 09:54 AM
Is the axfrdns service running?
Do this:

ps aux| grep axfr

You should see something like this:

root 3148 0.0 0.1 1996 284 ? S Nov25 0:00 supervise axfrdns
root 3161 0.0 0.1 1892 304 ? S Nov25 0:01 tcpserver -vDRHl0 -x tcp.cdb -- 111.222.333.444 53 /usr/bin/axfrdns
root 19963 0.0 0.2 3240 512 pts/0 S+ 14:53 0:00 grep axfr

WebXtrA
12-15-2009, 09:56 AM
OK, forgot this in my post:

cd /var/djbdns/axfrdns/
make

Gimly
12-15-2009, 09:56 AM
This is the result of the command line:

root 1495 0.0 0.0 1520 252 ? S Dec14 0:00 readproctitle service errors: ...vise: fatal: unable to start axfrdns/run: file does not exist?supervise: fatal: unable to start axfrdns/run: file does not exist?supervise: fatal: unable to start axfrdns/run: file does not exist?supervise: fatal: unable to start axfrdns/run: file does not exist?supervise: fatal: unable to start axfrdns/run: file does not exist?supervise: fatal: unable to start axfrdns/run: file does not exist?
root 13285 0.0 0.0 1528 312 ? S 15:31 0:00 supervise axfrdns
root 16571 0.0 0.0 3920 696 pts/1 S+ 15:56 0:00 grep axfr

WebXtrA
12-15-2009, 09:59 AM
Yeah, forgot to mention this vital part:
OK, forgot this in my post:

cd /var/djbdns/axfrdns/
make

Gimly
12-15-2009, 10:47 AM
Thanks WebXtrA, but there is no makefile:

[root@ns2 ~]# cd /var/djbdns/axfrdns/
[root@ns2 axfrdns]# make
make: *** No targets specified and no makefile found. Stop.
[root@ns2 axfrdns]#


Thanks for your help :)

pascal
12-16-2009, 08:14 AM
Here are the steps I use to install axfrdns.
Be sure to replace all instances of IPADDRESS1 and IPADDRESS2 with the actual IP addresses you're using as your DNS servers.

# useradd axfrdns
# axfrdns-conf axfrdns dnslog /var/djbdns/axfrdns-IPADDRESS1 /var/djbdns/tinydns IPADDRESS1
# axfrdns-conf axfrdns dnslog /var/djbdns/axfrdns-IPADDRESS2 /var/djbdns/tinydns IPADDRESS2
# echo ':allow,AXFR=""' > /var/djbdns/axfrdns-IPADDRESS1/tcp
# echo ':allow,AXFR=""' > /var/djbdns/axfrdns-IPADDRESS2/tcp
# cd /var/djbdns/axfrdns-IPADDRESS1
# make
# cd /var/djbdns/axfrdns-IPADDRESS2
# make
# ln -s /var/djbdns/axfrdns-IPADDRESS1/ /service
# ln -s /var/djbdns/axfrdns-IPADDRESS2/ /service

pascal
12-16-2009, 08:18 AM
Thanks WebXtrA, but there is no makefile:



Thanks for your help :)

cd /var/djbdns/axfrdns-IPADDRESS1
make

Gimly
12-16-2009, 11:10 AM
Thanks pascal, for my ns2 your command lines worked fine, but for my ns1 they don't work :/. These are the command lines that I ran:


[root@ns1 service]# axfrdns-conf axfrdns dnslog /var/djbdns/axfrdns-87.98.153.17 /var/djbdns/tinydns 87.98.153.17
[root@ns1 service]# echo ':allow,AXFR=""' > /var/djbdns/axfrdns-87.98.153.17/tcp
[root@ns1 service]# cd /var/djbdns/axfrdns-87.98.153.17/
[root@ns1 axfrdns-87.98.153.17]# make
tcprules tcp.cdb tcp.tmp < tcp
[root@ns1 axfrdns-87.98.153.17]# ln -s /var/djbdns/axfrdns-87.98.153.17/ /service
[root@ns1 axfrdns-87.98.153.17]# svstat /service/axfrdns-87.98.153.17/
/service/axfrdns-87.98.153.17/: up (pid 22095) 1 seconds


You can see the axfrdns process runs, and when I launch the test, I have the same problem :(

Any idea? FWs are always disabled.

Thanks :)

pascal
12-16-2009, 11:18 AM
I'd delete every AXFRDNS related thing, and do it again.

Try to look at your logs..

I don't have access to an InterWorx box yet, so it's difficult to remember...

Gimly
12-22-2009, 09:29 AM
Thanks pascal for your help. In my iworx panel for the DNS log, I have this:

Unknown Log


And when I look at /var/log/dmesg,
there are no errors about djbdns/axfrdns.

Any idea ?

Thanks :)

IWorx-Paul
12-28-2009, 01:45 PM
Thanks pascal for your help. In my iworx panel for the DNS log, I have this:

Unknown Log


It'd probably be best to open a support ticket so we can see why the DNS logs aren't showing up in the interface.

Paul

Gimly
12-29-2009, 06:02 AM
OK, thanks Paul, I'll open a ticket for the log problem :)

Gimly
12-29-2009, 04:49 PM
I killed all the axfrdns processes and restarted the service, and now it works ... very stupid problem >_< but now it works ^^