PBM with RFC1035

Hello,

I have a 3 name server setup

ns1 to ns3 from ip .142 to .144

A customer tried to edit his name servers at his registrar but he got this error:

"Information sur la Zone
charentes.fr.
ns2.carat-hosting.com. 65.110.36.143
ns3.carat-hosting.com. 65.110.36.144

connectivité TCP (IP=65.110.36.144)

Résultat des tests
---- fatal ----
Le serveur n’écoute pas ou ne répond pas en TCP sur le port 53

Réf: IETF RFC1035 (p.32 4.2. Transport)

The DNS assumes that messages will be transmitted as datagrams or in a byte stream carried by a virtual circuit. While virtual circuits can be used for any DNS activity, datagrams are preferred for queries due to their lower overhead and better performance.

ns2.carat-hosting.com./65.110.36.143

Statut final
ECHEC

Profile: afnic (delegation under .fr/.re done by AFNIC registry)
Statistics: 17 tests in 4.96 sec accross 2 nameservers
Release: ZoneCheck-2.0.4-AFNIC
Last generated: 2004/10/19 02:39 UTC

"Le serveur n’écoute pas ou ne répond pas en TCP sur le port 53"
means
The server doesn’t listen or answer in TCP on port 53

It says to see IETF RFC1035 (p.32 4.2. Transport), page 32, point 4.2, here: ftp://ftp.ietf.org/rfc/rfc1035.txt

Here is the text:

4.2.2. TCP usage

Messages sent over TCP connections use server port 53 (decimal). The
message is prefixed with a two byte length field which gives the message
length, excluding the two byte length field. This length field allows
the low-level processing to assemble a complete message before beginning
to parse it.

Several connection management policies are recommended:

  • The server should not block other activities waiting for TCP
    data.

  • The server should support multiple connections.

  • The server should assume that the client will initiate
    connection closing, and should delay closing its end of the
    connection until all outstanding client requests have been
    satisfied.

  • If the server needs to close a dormant connection to reclaim
    resources, it should wait until the connection has been idle
    for a period on the order of two minutes. In particular, the
    server should allow the SOA and AXFR request sequence (which
    begins a refresh operation) to be made on a single connection.
    Since the server would be unable to answer queries anyway, a
    unilateral close or reset may be used instead of a graceful
    close.

I really don’t understand what is happening, as it is the first time I have had this problem.

(His registrar, OVH, wanted me to change my name servers because they were on the same IP: I did it, and now this :\ )

Do you have an idea?
What do I have to do?

Thanks

Do you have iptables installed (or something similar)? If so, check to see if that port is being blocked.

That port isn’t blocked.

Of course it’s the first thing I have checked.

I tried with iptables turned off, but anyway, I’ve created other domains, and there was no problem, so …

OVH and AFNIC are really special, as they test that the name servers are not on the same IP/network/server.

I really don’t know what to do.

The strangest thing is that it gives the same error with the Sago customer name server (ns1.cust.sagonet.com), but not with the Sago name server (ns1.sagonet.com).

Thanks

Since you’re at Sago, you can use ns1.cust.sagonet.com or ns2.cust.sagonet.com as secondary DNS for those domains that require the name servers to be on different netblocks.

Paul

Yep, but there is the error too :\

Check it here: http://www.afnic.fr/outils/zonecheck/form_en

This isn’t making sense to me. They say that the server isn’t listening on TCP port 53.

“Le serveur n’écoute pas ou ne répond pas en TCP sur le port 53”
“Server doesn’t listen/answer on port 53 for TCP protocol”

This is absolutely true. That’s because it’s listening on the UDP protocol, just like their “Description” says it should:

“The DNS assumes that messages will be transmitted as datagrams or in a byte stream carried by a virtual circuit. While virtual circuits can be used for any DNS activity, datagrams are preferred for queries due to their lower overhead and better performance.”

UDP == datagrams. DNS doesn’t need to be on a TCP protocol. They say themselves that “datagrams (udp) are preferred”.

I think you should ask them why they’re FAILING adding nameservers when the servers use the “preferred” method!

Paul

lol

thanks Paul :slight_smile:

OK, the problem is this one.

The AFNIC is responsible for all .fr domains.

In IETF RFC1035 (p.32 4.2. Transport), page 32, point 4.2, here: ftp://ftp.ietf.org/rfc/rfc1035.txt

it says:

The Internet supports name server access using TCP [RFC-793] on server
port 53 (decimal) as well as datagram access using UDP [RFC-768] on UDP
port 53 (decimal).

So the DNS server has to listen on both TCP port 53 and UDP port 53???

My tinydns listens on UDP port 53:

tcp 0 0 127.0.0.1:53 0.0.0.0:* LISTEN 4792/dnscache
udp 0 0 65.110.36.143:53 0.0.0.0:* 4814/tinydns
udp 0 0 65.110.36.140:53 0.0.0.0:* 4815/tinydns
udp 0 0 65.110.36.142:53 0.0.0.0:* 4812/tinydns
udp 0 0 65.110.36.146:53 0.0.0.0:* 4805/tinydns
udp 0 0 65.110.36.145:53 0.0.0.0:* 4807/tinydns
udp 0 0 65.110.36.144:53 0.0.0.0:* 4808/tinydns
udp 0 0 65.110.36.147:53 0.0.0.0:* 4802/tinydns
udp 0 0 65.110.36.148:53 0.0.0.0:* 4800/tinydns
udp 0 0 127.0.0.1:53 0.0.0.0:* 4792/dnscache
udp 0 0 65.110.36.149:53 0.0.0.0:* 4799/tinydns
udp 0 0 65.110.36.141:53 0.0.0.0:* 4791/tinydns

How do I set up tinydns to listen on TCP port 53 too?

Thank you

Thanks a ton to Paul who resolved this problem. He set up axfrdns,
but I’ll let him explain what he did exactly.

I have only 2 words: THANK YOU (hmm, it’s 2)

@+++

Glad you and Paul were able to resolve this. Sorry I wasn’t more help :slight_smile:

Hi Paul

I have a new problem on this #!!#$@! dot fr zone.

In fact a lot of registrars propose to change only 2 name servers, not 3 as I have.

The problem is the satanic AFNIC zone check returns this error:

---- fatal ----
The nameserver list doesn’t match the given one
The given nameserver list (ns1.carat-hosting.com., ns2.carat-hosting.com.) is not consistent with the one retrieved from the zone (ns1.carat-hosting.com., ns2.carat-hosting.com., ns3.carat-hosting.com.).

ns2.carat-hosting.com./65.110.36.143
ns1.carat-hosting.com./65.110.36.142

Final status
FAILURE (and 3 warning(s))

I’ve deleted the IP of my third name server at domainsite and asked them to delete this ns3.carat-hosting.com name server from their registry.

But the problem is the same. I was wondering if I might still be keeping this information through the “axfrdns” on IP .144.

The strange thing is the result of a “dnsqr NS carat-hosting.com”:

[root@padawan root]# dnsqr ns carat-hosting.com
2 carat-hosting.com:
71 bytes, 1+2+0+0 records, response, noerror
query: 2 carat-hosting.com
answer: carat-hosting.com 29156 NS ns1.carat-hosting.com
answer: carat-hosting.com 29156 NS ns2.carat-hosting.com

I do not see the ns3, so for me on my computer and on the name server there is no more ns3.

So, where does ns3 come from?
Do I have to stop the “axfrdns” on IP .144?

How do I do it? I didn’t find any /root/data or data.cdb for this IP.

Thanks for your help
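Two things ZoneCheck tests in this thread can be reproduced from the outside: the earlier failure, that the name server must answer on TCP port 53 with the two-byte length prefix RFC 1035 section 4.2.2 describes, and the failure in the post above, that the NS records the zone serves must match the list given to the registrar. The script below is an added example, not code from this thread, from djbdns or from InterWorx: it builds an NS query, frames it for TCP, parses the reply (including compression pointers) and compares the served NS set with the registrar's list. The server address and zone passed to probe() are placeholders, and the sample reply is constructed inline so the parsing and comparison can be exercised offline.

```python
"""Check a name server the way ZoneCheck does: NS query over UDP and over TCP
port 53 (RFC 1035 section 4.2), then compare the served NS set with the
registrar's list. Added example; not code from this thread or from djbdns."""
import socket
import struct

NS_TYPE = 2  # RR type code for NS


def build_query(name, qtype, qid=0x1234):
    """Minimal DNS query: header with one question, no recursion requested."""
    header = struct.pack("!HHHHHH", qid, 0x0000, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(lbl)]) + lbl.encode("ascii") for lbl in labels)
    return header + qname + b"\x00" + struct.pack("!HH", qtype, 1)


def frame_tcp(msg):
    """RFC 1035 4.2.2: over TCP the message is prefixed with its two-byte length."""
    return struct.pack("!H", len(msg)) + msg


def unframe_tcp(data):
    """Strip the two-byte length prefix; reject a truncated message."""
    if len(data) < 2 or len(data) < 2 + struct.unpack("!H", data[:2])[0]:
        raise ValueError("short TCP DNS message")
    return data[2:2 + struct.unpack("!H", data[:2])[0]]


def read_name(msg, off):
    """Decode a possibly compressed name; returns (name, offset after it)."""
    labels, end, jumped = [], None, False
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:  # compression pointer to an earlier name
            if not jumped:
                end = off + 2
            jumped = True
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels).lower(), (end if jumped else off)


def parse_ns_answers(msg):
    """Return (rcode, set of NS target names) from a DNS response."""
    _, flags, qd, an, _, _ = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):  # skip the question section
        _, off = read_name(msg, off)
        off += 4
    names = set()
    for _ in range(an):
        _, off = read_name(msg, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == NS_TYPE:
            names.add(read_name(msg, off)[0])
        off += rdlen
    return flags & 0xF, names


def compare_ns_lists(registrar_list, zone_ns):
    """The check behind 'The nameserver list doesn't match the given one'."""
    reg = {n.rstrip(".").lower() for n in registrar_list}
    return {"missing_from_registrar": sorted(zone_ns - reg),
            "missing_from_zone": sorted(reg - zone_ns)}


def probe(server_ip, zone, timeout=3.0):
    """NS query for zone at server_ip over UDP and TCP; result or error per transport."""
    query, results = build_query(zone, NS_TYPE), {}
    try:
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
            s.settimeout(timeout)
            s.sendto(query, (server_ip, 53))
            results["udp"] = parse_ns_answers(s.recv(4096))
    except OSError as exc:
        results["udp"] = "error: %s" % exc
    try:
        with socket.create_connection((server_ip, 53), timeout=timeout) as s:
            s.sendall(frame_tcp(query))
            buf = s.recv(4096)
            while len(buf) >= 2 and len(buf) < 2 + struct.unpack("!H", buf[:2])[0]:
                chunk = s.recv(4096)
                if not chunk:
                    break
                buf += chunk
            results["tcp"] = parse_ns_answers(unframe_tcp(buf))
    except (OSError, ValueError) as exc:
        results["tcp"] = "error: %s" % exc
    return results


def build_sample_response():
    """Constructed reply to 'carat-hosting.com NS' with two NS records;
    0xC00C is a compression pointer to the question name at offset 12."""
    question = build_query("carat-hosting.com", NS_TYPE)[12:]
    header = struct.pack("!HHHHHH", 0x1234, 0x8400, 1, 2, 0, 0)  # QR=1, AA=1
    def rr(label):
        rdata = bytes([len(label)]) + label.encode("ascii") + b"\xC0\x0C"
        return b"\xC0\x0C" + struct.pack("!HHIH", NS_TYPE, 1, 29156, len(rdata)) + rdata
    return header + question + rr("ns1") + rr("ns2")
```

For a live check, `probe("<NAME_SERVER_IP>", "<zone>")` returns one entry per transport; a server that only answers over UDP gives `"error: ..."` under `"tcp"`, which is the condition the AFNIC report flags. Feeding the `"udp"` or `"tcp"` NS set into `compare_ns_lists` with the registrar's list reproduces the second complaint: any name in `"missing_from_registrar"` is still served by the zone but was not declared, and any name in `"missing_from_zone"` was declared but is no longer served.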

I would have loved to read more about this Paul!
Would you please give me a hint?

I’m actually going through the same hell with OVH and AFNIC, trying to register a .fr domain on ns2.dyxs.net (primary) and ns1.dyxs.net (secondary).

When I first registered dynamixs.fr, both these NS seemed to be OK for Zonecheck. Now, although nothing has changed in the configuration of the servers, I keep getting this error status when I try to register new domains:

“Le serveur n’écoute pas ou ne répond pas en UDP sur le port 53”

According to my hosting provider, port 53 is not blocked for UDP.

:confused:

Any help in this matter would be seriously appreciated…

Thanks,
Geert

For a dot FR zone you have to first create the SiteWorx account.
It will create the DNS records for the given domain.

And after that ZoneCheck will work.

If you have an error with TCP 53 you have to set up axfrdns.

Hope it will help

How do I create an axfrdns?

I also have the only worldwide registrar that requires those settings for a .fr domain.

Thank you in advance

Paulo

You need this for .de and .fr domains (and maybe others); you could do the following on your InterWorx server (I guess; we do not use the InterWorx DNS servers, we have built our own separate djbdns servers for all our InterWorx servers):


useradd -d /var/djbdns/axfrdns -m -s /sbin/nologin axfrdns
axfrdns-conf axfrdns dnslog /var/djbdns/axfrdns /var/djbdns/tinydns <server dns ip>
echo ':allow,AXFR=""' > /var/djbdns/axfrdns/tcp
cd /var/djbdns/axfrdns/
make
ln -s /var/djbdns/axfrdns /service

Note:


.
axfrdns-conf axfrdns dnslog /var/djbdns/axfrdns /var/djbdns/tinydns <server dns ip>
.
.
.
ln -s /var/djbdns/axfrdns /service

could also be:


.
axfrdns-conf axfrdns dnslog /var/djbdns/axfrdns-<server-dns-ip> /var/djbdns/tinydns-<server-dns-ip>  <server dns ip>
.
.
.
ln -s /var/djbdns/axfrdns-<server-dns-ip>  /service
 

In my opinion this could be an easy fix that can be included in the mainstream rpms of interworx-CP. This would make the DNS server RFC compliant, which is good in my opinion, although UDP is better, but who knows who is out there that needs TCP.
TCP and UDP port 53 should be opened, I guess, but I didn’t check that now. We have been using this in a production environment for years now and are able to register .de and .fr domains on our nameservers.

And of course this is needed as well:

Quote (IWorx-Paul): Since you’re at Sago, you can use ns1.cust.sagonet.com or ns2.cust.sagonet.com as secondary DNS for those domains that require the name servers to be on different netblocks.

Hi All,

I have the same problem on my two iworx servers and I executed the command lines quoted by WebXtra, but the problem persists >_<.

You can see the result of the test here:

ZoneCheck Afnic Test

Do you have an idea?

Thanks for your answers :slight_smile:

Did you open both the TCP and UDP port 53 on your firewalls?

I have disabled the firewall and the problem is the same.

Is the axfrdns service running?
Do this:


ps aux | grep axfr

You should see something like this:


root      3148  0.0  0.1  1996  284 ?        S    Nov25   0:00 supervise axfrdns
root      3161  0.0  0.1  1892  304 ?        S    Nov25   0:01 tcpserver -vDRHl0 -x tcp.cdb -- 111.222.333.444 53 /usr/bin/axfrdns
root     19963  0.0  0.2  3240  512 pts/0    S+   14:53   0:00 grep axfr

OK, forgot this in my post:


cd /var/djbdns/axfrdns/
make