problems with UA worldwide sites on IPv6 enabled PC

Mathias Koerber mathias at koerber.org
Sun May 1 14:44:40 UTC 2005


[X-post rec.travel.air, comp.protocols.dns.bind w/ Fup2 the latter
If this is considered offtopic for either, pls ignore ]


I have a problem using United Airlines' Singapore
site (www.unitedairlines.com.sg) from a PC which
is IPv6 enabled. When I turn off IPv6 totally
(which requires a restart every time), I can resolve
the site. With IPv6, resolution fails.

The problem lies in the fact that the nameservers
for www.unitedairlines.com.sg are misconfigured.
When my resolving nameserver is first asked for
an IPv6 address (AAAA record) for the site and
gets a NOERROR/0 (no AAAA record for that name)
it performs the required NS verification and promptly
declares the nameservers lame, so that the IPv4 address
query (A record) that follows immediately fails due
to lame nameservers. Without IPv6 support, the first
query is an A record query and succeeds. The nameserver
caches the data and thus the lameness does not hurt
as much, especially as it is not cached quite as long as
the A record.

Having been in discussions with UA support on this
for close to two weeks, they still deny that their
DNS is misconfigured.

I wonder whether anyone else has seen this problem or
can verify it independently. It seems that all UAL
worldwide sites are affected, but definitely
www.unitedairlines.com.sg and www.ual.com.sg.

If anyone else sees this and could confirm this problem
in an email to technicsal at uasupport.com (CC: to me please)
I would appreciate it. It seems that each email to them
received a different case-id. One you could
quote is 'KMM2535194V78842L0KM'

Mathias


Here is the detailed problem description I sent UAL on
this problem recently (KMM2534973V89232L0KM):

> 
> Let me try to show you again where the problem lies:
> 
> 
> 1. The domain unitedairlines.com.sg is delegated from the .SG domain
>    administrator (SGNIC) to your 2 nameservers dns01.uls-prod.com and
>    dns02.uls-prod.com: [correct]
> 
>   > [root at nano1 ~]# dig @ds.nic.net.sg unitedairlines.com.sg any
>   >
>   > ; <<>> DiG 9.3.0 <<>> @ds.nic.net.sg unitedairlines.com.sg any
>   > ;; global options:  printcmd
>   > ;; Got answer:
>   > ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 22877
>   > ;; flags: qr rd; QUERY: 1, ANSWER: 2, AUTHORITY: 2, ADDITIONAL: 0
>   >
>   > ;; QUESTION SECTION:
>   > ;unitedairlines.com.sg.         IN      ANY
>   >
>   > ;; ANSWER SECTION:
>   > unitedairlines.com.sg.  21600   IN      NS      dns01.uls-prod.com.
>   > unitedairlines.com.sg.  21600   IN      NS      dns02.uls-prod.com.
>   >
>   > ;; AUTHORITY SECTION:
>   > unitedairlines.com.sg.  21600   IN      NS      dns01.uls-prod.com.
>   > unitedairlines.com.sg.  21600   IN      NS      dns02.uls-prod.com.
>   >
>   > ;; Query time: 25 msec
>   > ;; SERVER: 202.42.194.205#53(ds.nic.net.sg)
>   > ;; WHEN: Sat Apr 30 10:10:46 2005
>   > ;; MSG SIZE  rcvd: 119
>   >
> 
> 2. Both of those nameservers do answer authoritatively for the domain
>    unitedairlines.com.sg: [correct]
> 
>   > [root at nano1 ~]# dig @dns01.uls-prod.com unitedairlines.com.sg any
>   >
>   > ; <<>> DiG 9.3.0 <<>> @dns01.uls-prod.com unitedairlines.com.sg any
>   > ;; global options:  printcmd
>   > ;; Got answer:
>   > ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 65378
>   > ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 2
>                  ^^
>   authoritative reply: GOOD!
> 
>   >
>   > ;; QUESTION SECTION:
>   > ;unitedairlines.com.sg.         IN      ANY
>   >
>   > ;; ANSWER SECTION:
>   > unitedairlines.com.sg.  86400   IN      SOA     netops.uls-prod.com. hostinfo.ualloyalty.com. 2003090301 10800 3600 604800 86400
>   > unitedairlines.com.sg.  86400   IN      NS      dns02.uls-prod.com.
>   > unitedairlines.com.sg.  86400   IN      NS      dns01.uls-prod.com.
>   >
>   > ;; ADDITIONAL SECTION:
>   > dns01.uls-prod.com.     86400   IN      A       209.87.112.200
>   > dns02.uls-prod.com.     86400   IN      A       209.87.113.200
>   >
>   > ;; Query time: 286 msec
>   > ;; SERVER: 209.87.112.200#53(dns01.uls-prod.com)
>   > ;; WHEN: Sat Apr 30 10:13:03 2005
>   > ;; MSG SIZE  rcvd: 186
>   >
>   > [root at nano1 ~]# dig @dns02.uls-prod.com unitedairlines.com.sg any
>   >
>   > ; <<>> DiG 9.3.0 <<>> @dns02.uls-prod.com unitedairlines.com.sg any
>   > ;; global options:  printcmd
>   > ;; Got answer:
>   > ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 54430
>   > ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 2
>                  ^^
>   authoritative reply: GOOD!
>   >
>   > ;; QUESTION SECTION:
>   > ;unitedairlines.com.sg.         IN      ANY
>   >
>   > ;; ANSWER SECTION:
>   > unitedairlines.com.sg.  86400   IN      SOA     netops.uls-prod.com. hostinfo.ualloyalty.com. 2003090301 10800 3600 604800 86400
>   > unitedairlines.com.sg.  86400   IN      NS      dns01.uls-prod.com.
>   > unitedairlines.com.sg.  86400   IN      NS      dns02.uls-prod.com.
>   >
>   > ;; ADDITIONAL SECTION:
>   > dns01.uls-prod.com.     86400   IN      A       209.87.112.200
>   > dns02.uls-prod.com.     86400   IN      A       209.87.113.200
>   >
>   > ;; Query time: 254 msec
>   > ;; SERVER: 209.87.113.200#53(dns02.uls-prod.com)
>   > ;; WHEN: Sat Apr 30 10:14:11 2005
>   > ;; MSG SIZE  rcvd: 186
> 
> 3. HOWEVER, both nameservers reply with a NON-AUTHORITATIVE answer when
>    queried for www.unitedairlines.com.sg [incorrect]
> 
>   > [root at nano1 ~]# dig @dns01.uls-prod.com www.unitedairlines.com.sg a
>   >
>   > ; <<>> DiG 9.3.0 <<>> @dns01.uls-prod.com www.unitedairlines.com.sg a
>   > ;; global options:  printcmd
>   > ;; Got answer:
>   > ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 52996
>   > ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 2
>               ^^^^^^^^^
>    no AA flag: answer is non-authoritative
>    (i.e., your server claims to not be a master server for that domain!)
> 
>   >
>   > ;; QUESTION SECTION:
>   > ;www.unitedairlines.com.sg.     IN      A
>   >
>   > ;; ANSWER SECTION:
>   > www.unitedairlines.com.sg. 0    IN      A       209.87.113.91
> 
>   an answer is still returned though..
> 
>   >
>   > ;; AUTHORITY SECTION:
>   > www.unitedairlines.com.sg. 86400 IN     NS      dc1lbs1.uls-prod.com.
>   > www.unitedairlines.com.sg. 86400 IN     NS      dc2lbs1.uls-prod.com.
> 
>   AH, interesting. dns01.uls-prod.com claims that
> www.unitedairlines.com.sg is its own subdomain and that the nameservers
> that should be queried are dc1lbs1.uls-prod.com and dc2lbs1.uls-prod.com.
> 
>   >
>   > ;; ADDITIONAL SECTION:
>   > dc1lbs1.uls-prod.com.   86400   IN      A       209.87.112.4
>   > dc2lbs1.uls-prod.com.   86400   IN      A       209.87.113.4
> 
> and it also gives us glue records with those servers' IP addresses:
> 
>   >
>   > ;; Query time: 290 msec
>   > ;; SERVER: 209.87.112.200#53(dns01.uls-prod.com)
>   > ;; WHEN: Sat Apr 30 10:17:51 2005
>   > ;; MSG SIZE  rcvd: 147
> 
> 
> We get the same answer when asking dns02.uls-prod.com:
> 
>   > [root at nano1 ~]# dig @dns02.uls-prod.com www.unitedairlines.com.sg a
>   >
>   > ; <<>> DiG 9.3.0 <<>> @dns02.uls-prod.com www.unitedairlines.com.sg a
>   > ;; global options:  printcmd
>   > ;; Got answer:
>   > ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 57359
>   > ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 2
>   >
>   > ;; QUESTION SECTION:
>   > ;www.unitedairlines.com.sg.     IN      A
>   >
>   > ;; ANSWER SECTION:
>   > www.unitedairlines.com.sg. 0    IN      A       209.87.113.91
>   >
>   > ;; AUTHORITY SECTION:
>   > www.unitedairlines.com.sg. 86400 IN     NS      dc2lbs1.uls-prod.com.
>   > www.unitedairlines.com.sg. 86400 IN     NS      dc1lbs1.uls-prod.com.
>   >
>   > ;; ADDITIONAL SECTION:
>   > dc1lbs1.uls-prod.com.   86400   IN      A       209.87.112.4
>   > dc2lbs1.uls-prod.com.   86400   IN      A       209.87.113.4
>   >
>   > ;; Query time: 264 msec
>   > ;; SERVER: 209.87.113.200#53(dns02.uls-prod.com)
>   > ;; WHEN: Sat Apr 30 10:17:56 2005
>   > ;; MSG SIZE  rcvd: 147
> 
> 4. Ok, let's ask dc1lbs1.uls-prod.com for an authoritative A record for
> www.unitedairlines.com.sg then as instructed by dns02.uls-prod.com:
> 
>   > [root at nano1 ~]# dig @dc2lbs1.uls-prod.com. www.unitedairlines.com.sg a
>   >
>   > ; <<>> DiG 9.3.0 <<>> @dc2lbs1.uls-prod.com. www.unitedairlines.com.sg a
>   > ;; global options:  printcmd
>   > ;; Got answer:
>   > ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 39547
>   > ;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
>                  ^^
>      good authoritative answer
> 
>   >
>   > ;; QUESTION SECTION:
>   > ;www.unitedairlines.com.sg.     IN      A
>   >
>   > ;; ANSWER SECTION:
>   > www.unitedairlines.com.sg. 0    IN      A       209.87.113.91
> 
>     good A record. [correct]
>   >
>   > ;; Query time: 249 msec
>   > ;; SERVER: 209.87.113.4#53(dc2lbs1.uls-prod.com.)
>   > ;; WHEN: Sat Apr 30 10:27:44 2005
>   > ;; MSG SIZE  rcvd: 59
> 
> 
> HOWEVER: We had been told by dns01.uls-prod.com that
> dc2lbs1.uls-prod.com is the real nameserver for
> www.unitedairlines.com.sg, so a good nameserver will not simply trust
> the NS records learned this way, but will refresh them by asking
> dc2lbs1.uls-prod.com itself:
> 
>   > [root at nano1 ~]# dig @dc2lbs1.uls-prod.com. www.unitedairlines.com.sg NS
>   >
>   > ; <<>> DiG 9.3.0 <<>> @dc2lbs1.uls-prod.com. www.unitedairlines.com.sg NS
>   > ;; global options:  printcmd
>   > ;; Got answer:
>   > ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 49223
>   > ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
>   >
>   > ;; QUESTION SECTION:
>   > ;www.unitedairlines.com.sg.     IN      NS
>   >
>   > ;; Query time: 258 msec
>   > ;; SERVER: 209.87.113.4#53(dc2lbs1.uls-prod.com.)
>   > ;; WHEN: Sat Apr 30 10:30:23 2005
>   > ;; MSG SIZE  rcvd: 43
> 
> BAD: Now dc2lbs1.uls-prod.com returns a SERVFAIL error for this domain.
> This will result in the local nameserver (in this case here at my ISP)
> marking this nameserver as LAME for this domain.
> 
> The problem is that dns01.uls-prod.com/dns02.uls-prod.com claim
> that www.unitedairlines.com.sg is a separate zone with authoritative
> nameservers dc1lbs1.uls-prod.com/dc2lbs1.uls-prod.com, but that those
> two nameservers respond with failure when asked to confirm the NS
> list for www.unitedairlines.com.sg...
> 
> The same problem seems to exist for others of your worldwide domains.


I also pointed UAL at this, which seems pertinent:

> http://www.ietf.org/internet-drafts/draft-ietf-dnsop-misbehavior-against-aaaa-02.txt
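
Added example, not part of the original message: the header check the message performs by eye (status code, then the aa flag) as a shell script that can be pointed at each nameserver a delegation lists. The function names, verdict strings and the +time/+tries values are assumptions of this example; the sample headers are copied from the dig output quoted in the message.

```shell
#!/bin/sh
# Added example: classify a nameserver from the header of a dig reply.

# classify_reply: read dig output on stdin, print one verdict.
classify_reply() {
    awk '
        /->>HEADER<<-/ {                  # ";; ->>HEADER<<- opcode: QUERY, status: X, id: N"
            for (i = 1; i < NF; i++)
                if ($i == "status:") { status = $(i + 1); sub(/,$/, "", status) }
        }
        /^;; flags:/ {                    # ";; flags: qr aa rd; QUERY: 1, ..."
            split($0, part, ";")          # part[3] holds " flags: qr aa rd"
            aa = ((part[3] " ") ~ / aa /)
        }
        END {
            if (status == "")             print "no-reply"
            else if (status != "NOERROR") print "lame:" status
            else if (aa)                  print "authoritative"
            else                          print "non-authoritative"
        }'
}

# check_ns ZONE SERVER: ask SERVER, without recursion, for the zone NS set.
check_ns() {
    dig "@$2" "$1" NS +norecurse +time=3 +tries=1 2>/dev/null | classify_reply
}

# Header lines copied from the dig output in the message above.
DNS01_WWW_A=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 52996
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 2'
DC2_WWW_A=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 39547
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0'
DC2_WWW_NS=';; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 49223
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0'

if [ "$#" -ge 2 ]; then                   # live mode: ZONE SERVER [SERVER...]
    zone=$1; shift
    for ns in "$@"; do echo "$ns: $(check_ns "$zone" "$ns")"; done
else                                      # offline mode: replay the copied headers
    for sample in "$DNS01_WWW_A" "$DC2_WWW_A" "$DC2_WWW_NS"; do
        printf '%s\n' "$sample" | classify_reply
    done
fi
```

Run with a zone and its listed servers (for instance the zone and the two servers named in the AUTHORITY section) to query them live; with no arguments it replays the three copied headers.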



