Inconsistent resolution
Alan Batie
alan at peak.org
Wed Sep 19 00:48:28 UTC 2012
We're having a very similar problem to the thread "question about how a
particular dig works ...", in that "dig +trace" works and "dig" doesn't
(which implies a problem with the local resolving named).

This particular story is that someone didn't get a domain renewed in
time (the oregonisonline.net domain that this domain uses for its
nameservers) and there are clearly polluted caches somewhere, but dig and
named are not being very helpful in tracking them down:

A "dig +trace" on a recursive resolver works fine, showing that the
chain has been properly restored and that particular resolver *can* get
the right data:
----------
<rns3.peak.org> [278] # dig +trace squarecirclers.org
; <<>> DiG 9.4.3-P1 <<>> +trace squarecirclers.org
;; global options: printcmd
. 517515 IN NS m.root-servers.net.
. 517515 IN NS i.root-servers.net.
. 517515 IN NS l.root-servers.net.
. 517515 IN NS h.root-servers.net.
. 517515 IN NS d.root-servers.net.
. 517515 IN NS f.root-servers.net.
. 517515 IN NS a.root-servers.net.
. 517515 IN NS c.root-servers.net.
. 517515 IN NS e.root-servers.net.
. 517515 IN NS b.root-servers.net.
. 517515 IN NS k.root-servers.net.
. 517515 IN NS g.root-servers.net.
. 517515 IN NS j.root-servers.net.
;; Received 332 bytes from 127.0.0.1#53(127.0.0.1) in 0 ms
org. 172800 IN NS a2.org.afilias-nst.info.
org. 172800 IN NS b0.org.afilias-nst.org.
org. 172800 IN NS a0.org.afilias-nst.info.
org. 172800 IN NS d0.org.afilias-nst.org.
org. 172800 IN NS c0.org.afilias-nst.info.
org. 172800 IN NS b2.org.afilias-nst.org.
;; Received 438 bytes from 192.33.4.12#53(c.root-servers.net) in 36 ms
squarecirclers.org. 172800 IN NS ns1.oregonisonline.net.
squarecirclers.org. 172800 IN NS ns2.oregonisonline.net.
;; Received 90 bytes from 2001:500:f::1#53(d0.org.afilias-nst.org) in 86 ms
squarecirclers.org. 3600 IN A 207.55.97.142
squarecirclers.org. 3600 IN NS ns2.oregonisonline.net.
squarecirclers.org. 3600 IN NS ns1.oregonisonline.net.
;; Received 106 bytes from 50.57.78.108#53(ns2.oregonisonline.net) in 68 ms
----------
A normal dig using that same nameserver's resolver fails, however:
----------
<rns3.peak.org> [279] # dig !$
dig squarecirclers.org
; <<>> DiG 9.4.3-P1 <<>> squarecirclers.org
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 57824
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;squarecirclers.org. IN A
;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Tue Sep 18 17:07:41 2012
;; MSG SIZE rcvd: 36
----------
This implies to me that the local nameserver has stale data, however
named has been restarted several times. When I turn on logging, all it
tells me is "yup, got a query and went to look it up!", which isn't
terribly useful:
----------
18-Sep-2012 16:42:14.661 queries: client 69.59.192.249#4192: query: squarecirclers.org IN A +
18-Sep-2012 16:42:14.661 resolver: createfetch: squarecirclers.org A
----------
On another nameserver that doesn't have the production traffic, a tshark
shows:
----------
6 6.389222 2607:f678::19:249 -> 2a01:348:0:15:5d59:5c7c:0:1 DNS Standard query A squarecirclers.org
7 6.389788 2a01:348:0:15:5d59:5c7c:0:1 -> 2001:500:40::1 DNS Standard query A squarecirclers.org
8 6.526514 2001:500:40::1 -> 2a01:348:0:15:5d59:5c7c:0:1 DNS Standard query response
9 6.527284 93.89.92.124 -> 192.52.178.30 DNS Standard query A ns1.oregonisonline.net
10 6.527449 93.89.92.124 -> 192.52.178.30 DNS Standard query AAAA ns1.oregonisonline.net
11 6.527617 93.89.92.124 -> 192.52.178.30 DNS Standard query A ns2.oregonisonline.net
12 6.527763 93.89.92.124 -> 192.52.178.30 DNS Standard query AAAA ns2.oregonisonline.net
13 6.543621 192.52.178.30 -> 93.89.92.124 DNS Standard query response
14 6.543788 192.52.178.30 -> 93.89.92.124 DNS Standard query response
15 6.544282 2a01:348:0:15:5d59:5c7c:0:1 -> 2001:500:f::1 DNS Standard query A ns1.peak.org
16 6.544401 2a01:348:0:15:5d59:5c7c:0:1 -> 2001:500:f::1 DNS Standard query AAAA ns1.peak.org
17 6.544510 2a01:348:0:15:5d59:5c7c:0:1 -> 2001:500:f::1 DNS Standard query A ns2.peak.org
18 6.544609 2a01:348:0:15:5d59:5c7c:0:1 -> 2001:500:f::1 DNS Standard query AAAA ns2.peak.org
19 6.545122 192.52.178.30 -> 93.89.92.124 DNS Standard query response
20 6.545970 192.52.178.30 -> 93.89.92.124 DNS Standard query response
21 6.552082 2001:500:f::1 -> 2a01:348:0:15:5d59:5c7c:0:1 DNS Standard query response
22 6.552282 2001:500:f::1 -> 2a01:348:0:15:5d59:5c7c:0:1 DNS Standard query response
23 6.552488 2001:500:f::1 -> 2a01:348:0:15:5d59:5c7c:0:1 DNS Standard query response
24 6.552497 2001:500:f::1 -> 2a01:348:0:15:5d59:5c7c:0:1 DNS Standard query response
25 6.552611 93.89.92.124 -> 50.57.78.108 DNS Standard query AAAA ns2.peak.org
26 6.552841 93.89.92.124 -> 50.57.78.108 DNS Standard query A ns1.peak.org
27 6.643233 50.57.78.108 -> 93.89.92.124 DNS Standard query response
28 6.643904 50.57.78.108 -> 93.89.92.124 DNS Standard query response A 207.55.16.51
29 6.644258 93.89.92.124 -> 207.55.16.51 DNS Standard query A ns1.oregonisonline.net
30 6.644387 93.89.92.124 -> 207.55.16.51 DNS Standard query AAAA ns1.oregonisonline.net
31 6.644496 93.89.92.124 -> 207.55.16.51 DNS Standard query A ns2.oregonisonline.net
32 6.644597 93.89.92.124 -> 207.55.16.51 DNS Standard query AAAA ns2.oregonisonline.net
33 6.794078 207.55.16.51 -> 93.89.92.124 DNS Standard query response CNAME ns1.peak.org AAAA 2607:f678::53
34 6.794330 207.55.16.51 -> 93.89.92.124 DNS Standard query response CNAME ns1.peak.org A 207.55.16.51
35 6.795111 207.55.16.51 -> 93.89.92.124 DNS Standard query response CNAME ns2.peak.org
36 6.795352 2a01:348:0:15:5d59:5c7c:0:1 -> 2607:f678::19:249 DNS Standard query response, Server failure
37 6.796046 207.55.16.51 -> 93.89.92.124 DNS Standard query response CNAME ns2.peak.org A 50.57.78.108
----------
This implies that there's something it doesn't like about the "final"
nameserver being a CNAME, however there are other bind nameservers that
are working fine:
----------
<ns6.peak.org> [538] # dig @localhost squarecirclers.org
; <<>> DiG 9.9.2rc1 <<>> @localhost squarecirclers.org
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 45005
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;squarecirclers.org. IN A
;; ANSWER SECTION:
squarecirclers.org. 3600 IN A 207.55.97.142
;; AUTHORITY SECTION:
squarecirclers.org. 3600 IN NS ns2.oregonisonline.net.
squarecirclers.org. 3600 IN NS ns1.oregonisonline.net.
;; Query time: 484 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Tue Sep 18 17:14:06 2012
;; MSG SIZE rcvd: 117
----------
I'm hoping someone can enlighten me on how to troubleshoot this further...
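
Added example, not part of the original post: RFC 2181 section 10.3 requires that the name in an NS record not be an alias, and the capture above shows the lookups for the ns1/ns2.oregonisonline.net host names being answered with CNAMEs. This Python sketch audits records in dig answer-section format for NS targets that are aliases or have no address records; the sample records are constructed from the names and addresses in the capture, and the alias-to-target pairing, the TTLs and the function names are assumptions.

```python
from collections import defaultdict

# Constructed sample in dig answer-section format. Names and addresses come
# from the capture in the post; TTLs on the CNAME/address lines are made up.
SAMPLE = """\
; delegation as returned by the authoritative server
squarecirclers.org.      3600 IN NS    ns1.oregonisonline.net.
squarecirclers.org.      3600 IN NS    ns2.oregonisonline.net.
; what a resolver gets back when it looks up the NS host names
ns1.oregonisonline.net.  3600 IN CNAME ns1.peak.org.
ns2.oregonisonline.net.  3600 IN CNAME ns2.peak.org.
ns1.peak.org.            3600 IN A     207.55.16.51
ns1.peak.org.            3600 IN AAAA  2607:f678::53
ns2.peak.org.            3600 IN A     50.57.78.108
"""

def norm(name):
    """DNS names compare case-insensitively; ignore the trailing dot."""
    return name.rstrip(".").lower()

def parse_records(text):
    """Parse 'owner ttl class type rdata' lines into {(owner, type): [rdata]}."""
    rrsets = defaultdict(list)
    for line in text.splitlines():
        fields = line.split(";")[0].split()  # drop comments and blank lines
        if len(fields) < 5 or not fields[1].isdigit():
            continue  # not a resource-record line
        owner, rtype, rdata = norm(fields[0]), fields[3].upper(), fields[4]
        rrsets[(owner, rtype)].append(rdata)
    return rrsets

def audit_ns_targets(text):
    """Return {zone: [(ns_target, problem)]} for NS targets that are unusable as given."""
    rrsets = parse_records(text)
    findings = defaultdict(list)
    for (owner, rtype), targets in list(rrsets.items()):
        if rtype != "NS":
            continue
        for target in map(norm, targets):
            cname = rrsets.get((target, "CNAME"))
            if cname:  # NS host name is an alias (RFC 2181 section 10.3)
                findings[owner].append((target, "alias of " + norm(cname[0])))
            elif not rrsets.get((target, "A")) and not rrsets.get((target, "AAAA")):
                findings[owner].append((target, "no address records"))
    return dict(findings)

if __name__ == "__main__":
    print(audit_ns_targets(SAMPLE))
```
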