Inconsistent resolution

Alan Batie alan at peak.org
Wed Sep 19 00:48:28 UTC 2012


We're having a very similar problem to the thread "question about how a
particular dig works ...", in that "dig +trace" works and "dig" doesn't
(which implies a problem with the local resolving named).

This particular story is that someone didn't get a domain renewed in
time (the oregonisonline.net domain that this domain uses for its
nameservers) and there are clearly polluted caches somewhere, but dig and
named are not being very helpful in tracking them down:

A "dig +trace" on a recursive resolver works fine, showing that the
chain has been properly restored and that particular resolver *can* get
the right data:

----------
<rns3.peak.org> [278] # dig +trace squarecirclers.org

; <<>> DiG 9.4.3-P1 <<>> +trace squarecirclers.org
;; global options:  printcmd
.			517515	IN	NS	m.root-servers.net.
.			517515	IN	NS	i.root-servers.net.
.			517515	IN	NS	l.root-servers.net.
.			517515	IN	NS	h.root-servers.net.
.			517515	IN	NS	d.root-servers.net.
.			517515	IN	NS	f.root-servers.net.
.			517515	IN	NS	a.root-servers.net.
.			517515	IN	NS	c.root-servers.net.
.			517515	IN	NS	e.root-servers.net.
.			517515	IN	NS	b.root-servers.net.
.			517515	IN	NS	k.root-servers.net.
.			517515	IN	NS	g.root-servers.net.
.			517515	IN	NS	j.root-servers.net.
;; Received 332 bytes from 127.0.0.1#53(127.0.0.1) in 0 ms

org.			172800	IN	NS	a2.org.afilias-nst.info.
org.			172800	IN	NS	b0.org.afilias-nst.org.
org.			172800	IN	NS	a0.org.afilias-nst.info.
org.			172800	IN	NS	d0.org.afilias-nst.org.
org.			172800	IN	NS	c0.org.afilias-nst.info.
org.			172800	IN	NS	b2.org.afilias-nst.org.
;; Received 438 bytes from 192.33.4.12#53(c.root-servers.net) in 36 ms

squarecirclers.org.	172800	IN	NS	ns1.oregonisonline.net.
squarecirclers.org.	172800	IN	NS	ns2.oregonisonline.net.
;; Received 90 bytes from 2001:500:f::1#53(d0.org.afilias-nst.org) in 86 ms

squarecirclers.org.	3600	IN	A	207.55.97.142
squarecirclers.org.	3600	IN	NS	ns2.oregonisonline.net.
squarecirclers.org.	3600	IN	NS	ns1.oregonisonline.net.
;; Received 106 bytes from 50.57.78.108#53(ns2.oregonisonline.net) in 68 ms
----------

A normal dig using that same nameserver's resolver fails, however:

----------
<rns3.peak.org> [279] # dig !$
dig squarecirclers.org

; <<>> DiG 9.4.3-P1 <<>> squarecirclers.org
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 57824
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;squarecirclers.org.		IN	A

;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Tue Sep 18 17:07:41 2012
;; MSG SIZE  rcvd: 36
----------

This implies to me that the local nameserver has stale data; however,
named has been restarted several times.  When I turn on logging, all it
tells me is "yup, got a query and went to look it up!", which isn't
terribly useful:

----------
18-Sep-2012 16:42:14.661 queries: client 69.59.192.249#4192: query: squarecirclers.org IN A +
18-Sep-2012 16:42:14.661 resolver: createfetch: squarecirclers.org A
----------

On another nameserver that doesn't have the production traffic, a tshark
shows:

----------
  6   6.389222 2607:f678::19:249 -> 2a01:348:0:15:5d59:5c7c:0:1 DNS Standard query A squarecirclers.org
  7   6.389788 2a01:348:0:15:5d59:5c7c:0:1 -> 2001:500:40::1 DNS Standard query A squarecirclers.org
  8   6.526514 2001:500:40::1 -> 2a01:348:0:15:5d59:5c7c:0:1 DNS Standard query response
  9   6.527284 93.89.92.124 -> 192.52.178.30 DNS Standard query A ns1.oregonisonline.net
 10   6.527449 93.89.92.124 -> 192.52.178.30 DNS Standard query AAAA ns1.oregonisonline.net
 11   6.527617 93.89.92.124 -> 192.52.178.30 DNS Standard query A ns2.oregonisonline.net
 12   6.527763 93.89.92.124 -> 192.52.178.30 DNS Standard query AAAA ns2.oregonisonline.net
 13   6.543621 192.52.178.30 -> 93.89.92.124 DNS Standard query response
 14   6.543788 192.52.178.30 -> 93.89.92.124 DNS Standard query response
 15   6.544282 2a01:348:0:15:5d59:5c7c:0:1 -> 2001:500:f::1 DNS Standard query A ns1.peak.org
 16   6.544401 2a01:348:0:15:5d59:5c7c:0:1 -> 2001:500:f::1 DNS Standard query AAAA ns1.peak.org
 17   6.544510 2a01:348:0:15:5d59:5c7c:0:1 -> 2001:500:f::1 DNS Standard query A ns2.peak.org
 18   6.544609 2a01:348:0:15:5d59:5c7c:0:1 -> 2001:500:f::1 DNS Standard query AAAA ns2.peak.org
 19   6.545122 192.52.178.30 -> 93.89.92.124 DNS Standard query response
 20   6.545970 192.52.178.30 -> 93.89.92.124 DNS Standard query response
 21   6.552082 2001:500:f::1 -> 2a01:348:0:15:5d59:5c7c:0:1 DNS Standard query response
 22   6.552282 2001:500:f::1 -> 2a01:348:0:15:5d59:5c7c:0:1 DNS Standard query response
 23   6.552488 2001:500:f::1 -> 2a01:348:0:15:5d59:5c7c:0:1 DNS Standard query response
 24   6.552497 2001:500:f::1 -> 2a01:348:0:15:5d59:5c7c:0:1 DNS Standard query response
 25   6.552611 93.89.92.124 -> 50.57.78.108 DNS Standard query AAAA ns2.peak.org
 26   6.552841 93.89.92.124 -> 50.57.78.108 DNS Standard query A ns1.peak.org
 27   6.643233 50.57.78.108 -> 93.89.92.124 DNS Standard query response
 28   6.643904 50.57.78.108 -> 93.89.92.124 DNS Standard query response A 207.55.16.51
 29   6.644258 93.89.92.124 -> 207.55.16.51 DNS Standard query A ns1.oregonisonline.net
 30   6.644387 93.89.92.124 -> 207.55.16.51 DNS Standard query AAAA ns1.oregonisonline.net
 31   6.644496 93.89.92.124 -> 207.55.16.51 DNS Standard query A ns2.oregonisonline.net
 32   6.644597 93.89.92.124 -> 207.55.16.51 DNS Standard query AAAA ns2.oregonisonline.net
 33   6.794078 207.55.16.51 -> 93.89.92.124 DNS Standard query response CNAME ns1.peak.org AAAA 2607:f678::53
 34   6.794330 207.55.16.51 -> 93.89.92.124 DNS Standard query response CNAME ns1.peak.org A 207.55.16.51
 35   6.795111 207.55.16.51 -> 93.89.92.124 DNS Standard query response CNAME ns2.peak.org
 36   6.795352 2a01:348:0:15:5d59:5c7c:0:1 -> 2607:f678::19:249 DNS Standard query response, Server failure
 37   6.796046 207.55.16.51 -> 93.89.92.124 DNS Standard query response CNAME ns2.peak.org A 50.57.78.108
----------

This implies that there's something it doesn't like about the "final"
nameserver being a CNAME; however, there are other BIND nameservers that
are working fine:

----------
<ns6.peak.org> [538] # dig @localhost squarecirclers.org

; <<>> DiG 9.9.2rc1 <<>> @localhost squarecirclers.org
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 45005
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;squarecirclers.org.		IN	A

;; ANSWER SECTION:
squarecirclers.org.	3600	IN	A	207.55.97.142

;; AUTHORITY SECTION:
squarecirclers.org.	3600	IN	NS	ns2.oregonisonline.net.
squarecirclers.org.	3600	IN	NS	ns1.oregonisonline.net.

;; Query time: 484 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Tue Sep 18 17:14:06 2012
;; MSG SIZE  rcvd: 117
----------

I'm hoping someone can enlighten me on how to troubleshoot this further...
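
The CNAME suspicion raised above can be checked mechanically; RFC 2181 section 10.3 requires that the name an NS record points to not be an alias. The script below is an added example, not part of the original post: `ns_alias_report`, `collect_records` and `sample_records` are hypothetical helper names, and the sample records are constructed from the names and addresses in the capture above (TTLs and the example.org control zone are made up).

```shell
#!/bin/sh
# Added example (not from the original post): flag NS targets that are
# answered with a CNAME. Input is records in `dig +noall +answer` format.

ns_alias_report() {
    awk '
        function norm(n) { n = tolower(n); sub(/\.$/, "", n); return n }
        $4 == "NS"    { ns[norm($1) " " norm($5)] = 1 }   # zone + NS target
        $4 == "CNAME" { alias_of[norm($1)] = norm($5) }   # owner -> canonical
        END {
            for (k in ns) {
                split(k, p, " ")
                if (p[2] in alias_of)
                    printf "%s: NS target %s is an alias for %s\n", p[1], p[2], alias_of[p[2]]
            }
        }
    ' | sort
}

# Live use: collect_records ZONE [SERVER] | ns_alias_report
# SERVER lets you ask a resolver other than the one returning SERVFAIL.
collect_records() {
    zone=$1; server=${2:+@$2}
    dig $server +noall +answer NS "$zone"
    for t in $(dig $server +short NS "$zone"); do
        dig $server +noall +answer A "$t"
        dig $server +noall +answer AAAA "$t"
    done
}

# Constructed sample input (names/addresses from the capture; TTLs invented).
sample_records() {
    cat <<'EOF'
squarecirclers.org.     3600 IN NS    ns1.oregonisonline.net.
squarecirclers.org.     3600 IN NS    ns2.oregonisonline.net.
ns1.oregonisonline.net. 3600 IN CNAME ns1.peak.org.
ns1.peak.org.           3600 IN A     207.55.16.51
ns2.oregonisonline.net. 3600 IN CNAME ns2.peak.org.
ns2.peak.org.           3600 IN A     50.57.78.108
example.org.            3600 IN NS    ns.example.org.
ns.example.org.         3600 IN A     192.0.2.53
EOF
}

sample_records | ns_alias_report
```
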

