shut down hung fetch while resolving 'aro.army.mil.edgekey.dmz.akamai.csd.disa.mil/A'

Ondřej Surý ondrej at isc.org
Tue Dec 17 20:16:00 UTC 2024


disa.mil servers are timing out on me over IPv6:

$ dig IN NS gcds.disa.mil. @DNS1.DISA.MIL.
;; communications error to 2608:125:0:1811:1001:9012:f00:20#53: timed out
;; communications error to 2608:125:0:1811:1001:9012:f00:20#53: timed out
;; communications error to 2608:125:0:1811:1001:9012:f00:20#53: timed out

; <<>> DiG 9.21.3-1+0~20241211.133+debian12~1.gbp5b5fe5-Debian <<>> IN NS gcds.disa.mil. @DNS1.DISA.MIL.
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 55426
;; flags: qr aa rd; QUERY: 1, ANSWER: 5, AUTHORITY: 0, ADDITIONAL: 7
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;gcds.disa.mil.                 IN      NS

;; ANSWER SECTION:
gcds.disa.mil.          12699   IN      NS      dns1.disa.mil.
gcds.disa.mil.          12699   IN      NS      dns3.disa.mil.
gcds.disa.mil.          12699   IN      NS      dns5.disa.mil.
gcds.disa.mil.          12699   IN      NS      dns2.disa.mil.
gcds.disa.mil.          12699   IN      NS      dns4.disa.mil.

;; ADDITIONAL SECTION:
dns1.disa.mil.          7151    IN      AAAA    2608:125:0:1811:1001:9012:f00:20
dns2.disa.mil.          7151    IN      AAAA    2608:102:0:182d:1001:9012:c00:20
dns3.disa.mil.          7151    IN      AAAA    2608:145:0:180b:1001:9012:d00:20
dns4.disa.mil.          6608    IN      AAAA    2608:c182:0:1012:1001:9012:1400:20
dns4.disa.mil.          6608    IN      AAAA    2608:c182::1001:9012:1600:20
dns5.disa.mil.          7151    IN      AAAA    2608:4122:0:1012:1001:9012:1400:20

;; Query time: 252 msec
;; SERVER: 152.229.110.232#53(DNS1.DISA.MIL.) (UDP)
;; WHEN: Tue Dec 17 21:09:53 CET 2024
;; MSG SIZE  rcvd: 305

And given there are so many delegations and so many redirections, the result is inevitable...

There are at least 4 queries that need to be done against disa.mil servers, and if they all end up with a timeout over IPv6, the whole query times out because it will run out of time.

gdcs.disa.mil IN NS
apps.gdcs.disa.mil IN NS
cds.disa.mil IN NS
e1008.d.akamaiedge.akamai.csd.disa.mil. IN A

Ondřej
--
Ondřej Surý (He/Him)
ondrej at isc.org

My working hours and your working hours may be different. Please do not feel obligated to reply outside your normal working hours.

> On 17. 12. 2024, at 20:56, Clark, Roger <roclar at wm.edu> wrote:
> 
> I have a user who is unsuccessfully trying to resolve 'extranet.aro.army.mil' using our BIND resolvers. The query is failing with a 'shut down hung fetch while resolving' error message with some DNSSEC warning as well. The name resolves without issue querying other external resolvers and also is successful using dig +trace. I did notice there was an issue with an error produced by one of the names in the CNAME chain ( https://gitlab.isc.org/isc-projects/bind9/-/issues/4797 ).
> 
> Do I have something misconfigured or is there something wrong on the authoritative side?
> 
> Thank you!
> 
> Roger
> 
> Query:
> # dig extranet.aro.army.mil @localhost
> ;; communications error to 127.0.0.1#53: timed out
> ;; communications error to 127.0.0.1#53: timed out
> ;; communications error to 127.0.0.1#53: timed out
> ;; communications error to 127.0.0.1#53: timed out
> ;; communications error to 127.0.0.1#53: timed out
> 
> ; <<>> DiG 9.18.32 <<>> extranet.aro.army.mil @localhost
> ;; global options: +cmd
> ;; no servers could be reached
> 
> Logs:
> 17-Dec-2024 16:05:59.558 client @0x7fae4b99e230 127.0.0.1#55089 (extranet.aro.army.mil): query: extranet.aro.army.mil IN A +E(0)K (127.0.0.1)
> 17-Dec-2024 16:06:00.518   validating gcds.disa.mil/SOA: got insecure response; parent indicates it should be secure
> 17-Dec-2024 16:06:00.518     validating gcds.disa.mil/SOA: got insecure response; parent indicates it should be secure
> 17-Dec-2024 16:06:00.518 validating apps.gcds.disa.mil/NS: no valid signature found
> 17-Dec-2024 16:06:00.594   validating apps.gcds.disa.mil/SOA: no valid signature found
> 17-Dec-2024 16:06:00.594   validating Q3C76IBKTMFUF8PMSHSSCOPM8LOKJKK2.apps.gcds.disa.mil/NSEC3: no valid signature found
> 17-Dec-2024 16:06:00.642   validating apps.gcds.disa.mil/SOA: no valid signature found
> 17-Dec-2024 16:06:00.642   validating LP2F0U0VHJI70GSV9KTM3KC7HQDJKD9R.apps.gcds.disa.mil/NSEC3: no valid signature found
> 17-Dec-2024 16:06:00.678 validating aro.army.mil.apps.gcds.disa.mil/CNAME: no valid signature found
> 17-Dec-2024 16:06:01.558 client @0x7fae4b97e220 127.0.0.1#39052 (extranet.aro.army.mil): query: extranet.aro.army.mil IN A +E(0)K (127.0.0.1)
> 17-Dec-2024 16:06:03.562 client @0x7fae4a551240 127.0.0.1#35234 (extranet.aro.army.mil): query: extranet.aro.army.mil IN A +E(0)K (127.0.0.1)
> 17-Dec-2024 16:06:05.566 client @0x7fae4a54f260 127.0.0.1#58021 (extranet.aro.army.mil): query: extranet.aro.army.mil IN A +E(0)K (127.0.0.1)
> 17-Dec-2024 16:06:07.566 client @0x7fae4a547290 127.0.0.1#52253 (extranet.aro.army.mil): query: extranet.aro.army.mil IN A +E(0)K (127.0.0.1)
> 17-Dec-2024 16:06:12.678 shut down hung fetch while resolving 'aro.army.mil.edgekey.dmz.akamai.csd.disa.mil/A'
> 17-Dec-2024 16:06:12.678 client @0x7fae4b99e230 127.0.0.1#55089 (extranet.aro.army.mil): query failed (operation canceled) for extranet.aro.army.mil/IN/A at query.c:7877
> 17-Dec-2024 16:06:12.678 client @0x7fae4b97e220 127.0.0.1#39052 (extranet.aro.army.mil): query failed (operation canceled) for extranet.aro.army.mil/IN/A at query.c:7877
> 17-Dec-2024 16:06:12.678 client @0x7fae4a551240 127.0.0.1#35234 (extranet.aro.army.mil): query failed (operation canceled) for extranet.aro.army.mil/IN/A at query.c:7877
> 17-Dec-2024 16:06:12.678 client @0x7fae4a54f260 127.0.0.1#58021 (extranet.aro.army.mil): query failed (operation canceled) for extranet.aro.army.mil/IN/A at query.c:7877
> 17-Dec-2024 16:06:12.678 client @0x7fae4a547290 127.0.0.1#52253 (extranet.aro.army.mil): query failed (operation canceled) for extranet.aro.army.mil/IN/A at query.c:7877
> 
> Trace:
> 
> # dig +trace extranet.aro.army.mil @localhost
> 
> ; <<>> DiG 9.18.32 <<>> +trace extranet.aro.army.mil @localhost
> ;; global options: +cmd
> .			518092	IN	NS	b.root-servers.net.
> .			518092	IN	NS	g.root-servers.net.
> .			518092	IN	NS	f.root-servers.net.
> .			518092	IN	NS	k.root-servers.net.
> .			518092	IN	NS	a.root-servers.net.
> .			518092	IN	NS	d.root-servers.net.
> .			518092	IN	NS	c.root-servers.net.
> .			518092	IN	NS	m.root-servers.net.
> .			518092	IN	NS	e.root-servers.net.
> .			518092	IN	NS	i.root-servers.net.
> .			518092	IN	NS	h.root-servers.net.
> .			518092	IN	NS	j.root-servers.net.
> .			518092	IN	NS	l.root-servers.net.
> .			518092	IN	RRSIG	NS 8 0 518400 20241230050000 20241217040000 61050 . rswM6OY8ylCNnmkfbUrdnNcTyPMuraztXrBbrrfTOO1M3vp9gCea+qj+ FKEPxb/M7EwJYthquLPfOX+5nkV2ROBFwXrTBYS4Zg6zLC40lNwPFqdY 9X2cYpfYW1ljr1LuW9bEyBYwCfZB8g7eg+v0nMyrX+uDLH2mneiwJhiZ orJTZqVegiHMlX5jNe+btW7uJdAD+05MkI8CP8uD4ZElZ4ghjAG77aZB DLD9Ra+SE4j/1ECrkWEwP543tlYq0mmLIDP3TDObTGFMy3qjjItQtM83 NmCWD8OAFNbl28AaYMDREpMryZDaxPXNEYiAF3JDfTyM1otJqd7C9kjm 9gM/qg==
> ;; Received 1137 bytes from 127.0.0.1#53(localhost) in 0 ms
> 
> mil.			172800	IN	NS	con1.nipr.mil.
> mil.			172800	IN	NS	pac2.nipr.mil.
> mil.			172800	IN	NS	pac1.nipr.mil.
> mil.			172800	IN	NS	eur2.nipr.mil.
> mil.			172800	IN	NS	eur1.nipr.mil.
> mil.			172800	IN	NS	con2.nipr.mil.
> mil.			86400	IN	DS	63500 8 2 3BAA83867103D6604A124282063F295E1B15C87CC13CB875A42F5754 A912EBE0
> mil.			86400	IN	RRSIG	DS 8 1 86400 20241230050000 20241217040000 61050 . X2VVY9CekNpZhFq3x4ZIz8gI9nsCicqgJHzi1kEaRAW4hXzZGR+hAMNq 58680WjNluI/zaWt6eOpfkt+8XNEMJfc5cK5dmnOCs6jv9Blkv4moe6O 3Mr5F5Dm37m13Jw8pBIMJb2ylk1pzOsDQbWKjS+Ak3xXJH357YopmxVO fXQ6Zmu6VCmbiA9rhtI5fX2wuwzhcI5gAn4ARCTFVDo5XM8JKwc3vHs9 9dtGZhJ2UZ9ryZk+ulxGabZ3czSWjof93zn9GHfKezUFeGOqEkdO3op/ 9Oift8tpAM+IDdZFaFgI3VU+SJpwX+5BgavHILio8YtB5wXZ1z1Wfp3r iZw/kw==
> ;; Received 802 bytes from 192.36.148.17#53(i.root-servers.net) in 44 ms
> 
> ARMY.MIL.		21600	IN	NS	NS02.ARMY.MIL.
> ARMY.MIL.		21600	IN	NS	NS01.ARMY.MIL.
> ARMY.MIL.		21600	IN	NS	NS03.ARMY.MIL.
> ARMY.MIL.		10800	IN	DS	34552 8 1 2DFA605AE37365DC018249BC6E7FEB3EF55BAF85
> ARMY.MIL.		10800	IN	DS	34552 8 2 77BF656C5361FF501D81AC4F7DAB185B5F8587AF0421283F7373956F 2DFA4543
> ARMY.MIL.		10800	IN	RRSIG	DS 8 2 10800 20241224000431 20241217000431 40843 mil. oGdnWjQd0HT+UP0o7ct3fbY/Ur/bcxWX6sYflvIZnGy5VlpEB8TF1xQG gtwtHUhfcPTHxUHIqnN+CDarvQTGSbfjCDOrHtYKt1kSSQD91Gz3efgP 4G68ACiGH7SbMUOpDGIBQ/MWzibBPnE1biJchhPuMALfz9GO2qM2Sb5c IIw=
> ;; Received 410 bytes from 199.252.154.234#53(eur1.nipr.mil) in 32 ms
> 
> extranet.aro.army.mil.	3600	IN	CNAME	aro.army.mil.apps.gcds.disa.mil.
> extranet.aro.army.mil.	3600	IN	RRSIG	CNAME 8 4 3600 20241220162507 20241216162111 44331 aro.army.mil. GQ8IGU9aMU6ZiVZrIAJJDv+kPU7YGYs66bpQiMtNw2VtoScz9uhhOs7M Nns1t8uClwMhVVr/NE0cPh5yK7Y0p4AQQWJT3IY07b+5Jy5HFf0bwEWs lBTjqvVOzaVdKXAW0SSTt8dd8phvIskmKDJDPeJx05HKd6cIExzvG1dG M+krqrGsltBQANXByi5koLfUWaxLGzoC676kBM4MhxRHYOXaCzdhIf1K VWaxLMptuhVke1pi8oMY/4FQREs8PEwRwPVRRD4lgMw6XshRpVuI9V65 r+JxiGI/kiwm9Z9ckr6nBEkkry/0/5G4NtcgzfncADRxUrUvJ5NNvd/E rHnhWw==
> aro.army.mil.apps.gcds.disa.mil. 3599 IN CNAME	aro.army.mil.edgekey.dmz.akamai.csd.disa.mil.
> aro.army.mil.apps.gcds.disa.mil. 3599 IN RRSIG	CNAME 8 7 3600 20250108200421 20241209200421 57303 apps.gcds.disa.mil. Pw8WDBdIcSyZsOtYpuOw9/i2Bc4IfcPvel+/MU6GC7ekpS4ba7JZRv13 7se5C1VEOxQlKc+Z/yLY5EhfJfrlJg9QmIKXhRj9h2rzjsjoFljzp0PQ joSo7J4eiWGCPi9TNLWMiC5A8Qj8JYYdOHC0RRFWUOjGQHeGPvStcUfj ROQ=
> aro.army.mil.edgekey.dmz.akamai.csd.disa.mil. 179 IN CNAME e1008.d.akamaiedge.akamai.csd.disa.mil.
> e1008.d.akamaiedge.akamai.csd.disa.mil.	14 IN A	214.48.248.31
> ;; Received 669 bytes from 140.153.43.44#53(NS01.ARMY.MIL) in 80 ms
> 

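Added example, not part of the original messages and not ISC code: a small triage script that reads named log lines in the format quoted above, ties each "shut down hung fetch" event to the client queries it cancelled, and reports how long each client waited alongside the DNSSEC validation messages logged on the way. The function name `triage` and the regular expressions are assumptions based only on the log lines shown in this thread; the sample is a subset of those lines.

```python
import re
from datetime import datetime

# Sample input: a subset of the named log lines quoted in the thread above.
SAMPLE_LOG = """\
17-Dec-2024 16:05:59.558 client @0x7fae4b99e230 127.0.0.1#55089 (extranet.aro.army.mil): query: extranet.aro.army.mil IN A +E(0)K (127.0.0.1)
17-Dec-2024 16:06:00.518   validating gcds.disa.mil/SOA: got insecure response; parent indicates it should be secure
17-Dec-2024 16:06:00.678 validating aro.army.mil.apps.gcds.disa.mil/CNAME: no valid signature found
17-Dec-2024 16:06:01.558 client @0x7fae4b97e220 127.0.0.1#39052 (extranet.aro.army.mil): query: extranet.aro.army.mil IN A +E(0)K (127.0.0.1)
17-Dec-2024 16:06:12.678 shut down hung fetch while resolving 'aro.army.mil.edgekey.dmz.akamai.csd.disa.mil/A'
17-Dec-2024 16:06:12.678 client @0x7fae4b99e230 127.0.0.1#55089 (extranet.aro.army.mil): query failed (operation canceled) for extranet.aro.army.mil/IN/A at query.c:7877
17-Dec-2024 16:06:12.678 client @0x7fae4b97e220 127.0.0.1#39052 (extranet.aro.army.mil): query failed (operation canceled) for extranet.aro.army.mil/IN/A at query.c:7877
"""

TS = r"(?P<ts>\d{2}-\w{3}-\d{4} \d{2}:\d{2}:\d{2}\.\d{3})\s+"
QUERY = re.compile(TS + r"client (?P<client>@0x[0-9a-f]+) \S+ \((?P<qname>[^)]+)\): query: ")
FAILED = re.compile(TS + r"client (?P<client>@0x[0-9a-f]+) \S+ \([^)]+\): query failed \((?P<why>[^)]+)\)")
HUNG = re.compile(TS + r"shut down hung fetch while resolving '(?P<target>[^']+)'")
VALID = re.compile(TS + r"validating (?P<name>\S+): (?P<msg>.+)")

def parse_ts(text):
    return datetime.strptime(text, "%d-%b-%Y %H:%M:%S.%f")

def triage(log_text):
    """Return (hung_fetches, validation_messages) found in log_text."""
    started, validation, report = {}, [], []
    for line in log_text.splitlines():
        if m := QUERY.match(line):
            # Remember when each client object first asked, keyed by its address.
            started[m["client"]] = (parse_ts(m["ts"]), m["qname"])
        elif m := VALID.match(line):
            validation.append((m["name"], m["msg"]))
        elif m := HUNG.match(line):
            report.append({"target": m["target"], "clients": []})
        elif (m := FAILED.match(line)) and report and m["client"] in started:
            # A failure after a hung fetch: attribute it to the latest hung fetch.
            t0, qname = started.pop(m["client"])
            waited = round((parse_ts(m["ts"]) - t0).total_seconds(), 3)
            report[-1]["clients"].append((qname, m["why"], waited))
    return report, validation

if __name__ == "__main__":
    hung, validation = triage(SAMPLE_LOG)
    for fetch in hung:
        print("hung fetch:", fetch["target"])
        for qname, why, waited in fetch["clients"]:
            print(f"  {qname}: {why} after {waited}s")
    for name, msg in validation:
        print("validator:", name, "->", msg)
```

The waiting times it prints show how long each client sat before the fetch was shut down, which is the "runs out of time" outcome described in the reply.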