Lookup failures

Steven Shockley steve.shockley at shockley.net
Sat Nov 16 19:33:14 UTC 2024


Thanks to those who replied to my earlier email.  I've straightened out 
my routing issues but I'm still having name resolution failures.

Since then I've upgraded to OpenBSD 7.6 with BIND 9.20.2 from packages, 
with no change.

I'm getting frequent lookup failures on most or all devices, but they 
eventually resolve if you retry a few times.  I tried setting up Unbound 
on the same machine and forwarding requests from BIND to Unbound, and 
haven't gotten the problem to reoccur, so this seems to be a BIND 
resolver issue.

In the BIND error logs, I see:

16-Nov-2024 11:48:12.424 queries: info: client @0x19ba5321020 10.0.2.46#34512 (snappymail.eu): query: snappymail.eu IN AAAA + (10.0.0.1)
16-Nov-2024 11:48:12.424 query-errors: info: client @0x19ba5321020 10.0.2.46#34512 (snappymail.eu): query failed (failure) for snappymail.eu/IN/AAAA at query.c:7717
16-Nov-2024 11:48:12.424 queries: info: client @0x19affba6020 10.0.2.46#37102 (snappymail.eu): query: snappymail.eu IN A + (10.0.0.1)
16-Nov-2024 11:48:12.425 query-errors: info: client @0x19affba6020 10.0.2.46#37102 (snappymail.eu): query failed (failure) for snappymail.eu/IN/A at query.c:7717


I ran tcpdump on both the internal and external interfaces.  Dumps 
available on request.  The result:

Client requests A from BIND 0x7c67
BIND requests A from EU delegation servers 0x3fed
Client requests AAAA from BIND 0x48ef
BIND requests AAAA from EU delegation servers 0xb3e8
0xb3e8 responds with list of AAAA name servers
0x3fed responds with RRset exists
BIND requests A from EU delegation server 0x5d5b
BIND returns server failure AAAA to client in response to 0x48ef
0x5d5b returns with list of A name servers
BIND returns server failure A to client in response to 0x7c67
[3 seconds]
[Client re-tries query with local domain appended, fails]
Client requests A from BIND, returns server failure
Client requests AAAA from BIND, returns server failure
[3 seconds]
Client requests AAAA from BIND, returns server failure
Client requests A from BIND, returns server failure
[4 seconds]
[Error logs above are printed]
Client requests A from BIND 0x1986
Client requests AAAA from BIND 0xf345
BIND requests A from ns3.openprovider.eu 0x5fcd
BIND requests AAAA from ns3.openprovider.eu 0x4bcd
0x4bcd response with ipv6 address
0x5fcd response with ipv4 address
BIND requests DNSKEY from ns3.openprovider.eu 0x60bf
0x60bf response with keys
BIND returns AAAA to client 0xf345
BIND returns A to client 0x1986

I sort-of have a workaround, but I'd rather not have to run two DNS 
servers and I don't think Unbound can do client registration.  I'm 
guessing that BIND gets confused by the RRset exists response (YXRRSET) 
and Unbound does not.
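
An added example, not part of the original post and not BIND's own tooling: a small parser for the `queries` and `query-errors` log lines quoted above. It pairs each failure with its query by client address and port, and marks names that both fail and succeed as intermittent. It assumes each log entry sits on one line; the last two sample lines (a later successful retry) are constructed.

```python
import re
from collections import defaultdict

# Sample input: the four log lines from the post, one entry per line, followed
# by two CONSTRUCTED lines standing in for a later retry that succeeded.
SAMPLE_LOG = """\
16-Nov-2024 11:48:12.424 queries: info: client @0x19ba5321020 10.0.2.46#34512 (snappymail.eu): query: snappymail.eu IN AAAA + (10.0.0.1)
16-Nov-2024 11:48:12.424 query-errors: info: client @0x19ba5321020 10.0.2.46#34512 (snappymail.eu): query failed (failure) for snappymail.eu/IN/AAAA at query.c:7717
16-Nov-2024 11:48:12.424 queries: info: client @0x19affba6020 10.0.2.46#37102 (snappymail.eu): query: snappymail.eu IN A + (10.0.0.1)
16-Nov-2024 11:48:12.425 query-errors: info: client @0x19affba6020 10.0.2.46#37102 (snappymail.eu): query failed (failure) for snappymail.eu/IN/A at query.c:7717
16-Nov-2024 11:48:13.000 queries: info: client @0x1 10.0.2.46#40001 (snappymail.eu): query: snappymail.eu IN A + (10.0.0.1)
16-Nov-2024 11:48:13.000 queries: info: client @0x2 10.0.2.46#40002 (snappymail.eu): query: snappymail.eu IN AAAA + (10.0.0.1)
"""

PREFIX = (r"^(?P<ts>\S+ \S+) {cat}: info: client @0x[0-9a-f]+ "
          r"(?P<ip>[^#\s]+)#(?P<port>\d+) \([^)]*\): ")
QUERY_RE = re.compile(PREFIX.format(cat="queries") +
                      r"query: (?P<qname>\S+) IN (?P<qtype>\S+) ")
ERROR_RE = re.compile(PREFIX.format(cat="query-errors") +
                      r"query failed \((?P<reason>[^)]*)\) for "
                      r"(?P<qname>[^/\s]+)/IN/(?P<qtype>\S+) at (?P<src>\S+)")

def summarize(log_text):
    """Return {(qname, qtype): {"queries", "failed", "reasons", "status"}}."""
    seen = {}                   # (ip, port, qname, qtype) -> did it fail?
    reasons = defaultdict(set)  # (qname, qtype) -> {"failure at query.c:7717"}
    for line in log_text.splitlines():
        q, e = QUERY_RE.match(line), ERROR_RE.match(line)
        if q:
            seen.setdefault((q["ip"], q["port"], q["qname"], q["qtype"]), False)
        elif e:  # counted even if the matching query line was not logged
            key = (e["ip"], e["port"], e["qname"], e["qtype"])
            seen[key] = True
            reasons[key[2:]].add(f'{e["reason"]} at {e["src"]}')
    out = {}
    for (_, _, qname, qtype), failed in seen.items():
        row = out.setdefault((qname, qtype), {"queries": 0, "failed": 0})
        row["queries"] += 1
        row["failed"] += failed
    for key, row in out.items():
        row["reasons"] = sorted(reasons[key])
        row["status"] = ("ok" if row["failed"] == 0 else
                         "failing" if row["failed"] == row["queries"]
                         else "intermittent")
    return out

if __name__ == "__main__":
    for (qname, qtype), row in sorted(summarize(SAMPLE_LOG).items()):
        print(qname, qtype, row)
```

A name reported as `intermittent` matches the symptom in the post (fails, then resolves on retry); one reported as `failing` never resolved in the log window.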


