Discussion:
bind vs glue records (fwd)
Stephen Borrill
2016-03-24 17:07:02 UTC
BTW, the reason I referred to glue records is because of warnings from:
http://mxtoolbox.com/SuperTool.aspx?action=dns%3astatic.acer.com&run=toolpage

---------- Forwarded message ----------
Date: Thu, 24 Mar 2016 16:41:58 +0000 (GMT)
From: Stephen Borrill <***@precedence.co.uk>
To: tech-***@netbsd.org
Subject: bind vs glue records

With netbsd-7, BIND 9.10.2-P4 and using root.cache with no forwarders, I'm
seeing problems with a few sites that have suspect glue records. I cannot
recreate the problem with netbsd-5 and its in-base BIND. Upstream recursive
servers such as Google don't have problems and so NetBSD is getting the blame
from end-users.

Example domains are:
static.acer.com
bmb.secure.barclays.com
download.adobe.com

# host static.acer.com 127.0.0.1
Using domain server:
Name: 127.0.0.1
Address: 127.0.0.1#53
Aliases:

Host static.acer.com not found: 3(NXDOMAIN)
# host static.acer.com 8.8.8.8
Using domain server:
Name: 8.8.8.8
Address: 8.8.8.8#53
Aliases:

static.acer.com is an alias for static-akamai.gtm.acer.com.
static-akamai.gtm.acer.com is an alias for wac.15D43.taucdn.net.
wac.15D43.taucdn.net is an alias for gp1.wac.v2cdn.net.
gp1.wac.v2cdn.net has address 93.184.220.20

On netbsd-7:
# /etc/rc.d/named restart
Stopping named.
Waiting for PIDS: 29737.
Starting named.
# dig static.acer.com

; <<>> DiG 9.10.2-P4 <<>> static.acer.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 31266
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;static.acer.com. IN A

;; ANSWER SECTION:
static.acer.com. 86400 IN CNAME static-akamai.gtm.acer.com.

;; AUTHORITY SECTION:
gtm.acer.com. 60 IN SOA gtm1.acer.com. hostmaster.gtm1.acer.com. 686 10800 3600 604800 60

;; Query time: 1263 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Thu Mar 24 16:39:50 GMT 2016
;; MSG SIZE rcvd: 128


On netbsd-5:
# /etc/rc.d/named restart
Stopping named.
Waiting for PIDS: 87.
Starting named.
# dig static.acer.com

; <<>> DiG 9.5.2-P2 <<>> static.acer.com
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 20858
;; flags: qr rd ra; QUERY: 1, ANSWER: 4, AUTHORITY: 2, ADDITIONAL: 0

;; QUESTION SECTION:
;static.acer.com. IN A

;; ANSWER SECTION:
static.acer.com. 86400 IN CNAME static-akamai.gtm.acer.com.
static-akamai.gtm.acer.com. 30 IN CNAME wac.15D43.taucdn.net.
wac.15D43.taucdn.net. 3600 IN CNAME gp1.wac.v2cdn.net.
gp1.wac.v2cdn.net. 3600 IN A 93.184.220.20

;; AUTHORITY SECTION:
v2cdn.net. 172800 IN NS ns1.v2cdn.net.
v2cdn.net. 172800 IN NS ns2.v2cdn.net.

;; Query time: 623 msec
;; SERVER: 192.168.1.254#53(192.168.1.254)
;; WHEN: Thu Mar 24 16:40:50 2016
;; MSG SIZE rcvd: 179
--
Stephen


--
Posted automagically by a mail2news gateway at muc.de e.V.
Please direct questions, flames, donations, etc. to news-***@muc.de
Christos Zoulas
2016-03-24 21:41:54 UTC
Post by Stephen Borrill
> http://mxtoolbox.com/SuperTool.aspx?action=dns%3astatic.acer.com&run=toolpage

So we are setting some bit that the server does not like. It is probably
something like nsit (although it isn't - I tried). So can you tcpdump the
outgoing query packets from named and see what's different?

christos


Robert Elz
2016-03-24 22:28:44 UTC
Date: Thu, 24 Mar 2016 17:07:02 +0000 (GMT)
From: Stephen Borrill <***@precedence.co.uk>
Message-ID: <***@ugly.internal.precedence.co.uk>

| BTW, the reason I referred to glue records is because of warnings from:
| http://mxtoolbox.com/SuperTool.aspx?action=dns%3astatic.acer.com&run=toolpage

What they are referring to there is the perennial problem with glue.
That is, the same data (supposedly) is recorded in more than one place,
and it gets inconsistent.

And that will (or can) cause all kinds of problems as well, but again
it is the delegated domain's problem to fix, not the resolver's.

The parent domain could also help (perhaps should also help) by verifying
the glue data they have from time to time (once a week would usually be
enough, but perhaps aside from .com it should be possible to do daily).
If they find the auth servers returning different answers to the glue they
have, they should just update the glue.

But none of them will do that, they all wait for the delegated domain's
operators to tell them to update the glue records - and many server operators
have no idea what they are supposed to do, and just change things without
informing anyone...

kre
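
The check kre describes above (comparing the glue the parent holds with what the delegated zone's own servers return), as an added example that is not part of the original thread. It works offline on dig-style record text; the zone, names and addresses are constructed (documentation ranges), and `parse_rrs` and `check_glue` are hypothetical helper names.

```python
import ipaddress
from collections import defaultdict

def parse_rrs(text):
    """Parse dig-style lines 'name ttl IN type rdata' into {(name, type): {rdata}}."""
    rrs = defaultdict(set)
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0].startswith(";"):
            continue                                   # skip comments and short lines
        name, rtype, rdata = fields[0].lower().rstrip("."), fields[3].upper(), fields[4]
        if rtype in ("A", "AAAA"):
            rdata = str(ipaddress.ip_address(rdata))   # canonical address form
        else:
            rdata = rdata.lower().rstrip(".")          # DNS names are case-insensitive
        rrs[(name, rtype)].add(rdata)
    return rrs

def check_glue(zone, parent_referral, child_answers):
    """Compare parent-side glue with the child zone's authoritative addresses."""
    zone = zone.lower().rstrip(".")
    parent, child = parse_rrs(parent_referral), parse_rrs(child_answers)
    report = {}
    for ns in sorted(parent[(zone, "NS")] | child[(zone, "NS")]):
        if not (ns == zone or ns.endswith("." + zone)):
            continue                                   # out-of-zone server: no glue involved
        glue = parent[(ns, "A")] | parent[(ns, "AAAA")]
        auth = child[(ns, "A")] | child[(ns, "AAAA")]
        if not glue:
            status = "no-glue"
        elif not auth:
            status = "unverified"                      # child gave no address to compare
        else:
            status = "consistent" if glue == auth else "mismatch"
        report[ns] = {"status": status,
                      "stale": sorted(glue - auth),    # in glue, not served by the child
                      "missing": sorted(auth - glue)}  # served by the child, not in glue
    return report

# Constructed sample: referral from the parent, then answers from the child's servers.
PARENT_REFERRAL = """example.com. 172800 IN NS ns1.example.com.
example.com. 172800 IN NS ns2.example.com.
example.com. 172800 IN NS ns.example.net.
ns1.example.com. 172800 IN A 192.0.2.1
ns2.example.com. 172800 IN A 192.0.2.2"""
CHILD_ANSWERS = """example.com. 3600 IN NS ns1.example.com.
example.com. 3600 IN NS NS2.example.com.
example.com. 3600 IN NS ns.example.net.
ns1.example.com. 3600 IN A 192.0.2.1
ns2.example.com. 3600 IN A 192.0.2.53
ns2.example.com. 3600 IN AAAA 2001:DB8::53"""

if __name__ == "__main__":
    for host, result in check_glue("example.com", PARENT_REFERRAL, CHILD_ANSWERS).items():
        print(host, result)
```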


Mike Pumford
2016-03-26 18:33:22 UTC
Post by Christos Zoulas
> Post by Stephen Borrill
>> http://mxtoolbox.com/SuperTool.aspx?action=dns%3astatic.acer.com&run=toolpage
> So we are setting some bit that the server does not like. It is probably
> something like nsit (although it isn't - I tried). So can you tcpdump the
> outgoing query packets from named and see what's different?

I've got what appears to be an identical setup here and it fails the
same way. I restarted bind on the server and then did:
host static.acer.com

Here's what I got from tcpdump after making the host request:

bash-4.3# tcpdump -vvvnr dns.cap
reading from file dns.cap, link-type PPP_ETHER (PPPoE)
18:28:52.974427 PPPoE [ses 0x1ec] IP (tos 0x0, ttl 64, id 10352, offset
0, flags [none], proto UDP (17), length 84)
81.187.216.64.57077 > 192.43.172.30.53: [udp sum ok] 54578 [1au] A?
static.acer.com. ar: . OPT UDPsize=512 OK (56)
18:28:52.984237 PPPoE [ses 0x1ec] IP (tos 0x0, ttl 58, id 3165, offset
0, flags [none], proto UDP (17), length 534)
192.43.172.30.53 > 81.187.216.64.57077: [udp sum ok] 54578-| q: A?
static.acer.com. 0/9/3 ns: acer.com. [2d] NS ns1.acer.com., acer.com.
[2d] NS ns2.acer.com., acer.com. [2d] NS ns3.acer.com., acer.com. [2d]
NS ns4.acer.com., acer.com. [2d] NS ns5.acer.com., acer.com. [2d] NS
ns6.acer.com., CK0POJMG874LJREF7EFN8430QVIT8BSM.com. [1d] Type50,
CK0POJMG874LJREF7EFN8430QVIT8BSM.com. [1d] RRSIG,
T2AQSNVH0N0GGDLJ8T58H3IIBS6GN560.com. [1d] Type50 ar: ns1.acer.com. [2d]
A 193.0.238.131, ns2.acer.com. [2d] A 193.194.129.131, . OPT
UDPsize=4096 OK (506)
18:28:52.985172 PPPoE [ses 0x1ec] IP (tos 0x0, ttl 64, id 0, offset 0,
flags [DF], proto TCP (6), length 64)
81.187.216.64.60578 > 192.43.172.30.53: Flags [S], cksum 0xc675
(correct), seq 1473385615, win 32768, options [mss 1468,nop,wscale
3,sackOK,nop,nop,nop,nop,TS val 1 ecr 0], length 0
18:28:52.995587 PPPoE [ses 0x1ec] IP (tos 0x0, ttl 59, id 0, offset 0,
flags [DF], proto TCP (6), length 60)
192.43.172.30.53 > 81.187.216.64.60578: Flags [S.], cksum 0x1048
(correct), seq 960381313, ack 1473385616, win 14480, options [mss
1460,sackOK,TS val 2078546163 ecr 1,nop,wscale 7], length 0
18:28:52.995735 PPPoE [ses 0x1ec] IP (tos 0x0, ttl 64, id 0, offset 0,
flags [DF], proto TCP (6), length 52)
81.187.216.64.60578 > 192.43.172.30.53: Flags [.], cksum 0x6728
(correct), seq 1, ack 1, win 4220, options [nop,nop,TS val 1 ecr
2078546163], length 0
18:28:52.996267 PPPoE [ses 0x1ec] IP (tos 0x0, ttl 64, id 10353, offset
0, flags [DF], proto TCP (6), length 110)
81.187.216.64.60578 > 192.43.172.30.53: Flags [P.], cksum 0x07f9
(correct), seq 1:59, ack 1, win 4220, options [nop,nop,TS val 1 ecr
2078546163], length 5840481 [1au] A? static.acer.com. ar: . OPT
UDPsize=4096 OK (56)
18:28:53.006511 PPPoE [ses 0x1ec] IP (tos 0x0, ttl 59, id 22911, offset
0, flags [DF], proto TCP (6), length 52)
192.43.172.30.53 > 81.187.216.64.60578: Flags [.], cksum 0x76ed
(correct), seq 1, ack 59, win 114, options [nop,nop,TS val 2078546174
ecr 1], length 0
18:28:53.006523 PPPoE [ses 0x1ec] IP (tos 0x0, ttl 59, id 22912, offset
0, flags [DF], proto TCP (6), length 787)
192.43.172.30.53 > 81.187.216.64.60578: Flags [P.], cksum 0x73a8
(correct), seq 1:736, ack 59, win 114, options [nop,nop,TS val
2078546174 ecr 1], length 73540481- q: A? static.acer.com. 0/10/7 ns:
acer.com. [2d] NS ns1.acer.com., acer.com. [2d] NS ns2.acer.com.,
acer.com. [2d] NS ns3.acer.com., acer.com. [2d] NS ns4.acer.com.,
acer.com. [2d] NS ns5.acer.com., acer.com. [2d] NS ns6.acer.com.,
CK0POJMG874LJREF7EFN8430QVIT8BSM.com. [1d] Type50,
CK0POJMG874LJREF7EFN8430QVIT8BSM.com. [1d] RRSIG,
T2AQSNVH0N0GGDLJ8T58H3IIBS6GN560.com. [1d] Type50,
T2AQSNVH0N0GGDLJ8T58H3IIBS6GN560.com. [1d] RRSIG ar: ns1.acer.com. [2d]
A 193.0.238.131, ns2.acer.com. [2d] A 193.194.129.131, ns3.acer.com.
[2d] A 210.63.100.11, ns4.acer.com. [2d] A 210.63.96.11, ns5.acer.com.
[2d] A 208.203.4.141, ns6.acer.com. [2d] A 63.66.78.35, . OPT
UDPsize=4096 OK (733)
18:28:53.007811 PPPoE [ses 0x1ec] IP (tos 0x0, ttl 64, id 0, offset 0,
flags [DF], proto TCP (6), length 52)
81.187.216.64.60578 > 192.43.172.30.53: Flags [F.], cksum 0x6403
(correct), seq 59, ack 736, win 4220, options [nop,nop,TS val 1 ecr
2078546174], length 0
18:28:53.009456 PPPoE [ses 0x1ec] IP (tos 0x0, ttl 64, id 10354, offset
0, flags [none], proto UDP (17), length 84)
81.187.216.64.60142 > 63.66.78.35.53: [udp sum ok] 28270 [1au] A?
static.acer.com. ar: . OPT UDPsize=512 OK (56)
18:28:53.017882 PPPoE [ses 0x1ec] IP (tos 0x0, ttl 59, id 22913, offset
0, flags [DF], proto TCP (6), length 52)
192.43.172.30.53 > 81.187.216.64.60578: Flags [F.], cksum 0x7401
(correct), seq 736, ack 60, win 114, options [nop,nop,TS val 2078546185
ecr 1], length 0
18:28:53.018006 PPPoE [ses 0x1ec] IP (tos 0x0, ttl 64, id 0, offset 0,
flags [DF], proto TCP (6), length 52)
81.187.216.64.60578 > 192.43.172.30.53: Flags [.], cksum 0x63f7
(correct), seq 60, ack 737, win 4220, options [nop,nop,TS val 1 ecr
2078546185], length 0
18:28:53.135792 PPPoE [ses 0x1ec] IP (tos 0x0, ttl 241, id 64275,
offset 0, flags [DF], proto UDP (17), length 225)
63.66.78.35.53 > 81.187.216.64.60142: [udp sum ok] 28270*- q: A?
static.acer.com. 1/3/5 static.acer.com. [1d] CNAME
static-akamai.gtm.acer.com. ns: gtm.acer.com. [5m] NS gtm2.acer.com.,
gtm.acer.com. [5m] NS gtm1.acer.com., gtm.acer.com. [5m] NS
gtm3.acer.com. ar: gtm1.acer.com. [1d] A 193.0.238.134, gtm2.acer.com.
[1d] A 122.146.111.24, gtm2.acer.com. [1d] A 210.241.130.24,
gtm3.acer.com. [1d] A 199.107.120.136, . OPT UDPsize=4096 OK (197)
18:28:53.137843 PPPoE [ses 0x1ec] IP6 (flowlabel 0x2cf0a, hlim 64,
next-header UDP (17) payload length: 76) 2001:8b0:84:1::1.64955 >
2001:502:ad09::23.53: [udp sum ok] 59781 [1au] Type32769?
static.acer.com.dlv.isc.org. ar: . OPT UDPsize=512 OK (68)
18:28:53.149193 PPPoE [ses 0x1ec] IP6 (hlim 58, next-header UDP (17)
payload length: 64) 2001:502:ad09::23.53 > 2001:8b0:84:1::1.64955: [udp
sum ok] 59781 NXDomain*-| q: Type32769? static.acer.com.dlv.isc.org.
0/0/1 ar: . OPT UDPsize=4096 OK (56)
18:28:53.150192 PPPoE [ses 0x1ec] IP6 (flowlabel 0x3e9da, hlim 64,
next-header TCP (6) payload length: 44) 2001:8b0:84:1::1.63913 >
2001:502:ad09::23.53: Flags [S], cksum 0xaa68 (correct), seq 1481817608,
win 32768, options [mss 1448,nop,wscale 3,sackOK,nop,nop,nop,nop,TS val
1 ecr 0], length 0
18:28:53.161708 PPPoE [ses 0x1ec] IP6 (hlim 58, next-header TCP (6)
payload length: 32) 2001:502:ad09::23.53 > 2001:8b0:84:1::1.63913: Flags
[S.], cksum 0x2aa5 (correct), seq 935839941, ack 1481817609, win 14400,
options [mss 1440,nop,nop,sackOK,nop,wscale 9], length 0
18:28:53.161874 PPPoE [ses 0x1ec] IP6 (flowlabel 0x3e9da, hlim 64,
next-header TCP (6) payload length: 20) 2001:8b0:84:1::1.63913 >
2001:502:ad09::23.53: Flags [.], cksum 0x9362 (correct), seq 1, ack 1,
win 4163, length 0
18:28:53.162416 PPPoE [ses 0x1ec] IP6 (flowlabel 0x3e9da, hlim 64,
next-header TCP (6) payload length: 90) 2001:8b0:84:1::1.63913 >
2001:502:ad09::23.53: Flags [P.], cksum 0xa63e (correct), seq 1:71, ack
1, win 4163, length 7012946 [1au] Type32769?
static.acer.com.dlv.isc.org. ar: . OPT UDPsize=4096 OK (68)
18:28:53.173538 PPPoE [ses 0x1ec] IP6 (hlim 58, next-header TCP (6)
payload length: 20) 2001:502:ad09::23.53 > 2001:8b0:84:1::1.63913: Flags
[.], cksum 0xa342 (correct), seq 1, ack 71, win 29, length 0
18:28:53.173548 PPPoE [ses 0x1ec] IP6 (hlim 58, next-header TCP (6)
payload length: 773) 2001:502:ad09::23.53 > 2001:8b0:84:1::1.63913:
Flags [P.], cksum 0xc877 (correct), seq 1:754, ack 71, win 29, length
75312946 NXDomain*- q: Type32769? static.acer.com.dlv.isc.org. 0/6/1 ns:
dlv.isc.org. [1h] SOA ns-int.isc.org. hostmaster.isc.org. 2016032603
7200 3600 2419200 3600, dlv.isc.org. [1h] RRSIG,
absoluteopenbsd.com.dlv.isc.org. [1h] NSEC,
absoluteopenbsd.com.dlv.isc.org. [1h] RRSIG, toxi.co.dlv.isc.org. [1h]
NSEC, toxi.co.dlv.isc.org. [1h] RRSIG ar: . OPT UDPsize=4096 OK (751)
18:28:53.174345 PPPoE [ses 0x1ec] IP6 (flowlabel 0x3e9da, hlim 64,
next-header TCP (6) payload length: 20) 2001:8b0:84:1::1.63913 >
2001:502:ad09::23.53: Flags [F.], cksum 0x902a (correct), seq 71, ack
754, win 4163, length 0
18:28:53.181748 PPPoE [ses 0x1ec] IP (tos 0x0, ttl 64, id 10355, offset
0, flags [none], proto UDP (17), length 84)
81.187.216.64.60231 > 199.6.0.29.53: [udp sum ok] 49358 [1au]
Type32769? com.dlv.isc.org. ar: . OPT UDPsize=512 OK (56)
18:28:53.185600 PPPoE [ses 0x1ec] IP6 (hlim 58, next-header TCP (6)
payload length: 20) 2001:502:ad09::23.53 > 2001:8b0:84:1::1.63913: Flags
[F.], cksum 0xa04f (correct), seq 754, ack 72, win 29, length 0
18:28:53.185773 PPPoE [ses 0x1ec] IP6 (flowlabel 0x3e9da, hlim 64,
next-header TCP (6) payload length: 20) 2001:8b0:84:1::1.63913 >
2001:502:ad09::23.53: Flags [.], cksum 0x9029 (correct), seq 72, ack
755, win 4163, length 0
18:28:53.276226 PPPoE [ses 0x1ec] IP (tos 0x0, ttl 58, id 18090, offset
0, flags [none], proto UDP (17), length 532)
199.6.0.29.53 > 81.187.216.64.60231: [udp sum ok] 49358*- q:
Type32769? com.dlv.isc.org. 0/4/1 ns: dlv.isc.org. [1h] SOA
ns-int.isc.org. hostmaster.isc.org. 2016032603 7200 3600 2419200 3600,
dlv.isc.org. [1h] RRSIG, toxi.co.dlv.isc.org. [1h] NSEC,
toxi.co.dlv.isc.org. [1h] RRSIG ar: . OPT UDPsize=4096 OK (504)
18:28:53.283693 PPPoE [ses 0x1ec] IP (tos 0x0, ttl 64, id 10356, offset
0, flags [none], proto UDP (17), length 95)
81.187.216.64.57686 > 193.194.129.131.53: [udp sum ok] 31038 [1au]
A? static-akamai.gtm.acer.com. ar: . OPT UDPsize=512 OK (67)
18:28:53.311830 PPPoE [ses 0x1ec] IP (tos 0x0, ttl 49, id 54029, offset
0, flags [none], proto UDP (17), length 204)
193.194.129.131.53 > 81.187.216.64.57686: [udp sum ok] 31038- q: A?
static-akamai.gtm.acer.com. 0/3/5 ns: gtm.acer.com. [5m] NS
gtm2.acer.com., gtm.acer.com. [5m] NS gtm1.acer.com., gtm.acer.com. [5m]
NS gtm3.acer.com. ar: gtm1.acer.com. [1d] A 193.0.238.134,
gtm2.acer.com. [1d] A 122.146.111.24, gtm2.acer.com. [1d] A
210.241.130.24, gtm3.acer.com. [1d] A 199.107.120.136, . OPT
UDPsize=4096 OK (176)
18:28:53.313832 PPPoE [ses 0x1ec] IP (tos 0x0, ttl 64, id 10357, offset
0, flags [none], proto UDP (17), length 95)
81.187.216.64.61636 > 210.241.130.24.53: [udp sum ok] 38321 [1au]
A? static-akamai.gtm.acer.com. ar: . OPT UDPsize=512 OK (67)
18:28:53.652369 PPPoE [ses 0x1ec] IP (tos 0x0, ttl 237, id 59536,
offset 0, flags [DF], proto UDP (17), length 135)
210.241.130.24.53 > 81.187.216.64.61636: [udp sum ok] 38321
NXDomain*- q: A? static-akamai.gtm.acer.com. 0/1/1 ns: gtm.acer.com.
[1m] SOA gtm1.acer.com. hostmaster.gtm1.acer.com. 686 10800 3600 604800
60 ar: . OPT UDPsize=4096 OK (107)
bash-4.3#

All I can see is that it appears to be querying
static-akamai.gtm.acer.com as an A record rather than the cname it
actually is but that's where my DNS expertise ends.

Mike

Rhialto
2016-03-27 21:43:13 UTC
> I've got what appears to be an identical setup here and it fails the same
> host static.acer.com

As another data point, I have bind9 from pkgsrc, and it seems to work:

$ host static.acer.com
static.acer.com is an alias for static-akamai.gtm.acer.com.
static-akamai.gtm.acer.com is an alias for wac.15D43.taucdn.net.
wac.15D43.taucdn.net is an alias for gp1.wac.v2cdn.net.
gp1.wac.v2cdn.net has address 93.184.220.20

-Olaf.
--
___ Olaf 'Rhialto' Seibert -- The Doctor: No, 'eureka' is Greek for
\X/ rhialto/at/xs4all.nl -- 'this bath is too hot.'