problems with UA worldwide sites on IPv6 enabled PC

Barry Margolin barmar at alum.mit.edu
Sun May 1 17:00:34 UTC 2005 

In article <d52qq5$1bqn$1 at sf1.isc.org>,
 Mathias Koerber <mathias at koerber.org> wrote:

> Here is the detailed problem description I sent UAL on
> this problem recently (KMM2534973V89232L0KM):

If you want to emulate the way a resolver works, you should really be 
sending your queries without the RD flag, i.e. use the +norec option to 
dig.

> > 3. HOWEVER, both nameservers reply with an NON-AUTHORITATIVE answer when
> >    queried for www.unitedairlines.com.sg [incorrect]

You asked for recursion, so they recursed (it's not a great idea to have 
recursion enabled on authoritative server, but it's not prohibited by 
any specification I know of).  But since they're not authoritative for 
the www.unitdairlines.com.sg subdomain, they correctly return 
non-authoritative answers.

> > HOWEVER: We had been told by dns01.uls-prod.com that
> > dc2lbs1.uls-prod.com is the real nameserver for
> > www.unitedairlines.com.sg, so a good nameserver will not simply trust
> > the NS records learned this way, but will refresh them by asking
> > dc2lbs1.uls-prod.com itself:

I've never heard of BIND doing this explicit query for NS records when 
it's refreshing its cache.  It just sends whatever query it's recursing 
for to the most specific NS record in its cache, and expects it to 
return either an answer or a delegation to a lower-level server.

> > 
> >   > [root at nano1 ~]# dig @dc2lbs1.uls-prod.com. www.unitedairlines.com.sg NS
> >   >
> >   > ; <<>> DiG 9.3.0 <<>> @dc2lbs1.uls-prod.com.
> > www.unitedairlines.com.sg NS
> >   > ;; global options:  printcmd
> >   > ;; Got answer:
> >   > ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 49223
> >   > ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
> >   >
> >   > ;; QUESTION SECTION:
> >   > ;www.unitedairlines.com.sg.     IN      NS
> >   >
> >   > ;; Query time: 258 msec
> >   > ;; SERVER: 209.87.113.4#53(dc2lbs1.uls-prod.com.)
> >   > ;; WHEN: Sat Apr 30 10:30:23 2005
> >   > ;; MSG SIZE  rcvd: 43
> > 
> > BAD: Now dc2lbs1.uls-prod.com returns a SERVFAIL error for this domain.
> > This will result in the local nameserver (in this case here at my ISP)
> > to mark this nameserver as LAME for this domain.
> > 
> > The problem is that dns01.uls-prod.com/dns02.uls-prod.com claim
> > that www.unitedairlines.com.sg is a separate zone with authoritative
> > nameservers dc1lbs1.uls-prod.com/dc2lbs1.uls-prod.com, but that those
> > two nameservers respond with failure when asked to confirm the NS
> > list for www.unitedairlines.com.sg...

These dcXlbs1.uls-prod.com servers are probably not full-featured 
nameservers, but DNS-based load balancing appliances like Local 
Director.  They typically implement just enough of the DNS protocol to 
support their needs.

Since these servers will not be queried for the NS records in the course 
of normal hostname resolution, I don't think this should cause any 
operational problems.  And I don't think it has anything to do with the 
problem you encounter only when enabling IPv6 on your PC.

However, I noticed that if I queried them with +norec, I did get a more 
proper response:

barmar $ dig www.unitedairlines.com.sg ns @dc1lbs1.uls-prod.com +norec

; <<>> DiG 9.2.2 <<>> www.unitedairlines.com.sg ns @dc1lbs1.uls-prod.com 
+norec
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 24703
;; flags: qr ra; QUERY: 1, ANSWER: 0, AUTHORITY: 2, ADDITIONAL: 2

;; QUESTION SECTION:
;www.unitedairlines.com.sg.   IN NS

;; AUTHORITY SECTION:
www.unitedairlines.com.sg. 86396 IN NS dc2lbs1.uls-prod.com.
www.unitedairlines.com.sg. 86396 IN NS dc1lbs1.uls-prod.com.

;; ADDITIONAL SECTION:
dc1lbs1.uls-prod.com.   86396 IN A  209.87.112.4
dc2lbs1.uls-prod.com.   86396 IN A  209.87.113.4

;; Query time: 117 msec
;; SERVER: 209.87.112.4#53(dc1lbs1.uls-prod.com)
;; WHEN: Sun May  1 12:56:14 2005
;; MSG SIZE  rcvd: 131

It's NON-AUTHORITATIVE, which is wrong, but at least it's not a SERVFAIL.

My guess is that your IPv6 problem is that you're querying for AAAA 
records, and these server return the same kind of non-authoritative 
NOERROR response for this.

-- 
Barry Margolin, barmar at alum.mit.edu
Arlington, MA
*** PLEASE post questions in newsgroups, not directly to me ***

More information about the bind-users mailing list