problem resolving ardownload.adobe.com

Mark Andrews marka at isc.org
Tue Jul 8 02:34:59 UTC 2014 

The adobe servers are just plain broken.

	Request a CNAME -> NXDOMAIN (Should return CNAME record)
	Request a TXT -> NXDOMAIN (Should return CNAME record)
	Request a NS -> NXDOMAIN (Should return CNAME record)
	Add a EDNS option -> NXDOMAIN (Should return CNAME record)

I suspect load balancer is passing non A/AAAA queries through to a
backing server that doesn't have a fallback CNAME in the zone for
ardownload.wip4.adobe.com resulting in NXDOMAIN being returned.
That said, the load balancer should know that if it returning CNAME
to A and AAAA queries, that it should also return CNAME to all other
query types.  This is basic RFC 1034 behaviour.

Mark

; <<>> DiG 9.11.0pre-alpha <<>> ardownload.wip4.adobe.com cname @du1gtm001.adobe.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 201
;; flags: qr aa rd; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;ardownload.wip4.adobe.com.	IN	CNAME

;; AUTHORITY SECTION:
wip4.adobe.com.		30	IN	SOA	sj1gtm001.adobe.com. hostmaster.sj1gtm001.adobe.com. 1283 10800 3600 604800 60

;; Query time: 486 msec
;; SERVER: 193.104.215.247#53(193.104.215.247)
;; WHEN: Tue Jul 08 12:15:41 EST 2014
;; MSG SIZE  rcvd: 111


; <<>> DiG 9.11.0pre-alpha <<>> ardownload.wip4.adobe.com a @du1gtm001.adobe.com +nsid
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 37308
;; flags: qr aa rd; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;ardownload.wip4.adobe.com.	IN	A

;; AUTHORITY SECTION:
wip4.adobe.com.		30	IN	SOA	sj1gtm001.adobe.com. hostmaster.sj1gtm001.adobe.com. 1283 10800 3600 604800 60

;; Query time: 422 msec
;; SERVER: 193.104.215.247#53(193.104.215.247)
;; WHEN: Tue Jul 08 12:17:30 EST 2014
;; MSG SIZE  rcvd: 111

; <<>> DiG 9.11.0pre-alpha <<>> ardownload.wip4.adobe.com a @du1gtm001.adobe.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 37210
;; flags: qr aa rd ad; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;ardownload.wip4.adobe.com.	IN	A

;; ANSWER SECTION:
ardownload.wip4.adobe.com. 300	IN	CNAME	ardownload.adobe.com.edgesuite.net.

;; Query time: 441 msec
;; SERVER: 193.104.215.247#53(193.104.215.247)
;; WHEN: Tue Jul 08 12:15:57 EST 2014
;; MSG SIZE  rcvd: 102


In message <CAEKtLiQWZUifPX_bxGJh7uhQkRUiiG=+k-D54Q2i_VebM6_c1A at mail.gmail.com>
, Casey Deccio writes:
> 
> On Wed, Jul 2, 2014 at 2:51 PM, Carl Byington <carl at byington.org> wrote:
> 
> > -----BEGIN PGP SIGNED MESSAGE-----
> > Hash: SHA1
> >
> > version: 9.10.0-P2
> >
> > dig ardownload.adobe.com. @localhost
> >
> > ;; ANSWER SECTION:
> > ardownload.adobe.com.   8743    IN  CNAME   ardownload.wip4.adobe.com.
> >
> >
> What is the rest of the dig output?  Specifically, what status is your
> resolver giving you (NOERROR or NXDOMAIN)?
> 
> When queried for type NS, the adobe load balancer returns NXDOMAIN:
> 
> $ dig @du1gtm001.adobe.com  ardownload.wip4.adobe.com ns
> 
> ; <<>> DiG 9.8.4-rpz2+rl005.12-P1 <<>> @du1gtm001.adobe.com
> ardownload.wip4.adobe.com ns
> ; (1 server found)
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 42533
> ;; flags: qr aa rd; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
> ;; WARNING: recursion requested but not available
> 
> ;; QUESTION SECTION:
> ;ardownload.wip4.adobe.com.    IN    NS
> 
> ;; AUTHORITY SECTION:
> wip4.adobe.com.        30    IN    SOA    sj1gtm001.adobe.com.
> hostmaster.sj1gtm001.adobe.com. 1283 10800 3600 604800 60
> 
> ;; Query time: 116 msec
> ;; SERVER: 193.104.215.247#53(193.104.215.247)
> ;; WHEN: Mon Jul  7 16:58:37 2014
> ;; MSG SIZE  rcvd: 100
> 
> 
> Even though A queries yield NOERROR:
> 
> $ dig @du1gtm001.adobe.com  ardownload.wip4.adobe.com a
> 
> ; <<>> DiG 9.8.4-rpz2+rl005.12-P1 <<>> @du1gtm001.adobe.com
> ardownload.wip4.adobe.com a
> ; (1 server found)
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 21275
> ;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
> ;; WARNING: recursion requested but not available
> 
> ;; QUESTION SECTION:
> ;ardownload.wip4.adobe.com.    IN    A
> 
> ;; ANSWER SECTION:
> ardownload.wip4.adobe.com. 300    IN    CNAME
> ardownload.adobe.com.edgesuite.net.
> 
> ;; Query time: 119 msec
> ;; SERVER: 193.104.215.247#53(193.104.215.247)
> ;; WHEN: Mon Jul  7 16:59:25 2014
> ;; MSG SIZE  rcvd: 91
> 
> Your cache might be adversely affected by this behavior if your cache is
> sending NS queries to authoritative servers (for example, RPZ with NS
> lookup), which would cause the name to be cached as NXDOMAIN.
> 
> Casey
> 
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka at isc.org

More information about the bind-users mailing list