problem resolving ardownload.adobe.com

Nicholas F Miller nicholas.miller at Colorado.EDU
Tue Jul 8 15:07:01 UTC 2014


FWIW,

I ran into this issue with www.elevationsbanking.com as well. The setup was very similar: the record resolved to a CNAME, which in turn resolved to another CNAME. When the TTL expired on the CNAME, the record would revert to NXDOMAIN. It wasn’t until the TTL expired for the SOA that things would resolve correctly again.

In the case of ardownload.adobe.com the record will initially resolve. When the TTL for ardownload.wip4.adobe.com expires the result becomes NXDOMAIN.

The people over at Digital Insight wound up removing the CNAME chaining, which has solved the issue so far. Looking at www.elevationsbanking.com, it appears digitalinsight.com are also using a load balancer. My thinking was they weren’t delegating their domain correctly on/to their GTMs.

_________________________________________________________
Nicholas Miller, OIT, University of Colorado at Boulder




On Jul 7, 2014, at 8:34 PM, Mark Andrews <marka at isc.org> wrote:

> 
> The adobe servers are just plain broken.
> 
> 	Request a CNAME -> NXDOMAIN (Should return CNAME record)
> 	Request a TXT -> NXDOMAIN (Should return CNAME record)
> 	Request a NS -> NXDOMAIN (Should return CNAME record)
> 	Add a EDNS option -> NXDOMAIN (Should return CNAME record)
> 
> I suspect the load balancer is passing non A/AAAA queries through to a
> backing server that doesn't have a fallback CNAME in the zone for
> ardownload.wip4.adobe.com resulting in NXDOMAIN being returned.
> That said, the load balancer should know that if it is returning CNAME
> to A and AAAA queries, that it should also return CNAME to all other
> query types.  This is basic RFC 1034 behaviour.
> 
> Mark
> 
> ; <<>> DiG 9.11.0pre-alpha <<>> ardownload.wip4.adobe.com cname @du1gtm001.adobe.com
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 201
> ;; flags: qr aa rd; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
> ;; WARNING: recursion requested but not available
> 
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags:; udp: 4096
> ;; QUESTION SECTION:
> ;ardownload.wip4.adobe.com.	IN	CNAME
> 
> ;; AUTHORITY SECTION:
> wip4.adobe.com.		30	IN	SOA	sj1gtm001.adobe.com. hostmaster.sj1gtm001.adobe.com. 1283 10800 3600 604800 60
> 
> ;; Query time: 486 msec
> ;; SERVER: 193.104.215.247#53(193.104.215.247)
> ;; WHEN: Tue Jul 08 12:15:41 EST 2014
> ;; MSG SIZE  rcvd: 111
> 
> 
> ; <<>> DiG 9.11.0pre-alpha <<>> ardownload.wip4.adobe.com a @du1gtm001.adobe.com +nsid
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 37308
> ;; flags: qr aa rd; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
> ;; WARNING: recursion requested but not available
> 
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags:; udp: 4096
> ;; QUESTION SECTION:
> ;ardownload.wip4.adobe.com.	IN	A
> 
> ;; AUTHORITY SECTION:
> wip4.adobe.com.		30	IN	SOA	sj1gtm001.adobe.com. hostmaster.sj1gtm001.adobe.com. 1283 10800 3600 604800 60
> 
> ;; Query time: 422 msec
> ;; SERVER: 193.104.215.247#53(193.104.215.247)
> ;; WHEN: Tue Jul 08 12:17:30 EST 2014
> ;; MSG SIZE  rcvd: 111
> 
> ; <<>> DiG 9.11.0pre-alpha <<>> ardownload.wip4.adobe.com a @du1gtm001.adobe.com
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 37210
> ;; flags: qr aa rd ad; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
> ;; WARNING: recursion requested but not available
> 
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags:; udp: 4096
> ;; QUESTION SECTION:
> ;ardownload.wip4.adobe.com.	IN	A
> 
> ;; ANSWER SECTION:
> ardownload.wip4.adobe.com. 300	IN	CNAME	ardownload.adobe.com.edgesuite.net.
> 
> ;; Query time: 441 msec
> ;; SERVER: 193.104.215.247#53(193.104.215.247)
> ;; WHEN: Tue Jul 08 12:15:57 EST 2014
> ;; MSG SIZE  rcvd: 102
> 
> 
> In message <CAEKtLiQWZUifPX_bxGJh7uhQkRUiiG=+k-D54Q2i_VebM6_c1A at mail.gmail.com>
> , Casey Deccio writes:
>> 
>> On Wed, Jul 2, 2014 at 2:51 PM, Carl Byington <carl at byington.org> wrote:
>> 
>>> -----BEGIN PGP SIGNED MESSAGE-----
>>> Hash: SHA1
>>> 
>>> version: 9.10.0-P2
>>> 
>>> dig ardownload.adobe.com. @localhost
>>> 
>>> ;; ANSWER SECTION:
>>> ardownload.adobe.com.   8743    IN  CNAME   ardownload.wip4.adobe.com.
>>> 
>>> 
>> What is the rest of the dig output?  Specifically, what status is your
>> resolver giving you (NOERROR or NXDOMAIN)?
>> 
>> When queried for type NS, the adobe load balancer returns NXDOMAIN:
>> 
>> $ dig @du1gtm001.adobe.com  ardownload.wip4.adobe.com ns
>> 
>> ; <<>> DiG 9.8.4-rpz2+rl005.12-P1 <<>> @du1gtm001.adobe.com
>> ardownload.wip4.adobe.com ns
>> ; (1 server found)
>> ;; global options: +cmd
>> ;; Got answer:
>> ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 42533
>> ;; flags: qr aa rd; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
>> ;; WARNING: recursion requested but not available
>> 
>> ;; QUESTION SECTION:
>> ;ardownload.wip4.adobe.com.    IN    NS
>> 
>> ;; AUTHORITY SECTION:
>> wip4.adobe.com.        30    IN    SOA    sj1gtm001.adobe.com.
>> hostmaster.sj1gtm001.adobe.com. 1283 10800 3600 604800 60
>> 
>> ;; Query time: 116 msec
>> ;; SERVER: 193.104.215.247#53(193.104.215.247)
>> ;; WHEN: Mon Jul  7 16:58:37 2014
>> ;; MSG SIZE  rcvd: 100
>> 
>> 
>> Even though A queries yield NOERROR:
>> 
>> $ dig @du1gtm001.adobe.com  ardownload.wip4.adobe.com a
>> 
>> ; <<>> DiG 9.8.4-rpz2+rl005.12-P1 <<>> @du1gtm001.adobe.com
>> ardownload.wip4.adobe.com a
>> ; (1 server found)
>> ;; global options: +cmd
>> ;; Got answer:
>> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 21275
>> ;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
>> ;; WARNING: recursion requested but not available
>> 
>> ;; QUESTION SECTION:
>> ;ardownload.wip4.adobe.com.    IN    A
>> 
>> ;; ANSWER SECTION:
>> ardownload.wip4.adobe.com. 300    IN    CNAME
>> ardownload.adobe.com.edgesuite.net.
>> 
>> ;; Query time: 119 msec
>> ;; SERVER: 193.104.215.247#53(193.104.215.247)
>> ;; WHEN: Mon Jul  7 16:59:25 2014
>> ;; MSG SIZE  rcvd: 91
>> 
>> Your cache might be adversely affected by this behavior if your cache is
>> sending NS queries to authoritative servers (for example, RPZ with NS
>> lookup), which would cause the name to be cached as NXDOMAIN.
>> 
>> Casey
>> 
> -- 
> Mark Andrews, ISC
> 1 Seymour St., Dundas Valley, NSW 2117, Australia
> PHONE: +61 2 9871 4742                 INTERNET: marka at isc.org
> _______________________________________________
> Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list
> 
> bind-users mailing list
> bind-users at lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users
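
Added example, not part of any poster's message: a small checker for the inconsistency this thread diagnoses, where the same owner name is answered with a CNAME for one query type and NXDOMAIN for others. It parses saved dig output; the sample is constructed by abridging the transcripts quoted above, and the function names are this example's own.

```python
import re
from collections import defaultdict

# Constructed sample: three responses abridged from the dig transcripts in this thread.
SAMPLE = """\
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 201
;; QUESTION SECTION:
;ardownload.wip4.adobe.com.  IN  CNAME

;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 42533
;; QUESTION SECTION:
;ardownload.wip4.adobe.com.  IN  NS

;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 37210
;; QUESTION SECTION:
;ardownload.wip4.adobe.com.  IN  A
;; ANSWER SECTION:
ardownload.wip4.adobe.com. 300  IN  CNAME  ardownload.adobe.com.edgesuite.net.
"""

STATUS = re.compile(r"^;; ->>HEADER<<- .*status: (\w+),", re.M)
QUESTION = re.compile(r"^;(\S+)[ \t]+IN[ \t]+(\S+)[ \t]*$", re.M)
RR = re.compile(r"^(\S+)[ \t]+\d+[ \t]+IN[ \t]+(\S+)[ \t]+(.+)$", re.M)

def parse_responses(text):
    """Split dig output at each header; keep status, question and ANSWER records
    (the SOA in the AUTHORITY section is deliberately not counted as an answer)."""
    responses = []
    for chunk in re.split(r"(?=^;; ->>HEADER<<-)", text, flags=re.M):
        status, question = STATUS.search(chunk), QUESTION.search(chunk)
        if not (status and question):
            continue
        _, found, rest = chunk.partition(";; ANSWER SECTION:\n")
        answers = RR.findall(rest.split("\n\n", 1)[0]) if found else []
        responses.append({"qname": question.group(1).lower(), "qtype": question.group(2),
                          "status": status.group(1), "answers": answers})
    return responses

def inconsistent_names(responses):
    """Names that got NXDOMAIN for some qtypes but records for others."""
    seen = defaultdict(lambda: {"answered": [], "nxdomain": []})
    for r in responses:
        if r["status"] == "NXDOMAIN":
            seen[r["qname"]]["nxdomain"].append(r["qtype"])
        elif r["status"] == "NOERROR" and r["answers"]:
            seen[r["qname"]]["answered"].append(r["qtype"])
    return {n: v for n, v in seen.items() if v["answered"] and v["nxdomain"]}

if __name__ == "__main__":
    print(inconsistent_names(parse_responses(SAMPLE)))
```

Any name it reports is one a cache can end up holding as NXDOMAIN after a non-A query, which is the failure described in the replies above.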


