Question on prod.msocdn.com
Jim Glassford
jmglass at iup.edu
Fri Nov 11 12:45:23 UTC 2016
Just fyi,
Found my problem here, our Tipping Point IPS was misbehaving for
msocdn.com, all well now.
The contributors on the ISC lists are a wealth of information and
appreciated.
best!
jim
On 11/9/2016 2:50 PM, Jim Glassford wrote:
> On 11/9/2016 2:42 PM, Jim Glassford wrote:
>>
>>
>> On 11/9/2016 4:55 AM, Tony Finch wrote:
>>> Jim Glassford <jmglass at iup.edu> wrote:
>>>> Doing dig +cd on prod.msocnd.com will get the CNAME, without +cd
>>>> either
>>>> timeout or SERVFAIL depending on version of bind.
>>> It works for me with BIND 9.11 and 9.10.4-P4.
>>>
>>> There are some EDNS-related changes in 9.10 which might be why these
>>> versions are better able to resolve this domain.
>>>
>>> It looks like you are running 9.8.2rc1, which was released in 2012 (and
>>> 9.8 was EOL 2 years ago) and 9.9.4 which is 3 years old. You can't
>>> rely on
>>> Red Hat to backport all the relevant fixes, so if you are running an
>>> important production service on BIND you should use the latest versions
>>> from isc.org.
>>>
>>>> dnssec-debugger.versignlabs.com on prod.msocdn.com and not sure,
>>>> looks like
>>>> the problem is in dspg.akamaiedge.net?
>>> Yes, there are several problems on the Akamai side of things
>>> http://dnsviz.net/d/prod.msocdn.com/dnssec/
>>>
>>> Tony.
>>
>> Thanks Tony and also others that replied off list.
>> I installed 9.11.0-P1 and having the same issue. Tried out the nta
>> and hey, It works pretty sweet.
>> Not sure what my problem is here but will continue to trouble shoot.
>> best!
>> jim
>>
>> [root at dns3 bind-9.11.0-P1]# rndc status
>> version: BIND 9.11.0-P1 <id:1e9bd53>
>> running on dns3: Linux x86_64 2.6.32-642.6.2.el6.x86_64 #1 SMP Mon
>> Oct 24 10:22:33 EDT 2016
>> boot time: Wed, 09 Nov 2016 19:24:10 GMT
>> last configured: Wed, 09 Nov 2016 19:24:10 GMT
>> configuration file: /etc/named.conf
>> CPUs found: 2
>> worker threads: 2
>> UDP listeners per interface: 1
>> number of zones: 175 (80 automatic)
>> debug level: 3
>> xfers running: 0
>> xfers deferred: 0
>> soa queries in progress: 0
>> query logging is ON
>> recursive clients: 0/9900/10000
>> tcp clients: 0/150
>> server is up and running
>>
>>
>> [root at dns3 bind-9.11.0-P1]# dig prod.msocdn.com
>> ; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.47.rc1.el6_8.3 <<>> prod.msocdn.com
>> ;; global options: +cmd
>> ;; Got answer:
>> ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 65097
>> ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
>>
>> ;; QUESTION SECTION:
>> ;prod.msocdn.com. IN A
>> ;; Query time: 4002 msec
>> ;; WHEN: Wed Nov 9 14:40:02 2016
>> ;; MSG SIZE rcvd: 33
>>
>> [root at dns3 bind-9.11.0-P1]#
>> [root at dns3 bind-9.11.0-P1]# rndc nta prod.msocdn.com
>> Negative trust anchor added: prod.msocdn.com/_default, expires
>> 09-Nov-2016 15:40:58.000
>> [root at dns3 bind-9.11.0-P1]#
>> [root at dns3 bind-9.11.0-P1]# dig prod.msocdn.com
>>
>> ; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.47.rc1.el6_8.3 <<>> prod.msocdn.com
>> ;; global options: +cmd
>> ;; Got answer:
>> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 25756
>> ;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 9, ADDITIONAL: 9
>>
>> ;; QUESTION SECTION:
>> ;prod.msocdn.com. IN A
>>
>> ;; ANSWER SECTION:
>> prod.msocdn.com. 3600 IN CNAME
>> wildcard.msocdn.com.edgekey.net.
>> wildcard.msocdn.com.edgekey.net. 300 IN CNAME e7566.dspg.akamaiedge.net.
>> e7566.dspg.akamaiedge.net. 20 IN A 104.95.43.11
>>
>> ;; AUTHORITY SECTION:
>> dspg.akamaiedge.net. 4000 IN NS n2dspg.akamaiedge.net.
>> dspg.akamaiedge.net. 4000 IN NS n4dspg.akamaiedge.net.
>> dspg.akamaiedge.net. 4000 IN NS n1dspg.akamaiedge.net.
>> dspg.akamaiedge.net. 4000 IN NS n6dspg.akamaiedge.net.
>> dspg.akamaiedge.net. 4000 IN NS n3dspg.akamaiedge.net.
>> dspg.akamaiedge.net. 4000 IN NS n5dspg.akamaiedge.net.
>> dspg.akamaiedge.net. 4000 IN NS n7dspg.akamaiedge.net.
>> dspg.akamaiedge.net. 4000 IN NS n0dspg.akamaiedge.net.
>> dspg.akamaiedge.net. 4000 IN NS a0dspg.akamaiedge.net.
>>
>> ;; ADDITIONAL SECTION:
>> n7dspg.akamaiedge.net. 8000 IN A 165.254.211.12
>> n5dspg.akamaiedge.net. 4000 IN A 165.254.211.14
>> n2dspg.akamaiedge.net. 4000 IN A 165.254.211.20
>> n4dspg.akamaiedge.net. 8000 IN A 165.254.211.15
>> n0dspg.akamaiedge.net. 4000 IN A 209.48.71.63
>> n1dspg.akamaiedge.net. 6000 IN A 88.221.81.194
>> n3dspg.akamaiedge.net. 6000 IN A 209.8.212.93
>> n6dspg.akamaiedge.net. 6000 IN A 165.254.211.13
>> a0dspg.akamaiedge.net. 8000 IN AAAA 2600:1480:e800::c0
>>
>> ;; Query time: 1282 msec
>> ;; WHEN: Wed Nov 9 14:41:14 2016
>> ;; MSG SIZE rcvd: 475
>>
>> [root at dns3 bind-9.11.0-P1]#
>>
>
> Sorry, stupid of me, wrong dig version for the show :-(
> correct version below;
>
> [root at dns3 bind-9.11.0-P1]# dig prod.msocdn.com
>
> ; <<>> DiG 9.11.0-P1 <<>> prod.msocdn.com
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 6415
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
>
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags:; udp: 4096
> ; COOKIE: 7accb22e23d969e7b1b834bb58237d6c6ce2e0e5666f14bc (good)
> ;; QUESTION SECTION:
> ;prod.msocdn.com. IN A
>
> ;; Query time: 4015 msec
> ;; WHEN: Wed Nov 09 14:47:56 EST 2016
> ;; MSG SIZE rcvd: 72
>
> [root at dns3 bind-9.11.0-P1]#
> [root at dns3 bind-9.11.0-P1]# rndc nta prod.msocdn.com
> Negative trust anchor added: prod.msocdn.com/_default, expires
> 09-Nov-2016 15:49:38.000
> [root at dns3 bind-9.11.0-P1]#
> [root at dns3 bind-9.11.0-P1]# dig prod.msocdn.com
>
> ; <<>> DiG 9.11.0-P1 <<>> prod.msocdn.com
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 58831
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 9, ADDITIONAL: 10
>
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags:; udp: 4096
> ; COOKIE: 11c933f06d1b44d124164c7458237de251f105d0543c7956 (good)
> ;; QUESTION SECTION:
> ;prod.msocdn.com. IN A
>
> ;; ANSWER SECTION:
> prod.msocdn.com. 3600 IN CNAME
> wildcard.msocdn.com.edgekey.net.
> wildcard.msocdn.com.edgekey.net. 300 IN CNAME e7566.dspg.akamaiedge.net.
> e7566.dspg.akamaiedge.net. 20 IN A 104.95.43.11
>
> ;; AUTHORITY SECTION:
> dspg.akamaiedge.net. 4000 IN NS n1dspg.akamaiedge.net.
> dspg.akamaiedge.net. 4000 IN NS n0dspg.akamaiedge.net.
> dspg.akamaiedge.net. 4000 IN NS n2dspg.akamaiedge.net.
> dspg.akamaiedge.net. 4000 IN NS n7dspg.akamaiedge.net.
> dspg.akamaiedge.net. 4000 IN NS n6dspg.akamaiedge.net.
> dspg.akamaiedge.net. 4000 IN NS n5dspg.akamaiedge.net.
> dspg.akamaiedge.net. 4000 IN NS a0dspg.akamaiedge.net.
> dspg.akamaiedge.net. 4000 IN NS n3dspg.akamaiedge.net.
> dspg.akamaiedge.net. 4000 IN NS n4dspg.akamaiedge.net.
>
> ;; ADDITIONAL SECTION:
> n5dspg.akamaiedge.net. 4000 IN A 165.254.211.7
> n0dspg.akamaiedge.net. 4000 IN A 165.254.211.13
> n1dspg.akamaiedge.net. 6000 IN A 209.8.212.100
> n2dspg.akamaiedge.net. 8000 IN A 209.48.71.53
> n4dspg.akamaiedge.net. 8000 IN A 165.254.211.12
> n7dspg.akamaiedge.net. 8000 IN A 165.254.211.29
> n3dspg.akamaiedge.net. 4000 IN A 88.221.81.192
> n6dspg.akamaiedge.net. 6000 IN A 165.254.211.6
> a0dspg.akamaiedge.net. 6000 IN AAAA 2600:1480:e800::c0
>
> ;; Query time: 2278 msec
> ;; WHEN: Wed Nov 09 14:49:54 EST 2016
> ;; MSG SIZE rcvd: 514
>
> [root at dns3 bind-9.11.0-P1]#
>
>
>
More information about the bind-users
mailing list