[getdns-users] Strange behavior with query ordering

Willem Toorop willem at nlnetlabs.nl
Thu Jun 18 15:09:40 UTC 2015 

Op 17-06-15 om 15:52 schreef Rose, Scott W.:
> I can - but looking at some outside open resolvers, some get it, some don't.  Something seems to be up with our provider.  I wouldn't be the first time.  I was using http://www.digwebinterface.com/ and see that some work, but some (some of the ones outside of the US) don't.  
> 
> Problem seems to be solved by upgrading to getdns-0.2.0  (was using 0.1.8).  Not sure what it was, but now it seems to work.

Hi Scott,

Definitely something wrong with your provider yes.

The name servers on 129.6.100.200 and 129.6.100.201 (sometimes known as
ns1.had-pilot.biz. and ns2.had-pilot.biz., but at other times known as
had1.had-pilot.com. and ns2.had-pilot.com.) serve a zone with SOA serial
20131045 some of the time and with SOA serial 20111556 some other times.

Interestingly on both occasions they have up-to-date DNSSEC signatures!

So I suspect a setup where 129.6.100.200 and 129.6.100.201 are
load-balancers handing out requests to slave servers which do their own
signing.  One of the slave servers is stale at SOA serial 20111556 though.

See the output of the two dig commands below and notice the different
values for NS and for the SOA serial:

willem at bonobo:~/repos/getdns/src$ dig @129.6.100.201 had-pilot.biz. soa
+dnssec +cd

; <<>> DiG 9.10.2rc2 <<>> @129.6.100.201 had-pilot.biz. soa +dnssec +cd
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 29540
;; flags: qr aa rd; QUERY: 1, ANSWER: 2, AUTHORITY: 3, ADDITIONAL: 5
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 3072
;; QUESTION SECTION:
;had-pilot.biz.			IN	SOA

;; ANSWER SECTION:
had-pilot.biz.		3600	IN	SOA	ns2.had-pilot.biz. no-reply.had-pilot.biz.
20111556 43200 43200 1209600 600
had-pilot.biz.		3600	IN	RRSIG	SOA 8 2 3600 20150625030023 20150618020023
24186 had-pilot.biz.
bN57c7bfeK+XfxcN5FcRVot404oEOq3kb/3b6bY2/Zh7RiNmfNtWiqrZ
tZ6gGnJqf0wUrjyYtN2u4v3mLLVGjYPmrSH01WqVVuQ+oXNicvQMCDrd
2PZMxjrj2W4jkYmGw2PHoB1T/VhaKBKvSsPlWBUvql6ZB8q3rmC7WNtr L/w=

;; AUTHORITY SECTION:
had-pilot.biz.		3600	IN	NS	ns1.had-pilot.biz.
had-pilot.biz.		3600	IN	NS	ns2.had-pilot.biz.
had-pilot.biz.		3600	IN	RRSIG	NS 8 2 3600 20150625030023 20150618020023
24186 had-pilot.biz.
bprJ1BOrEmtftlhWaplvQsVbv3gpBXX1/US8cPXImFNNMJSeHeOuz8VE
Ms/z6GxUqO/v9lz5kNPItgOlfz8ti4MlllpKEkaNUSCkN1am7h3qI3Sg
AfvtMMEu0zpq80p5zf7/Oxucsttrq2QmEHgiXj7C3BdiRyeFdwuEQ0gn LOk=

;; ADDITIONAL SECTION:
ns1.had-pilot.biz.	3600	IN	A	129.6.100.200
ns1.had-pilot.biz.	3600	IN	RRSIG	A 8 3 3600 20150625030023
20150618020023 24186 had-pilot.biz.
JXOX8kbnBSwVTeGw41hjUrRXuf/m5EIlfyiCEZEAp56xA8YTRzqZR2mo
aqO/PiIXyuedrQqUIzR5/yRsx35bSkG3ubi3ShabsyFGVsoNp6q3uonH
FzHmIdyJyVrJtei/KlzUB7DObxqX4vxy1vcsoEL2jA3DBQpoSZGkbvdm iWE=
ns2.had-pilot.biz.	3600	IN	A	129.6.100.201
ns2.had-pilot.biz.	3600	IN	RRSIG	A 8 3 3600 20150625030023
20150618020023 24186 had-pilot.biz.
jqjrmN8Oq9p/7oeWlQ5W3IMaHDndcOoB8PSDMRT1qVAoMfp0fZcLZsH0
gMe0EHXBp5HA6ycpiUH/su4u6lQAqsE5Wmch6AfbHfkg21b7hRCy3+6I
G+Xtpgtx+t9XUw8hdsgwK3XohsqlLd/4MI3kGn6R3MFdRuiFgk3E9Ds3 qbo=

;; Query time: 335 msec
;; SERVER: 129.6.100.201#53(129.6.100.201)
;; WHEN: Thu Jun 18 15:15:59 CEST 2015
;; MSG SIZE  rcvd: 847



willem at bonobo:~$ dig @129.6.100.201 ns1.had-pilot.com. a +dnssec +cd

; <<>> DiG 9.10.2rc2 <<>> @129.6.100.201 ns1.had-pilot.com. a +dnssec +cd
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 40502
;; flags: qr aa rd; QUERY: 1, ANSWER: 0, AUTHORITY: 6, ADDITIONAL: 1
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 3072
;; QUESTION SECTION:
;ns1.had-pilot.com.		IN	A

;; AUTHORITY SECTION:
had5.had-pilot.com.	3600	IN	NSEC	ns2.had-pilot.com. A RRSIG NSEC
had5.had-pilot.com.	3600	IN	RRSIG	NSEC 8 3 3600 20150625030024
20150618020024 28335 had-pilot.com.
bHX8Y2Y8nr3p+kuHBTe9FIBebbXIoZhGCJIKGvQCYpojKNFY4fE4drgb
3+M5Vn0RF2xRpPBA4oackMiljSivnUH1WeFpnyJZkwtB3mBqiwN7swZV
3KsEWYtdwiY8FdfG4tEVlTkvHpxJzaC9PcvuxAoE2H2ACYXwYpF/i2uC GhI=
had-pilot.com.		3600	IN	NSEC	had1.had-pilot.com. NS SOA MX TXT RRSIG
NSEC DNSKEY SPF
had-pilot.com.		3600	IN	RRSIG	NSEC 8 2 3600 20150625030024
20150618020024 28335 had-pilot.com.
HV6/69+uNEUc3AJuhR/j1s/5pXHAPmwIzdygrubTGwowUCWAzNJYdq5c
t8jfMp0U2jEhfX3lEPaPiM1GbgC8GW0A5zHcUdl7AatiTpQGWWHVPzL+
L/+YIUMPodGkGNWV24jajN0zRRfsP4lQZbiE+y2cAgeWbU+7kFEfdKtb CME=
had-pilot.com.		3600	IN	SOA	ns2.had-pilot.com. scottr.nist.gov. 20131045
43200 43200 1209600 3600
had-pilot.com.		3600	IN	RRSIG	SOA 8 2 3600 20150625030024 20150618020024
28335 had-pilot.com.
DpQUH88je0FfSFFF0Mf4W9YBAvLBKAqn6hZ5c9GSH/ONDQzbmcUUXms4
rSZ9+J24fk8IpI3mNEQ0ItUZBMCw39oi6f1rq/4WRpOoAv9XpuDPg0d3
oSWw5fME2MDmCIYiC/B1wUC+w59f97NaZ1eIaZNMkjqKMzm7xWJOgvcD 1Xk=

;; Query time: 93 msec
;; SERVER: 129.6.100.201#53(129.6.100.201)
;; WHEN: Thu Jun 18 13:58:02 CEST 2015
;; MSG SIZE  rcvd: 711



> 
> Scott
> 
> On Jun 16, 2015, at 11:22 PM, Melinda Shore <melinda.shore at nomountain.net> wrote:
> 
>> I'm actually not getting an A record in either case, and dig
>> also returns 0 answers.  Can you confirm that you can retrieve
>> the record not using the API?
>>
>> Thanks,
>>
>> Melinda
>> _______________________________________________
>> Users mailing list
>> Users at getdnsapi.net
>> http://getdnsapi.net/mailman/listinfo/users
> 
> ===================================
> Scott Rose
> NIST
> scott.rose at nist.gov
> +1 301-975-8439
> Google Voice: +1 571-249-3671
> http://www.dnsops.gov/
> https://www.had-pilot.com/
> ===================================
> 
> 
> _______________________________________________
> Users mailing list
> Users at getdnsapi.net
> http://getdnsapi.net/mailman/listinfo/users
>

More information about the Users mailing list