[sf-lug] DNS, testing/troubleshooting ... (Re: Looks great, thanks! Re: linuxmafia.com/svlug.org DNS slaves for sf-lug.{com, org}! :-))

Michael Paoli Michael.Paoli at cal.berkeley.edu
Fri Jul 24 02:14:03 PDT 2015


> From: "Rick Moen" <rick at linuxmafia.com>
> Subject: Re: [sf-lug] DNS, testing/troubleshooting ... (Re: Looks great, thanks! Re: linuxmafia.com/svlug.org DNS slaves for sf-lug.{com, org}! :-))
> Date: Thu, 23 Jul 2015 21:24:29 -0700

> Quoting Michael Paoli (Michael.Paoli at cal.berkeley.edu):
>
>> Dang, over 24 hours and nobody else took a stab at it and posted to the
>> list?
>
> I'll readily confess that I didn't try because I lacked time and also
> had never noticed or used dig's +nssearch flag before you demonstrated
> its usage.  (As you say, there's a lot to be said for re-reading man
> pages occasionally.)

Yes, there is that ... 24 hours can be relatively short ... especially
for volunteer, and people's free time stuff - I certainly can't always
get to or do something like that within 24 hours.

> I see it boils down to 'find and report the authoritative name servers
> for this DNS zone using iterative queries only (not recursive ones),
> and return each one's copy of the SOA record'.
>
>
>
>> Anyway, some hints:
>> $ dig -4 sf-lug.com. +nssearch
>
> (Return values show _no_ timeouts with the IPv4-only querying flag '-4'
> added.)
>
> I'm guessing your local nameserver was timing out on the IPv6 phase of
> the queries it made when you said 'dig +nssearch sf-lug.com.' or
> 'dig +nssearch sf-lug.org.' (without the -4 flag).  Because it has IPv6
> problems whereby things attempt IPv6 queries, fail, timeout, and retry
> and succeed on the followup IPv4 attempt.
>
> The laptop in front of me has no timeouts when doing the same queries
> with default IP stack semantics (not limited to IPv4 only):
>
> Litte-Datamaskin:~ rick$ dig +nssearch sf-lug.com.
> SOA ns1.sf-lug.com. jim.well.com. 2015072000 10800 3600 1209600 10800 from server 198.144.195.186 in 8 ms.
> SOA ns1.sf-lug.com. jim.well.com. 2015072000 10800 3600 1209600 10800 from server 64.62.190.98 in 134 ms.
> SOA ns1.sf-lug.com. jim.well.com. 2015072000 10800 3600 1209600 10800 from server 198.144.194.12 in 136 ms.
> SOA ns1.sf-lug.com. jim.well.com. 2015072000 10800 3600 1209600 10800 from server 208.96.15.252 in 143 ms.
> SOA ns1.sf-lug.com. jim.well.com. 2015072000 10800 3600 1209600 10800 from server 72.249.38.88 in 211 ms.
> Litte-Datamaskin:~ rick$ dig +nssearch sf-lug.org.
> SOA ns1.sf-lug.org. jim.well.com. 113020527 10800 3600 1209600 3600 from server 198.144.195.186 in 4 ms.
> SOA ns1.sf-lug.org. jim.well.com. 113020527 10800 3600 1209600 3600 from server 64.62.190.98 in 55 ms.
> SOA ns1.sf-lug.org. jim.well.com. 113020527 10800 3600 1209600 3600 from server 198.144.194.12 in 61 ms.
> SOA ns1.sf-lug.org. jim.well.com. 113020527 10800 3600 1209600 3600 from server 208.96.15.252 in 69 ms.
> SOA ns1.sf-lug.org. jim.well.com. 113020527 10800 3600 1209600 3600 from server 72.249.38.88 in 107 ms.
> Litte-Datamaskin:~ rick$

Yes, quite correct on that.  Of all the NS servers for those two domains,
each has one NS that has both an IPv4 and an IPv6 address.  The host
I ran the check from has no IPv6 Internet access, so the tests attempting
to use IPv6 failed (timed out).  With the -4 option, dig(1) skips attempting
to use IPv6 and only uses IPv4.  dig(1) also has a -6 flag to try over
IPv6 only.  Unfortunately I don't have a host at my fingertips where I
can do Internet IPv6 checks (8-O) ... I'll have to "fix" that.  :-)
Interestingly when you did the check, without the -4 option, I not only
see no errors, but also don't see a reported result on the IPv6 NS IP.
I'm guessing perhaps your dig(1) didn't attempt IPv6 for some reason, or
perhaps otherwise didn't report on the IPv6 NS IP?  Does dig(1) from that
host of yours support the -6 option, and if so, curious what that then
reports?  And does that host have IPv6 Internet access?
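
Added example, not part of the original message: a small Python check that parses `dig +nssearch` output like that quoted above, lists expected name-server addresses that returned no SOA (the missing IPv6 result discussed here), and flags servers whose SOA serial lags behind. The function names, the `2001:db8::53` address and the altered serial in the sample are constructed for illustration.

```python
import re
from collections import defaultdict

# One +nssearch result, in the form shown in the quoted output:
# SOA <mname> <rname> <serial> <refresh> <retry> <expire> <minimum>
#     from server <addr> in <n> ms.
RESULT = re.compile(
    r"SOA\s+(\S+)\s+(\S+)\s+(\d+)\s+\d+\s+\d+\s+\d+\s+\d+\s+"
    r"from server\s+(\S+)\s+in\s+\d+\s+ms\."
)

def parse_nssearch(text):
    """Return {server_address: soa_serial} from dig +nssearch output.

    Quote marks are dropped and whitespace collapsed first, so results
    that a mail client wrapped across two lines still parse.
    """
    flat = " ".join(text.replace(">", " ").split())
    return {m.group(4): int(m.group(3)) for m in RESULT.finditer(flat)}

def audit(text, expected_servers):
    """Compare the answers with the addresses the zone's NS set should have."""
    seen = parse_nssearch(text)
    by_serial = defaultdict(list)
    for addr, serial in seen.items():
        by_serial[serial].append(addr)
    # Plain max() treats the largest serial as current; it does not apply
    # RFC 1982 serial-number arithmetic, so a wrapped serial would mislead it.
    newest = max(by_serial) if by_serial else None
    return {
        "serial": newest,
        "silent": sorted(set(expected_servers) - set(seen)),
        "stale": sorted(a for s, addrs in by_serial.items()
                        if s != newest for a in addrs),
    }

# Constructed sample: first result as quoted above, second with its serial
# altered to show a lagging secondary; lines wrapped as in the e-mail.
SAMPLE = """\
> SOA ns1.sf-lug.com. jim.well.com. 2015072000 10800 3600 1209600
> 10800 from server 198.144.195.186 in 8 ms.
> SOA ns1.sf-lug.com. jim.well.com. 2015071900 10800 3600 1209600
> 10800 from server 64.62.190.98 in 134 ms.
"""
# Constructed expectation; 2001:db8::53 is a documentation-range placeholder.
EXPECTED = ["198.144.195.186", "64.62.190.98", "2001:db8::53"]

if __name__ == "__main__":
    print(audit(SAMPLE, EXPECTED))
```

An address listed under "silent" only means no SOA line was reported for it from the querying host; as the thread shows, that can be the querying host's own lack of IPv6 connectivity rather than a fault on the name server.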
