[dns-operations] To A or to AAAA - was Re: Signaling client

Mark Andrews marka at isc.org
Thu Jan 20 01:48:33 UTC 2011


In message <20110120005516.ECF209027AC at drugs.dv.isc.org>, Mark Andrews writes:
> 
> In message <alpine.LSU.2.00.1101191603010.3329 at hermes-1.csi.cam.ac.uk>, Tony Finch writes:
> > On Wed, 19 Jan 2011, Joe Abley wrote:
> > > On 2011-01-19, at 09:38, Mark Andrews wrote:
> > >
> > > > 99.999% of AAAA lookups work fine.
> > >
> > > Are there public test results that confirm this?
> > 
> > I just took a sample of 10000 different domain names from my mail server
> > logs. 0.8% of the AAAA lookups returned SERVFAIL or timed out. If I don't
> > uniquify the domain names I get a failure rate of 0.5%.
> > 
> > This probably doesn't correspond very well to the query pattern on a
> > normal recursive DNS server. Also I did not count other failure modes such
> > as returning NXDOMAIN when the domain name has A records but not AAAA.
> > 
> > Tony.
> > -- 
> > f.anthony.n.finch  <dot at dotat.at>  http://dotat.at/
> > HUMBER THAMES DOVER WIGHT PORTLAND: NORTH BACKING WEST OR NORTHWEST, 5 TO 7,
> > DECREASING 4 OR 5, OCCASIONALLY 6 LATER IN HUMBER AND THAMES. MODERATE OR
> > ROUGH. RAIN THEN FAIR. GOOD.
> 
> Anyone with access to a nameserver can do something similar to this.
> Dump the contents of the cache.  Extract all the A/AAAA records and
> make a unique list of the names then make lookups for the A/AAAA
> records.  Alternatively you can just extract all the owner names
> of any record and look those up.  junk turns the multi-line records
> into a single line and add ownernames for those records that inherit
> from the previous line.
> 
> % rndc dumpdb
> % awk -f junk < /var/named/named_dump.db |
>   awk '$3 == "A" || $3 == "AAAA" {print $1}' |
>   sort -u > junk1
> % dig AAAA -f junk1 | grep status | grep -v SERVFAIL | wc
>     1560   12480   90226
> % dig A -f junk1 | grep status | grep -v SERVFAIL | wc
>     1565   12520   90523
> % 
> 
> As you can see the success rate really doesn't vary much by type.
> If there is an address record in the cache named will query for it
> at some point.  This nameserver has a typical household set of
> queries being directed to it.  Facebook, twitter etc.

And the offending names are served from nameservers run by an
organisation that should know better.  (I had regenerated the list
so there are only 4 failures.)

ns1.pendingrenewaldeletion.com.
ns2.pendingrenewaldeletion.com.
ns4.apnic.com.
ns5.apnic.com.

AAAA queries for these names get this bogus no data response which
named correctly rejects.

.			1	IN	SOA	ns1.pendingrenewaldeletion.com. ns2.pendingrenewaldeletion.com. 2005092400 10800 3600 604800 7200
;; Received 97 bytes from 205.178.190.51#53(ns1.pendingrenewaldeletion.com) in 247 ms

Mark
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka at isc.org
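The quoted pipeline (dump the cache, flatten the records, extract the unique A/AAAA owner names, feed them to dig -f and count the status lines) can be reproduced without the unpublished "junk" awk script. The block below is an added example and is not code from the thread or from ISC: it flattens a constructed excerpt in the style of a BIND cache dump, pulls out the owner names to query, tallies the "status:" lines of a constructed dig transcript, and implements a simplified, assumed form of the negative-answer sanity check that makes named discard the root-SOA "no data" response shown above. The sample dump, the dig lines, the domain names and the function names are all constructed for this example; the real named_dump.db contains record kinds this parser does not handle.

```python
"""Added example: cache-survey helpers and a negative-answer check.

Not code from the thread. Sample inputs are constructed; addresses use
documentation prefixes. Assumed: the resolver sanity check shown in
negative_soa_acceptable() is a simplification of what named does.
"""
import re
from collections import Counter

# Constructed excerpt in the style of a BIND cache dump: indented lines
# inherit the previous owner name, a parenthesised SOA spans several
# lines, and ';' starts a comment.
SAMPLE_DUMP = """\
; Start view _default
; Cache dump of view '_default' (cache _default)
$DATE 20110120014800
; authanswer
example.com.\t\t3600\tIN SOA\tns1.example.com. hostmaster.example.com. (
\t\t\t\t\t2011011900 ; serial
\t\t\t\t\t7200       ; refresh
\t\t\t\t\t3600       ; retry
\t\t\t\t\t1209600    ; expire
\t\t\t\t\t3600       ; minimum
\t\t\t\t\t)
; glue
ns1.example.com.\t3600\tIN A\t192.0.2.1
\t\t\t3600\tIN AAAA\t2001:db8::1
; answer
www.example.com.\t300\tIN A\t192.0.2.10
\t\t\t300\tIN A\t192.0.2.11
mail.example.net.\t600\tA\t198.51.100.5
"""

# Constructed lines of the kind 'dig -f list | grep status' would print.
SAMPLE_DIG = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4321
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4322
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 4323
"""


def flatten_dump(text):
    """Yield (owner, rrtype, rdata) per record: the job of the 'junk' script.

    Comments and $-directives are dropped, parenthesised records are joined
    into one line, and indented lines get the inherited owner name.
    """
    owner, pending, depth = None, "", 0
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].rstrip()      # strip trailing comment
        if depth == 0 and (not line.strip() or line.startswith("$")):
            continue
        depth += line.count("(") - line.count(")")
        pending = f"{pending} {line}" if pending else line
        if depth > 0:                              # still inside ( ... )
            continue
        if pending[:1].isspace():                  # owner inherited
            pending = f"{owner} {pending}"
        fields = pending.replace("(", " ").replace(")", " ").split()
        pending = ""
        owner, i = fields[0], 1
        if i < len(fields) and fields[i].isdigit():              # optional TTL
            i += 1
        if i < len(fields) and fields[i].upper() in ("IN", "CH", "HS"):  # class
            i += 1
        if i < len(fields):
            yield owner, fields[i].upper(), " ".join(fields[i + 1:])


def address_owner_names(text):
    """Unique owner names of A/AAAA records: the list fed to 'dig -f'."""
    return sorted({o for o, t, _ in flatten_dump(text) if t in ("A", "AAAA")})


STATUS_RE = re.compile(r"status:\s*([A-Z]+)")


def count_statuses(dig_output):
    """Tally the 'status:' header lines, the 'grep status | wc' step."""
    return Counter(m.group(1) for m in STATUS_RE.finditer(dig_output))


def _labels(name):
    name = name.strip().rstrip(".").lower()
    return name.split(".") if name else []


def is_ancestor_or_equal(ancestor, name):
    """True if 'ancestor' is 'name' or one of its parent domains."""
    a, n = _labels(ancestor), _labels(name)
    return len(a) <= len(n) and n[len(n) - len(a):] == a


def negative_soa_acceptable(qname, zone, soa_owner):
    """Assumed, simplified resolver check on a NODATA/NXDOMAIN answer.

    The SOA in the authority section must come from the zone that holds
    the name: its owner must be an ancestor of (or equal to) the query
    name and must sit at or below the delegation the query was sent to.
    A root SOA from a server asked about apnic.com. fails the second
    test, so the 'no AAAA' claim is not cached.
    """
    return (is_ancestor_or_equal(soa_owner, qname)
            and is_ancestor_or_equal(zone, soa_owner))


if __name__ == "__main__":
    print(address_owner_names(SAMPLE_DUMP))
    print(dict(count_statuses(SAMPLE_DIG)))
    print(negative_soa_acceptable("ns4.apnic.com.", "apnic.com.", "."))
    print(negative_soa_acceptable("ns4.apnic.com.", "apnic.com.", "apnic.com."))
```

On a live system the query list would come from `rndc dumpdb` and the dig transcript from `dig AAAA -f list`; the parser deliberately skips lines it cannot classify rather than guessing, so unusual cache entries are dropped from the survey instead of producing bogus names.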
