[dns-operations] socialsecurity.gov

Bill Owens owens at nysernet.org
Wed Sep 12 13:46:36 UTC 2012


On Wed, Sep 12, 2012 at 10:12:37PM +0900, Randy Bush wrote:
> > I can't reach the v6 addresses of dns5 or dns6; I can reach dns1 and
> > dns2. I don't see anything in the log that indicates which transport
> > was being used, but that would be consistent with the problem if the
> > IIJ host is v6-enabled.
> 
> actually, both hosts are v6 enabled.  isn't everything?
> 
> so i disabled v6 on my tokyo host.  same result.
> 
>     rair.psg.com:/Users/randy> doc -p -w socialsecurity.gov.
>     Doc-2.2.3: doc -p -w socialsecurity.gov.
>     Doc-2.2.3: Starting test of socialsecurity.gov.   parent is gov.
>     Doc-2.2.3: Test date - Wed Sep 12 22:11:18 JST 2012
>     DIGERR (NOT_AUTHORIZED): dig @dns1.ssa.gov. for SOA of socialsecurity.gov. failed
>     DIGERR (NOT_AUTHORIZED): dig @dns2.ssa.gov. for SOA of socialsecurity.gov. failed
>     DIGERR (NOT_AUTHORIZED): dig @dns5.ssa.gov. for SOA of socialsecurity.gov. failed
>     DIGERR (NOT_AUTHORIZED): dig @dns6.ssa.gov. for SOA of socialsecurity.gov. failed
>     SYSerr: No servers for socialsecurity.gov. returned SOAs ...
>     Summary:
>        YIKES: doc aborted while testing socialsecurity.gov.  parent gov.
>        Incomplete test for socialsecurity.gov. (5)
>     Done testing socialsecurity.gov.  Wed Sep 12 22:12:06 JST 2012

Not exactly the same result - with v6 disabled, all four fail; before, it was just 5 and 6:

from iij in tokyo

    rair.psg.com:/Users/randy> doc -p -w socialsecurity.gov.
    Doc-2.2.3: doc -p -w socialsecurity.gov.
    Doc-2.2.3: Starting test of socialsecurity.gov.   parent is gov.
    Doc-2.2.3: Test date - Wed Sep 12 19:00:44 JST 2012
    DIGERR (NOT_AUTHORIZED): dig @dns5.ssa.gov. for SOA of socialsecurity.gov. failed
    DIGERR (NOT_AUTHORIZED): dig @dns6.ssa.gov. for SOA of socialsecurity.gov. failed
    Summary:
       No errors or warnings issued for socialsecurity.gov.
       Incomplete test for socialsecurity.gov. (2)
    Done testing socialsecurity.gov.  Wed Sep 12 19:01:30 JST 2012

There's a 10-hour TTL on the AAAA records; is it possible that the client is still attempting v6 transport even though it's now disabled?

Bill.


