[dns-operations] dynect.net outage

Robert Edmonds edmonds at mycre.ws
Mon May 30 06:34:37 UTC 2022


Ralf Weber wrote:
> Moin!
> 
> On 30 May 2022, at 1:12, Robert Edmonds wrote:
> > Simon Arlott via dns-operations wrote:
> >> I currently have this cached list of nameservers for dynect.net:
> >>
> >> ;; AUTHORITY SECTION:
> >> dynect.net.		14931	IN	NS	cgydc01dnsext01.us.oracle.com.
> >> dynect.net.		14931	IN	NS	tvp02dnsext02.tvp.oracle.com.
> >> dynect.net.		14931	IN	NS	sydc01dns03.au.oracle.com.
> >> dynect.net.		14931	IN	NS	trdc01dnsext01.us.oracle.com.
> >> dynect.net.		14931	IN	NS	adc08dnsext02.us.oracle.com.
> >> dynect.net.		14931	IN	NS	rmdc02dnsext01.us.oracle.com.
> >> dynect.net.		14931	IN	NS	llg07dnsext02.llg.oracle.com.
> >> dynect.net.		14931	IN	NS	llg07dnsext01.llg.oracle.com.
> >> dynect.net.		14931	IN	NS	iad-dns-master.oraclecorp.com.
> >> dynect.net.		14931	IN	NS	adc08dnsext01.us.oracle.com.
> >> dynect.net.		14931	IN	NS	rmdc02dnsext02.us.oracle.com.
> >> ;; WHEN: Fri May 27 17:10:08 BST 2022
> >>
> >> All of these hostnames are NXDOMAIN in the oracle.com/oraclecorp.com
> >> zones. Looks like someone has reconfigured the nameservers for
> >> dynect.net and then immediately pulled the A/AAAA records for the old
> >> names without waiting out the TTL on the old NS records.
> >
> > This was https://www.dynstatus.com/incidents/1xlbp98xr3y2.
> So how do you expect the domain to be resolved if all of your out
> of bailiwick name server names no longer point to an IP address?

By using the working nameservers with resolvable names specified in the
delegation from the parent zone, which never changed in this particular
case. This is what Unbound's resolution algorithm does if there are not
too many nonexisting nameserver target names in the child's NS RRset,
and what other resolver algorithms do.

> >> Unbound gives up and returns SERVFAIL for anything using dynect.net
> >> because it exceeds the maximum number of NXDOMAIN responses for
> >> nameserver hostnames.
> Maybe this is happening where you still have the A/AAAA record
> cached for delegation, but you can’t rely on that. If a domain is
> not being able to be resolved from a cold/empty cache it is broken,
> and the domain owner has to deal with the consequences. End of story.

There is more than one resolver implementation, and they differ in the
results of resolving a zone with this type of misconfiguration, and none
of them are the reference implementation of DNS. So just looking at a
particular resolver algorithm returning SERVFAIL when encountering a
particular data pattern starting from a cold cache cannot tell us
whether the algorithm or the data is at fault.

RFC 1034 (section 5.3.3) recommends that the resolver implementer
prioritize the following:

   1. Bound the amount of work (packets sent, parallel processes
      started) so that a request can't get into an infinite loop or
      start off a chain reaction of requests or queries with other
      implementations EVEN IF SOMEONE HAS INCORRECTLY CONFIGURED
      SOME DATA.

   2. Get back an answer if at all possible.

   3. Avoid unnecessary transmissions.

   4. Get the answer as quickly as possible.

(This list appears to be in order of most important to least important.
Amusingly, "Get the answer as correctly as possible" is not on the
list.)

This particular case seems to be a straight-forward trade-off between
#1, #2 and #3.

-- 
Robert Edmonds


More information about the dns-operations mailing list