[dns-operations] dynect.net outage

Robert Edmonds edmonds at mycre.ws
Mon May 30 07:38:37 UTC 2022


Ralf Weber wrote:
> Moin!
> 
> On 30 May 2022, at 8:34, Robert Edmonds wrote:
> >> So how do you expect the domain to be resolved if all of your out
> >> of bailiwick name server names no longer point to an IP address?
> >
> > By using the working nameservers with resolvable names specified in the
> > delegation from the parent zone, which never changed in this particular
> > case. This is what Unbound's resolution algorithm does if there are not
> > too many nonexisting nameserver target names in the child's NS RRset,
> > and what other resolver algorithms do.
> So you mean the parent provided additional records (A/AAAA) when issuing
> a referral? Otherwise I can not see how from an empty cache you can
> resolve this domain if all of the name server names supplied are NXDOMAIN.

Yes, in fact these particular records:

;; AUTHORITY SECTION:
dynect.net.             172800  IN      NS      ns1.dynamicnetworkservices.net.
dynect.net.             172800  IN      NS      ns2.dynamicnetworkservices.net.
dynect.net.             172800  IN      NS      ns3.dynamicnetworkservices.net.
dynect.net.             172800  IN      NS      ns4.dynamicnetworkservices.net.
dynect.net.             172800  IN      NS      ns5.dynamicnetworkservices.net.
dynect.net.             172800  IN      NS      ns6.dynamicnetworkservices.net.

;; ADDITIONAL SECTION:
ns1.dynamicnetworkservices.net. 172800 IN A     108.59.161.136
ns1.dynamicnetworkservices.net. 172800 IN AAAA  2600:2000:2210::136
ns2.dynamicnetworkservices.net. 172800 IN A     108.59.162.136
ns2.dynamicnetworkservices.net. 172800 IN AAAA  2600:2000:2220::136
ns3.dynamicnetworkservices.net. 172800 IN AAAA  2001:500:94:1::136
ns3.dynamicnetworkservices.net. 172800 IN A     208.78.71.136
ns4.dynamicnetworkservices.net. 172800 IN A     204.13.251.136
ns5.dynamicnetworkservices.net. 172800 IN A     108.59.161.136
ns5.dynamicnetworkservices.net. 172800 IN AAAA  2600:2000:2210::136
ns6.dynamicnetworkservices.net. 172800 IN AAAA  2001:500:94:1::136
ns6.dynamicnetworkservices.net. 172800 IN A     208.78.71.136

> > There is more than one resolver implementation, and they differ in the
> > results of resolving a zone with this type of misconfiguration, and none
> > of them are the reference implementation of DNS. So just looking at a
> > particular resolver algorithm returning SERVFAIL when encountering a
> > particular data pattern starting from a cold cache cannot tell us
> > whether the algorithm or the data is at fault.
> I agree on this, however the differences in implementation are less
> when it comes to resolving from a cold cache and all the explanations
> given so far for me point to the domain being unresolvable for all
> implementations from an empty cache.

I set up two simulations of this scenario in the zones nxdemo.mycre.ws
and nxdemosmall.mycre.ws (with wildcard TXT records '*.nxdemo.mycre.ws'
and '*.nxdemosmall.mycre.ws') in case anyone wants to test out a
particular implementation.

I get these results with Unbound:

$ for i in `seq 1 10`; do dig ${i}.nxdemosmall.mycre.ws -t TXT | grep status:; sleep 0.2; done
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 662
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 45145
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 61167
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 39297
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 31167
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 53187
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 2917
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 37281
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 15433
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 63533

$ for i in `seq 1 10`; do dig ${i}.nxdemo.mycre.ws -t TXT | grep status:; sleep 0.2; done
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 52593
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 5778
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 17835
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 6077
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 33311
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 46376
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 22646
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 58220
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 22294
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 38712

-- 
Robert Edmonds
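
The referral quoted in the message above, checked for glue coverage. This is an added Python example, not part of the original message; `parse_referral` and `cold_cache_plan` are hypothetical helper names. It models only whether the parent-supplied A/AAAA records give a resolver usable server addresses without looking up the NS target names, not any particular resolver's algorithm.

```python
import ipaddress
# Referral for dynect.net, copied from the dig output quoted in the message.
REFERRAL = """\
;; AUTHORITY SECTION:
dynect.net.             172800  IN      NS      ns1.dynamicnetworkservices.net.
dynect.net.             172800  IN      NS      ns2.dynamicnetworkservices.net.
dynect.net.             172800  IN      NS      ns3.dynamicnetworkservices.net.
dynect.net.             172800  IN      NS      ns4.dynamicnetworkservices.net.
dynect.net.             172800  IN      NS      ns5.dynamicnetworkservices.net.
dynect.net.             172800  IN      NS      ns6.dynamicnetworkservices.net.
;; ADDITIONAL SECTION:
ns1.dynamicnetworkservices.net. 172800 IN A     108.59.161.136
ns1.dynamicnetworkservices.net. 172800 IN AAAA  2600:2000:2210::136
ns2.dynamicnetworkservices.net. 172800 IN A     108.59.162.136
ns2.dynamicnetworkservices.net. 172800 IN AAAA  2600:2000:2220::136
ns3.dynamicnetworkservices.net. 172800 IN AAAA  2001:500:94:1::136
ns3.dynamicnetworkservices.net. 172800 IN A     208.78.71.136
ns4.dynamicnetworkservices.net. 172800 IN A     204.13.251.136
ns5.dynamicnetworkservices.net. 172800 IN A     108.59.161.136
ns5.dynamicnetworkservices.net. 172800 IN AAAA  2600:2000:2210::136
ns6.dynamicnetworkservices.net. 172800 IN AAAA  2001:500:94:1::136
ns6.dynamicnetworkservices.net. 172800 IN A     208.78.71.136
"""

def parse_referral(text):
    """Return (NS target names, {owner name: set of glue addresses})."""
    targets, glue = [], {}
    for line in text.splitlines():
        fields = line.split()
        if line.startswith(";") or len(fields) != 5:
            continue  # section headers, blanks, anything not "owner ttl class type rdata"
        owner, _ttl, _class, rtype, rdata = fields
        if rtype == "NS":
            targets.append(rdata.lower())
        elif rtype in ("A", "AAAA"):
            glue.setdefault(owner.lower(), set()).add(ipaddress.ip_address(rdata))
    return targets, glue

def cold_cache_plan(text):
    """Return (targets usable from glue, targets needing a lookup, distinct addresses)."""
    targets, glue = parse_referral(text)
    usable = {t: glue[t] for t in targets if t in glue}
    # A target without glue must itself be resolved, and fails if it is NXDOMAIN.
    needs_lookup = [t for t in targets if t not in glue]
    return usable, needs_lookup, set().union(*usable.values())

if __name__ == "__main__":
    usable, needs_lookup, addresses = cold_cache_plan(REFERRAL)
    print(len(usable), "with glue;", len(needs_lookup), "need lookup;", len(addresses), "addresses")
```

For this referral every NS target has glue, so no target name has to be looked up, although the six names share only seven distinct addresses.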