[Yeti DNS Discuss] Five additional servers added to Yeti testbed & a bug finding on priming response

Stephane Bortzmeyer bortzmeyer at nic.fr
Wed May 4 08:16:51 UTC 2016


On Wed, May 04, 2016 at 02:22:12PM +0800,
 Davey Song <ljsong at biigroup.cn> wrote 
 a message of 275 lines which said:

> Please update your hint file if you run a yeti resolver.

By the way, I did *not* update my hints file to see if priming works
fine, and it does, with Unbound. I do not even need to restart the
daemon.

% dig NS .

; <<>> DiG 9.9.5-12.1-Debian <<>> NS .
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 11081
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 24, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;.			IN NS

;; ANSWER SECTION:
.			48087 IN NS yeti-ns.ix.ru.
.			48087 IN NS yeti-ns.conit.co.
.			48087 IN NS yeti-ns1.dns-lab.net.
.			48087 IN NS 3f79bb7b435b05321651daefd374cd.yeti-dns.net.
.			48087 IN NS yeti.ipv6.ernet.in.
.			48087 IN NS ca978112ca1bbdcafac231b39a23dc.yeti-dns.net.
.			48087 IN NS ns-yeti.bondis.org.
.			48087 IN NS 18ac3e7343f016890c510e93f93526.yeti-dns.net.
.			48087 IN NS yeti-dns01.dnsworkshop.org.
.			48087 IN NS yeti-ns.as59715.net.
.			48087 IN NS yeti.aquaray.com.
.			48087 IN NS yeti-ns.tisf.net.
.			48087 IN NS yeti-ns3.dns-lab.net.
.			48087 IN NS dahu2.yeti.eu.org.
.			48087 IN NS yeti-ns.switch.ch.
.			48087 IN NS dahu1.yeti.eu.org.
.			48087 IN NS bii.dns-lab.net.
.			48087 IN NS yeti-ns2.dns-lab.net.
.			48087 IN NS 3e23e8160039594a33894f6564e1b1.yeti-dns.net.
.			48087 IN NS 2e7d2c03a9507ae265ecf5b5356885.yeti-dns.net.
.			48087 IN NS yeti-ns.lab.nic.cl.
.			48087 IN NS yeti-ns.wide.ad.jp.
.			48087 IN NS yeti.bofh.priv.at.
.			48087 IN RRSIG NS 8 0 86400 (
				20160602180133 20160503180133 20454 .
				nFlj7VCx9mVGZPUPAp6r/+Cz60ihh1FZxMfaNbXT+nTC
				jury7kU+l+FVeSd59a4PenoIcD91VN+EUjdz+4mCZkkR
				I77Y5JnmBJUwlB6NAR3LZ9ViLejeO3etJxzhqXA2J1q7
				LIb3FT/xuRizzYeePVJLSTJhCMmJYy8p92px7VI= )

;; Query time: 0 msec
;; SERVER: ::1#53(::1)
;; WHEN: Wed May 04 10:05:46 CEST 2016
;; MSG SIZE  rcvd: 914

> Now there are 23 servers in Yeti and the size of priming response is
> up to 1400.

As expected, this large response creates a problem if the "NS ." request
is done without EDNS (I discovered such code in one of my old
programs). The proper way is either EDNS or
detect-TC-and-retries-with-TCP but some old and broken DNS clients
will fail to do it.

> For example, dahu1.yeti.eu.org. returned all 18 servers in the additional
> section with glue RRs when the number of servers is 18, but does not
> return the new server glue information after 5 servers were added into
> the system.

It's a NSD 4.1.8 with the default value for ipv6-edns-size. I can try
to change it. (I just upgraded to 4.1.9.)

> The case for yeti-ns.conit.co. is weird. After this addition it
> returns nothing in the answer and additional sections, whether over UDP or
> TCP.

The new setup makes interesting lists :-)

% check-soa -i .
18ac3e7343f016890c510e93f93526.yeti-dns.net.
	2a05:78c0:0:2::3:6: OK: 2016050400 (103 ms)
2e7d2c03a9507ae265ecf5b5356885.yeti-dns.net.
	2400:8901:e001:39::6: OK: 2016050400 (184 ms)
3e23e8160039594a33894f6564e1b1.yeti-dns.net.
	2803:80:1004:63::1: OK: 2016050400 (217 ms)
3f79bb7b435b05321651daefd374cd.yeti-dns.net.
	2401:c900:1401:3b:c::6: OK: 2016050400 (290 ms)
bii.dns-lab.net.
	240c:f:1:22::6: OK: 2016050400 (282 ms)
ca978112ca1bbdcafac231b39a23dc.yeti-dns.net.
	2c0f:f530::6: OK: 2016050400 (197 ms)
dahu1.yeti.eu.org.
	2001:4b98:dc2:45:216:3eff:fe4b:8c5b: OK: 2016050400 (21 ms)
dahu2.yeti.eu.org.
	2001:67c:217c:6::2: OK: 2016050400 (2 ms)
ns-yeti.bondis.org.
	2a02:2810:0:405::250: OK: 2016050400 (50 ms)
yeti-dns01.dnsworkshop.org.
	2001:1608:10:167:32e::53: OK: 2016050400 (12 ms)
yeti-ns.as59715.net.
	2a02:cdc5:9715:0:185:5:203:53: OK: 2016042701 (44 ms)
yeti-ns.conit.co.
	2604:6600:2000:11::4854:a010: ERROR: SERVFAIL (136 ms)
yeti-ns.ix.ru.
	2001:6d0:6d06::53: OK: 2016050400 (56 ms)
yeti-ns.lab.nic.cl.
	2001:1398:1:21::8001: OK: 2016050400 (254 ms)
yeti-ns.switch.ch.
	2001:620:0:ff::29: OK: 2016050400 (25 ms)
yeti-ns.tisf.net.
	2001:559:8000::6: OK: 2016050400 (183 ms)
yeti-ns.wide.ad.jp.
	2001:200:1d9::35: OK: 2016050400 (256 ms)
yeti-ns1.dns-lab.net.
	2001:da8:a3:a027::6: OK: 2016050400 (313 ms)
yeti-ns2.dns-lab.net.
	2001:da8:268:4200::6: OK: 2016050400 (348 ms)
yeti-ns3.dns-lab.net.
	2400:a980:30ff::6: OK: 2016050400 (316 ms)
yeti.aquaray.com.
	2a02:ec0:200::1: OK: 2016050400 (17 ms)
yeti.bofh.priv.at.
	2a01:4f8:161:6106:1::10: OK: 2016050400 (15 ms)
yeti.ipv6.ernet.in.
	2001:e30:1c1e:1::333: OK: 2016050400 (159 ms)

Note the problem with yeti-ns.conit.co and the awful lateness of
yeti-ns.as59715.net (was the last one detected by the monitoring?)

It's not so good with TCP, which is more necessary now. TISF times out:

% check-soa -i -tcp .
18ac3e7343f016890c510e93f93526.yeti-dns.net.
	2a05:78c0:0:2::3:6: OK: 2016050400 (99 ms)
2e7d2c03a9507ae265ecf5b5356885.yeti-dns.net.
	2400:8901:e001:39::6: OK: 2016050400 (184 ms)
3e23e8160039594a33894f6564e1b1.yeti-dns.net.
	2803:80:1004:63::1: OK: 2016050400 (216 ms)
3f79bb7b435b05321651daefd374cd.yeti-dns.net.
	2401:c900:1401:3b:c::6: OK: 2016050400 (298 ms)
bii.dns-lab.net.
	240c:f:1:22::6: OK: 2016050400 (281 ms)
ca978112ca1bbdcafac231b39a23dc.yeti-dns.net.
	2c0f:f530::6: OK: 2016050400 (196 ms)
dahu1.yeti.eu.org.
	2001:4b98:dc2:45:216:3eff:fe4b:8c5b: OK: 2016050400 (21 ms)
dahu2.yeti.eu.org.
	2001:67c:217c:6::2: OK: 2016050400 (2 ms)
ns-yeti.bondis.org.
	2a02:2810:0:405::250: OK: 2016050400 (87 ms)
yeti-dns01.dnsworkshop.org.
	2001:1608:10:167:32e::53: OK: 2016050400 (11 ms)
yeti-ns.as59715.net.
	2a02:cdc5:9715:0:185:5:203:53: OK: 2016042701 (44 ms)
yeti-ns.conit.co.
	2604:6600:2000:11::4854:a010: ERROR: SERVFAIL (135 ms)
yeti-ns.ix.ru.
	2001:6d0:6d06::53: OK: 2016050400 (56 ms)
yeti-ns.lab.nic.cl.
	2001:1398:1:21::8001: OK: 2016050400 (252 ms)
yeti-ns.switch.ch.
	2001:620:0:ff::29: OK: 2016050400 (25 ms)
yeti-ns.tisf.net.
	2001:559:8000::6: ERROR: read tcp [2001:67c:1348:7::86:133]:55978->[2001:559:8000::6]:53: i/o timeout
yeti-ns.wide.ad.jp.
	2001:200:1d9::35: OK: 2016050400 (266 ms)
yeti-ns1.dns-lab.net.
	2001:da8:a3:a027::6: OK: 2016050400 (315 ms)
yeti-ns2.dns-lab.net.
	2001:da8:268:4200::6: OK: 2016050400 (517 ms)
yeti-ns3.dns-lab.net.
	2400:a980:30ff::6: OK: 2016050400 (316 ms)
yeti.aquaray.com.
	2a02:ec0:200::1: OK: 2016050400 (13 ms)
yeti.bofh.priv.at.
	2a01:4f8:161:6106:1::10: OK: 2016050400 (15 ms)
yeti.ipv6.ernet.in.
	2001:e30:1c1e:1::333: OK: 2016050400 (625 ms)
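
The message above says a client sending "NS ." must either use EDNS or detect TC and retry over TCP, since without EDNS a UDP answer is limited to 512 bytes. The sketch below is an added example, not part of the original message or of any Yeti tool: it builds the priming query in wire format with or without an OPT record and falls back to TCP when the TC bit is set. All function names, the `send_udp`/`send_tcp` callables and the sample bytes are assumptions constructed for illustration.

```python
import struct

TC_FLAG = 0x0200  # truncation bit in the DNS header flags word

def build_priming_query(qid, edns_udp_size=None, dnssec_ok=True):
    """Wire-format "NS ." query; an OPT record is appended when edns_udp_size is set."""
    arcount = 1 if edns_udp_size else 0
    header = struct.pack("!6H", qid, 0x0100, 1, 0, 0, arcount)  # flags: RD only
    question = b"\x00" + struct.pack("!2H", 2, 1)               # root, NS, IN
    if not edns_udp_size:
        return header + question
    opt_ttl = 0x8000 if dnssec_ok else 0   # ext-rcode 0, version 0, DO flag
    # OPT RR: root owner name, TYPE 41, CLASS = UDP payload size, RDLEN 0
    opt = b"\x00" + struct.pack("!HHIH", 41, edns_udp_size, opt_ttl, 0)
    return header + question + opt

def is_truncated(message):
    """True when the server set TC: the answer did not fit the UDP limit."""
    if len(message) < 12:
        raise ValueError("shorter than a DNS header")
    return bool(struct.unpack("!H", message[2:4])[0] & TC_FLAG)

def tcp_frame(message):
    """DNS over TCP prefixes each message with its length as a 16-bit integer."""
    return struct.pack("!H", len(message)) + message

def tcp_unframe(data):
    (length,) = struct.unpack("!H", data[:2])
    if len(data) - 2 != length:
        raise ValueError("TCP length prefix does not match payload")
    return data[2:]

def prime(query, send_udp, send_tcp):
    """Send over UDP, retry over TCP on TC. Returns (response, transport_used).
    send_udp and send_tcp are caller-supplied callables (hypothetical transports)."""
    response = send_udp(query)
    if response[:2] != query[:2]:
        raise ValueError("response ID does not match query ID")
    if not is_truncated(response):
        return response, "udp"
    return tcp_unframe(send_tcp(tcp_frame(query))), "tcp"

# Constructed sample data: an old client's query without EDNS, a truncated UDP
# reply to it, and a padded stand-in for the 914-byte answer fetched over TCP.
QUERY = build_priming_query(0x2B49)
TRUNCATED = struct.pack("!6H", 0x2B49, 0x8300, 1, 0, 0, 0) + QUERY[12:]
FULL = struct.pack("!6H", 0x2B49, 0x8100, 1, 0, 0, 0) + QUERY[12:] + b"\x00" * 897
```

A client that stops after the first `send_udp` call and parses `TRUNCATED` as the answer is the broken behaviour the message describes.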

