From: Bruce Ferrell
Date: Wed, 24 Dec 2014 08:31:54 -0800
To: freebsd-questions@freebsd.org
Subject: Re: DNS resolution question
Message-ID: <549AEA7A.109@baywinds.org>
In-Reply-To: <642699791.129.1419432044320.JavaMail.zimbra@phantombsd.org>

On 12/24/2014 06:40 AM, Casey Scott wrote:
> This issue surfaced when I noticed this entry in my server's daily security mail:
>
> Checking for packages with security vulnerabilities:
> pkg: http://vuxml.freebsd.org/freebsd/vuln.xml.bz2: No address record
> pkg: cannot fetch vulnxml file
>
> I discovered that the server is not able to resolve vuxml.freebsd.org, or even www.freebsd.org. I'm sure the problem isn't specific to the freebsd.org zone, but that's where I focused my effort. I found that recursive queries failed, however if I directly queried a name server authoritative for freebsd.org (i.e. ns1.isc-sns.net.), the query successfully returned the CNAME.
>
> OS Details:
> FreeBSD mustang 9.3-RELEASE FreeBSD 9.3-RELEASE #0 r271930: Sun Sep 21 19:01:57 PDT 2014 root@mustang:/usr/src/sys/amd64/compile/Server amd64
>
> DNS lookup attempt
> *******************************************************************************
> $ dig vuxml.freebsd.org +trace
> ; <<>> DiG 9.9.6-P1 <<>> vuxml.freebsd.org +trace
> ;; global options: +cmd
> . 517326 IN NS e.root-servers.net.
> . 517326 IN NS m.root-servers.net.
> . 517326 IN NS c.root-servers.net.
> . 517326 IN NS d.root-servers.net.
> . 517326 IN NS b.root-servers.net.
> . 517326 IN NS f.root-servers.net.
> . 517326 IN NS g.root-servers.net.
> . 517326 IN NS i.root-servers.net.
> . 517326 IN NS k.root-servers.net.
> . 517326 IN NS l.root-servers.net.
> . 517326 IN NS a.root-servers.net.
> . 517326 IN NS j.root-servers.net.
> . 517326 IN NS h.root-servers.net.
> . 517326 IN RRSIG NS 8 0 518400 20141231050000 20141224040000 22603 . OT3Uv0Krt43V999nh6ky8sK7Uob+Qb+M82BOS0uPTFxq1NL6m2XX7ri3 n/na4QyB/+iGTAlonAMVGyXEO1llrJt6iw7yucBriqy/xuGCwSY5Sllc Y3G7RdzerNgmAhfD2wiCwJPnVuGaD3O5318r2TLrsXdoQwGk7FNWiE1X GBE=
> ;; Received 913 bytes from 192.168.1.1#53(192.168.1.1) in 0 ms
>
> org. 172800 IN NS b2.org.afilias-nst.org.
> org. 172800 IN NS a2.org.afilias-nst.info.
> org. 172800 IN NS d0.org.afilias-nst.org.
> org. 172800 IN NS b0.org.afilias-nst.org.
> org. 172800 IN NS a0.org.afilias-nst.info.
> org. 172800 IN NS c0.org.afilias-nst.info.
> org. 86400 IN DS 21366 7 2 96EEB2FFD9B00CD4694E78278B5EFDAB0A80446567B69F634DA078F0 D90F01BA
> org. 86400 IN DS 21366 7 1 E6C1716CFB6BDC84E84CE1AB5510DAC69173B5B2
> org. 86400 IN RRSIG DS 8 1 86400 20141231050000 20141224040000 22603 . IjE3Yi3yF8a12dOlLt13Grqs7c2tOXwgyyghAkeqy36N14VrAGxsQMxU RlOE5rYwzeg1cLi55wRxGShNBz0/KU229xWrRNluzLUkbo+eW98E6Fcw nT/DHrIy9J/3zjf6NRC+zUUcQTOJGWAkPF40TqaJGwI0Ag6/p6yxcBJ5 MDM=
> ;; Received 691 bytes from 192.112.36.4#53(g.root-servers.net) in 73 ms
>
> freebsd.org. 86400 IN NS ns2.isc-sns.com.
> freebsd.org. 86400 IN NS ns1.isc-sns.net.
> freebsd.org. 86400 IN NS ns3.isc-sns.info.
> freebsd.org. 86400 IN DS 32659 8 2 AF3B32E46DF2FC32C0110C7D6B808EE73E0411501AFAF9022D3DCD0A FA5B3ACD
> freebsd.org. 86400 IN RRSIG DS 7 2 86400 20150109163356 20141219153356 11112 org. puF07NdtGtOY0uI3d789itchA2dEXz0URwCsckm7vjWoNIhdsMuG6jFc StzdAkvFDiDO/2C3x21spRrb7Y3ioDQpNJL2zJUn2S0L/8ueDbF9wJAT pEfAdMyUwlCQkVM45Ptf98z7iLTWWe2xQBhZZ1OGaPRW+VwKE0rCaz2d 1rg=
> ;; Received 345 bytes from 199.19.53.1#53(c0.org.afilias-nst.info) in 134 ms
>
> ;; connection timed out; no servers could be reached
> *******************************************************************************
>
> tcpdump of the query above
> *******************************************************************************
> listening on fxp0, link-type EN10MB (Ethernet), capture size 65535 bytes
> 05:59:36.016640 IP x.x.x.x.54272 > 38.103.2.1.53: 18640 [1au] A? vuxml.freebsd.org. (46)
> 05:59:36.127776 IP 38.103.2.1.53 > x.x.x.x.54272: 18640*- 4/4/11 CNAME wfe0.ysv.freebsd.org., RRSIG, A 8.8.178.110, RRSIG (1464)
> 05:59:38.021067 IP x.x.x.x.52431 > 38.103.2.1.53: 13086 [1au] AAAA? vuxml.freebsd.org. (46)
> 05:59:38.051272 IP x.x.x.x.51125 > 63.243.194.1.53: 16824 [1au] A? vuxml.freebsd.org. (46)
> 05:59:38.081819 IP 63.243.194.1.53 > x.x.x.x.51125: 16824*- 4/4/11 CNAME wfe0.ysv.freebsd.org., RRSIG, A 8.8.178.110, RRSIG (1464)
> 05:59:38.132821 IP 38.103.2.1.53 > x.x.x.x.52431: 13086*- 4/4/11 CNAME wfe0.ysv.freebsd.org., RRSIG, AAAA, RRSIG (1464)
> 05:59:40.056275 IP x.x.x.x.62003 > 63.243.194.1.53: 41954 [1au] AAAA? vuxml.freebsd.org. (46)
> 05:59:40.086597 IP 63.243.194.1.53 > x.x.x.x.62003: 41954*- 4/4/11 CNAME wfe0.ysv.freebsd.org., RRSIG, AAAA, RRSIG (1464)
> 05:59:40.267272 IP x.x.x.x.61416 > 72.52.71.1.53: 32843 [1au] A? vuxml.freebsd.org. (46)
> 05:59:40.297103 IP 72.52.71.1.53 > x.x.x.x.61416: 32843*- 4/4/11 CNAME wfe0.ysv.freebsd.org., RRSIG, A 8.8.178.110, RRSIG (1464)
> 05:59:42.272273 IP x.x.x.x.54674 > 72.52.71.1.53: 2755 [1au] AAAA? vuxml.freebsd.org. (46)
> 05:59:42.302289 IP 72.52.71.1.53 > x.x.x.x.54674: 2755*- 4/4/11 CNAME wfe0.ysv.freebsd.org., RRSIG, AAAA, RRSIG (1464)
> 05:59:42.487277 IP x.x.x.x.54239 > 38.103.2.1.53: 38272 [1au] A? vuxml.freebsd.org. (46)
> 05:59:42.598927 IP 38.103.2.1.53 > x.x.x.x.54239: 38272*- 4/4/11 CNAME wfe0.ysv.freebsd.org., RRSIG, A 8.8.178.110, RRSIG (1464)
> 05:59:44.492281 IP x.x.x.x.59505 > 38.103.2.1.53: 22873 [1au] AAAA? vuxml.freebsd.org. (46)
> 05:59:44.604217 IP 38.103.2.1.53 > x.x.x.x.59505: 22873*- 4/4/11 CNAME wfe0.ysv.freebsd.org., RRSIG, AAAA, RRSIG (1464)
> 05:59:44.722266 IP x.x.x.x.61141 > 63.243.194.1.53: 50828 [1au] A? vuxml.freebsd.org. (46)
> 05:59:44.753517 IP 63.243.194.1.53 > x.x.x.x.61141: 50828*- 4/4/11 CNAME wfe0.ysv.freebsd.org., RRSIG, A 8.8.178.110, RRSIG (1464)
> 05:59:46.727324 IP x.x.x.x.49803 > 63.243.194.1.53: 51222 [1au] AAAA? vuxml.freebsd.org. (46)
> 05:59:46.757577 IP 63.243.194.1.53 > x.x.x.x.49803: 51222*- 4/4/11 CNAME wfe0.ysv.freebsd.org., RRSIG, AAAA, RRSIG (1464)
> 05:59:57.395692 IP x.x.x.x.60149 > 165.254.1.208.53: 31873 [1au] A? e6238.a.akamaiedge.net. (51)
> 05:59:57.404644 IP 165.254.1.208.53 > x.x.x.x.60149: 31873*- 1/0/0 A 96.7.67.53 (56)
> *******************************************************************************
>
> BIND build options
> *******************************************************************************
> # named -V
> BIND 9.9.6-P1 (Extended Support Version) built by make with '--localstatedir=/var' '--disable-linux-caps' '--disable-symtable' '--with-randomdev=/dev/random' '--with-libxml2=/usr/local' '--disable-filter-aaaa' '--disable-fixed-rrset' '--without-gost' '--without-idn' '--disable-ipv6' '--disable-largefile' '--disable-newstats' '--without-python' '--disable-rpz-nsdname' '--disable-rpz-nsip' '--disable-rrl' '--with-openssl=/usr/local' '--without-gssapi' '--enable-threads' '--sysconfdir=/etc/namedb' '--prefix=/usr' '--mandir=/usr/share/man' '--infodir=/usr/share/info/' '--build=amd64-portbld-freebsd9.3' 'build_alias=amd64-portbld-freebsd9.3' 'CC=cc' 'CFLAGS=-O2 -pipe -march=native -fstack-protector -fno-strict-aliasing' 'LDFLAGS= -Wl,-rpath,/usr/local/lib -fstack-protector' 'LIBS=' 'CPPFLAGS=' 'CPP=cpp'
> compiled by GCC 4.2.1 20070831 patched [FreeBSD]
> using OpenSSL version: OpenSSL 1.0.1j 15 Oct 2014
> using libxml2 version: 2.9.2
> *******************************************************************************
>
> Any idea what's going on here?
>
> Thanks,
> Casey
>

Casey, think you're getting a correct response.

dig @192.0.2.131 vuxml.freebsd.org

; <<>> DiG 9.9.5-rpz2+rl.14038.05-P1 <<>> @192.0.2.131 vuxml.freebsd.org
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 54956
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 3, ADDITIONAL: 6

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;vuxml.freebsd.org. IN A

;; ANSWER SECTION:
vuxml.freebsd.org. 497 IN CNAME wfe0.ysv.freebsd.org.
wfe0.ysv.freebsd.org. 497 IN A 8.8.178.110

;; AUTHORITY SECTION:
freebsd.org. 497 IN NS ns3.isc-sns.info.
freebsd.org. 497 IN NS ns2.isc-sns.com.
freebsd.org. 497 IN NS ns1.isc-sns.net.

;; ADDITIONAL SECTION:
ns1.isc-sns.net. 2488 IN A 72.52.71.1
ns1.isc-sns.net. 166365 IN AAAA 2001:470:1a::1
ns2.isc-sns.com. 2488 IN A 38.103.2.1
ns3.isc-sns.info. 2488 IN A 63.243.194.1
ns3.isc-sns.info. 79965 IN AAAA 2001:5a0:10::1

;; Query time: 1 msec
;; SERVER: 192.0.2.131#53(192.0.2.131)
;; WHEN: Wed Dec 24 08:28:06 PST 2014
;; MSG SIZE rcvd: 277

Notice in the answer section of my simplified query via my local nameserver, wfe0.ysv.freebsd.org is in the A record. I saw the same response in your query, it was just harder to see.
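
Added example, not part of the original messages: the responses in the quoted tcpdump capture are easier to see once each query is paired with its response by client port, server and transaction ID. The sample is the first six packets of that capture; the function names are this example's own.

```python
import re
from collections import Counter
# First six packets of the tcpdump capture quoted above, copied unchanged.
CAPTURE = """\
05:59:36.016640 IP x.x.x.x.54272 > 38.103.2.1.53: 18640 [1au] A? vuxml.freebsd.org. (46)
05:59:36.127776 IP 38.103.2.1.53 > x.x.x.x.54272: 18640*- 4/4/11 CNAME wfe0.ysv.freebsd.org., RRSIG, A 8.8.178.110, RRSIG (1464)
05:59:38.021067 IP x.x.x.x.52431 > 38.103.2.1.53: 13086 [1au] AAAA? vuxml.freebsd.org. (46)
05:59:38.051272 IP x.x.x.x.51125 > 63.243.194.1.53: 16824 [1au] A? vuxml.freebsd.org. (46)
05:59:38.081819 IP 63.243.194.1.53 > x.x.x.x.51125: 16824*- 4/4/11 CNAME wfe0.ysv.freebsd.org., RRSIG, A 8.8.178.110, RRSIG (1464)
05:59:38.132821 IP 38.103.2.1.53 > x.x.x.x.52431: 13086*- 4/4/11 CNAME wfe0.ysv.freebsd.org., RRSIG, AAAA, RRSIG (1464)
"""

LINE = re.compile(r"^(\d\d):(\d\d):(\d\d)\.(\d{6}) IP (\S+)\.(\d+) > (\S+)\.(\d+): "
                  r"(\d+)(\S*) (.*) \((\d+)\)$")
QUESTION = re.compile(r"([A-Z0-9]+)\? (\S+)")  # e.g. "A? vuxml.freebsd.org."


def parse(line):
    """Split one tcpdump DNS summary line into fields; None if it does not match."""
    m = LINE.match(line.strip())
    if not m:
        return None
    h, mi, s, us, src, sport, dst, dport, txid, _flags, rest, size = m.groups()
    return dict(t_us=((int(h) * 60 + int(mi)) * 60 + int(s)) * 1_000_000 + int(us),
                src=src, sport=int(sport), dst=dst, dport=int(dport),
                txid=int(txid), rest=rest, size=int(size))


def pair(capture):
    """Return (answered, unanswered) queries, matched on client, port, server and ID."""
    pending, answered = {}, []
    for p in filter(None, map(parse, capture.splitlines())):
        q = QUESTION.search(p["rest"])
        if p["dport"] == 53 and q:        # client -> server: a question
            pending[(p["src"], p["sport"], p["dst"], p["txid"])] = dict(
                qtype=q.group(1), qname=q.group(2), server=p["dst"], sent_us=p["t_us"])
        elif p["sport"] == 53:            # server -> client: a response
            hit = pending.pop((p["dst"], p["dport"], p["src"], p["txid"]), None)
            if hit:
                hit.update(rtt_ms=(p["t_us"] - hit["sent_us"]) / 1000,
                           size=p["size"], answer=p["rest"])
                answered.append(hit)
    return answered, list(pending.values())


def questions_sent(capture):
    """Count how often each (qtype, qname) was asked; a count above 1 is a repeat."""
    pkts = filter(None, map(parse, capture.splitlines()))
    qs = (QUESTION.search(p["rest"]) for p in pkts if p["dport"] == 53)
    return Counter((q.group(1), q.group(2)) for q in qs if q)
```

Over these six packets `pair(CAPTURE)` leaves nothing unanswered and every response is 1464 bytes, while `questions_sent(CAPTURE)` shows the A question was still asked a second time.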