Re: [DNSOP] m.root-servers.net DNSSEC TCP failures
sthaug@nethelp.no Wed, 17 March 2010 14:01 UTC
Date: Wed, 17 Mar 2010 15:01:33 +0100
To: nweaver@ICSI.Berkeley.EDU
From: sthaug@nethelp.no
Cc: george.barwood@blueyonder.co.uk, dnsop@ietf.org
> >> It seems that m.root-servers.net is now serving DNSSEC, but does not have TCP, so the following queries all fail
> >
> > Well these queries work just fine for me. Perhaps your problems are caused by local misconfiguration such as a broken CPE/middleware box or DNS proxy?
>
> I think it's that it's aggressively multihomed, and ONE of the instances is not working with TCP.
>
> My home net happily lets through anything on port 53, TCP or UDP, and I'm seeing the same symptoms, but a little more data:
>
> I think there may be something more wrong with that instance that's causing the TCP failures, so it might be something more general:

I definitely see problems with m.root-servers.net and TCP from here (Oslo, Norway):

% dig any . @202.12.27.33
;; Truncated, retrying in TCP mode.
;; communications error to 202.12.27.33#53: connection reset

% dig +tcp NS . @202.12.27.33
;; communications error to 202.12.27.33#53: connection reset

% dig any . @2001:dc3::35
;; Truncated, retrying in TCP mode
-> works, 1895 byte answer

% dig +tcp NS . @2001:dc3::35
works, 632 byte answer

So it looks like the IPv4 instance refuses TCP, while the IPv6 instance handles it okay. No filters in the way at my end.

The m.root-servers.net instance looks like it is in Paris or thereabouts - but there is quite a bit of difference between the instances: IPv4 (highly variable ping, RTT 700 ms or more) and IPv6 (ping steady at RTT 44-45 ms).

% traceroute 202.12.27.33
traceroute to 202.12.27.33 (202.12.27.33), 64 hops max, 40 byte packets
 1  ge0-3-1-99.ar1.hmg9.no.cachbone.net (193.75.110.65)  0.412 ms  0.508 ms  0.782 ms
 2  ge2-0-2.cr1.xa19.no.catchbone.net (193.75.1.217)  0.626 ms  0.635 ms  0.626 ms
 3  te5-1-0.br1.xa19.no.catchbone.net (193.75.1.74)  0.464 ms  0.326 ms  0.287 ms
 4  TenGigabitEthernet8-3.ar1.OSL2.gblx.net (64.211.83.13)  0.469 ms  0.476 ms  0.469 ms
 5  pos2-0-0-10G.ar1.ARN3.gblx.net (67.17.106.86)  7.328 ms  7.344 ms  7.334 ms
 6  tiscali-1.ar1.ARN3.gblx.net (64.208.110.130)  7.340 ms  7.342 ms  7.334 ms
 7  xe-4-1-0.par20.ip4.tinet.net (89.149.184.18)  33.077 ms
    xe-0-2-0.par20.ip4.tinet.net (89.149.187.193)  33.081 ms
    xe-4-1-0.par20.ip4.tinet.net (89.149.184.18)  33.072 ms
 8  213.200.76.38 (213.200.76.38)  53.975 ms  42.443 ms  42.284 ms
 9  * M.ROOT-SERVERS.NET (202.12.27.33)  180.041 ms  995.786 ms

% traceroute6 2001:dc3::35
traceroute6 to 2001:dc3::35 (2001:dc3::35) from 2001:8c0:8500:1::2, 64 hops max, 12 byte packets
 1  ge0-3-1-99.ar1.hmg9.no.catchbone.net  81.250 ms  0.517 ms  0.502 ms
 2  ge2-0-2.cr1.xa19.no.catchbone.net  0.477 ms  0.526 ms  0.475 ms
 3  te7-1-0.cr1.fn3.no.catchbone.net  0.647 ms  0.661 ms  0.634 ms
 4  te5-3-0.br1.fn3.no.catchbone.net  4.686 ms  0.674 ms  0.631 ms
 5  ix-6-0-0.core2.OS1-Oslo.ipv6.as6453.net  0.943 ms  0.819 ms  0.789 ms
 6  POS5-0-0.core1.AD1-Amsterdam.ipv6.as6453.net  26.062 ms  25.932 ms  25.914 ms
 7  if-1-0-0.1663.core1.FV0-Frankfurt.ipv6.as6453.net  34.651 ms  34.520 ms  34.488 ms
 8  POS10-0-0.core1.PV1-Paris.ipv6.as6453.net  43.541 ms  43.726 ms  43.699 ms
 9  wide-m-root-server-2.sfinx.tm.fr  43.536 ms  141.217 ms  43.734 ms
10  M.ROOT-SERVERS.NET  44.020 ms  44.348 ms  44.338 ms

Steinar Haug, Nethelp consulting, sthaug@nethelp.no
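
The per-address comparison made above with dig, as an added example that is not part of the original message: a Python probe that sends one DNS query over TCP to each address of a name server and reports which addresses reset, refuse or time out. The function names, the query ID and the status labels are choices made for this example.

```python
import socket
import struct
import sys

def build_query(qname=".", qtype=2, qid=0x4D52):
    """Minimal DNS query: one question, class IN; qtype 2 is NS, 255 is ANY."""
    header = struct.pack("!HHHHHH", qid, 0, 1, 0, 0, 0)
    labels = b"".join(bytes([len(p)]) + p.encode("ascii")
                      for p in qname.split(".") if p)
    return header + labels + b"\x00" + struct.pack("!HH", qtype, 1)

def _recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise EOFError("peer closed before a full message arrived")
        buf += chunk
    return buf

def probe_tcp(addr, port=53, timeout=5.0, qtype=2):
    """Return (status, answer_bytes) for one DNS-over-TCP query to addr."""
    query = build_query(qtype=qtype)
    try:
        with socket.create_connection((addr, port), timeout=timeout) as s:
            # DNS over TCP prefixes each message with a 2-byte length.
            s.sendall(struct.pack("!H", len(query)) + query)
            (length,) = struct.unpack("!H", _recv_exact(s, 2))
            reply = _recv_exact(s, length)
    except socket.timeout:
        return ("timeout", 0)
    except ConnectionRefusedError:
        return ("refused", 0)
    except ConnectionError:
        return ("reset", 0)        # reset or aborted: dig's "connection reset"
    except EOFError:
        return ("closed", 0)
    except OSError:
        return ("unreachable", 0)
    if reply[:2] != query[:2]:     # reply must echo the query ID
        return ("bad-id", len(reply))
    return ("ok", len(reply))

def tcp_report(addrs, **kw):
    """Probe every address of one server name; list those where TCP fails."""
    results = {a: probe_tcp(a, **kw) for a in addrs}
    broken = sorted(a for a, (status, _) in results.items() if status != "ok")
    return results, broken

if __name__ == "__main__":
    results, broken = tcp_report(sys.argv[1:])
    for a, (status, size) in results.items():
        print(f"{a}: {status} ({size} bytes)")
    sys.exit(1 if broken else 0)
```

Run it with the server's IPv4 and IPv6 addresses as arguments; it exits non-zero when any address fails over TCP.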