We have just enabled RPZ with some NSDNAME checks and are seeing
an issue resolving www.rackspace.com.
The first lookup is successful and returns both the CNAME and the
A record. The second query, within a second of the first, will only
return the CNAME. It will only return the CNAME until the TTL of the A
record times out. The first query, when it actually has to go out and do
recursion, will always work. Answering from cache will always fail. When
you inspect the cache during the time that it is only returning the CNAME,
the record in cache is "www.wip.rackspace.com type ANY NXDOMAIN". This
only happens with RPZs enabled and the query hitting an RPZ zone with a
NSDNAME line. Turning off RPZ or whitelisting the lookup via RPZ before
it hits an RPZ with NSDNAME allows the query to be successful 100% of the
time.
Can anyone else verify this behavior? What is going on with
www.rackspace.com? If this is a misconfiguration on Rackspace's DNS
servers, how are they not getting hit with support calls like crazy?
dig @redacted.cat.com www.rackspace.com
; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.17.rc1.el6_4.6 <<>> @redacted.cat.com www.rackspace.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 30337
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;www.rackspace.com. IN A
;; ANSWER SECTION:
www.rackspace.com. 300 IN CNAME www.wip.rackspace.com.
www.wip.rackspace.com. 30 IN A 173.203.44.116
;; Query time: 193 msec
;; SERVER: redacted
;; WHEN: Wed May 7 08:53:08 2014
;; MSG SIZE rcvd: 73
dig @redacted.cat.com www.rackspace.com
; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.17.rc1.el6_4.6 <<>> @redacted.cat.com www.rackspace.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 25905
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 0
;; QUESTION SECTION:
;www.rackspace.com. IN A
;; ANSWER SECTION:
www.rackspace.com. 298 IN CNAME www.wip.rackspace.com.
;; AUTHORITY SECTION:
wip.rackspace.com. 58 IN SOA www-gtm-ord1.rackspace.com. hostmaster.305181-GTM1.rackspace.com. 86 10800 3600 604800 60
;; Query time: 2 msec
;; SERVER: redacted
;; WHEN: Wed May 7 08:53:10 2014
;; MSG SIZE rcvd: 129
David A. Evans
Enterprise IP/DNS Management
Network Infrastructure Tools and Services
evans_davi...@cat.com
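The symptom described above (the CNAME target resolves to an address when the resolver recurses, but a second query served from cache returns NXDOMAIN with only the CNAME) is easy to miss in casual testing because each answer looks plausible on its own. Below is an added example, not part of the original post or of BIND, showing a small Python check that parses two consecutive dig answers and flags exactly this inconsistency. The two dig outputs are copied from the post (the server name was already redacted by the poster); the function and field names are this example's own, and it only handles the text sections that dig prints, not the wire format.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Two consecutive dig answers, copied from the mailing-list post above.
FIRST_RESPONSE = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 30337
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;www.rackspace.com. IN A
;; ANSWER SECTION:
www.rackspace.com. 300 IN CNAME www.wip.rackspace.com.
www.wip.rackspace.com. 30 IN A 173.203.44.116
;; Query time: 193 msec
"""

SECOND_RESPONSE = """\
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 25905
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 0
;; QUESTION SECTION:
;www.rackspace.com. IN A
;; ANSWER SECTION:
www.rackspace.com. 298 IN CNAME www.wip.rackspace.com.
;; AUTHORITY SECTION:
wip.rackspace.com. 58 IN SOA www-gtm-ord1.rackspace.com. hostmaster.305181-GTM1.rackspace.com. 86 10800 3600 604800 60
;; Query time: 2 msec
"""

# A resource record as dig prints it: (owner, ttl, class, type, rdata).
RR = Tuple[str, int, str, str, str]


@dataclass
class DigResponse:
    status: str = "UNKNOWN"
    answer: List[RR] = field(default_factory=list)
    authority: List[RR] = field(default_factory=list)


def parse_dig(text: str) -> DigResponse:
    """Parse dig's text output into status, answer and authority sections."""
    resp = DigResponse()
    section: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith(";"):
            # Comment lines carry the header status and mark which section follows.
            m = re.search(r"status: ([A-Z]+)", line)
            if "HEADER" in line and m:
                resp.status = m.group(1)
            elif line.startswith(";; ANSWER SECTION"):
                section = "answer"
            elif line.startswith(";; AUTHORITY SECTION"):
                section = "authority"
            else:
                section = None  # QUESTION section, flags, timing lines, etc.
            continue
        if section is None:
            continue
        fields = line.split(None, 4)
        if len(fields) < 4:
            continue
        owner, ttl, rclass, rtype = fields[:4]
        rdata = fields[4] if len(fields) == 5 else ""
        getattr(resp, section).append((owner.lower(), int(ttl), rclass, rtype, rdata))
    return resp


def cname_target(resp: DigResponse, qname: str) -> str:
    """Follow CNAMEs in the answer section from qname; return the final owner name."""
    name = qname.lower() if qname.endswith(".") else qname.lower() + "."
    seen = set()
    while name not in seen:
        seen.add(name)
        nxt = [rr[4].lower() for rr in resp.answer if rr[0] == name and rr[3] == "CNAME"]
        if not nxt:
            break
        name = nxt[0]
    return name


def has_address(resp: DigResponse, name: str) -> bool:
    return any(rr[0] == name.lower() and rr[3] in ("A", "AAAA") for rr in resp.answer)


def diagnose_chain_truncation(first_text: str, second_text: str, qname: str) -> Optional[str]:
    """Flag the case where the CNAME target had an address on the first query but
    a later query returns only the CNAME with a negative status. Returns None if
    the two answers are consistent."""
    first, second = parse_dig(first_text), parse_dig(second_text)
    target = cname_target(first, qname)
    if target == cname_target(DigResponse(), qname) or not has_address(first, target):
        return None  # not a resolved CNAME chain; nothing to compare
    if cname_target(second, qname) == target and not has_address(second, target):
        soa = [rr for rr in second.authority if rr[3] == "SOA"]
        zone = soa[0][0] if soa else "(no SOA in authority section)"
        return (f"{qname} -> {target} had an address on the first query, but the second "
                f"query returned status {second.status} with only the CNAME; negative "
                f"answer attributed to zone {zone}")
    return None


if __name__ == "__main__":
    print(diagnose_chain_truncation(FIRST_RESPONSE, SECOND_RESPONSE, "www.rackspace.com."))
```

Run against the two captures from the post, the check reports the truncated chain and names wip.rackspace.com. as the zone whose SOA authenticated the negative answer, which matches the cached "www.wip.rackspace.com type ANY NXDOMAIN" entry the poster observed. Feeding it two consistent answers (for example the first capture twice) returns None, so it can be dropped into a periodic resolver health check after an RPZ change.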