The Adobe servers are just plain broken.

Request a CNAME -> NXDOMAIN (Should return CNAME record)
Request a TXT -> NXDOMAIN (Should return CNAME record)
Request a NS -> NXDOMAIN (Should return CNAME record)
Add an EDNS option -> NXDOMAIN (Should return CNAME record)

I suspect the load balancer is passing non A/AAAA queries through to a
backing server that doesn't have a fallback CNAME in the zone for
ardownload.wip4.adobe.com, resulting in NXDOMAIN being returned.

That said, the load balancer should know that if it is returning CNAME
to A and AAAA queries, it should also return CNAME to all other
query types. This is basic RFC 1034 behaviour.

Mark

; <<>> DiG 9.11.0pre-alpha <<>> ardownload.wip4.adobe.com cname @du1gtm001.adobe.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 201
;; flags: qr aa rd; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;ardownload.wip4.adobe.com. IN CNAME

;; AUTHORITY SECTION:
wip4.adobe.com. 30 IN SOA sj1gtm001.adobe.com. hostmaster.sj1gtm001.adobe.com. 1283 10800 3600 604800 60

;; Query time: 486 msec
;; SERVER: 193.104.215.247#53(193.104.215.247)
;; WHEN: Tue Jul 08 12:15:41 EST 2014
;; MSG SIZE rcvd: 111

; <<>> DiG 9.11.0pre-alpha <<>> ardownload.wip4.adobe.com a @du1gtm001.adobe.com +nsid
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 37308
;; flags: qr aa rd; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;ardownload.wip4.adobe.com. IN A

;; AUTHORITY SECTION:
wip4.adobe.com. 30 IN SOA sj1gtm001.adobe.com. hostmaster.sj1gtm001.adobe.com. 1283 10800 3600 604800 60

;; Query time: 422 msec
;; SERVER: 193.104.215.247#53(193.104.215.247)
;; WHEN: Tue Jul 08 12:17:30 EST 2014
;; MSG SIZE rcvd: 111

; <<>> DiG 9.11.0pre-alpha <<>> ardownload.wip4.adobe.com a @du1gtm001.adobe.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 37210
;; flags: qr aa rd ad; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;ardownload.wip4.adobe.com. IN A

;; ANSWER SECTION:
ardownload.wip4.adobe.com. 300 IN CNAME ardownload.adobe.com.edgesuite.net.

;; Query time: 441 msec
;; SERVER: 193.104.215.247#53(193.104.215.247)
;; WHEN: Tue Jul 08 12:15:57 EST 2014
;; MSG SIZE rcvd: 102

In message <CAEKtLiQWZUifPX_bxGJh7uhQkRUiiG=+k-d54q2i_vebm6_...@mail.gmail.com>, Casey Deccio writes:
>
> On Wed, Jul 2, 2014 at 2:51 PM, Carl Byington <c...@byington.org> wrote:
>
> > -----BEGIN PGP SIGNED MESSAGE-----
> > Hash: SHA1
> >
> > version: 9.10.0-P2
> >
> > dig ardownload.adobe.com. @localhost
> >
> > ;; ANSWER SECTION:
> > ardownload.adobe.com. 8743 IN CNAME ardownload.wip4.adobe.com.
> >
> >
> What is the rest of the dig output? Specifically, what status is your
> resolver giving you (NOERROR or NXDOMAIN)?
>
> When queried for type NS, the adobe load balancer returns NXDOMAIN:
>
> $ dig @du1gtm001.adobe.com ardownload.wip4.adobe.com ns
>
> ; <<>> DiG 9.8.4-rpz2+rl005.12-P1 <<>> @du1gtm001.adobe.com
> ardownload.wip4.adobe.com ns
> ; (1 server found)
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 42533
> ;; flags: qr aa rd; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
> ;; WARNING: recursion requested but not available
>
> ;; QUESTION SECTION:
> ;ardownload.wip4.adobe.com. IN NS
>
> ;; AUTHORITY SECTION:
> wip4.adobe.com. 30 IN SOA sj1gtm001.adobe.com.
> hostmaster.sj1gtm001.adobe.com. 1283 10800 3600 604800 60
>
> ;; Query time: 116 msec
> ;; SERVER: 193.104.215.247#53(193.104.215.247)
> ;; WHEN: Mon Jul 7 16:58:37 2014
> ;; MSG SIZE rcvd: 100
>
>
> Even though A queries yield NOERROR:
>
> $ dig @du1gtm001.adobe.com ardownload.wip4.adobe.com a
>
> ; <<>> DiG 9.8.4-rpz2+rl005.12-P1 <<>> @du1gtm001.adobe.com
> ardownload.wip4.adobe.com a
> ; (1 server found)
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 21275
> ;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
> ;; WARNING: recursion requested but not available
>
> ;; QUESTION SECTION:
> ;ardownload.wip4.adobe.com. IN A
>
> ;; ANSWER SECTION:
> ardownload.wip4.adobe.com. 300 IN CNAME
> ardownload.adobe.com.edgesuite.net.
>
> ;; Query time: 119 msec
> ;; SERVER: 193.104.215.247#53(193.104.215.247)
> ;; WHEN: Mon Jul 7 16:59:25 2014
> ;; MSG SIZE rcvd: 91
>
> Your cache might be adversely affected by this behavior if your cache is
> sending NS queries to authoritative servers (for example, RPZ with NS
> lookup), which would cause the name to be cached as NXDOMAIN.
>
> Casey
>
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org
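
An added example, not part of the original message and not code from BIND or ISC: a Python check that parses dig transcripts and reports any name a server answers with NOERROR for one query type and NXDOMAIN for another, which is the inconsistency described in the message above. The sample text is trimmed from the responses quoted in the thread, and the function names are this example's own.

```python
import re

# Constructed sample, trimmed from the dig transcripts in the message above.
SAMPLE = """\
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 201
;; QUESTION SECTION:
;ardownload.wip4.adobe.com. IN CNAME
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 42533
;; QUESTION SECTION:
;ardownload.wip4.adobe.com. IN NS
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 37210
;; QUESTION SECTION:
;ardownload.wip4.adobe.com. IN A
;; ANSWER SECTION:
ardownload.wip4.adobe.com. 300 IN CNAME ardownload.adobe.com.edgesuite.net.
"""

HEADER = re.compile(r"->>HEADER<<-.*status: (\w+)")
SECTION = re.compile(r"^;; (\w+) SECTION:")
QUESTION = re.compile(r"^;(\S+)\s+IN\s+(\S+)")
RECORD = re.compile(r"^(\S+)\s+\d+\s+IN\s+(\S+)\s+(\S+)")

def parse_dig(text):
    """Return one dict per response: status, qname, qtype, answer records."""
    responses, cur, section = [], None, None
    for line in text.splitlines():
        if m := HEADER.search(line):
            cur = {"status": m.group(1), "qname": None, "qtype": None, "answers": []}
            responses.append(cur)
            section = None
        elif cur is None:
            continue  # text before the first response header
        elif m := SECTION.match(line):
            section = m.group(1)
        elif section == "QUESTION" and (m := QUESTION.match(line)):
            cur["qname"], cur["qtype"] = m.group(1).lower(), m.group(2)
        elif section == "ANSWER" and (m := RECORD.match(line)):
            cur["answers"].append((m.group(2), m.group(3)))
    return responses

def find_inconsistent(responses):
    """Names answered NOERROR for one qtype but NXDOMAIN for another.
    NXDOMAIN asserts the name has no records of any type, so both cannot hold."""
    seen = {}
    for r in responses:
        bucket = {"NOERROR": "exists", "NXDOMAIN": "nxdomain"}.get(r["status"])
        if bucket:
            seen.setdefault(r["qname"], {"exists": [], "nxdomain": []})[bucket].append(r["qtype"])
    return {n: e for n, e in seen.items() if e["exists"] and e["nxdomain"]}
```

Feeding it the concatenated output of several `dig` runs against the same authoritative server gives a per-name list of the query types that disagree.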