On 1/6/16 16:10, Sotiris Tsimbonis wrote:
> On 1/6/16 15:50, Nico CARTRON wrote:
>> Hi Sotiris,
>>
>> On 1 June 2016 at 14:47:31, Sotiris Tsimbonis (sts...@forthnet.gr
>> <mailto:sts...@forthnet.gr>) wrote:
>>
>>> On 1/6/16 15:30, Kevin Kretz wrote:
>>>> There's also no reason to assume that the different responses have
>>>> anything to do with the client network. They could, of course (with
>>>> views), but that you get different responses from the same/similar IP
>>>> is, again, not anything wrong.
>>>>
>>>
>>> True, so below is probably the visualisation of load balancing ... which
>>> most of the times gives me "the wrong logical answer".
>>>
>>> [root@syz3ns03 ~]# while true ; do sleep 0.1 ; echo "$(date) $(dig +short A www.google.com. @ns3.google.com.)" ; done
>>> ...
>>> Wed Jun 1 15:42:31 EEST 2016 172.217.16.36
>>> Wed Jun 1 15:42:32 EEST 2016 172.217.16.36
>>> Wed Jun 1 15:42:32 EEST 2016 172.217.16.36
>>> Wed Jun 1 15:42:32 EEST 2016 216.58.208.100
>>> Wed Jun 1 15:42:32 EEST 2016 172.217.16.36
>>> Wed Jun 1 15:42:32 EEST 2016 172.217.16.36
>>> Wed Jun 1 15:42:32 EEST 2016 172.217.16.36
>>> Wed Jun 1 15:42:33 EEST 2016 172.217.16.36
>>> Wed Jun 1 15:42:33 EEST 2016 216.58.208.100
>>> Wed Jun 1 15:42:33 EEST 2016 172.217.16.36
>>> Wed Jun 1 15:42:33 EEST 2016 172.217.16.36
>>> Wed Jun 1 15:42:33 EEST 2016 172.217.16.36
>>> Wed Jun 1 15:42:33 EEST 2016 172.217.16.36
>>> Wed Jun 1 15:42:34 EEST 2016 172.217.16.36
>>> Wed Jun 1 15:42:34 EEST 2016 172.217.16.36
>>> Wed Jun 1 15:42:34 EEST 2016 172.217.16.36
>>> Wed Jun 1 15:42:34 EEST 2016 216.58.208.100
>>> Wed Jun 1 15:42:34 EEST 2016 172.217.16.36
>>> Wed Jun 1 15:42:34 EEST 2016 172.217.16.36
>>> Wed Jun 1 15:42:35 EEST 2016 172.217.16.36
>>> ...
>>>
>>> So what I'm really trying to find out is if there's anything from my
>>> side to influence the load balancer's decision..
>>
>>
>> Why would you want to influence the LB decision?
>> Is there any difference between the different IP addresses you have as
>> answers?
>>
>> You mentioned SSL errors in the browser, could you give more details?
>> I don’t think you should have to fix that on your side, but rather find
>> out what is happening.
>
> Because when google resolves to 172.217.16.*, browsers report an HSTS
> violation and SEC_ERROR_UNKNOWN_ISSUER if firefox or
> NET::ERR_CERT_AUTHORITY_INVALID in chrome.
>
> When google resolves to 216.58.208.* they work as intended (no error).
>

We just found out that the router in front of our servers had a static
route for 172.0.0.0/255.0.0.0 to some other interface.

This has now been changed to 172.16.0.0/255.240.0.0 and routing to
google subnet has been restored, browsers work as expected etc..

Thanks for your help to pinpoint this :)

Sot.
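
Added example, not part of the original thread: a Python check, using the two static routes and the two dig answers quoted above, that reports how far a route meant for private space reaches into public address space and which resolved addresses it would capture. The function names and the RFC 1918 list are choices made for this example.

```python
import ipaddress

# RFC 1918 private ranges; a static route meant for internal traffic
# should fit entirely inside one of these.
RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def parse_route(dest, mask):
    """Build a network from the destination/netmask form used in the thread.
    Raises ValueError if the destination has host bits set for that mask."""
    return ipaddress.ip_network(f"{dest}/{mask}", strict=True)

def overreach(route):
    """Return the parts of `route` that lie outside RFC 1918 space."""
    remaining = [route]
    for private in RFC1918:
        kept = []
        for net in remaining:
            if net.subnet_of(private):
                continue                      # entirely private, nothing to flag
            if private.subnet_of(net):
                kept.extend(net.address_exclude(private))
            else:
                kept.append(net)              # disjoint from this private range
        remaining = kept
    return sorted(remaining)

def misrouted(route, addresses):
    """Public addresses that the route would nevertheless capture."""
    hits = []
    for text in addresses:
        ip = ipaddress.ip_address(text)
        if ip in route and not any(ip in p for p in RFC1918):
            hits.append(text)
    return hits

# Values taken from the thread: the old and corrected static routes,
# and the two A records returned for www.google.com.
OLD_ROUTE = parse_route("172.0.0.0", "255.0.0.0")
NEW_ROUTE = parse_route("172.16.0.0", "255.240.0.0")
ANSWERS = ["172.217.16.36", "216.58.208.100"]

if __name__ == "__main__":
    for label, route in (("old", OLD_ROUTE), ("new", NEW_ROUTE)):
        public = ", ".join(map(str, overreach(route))) or "none"
        print(f"{label} route {route}: public space covered: {public}")
        print(f"  resolved addresses captured: {misrouted(route, ANSWERS) or 'none'}")
```
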