Crosscheck this with DNSSEC Debugger from Verisign: https://dnssec-analyzer.verisignlabs.com/extranet.aro.army.mil

No DS records found for akamai.csd.disa.mil in the csd.disa.mil zone
All Queries to dns3.akamai.csd.disa.mil for akamai.csd.disa.mil/DNSKEY timed out or failed
All Queries to dns1.akamai.csd.disa.mil for akamai.csd.disa.mil/DNSKEY timed out or failed
All Queries to dns2.akamai.csd.disa.mil for akamai.csd.disa.mil/DNSKEY timed out or failed
All Queries to dns4.akamai.csd.disa.mil for akamai.csd.disa.mil/DNSKEY timed out or failed
Failed to get DNSKEY RR set for zone akamai.csd.disa.mil
All Queries to dns2.akamai.csd.disa.mil for aro.army.mil.edgekey.dmz.akamai.csd.disa.mil/A timed out or failed
All Queries to dns4.akamai.csd.disa.mil for aro.army.mil.edgekey.dmz.akamai.csd.disa.mil/A timed out or failed
All Queries to dns3.akamai.csd.disa.mil for aro.army.mil.edgekey.dmz.akamai.csd.disa.mil/A timed out or failed
All Queries to dns1.akamai.csd.disa.mil for aro.army.mil.edgekey.dmz.akamai.csd.disa.mil/A timed out or failed
No response from akamai.csd.disa.mil nameservers

--
Ondřej Surý (He/Him)
ond...@isc.org

My working hours and your working hours may be different. Please do not feel obligated to reply outside your normal working hours.

> On 17. 12. 2024, at 21:16, Ondřej Surý <ond...@isc.org> wrote:
>
> disa.mil servers are timing out on me over IPv6:
>
> $ dig IN NS gcds.disa.mil. @DNS1.DISA.MIL.
> ;; communications error to 2608:125:0:1811:1001:9012:f00:20#53: timed out
> ;; communications error to 2608:125:0:1811:1001:9012:f00:20#53: timed out
> ;; communications error to 2608:125:0:1811:1001:9012:f00:20#53: timed out
>
> ; <<>> DiG 9.21.3-1+0~20241211.133+debian12~1.gbp5b5fe5-Debian <<>> IN NS gcds.disa.mil. @DNS1.DISA.MIL.
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 55426
> ;; flags: qr aa rd; QUERY: 1, ANSWER: 5, AUTHORITY: 0, ADDITIONAL: 7
> ;; WARNING: recursion requested but not available
>
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags:; udp: 4096
> ;; QUESTION SECTION:
> ;gcds.disa.mil. IN NS
>
> ;; ANSWER SECTION:
> gcds.disa.mil. 12699 IN NS dns1.disa.mil.
> gcds.disa.mil. 12699 IN NS dns3.disa.mil.
> gcds.disa.mil. 12699 IN NS dns5.disa.mil.
> gcds.disa.mil. 12699 IN NS dns2.disa.mil.
> gcds.disa.mil. 12699 IN NS dns4.disa.mil.
>
> ;; ADDITIONAL SECTION:
> dns1.disa.mil. 7151 IN AAAA 2608:125:0:1811:1001:9012:f00:20
> dns2.disa.mil. 7151 IN AAAA 2608:102:0:182d:1001:9012:c00:20
> dns3.disa.mil. 7151 IN AAAA 2608:145:0:180b:1001:9012:d00:20
> dns4.disa.mil. 6608 IN AAAA 2608:c182:0:1012:1001:9012:1400:20
> dns4.disa.mil. 6608 IN AAAA 2608:c182::1001:9012:1600:20
> dns5.disa.mil. 7151 IN AAAA 2608:4122:0:1012:1001:9012:1400:20
>
> ;; Query time: 252 msec
> ;; SERVER: 152.229.110.232#53(DNS1.DISA.MIL.) (UDP)
> ;; WHEN: Tue Dec 17 21:09:53 CET 2024
> ;; MSG SIZE rcvd: 305
>
> And given there's so many delegations and so many redirections, the result is inevitable...
>
> There's at least 4 queries that need to be done against disa.mil servers and if they all end up with timeout over IPv6, the whole query times out because it will run out of the time.
>
> gdcs.disa.mil IN NS
> apps.gdcs.disa.mil IN NS
> cds.disa.mil IN NS
> e1008.d.akamaiedge.akamai.csd.disa.mil. IN A
>
> Ondřej
> --
> Ondřej Surý (He/Him)
> ond...@isc.org
>
> My working hours and your working hours may be different. Please do not feel obligated to reply outside your normal working hours.
>
>> On 17. 12. 2024, at 20:56, Clark, Roger <roc...@wm.edu> wrote:
>>
>> I have a user who is unsuccessfully trying to resolve ‘extranet.aro.army.mil’ using our BIND resolvers. The query is failing with a 'shut down hung fetch while resolving’ error message with some DNSSEC warning as well. The name resolves without issue querying other external resolvers and also is successful using dig +trace. I did notice there was an issue with an error produced by one of the names in the CNAME chain ( https://gitlab.isc.org/isc-projects/bind9/-/issues/4797 ).
>>
>> Do I have something misconfigured or is there something wrong on the authoritative side?
>>
>> Thank you!
>>
>> Roger
>>
>> Query:
>> # dig extranet.aro.army.mil @localhost
>> ;; communications error to 127.0.0.1#53: timed out
>> ;; communications error to 127.0.0.1#53: timed out
>> ;; communications error to 127.0.0.1#53: timed out
>> ;; communications error to 127.0.0.1#53: timed out
>> ;; communications error to 127.0.0.1#53: timed out
>>
>> ; <<>> DiG 9.18.32 <<>> extranet.aro.army.mil @localhost
>> ;; global options: +cmd
>> ;; no servers could be reached
>>
>> Logs:
>> 17-Dec-2024 16:05:59.558 client @0x7fae4b99e230 127.0.0.1#55089 (extranet.aro.army.mil): query: extranet.aro.army.mil IN A +E(0)K (127.0.0.1)
>> 17-Dec-2024 16:06:00.518 validating gcds.disa.mil/SOA: got insecure response; parent indicates it should be secure
>> 17-Dec-2024 16:06:00.518 validating gcds.disa.mil/SOA: got insecure response; parent indicates it should be secure
>> 17-Dec-2024 16:06:00.518 validating apps.gcds.disa.mil/NS: no valid signature found
>> 17-Dec-2024 16:06:00.594 validating apps.gcds.disa.mil/SOA: no valid signature found
>> 17-Dec-2024 16:06:00.594 validating Q3C76IBKTMFUF8PMSHSSCOPM8LOKJKK2.apps.gcds.disa.mil/NSEC3: no valid signature found
>> 17-Dec-2024 16:06:00.642 validating apps.gcds.disa.mil/SOA: no valid signature found
>> 17-Dec-2024 16:06:00.642 validating LP2F0U0VHJI70GSV9KTM3KC7HQDJKD9R.apps.gcds.disa.mil/NSEC3: no valid signature found
>> 17-Dec-2024 16:06:00.678 validating aro.army.mil.apps.gcds.disa.mil/CNAME: no valid signature found
>> 17-Dec-2024 16:06:01.558 client @0x7fae4b97e220 127.0.0.1#39052 (extranet.aro.army.mil): query: extranet.aro.army.mil IN A +E(0)K (127.0.0.1)
>> 17-Dec-2024 16:06:03.562 client @0x7fae4a551240 127.0.0.1#35234 (extranet.aro.army.mil): query: extranet.aro.army.mil IN A +E(0)K (127.0.0.1)
>> 17-Dec-2024 16:06:05.566 client @0x7fae4a54f260 127.0.0.1#58021 (extranet.aro.army.mil): query: extranet.aro.army.mil IN A +E(0)K (127.0.0.1)
>> 17-Dec-2024 16:06:07.566 client @0x7fae4a547290 127.0.0.1#52253 (extranet.aro.army.mil): query: extranet.aro.army.mil IN A +E(0)K (127.0.0.1)
>> 17-Dec-2024 16:06:12.678 shut down hung fetch while resolving 'aro.army.mil.edgekey.dmz.akamai.csd.disa.mil/A'
>> 17-Dec-2024 16:06:12.678 client @0x7fae4b99e230 127.0.0.1#55089 (extranet.aro.army.mil): query failed (operation canceled) for extranet.aro.army.mil/IN/A at query.c:7877
>> 17-Dec-2024 16:06:12.678 client @0x7fae4b97e220 127.0.0.1#39052 (extranet.aro.army.mil): query failed (operation canceled) for extranet.aro.army.mil/IN/A at query.c:7877
>> 17-Dec-2024 16:06:12.678 client @0x7fae4a551240 127.0.0.1#35234 (extranet.aro.army.mil): query failed (operation canceled) for extranet.aro.army.mil/IN/A at query.c:7877
>> 17-Dec-2024 16:06:12.678 client @0x7fae4a54f260 127.0.0.1#58021 (extranet.aro.army.mil): query failed (operation canceled) for extranet.aro.army.mil/IN/A at query.c:7877
>> 17-Dec-2024 16:06:12.678 client @0x7fae4a547290 127.0.0.1#52253 (extranet.aro.army.mil): query failed (operation canceled) for extranet.aro.army.mil/IN/A at query.c:7877
>>
>> Trace:
>>
>> # dig +trace extranet.aro.army.mil @localhost
>>
>> ; <<>> DiG 9.18.32 <<>> +trace extranet.aro.army.mil @localhost
>> ;; global options: +cmd
>> . 518092 IN NS b.root-servers.net.
>> . 518092 IN NS g.root-servers.net.
>> . 518092 IN NS f.root-servers.net.
>> . 518092 IN NS k.root-servers.net.
>> . 518092 IN NS a.root-servers.net.
>> . 518092 IN NS d.root-servers.net.
>> . 518092 IN NS c.root-servers.net.
>> . 518092 IN NS m.root-servers.net.
>> . 518092 IN NS e.root-servers.net.
>> . 518092 IN NS i.root-servers.net.
>> . 518092 IN NS h.root-servers.net.
>> . 518092 IN NS j.root-servers.net.
>> . 518092 IN NS l.root-servers.net.
>> . 518092 IN RRSIG NS 8 0 518400 20241230050000 20241217040000 61050 . rswM6OY8ylCNnmkfbUrdnNcTyPMuraztXrBbrrfTOO1M3vp9gCea+qj+ FKEPxb/M7EwJYthquLPfOX+5nkV2ROBFwXrTBYS4Zg6zLC40lNwPFqdY 9X2cYpfYW1ljr1LuW9bEyBYwCfZB8g7eg+v0nMyrX+uDLH2mneiwJhiZ orJTZqVegiHMlX5jNe+btW7uJdAD+05MkI8CP8uD4ZElZ4ghjAG77aZB DLD9Ra+SE4j/1ECrkWEwP543tlYq0mmLIDP3TDObTGFMy3qjjItQtM83 NmCWD8OAFNbl28AaYMDREpMryZDaxPXNEYiAF3JDfTyM1otJqd7C9kjm 9gM/qg==
>> ;; Received 1137 bytes from 127.0.0.1#53(localhost) in 0 ms
>>
>> mil. 172800 IN NS con1.nipr.mil.
>> mil. 172800 IN NS pac2.nipr.mil.
>> mil. 172800 IN NS pac1.nipr.mil.
>> mil. 172800 IN NS eur2.nipr.mil.
>> mil. 172800 IN NS eur1.nipr.mil.
>> mil. 172800 IN NS con2.nipr.mil.
>> mil. 86400 IN DS 63500 8 2 3BAA83867103D6604A124282063F295E1B15C87CC13CB875A42F5754 A912EBE0
>> mil. 86400 IN RRSIG DS 8 1 86400 20241230050000 20241217040000 61050 . X2VVY9CekNpZhFq3x4ZIz8gI9nsCicqgJHzi1kEaRAW4hXzZGR+hAMNq 58680WjNluI/zaWt6eOpfkt+8XNEMJfc5cK5dmnOCs6jv9Blkv4moe6O 3Mr5F5Dm37m13Jw8pBIMJb2ylk1pzOsDQbWKjS+Ak3xXJH357YopmxVO fXQ6Zmu6VCmbiA9rhtI5fX2wuwzhcI5gAn4ARCTFVDo5XM8JKwc3vHs9 9dtGZhJ2UZ9ryZk+ulxGabZ3czSWjof93zn9GHfKezUFeGOqEkdO3op/ 9Oift8tpAM+IDdZFaFgI3VU+SJpwX+5BgavHILio8YtB5wXZ1z1Wfp3r iZw/kw==
>> ;; Received 802 bytes from 192.36.148.17#53(i.root-servers.net) in 44 ms
>>
>> ARMY.MIL. 21600 IN NS NS02.ARMY.MIL.
>> ARMY.MIL. 21600 IN NS NS01.ARMY.MIL.
>> ARMY.MIL. 21600 IN NS NS03.ARMY.MIL.
>> ARMY.MIL. 10800 IN DS 34552 8 1 2DFA605AE37365DC018249BC6E7FEB3EF55BAF85
>> ARMY.MIL. 10800 IN DS 34552 8 2 77BF656C5361FF501D81AC4F7DAB185B5F8587AF0421283F7373956F 2DFA4543
>> ARMY.MIL. 10800 IN RRSIG DS 8 2 10800 20241224000431 20241217000431 40843 mil. oGdnWjQd0HT+UP0o7ct3fbY/Ur/bcxWX6sYflvIZnGy5VlpEB8TF1xQG gtwtHUhfcPTHxUHIqnN+CDarvQTGSbfjCDOrHtYKt1kSSQD91Gz3efgP 4G68ACiGH7SbMUOpDGIBQ/MWzibBPnE1biJchhPuMALfz9GO2qM2Sb5c IIw=
>> ;; Received 410 bytes from 199.252.154.234#53(eur1.nipr.mil) in 32 ms
>>
>> extranet.aro.army.mil. 3600 IN CNAME aro.army.mil.apps.gcds.disa.mil.
>> extranet.aro.army.mil. 3600 IN RRSIG CNAME 8 4 3600 20241220162507 20241216162111 44331 aro.army.mil. GQ8IGU9aMU6ZiVZrIAJJDv+kPU7YGYs66bpQiMtNw2VtoScz9uhhOs7M Nns1t8uClwMhVVr/NE0cPh5yK7Y0p4AQQWJT3IY07b+5Jy5HFf0bwEWs lBTjqvVOzaVdKXAW0SSTt8dd8phvIskmKDJDPeJx05HKd6cIExzvG1dG M+krqrGsltBQANXByi5koLfUWaxLGzoC676kBM4MhxRHYOXaCzdhIf1K VWaxLMptuhVke1pi8oMY/4FQREs8PEwRwPVRRD4lgMw6XshRpVuI9V65 r+JxiGI/kiwm9Z9ckr6nBEkkry/0/5G4NtcgzfncADRxUrUvJ5NNvd/E rHnhWw==
>> aro.army.mil.apps.gcds.disa.mil. 3599 IN CNAME aro.army.mil.edgekey.dmz.akamai.csd.disa.mil.
>> aro.army.mil.apps.gcds.disa.mil. 3599 IN RRSIG CNAME 8 7 3600 20250108200421 20241209200421 57303 apps.gcds.disa.mil. Pw8WDBdIcSyZsOtYpuOw9/i2Bc4IfcPvel+/MU6GC7ekpS4ba7JZRv13 7se5C1VEOxQlKc+Z/yLY5EhfJfrlJg9QmIKXhRj9h2rzjsjoFljzp0PQ joSo7J4eiWGCPi9TNLWMiC5A8Qj8JYYdOHC0RRFWUOjGQHeGPvStcUfj ROQ=
>> aro.army.mil.edgekey.dmz.akamai.csd.disa.mil. 179 IN CNAME e1008.d.akamaiedge.akamai.csd.disa.mil.
>> e1008.d.akamaiedge.akamai.csd.disa.mil. 14 IN A 214.48.248.31
>> ;; Received 669 bytes from 140.153.43.44#53(NS01.ARMY.MIL) in 80 ms
>>
>>
>> --
>> Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list
>>
>> ISC funds the development of this software with paid support subscriptions. Contact us at https://www.isc.org/contact/ for more information.
>>
>>
>> bind-users mailing list
>> bind-users@lists.isc.org
>> https://lists.isc.org/mailman/listinfo/bind-users
>
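
An added example (not part of the original thread, and not ISC code): a small Python triage pass over the named log lines Roger posted, reporting which fetch hung, how long each client waited before "operation canceled", and which RRsets the validator complained about. The function and variable names are illustrative, and pairing query and failure lines by the client object address (`@0x...`) is an assumption based on the log excerpt.

```python
import re
from collections import defaultdict
from datetime import datetime

# named log lines from the thread, with the mail client's line wrapping undone.
SAMPLE_LOG = """\
17-Dec-2024 16:05:59.558 client @0x7fae4b99e230 127.0.0.1#55089 (extranet.aro.army.mil): query: extranet.aro.army.mil IN A +E(0)K (127.0.0.1)
17-Dec-2024 16:06:00.518 validating gcds.disa.mil/SOA: got insecure response; parent indicates it should be secure
17-Dec-2024 16:06:00.518 validating apps.gcds.disa.mil/NS: no valid signature found
17-Dec-2024 16:06:00.678 validating aro.army.mil.apps.gcds.disa.mil/CNAME: no valid signature found
17-Dec-2024 16:06:07.566 client @0x7fae4a547290 127.0.0.1#52253 (extranet.aro.army.mil): query: extranet.aro.army.mil IN A +E(0)K (127.0.0.1)
17-Dec-2024 16:06:12.678 shut down hung fetch while resolving 'aro.army.mil.edgekey.dmz.akamai.csd.disa.mil/A'
17-Dec-2024 16:06:12.678 client @0x7fae4b99e230 127.0.0.1#55089 (extranet.aro.army.mil): query failed (operation canceled) for extranet.aro.army.mil/IN/A at query.c:7877
17-Dec-2024 16:06:12.678 client @0x7fae4a547290 127.0.0.1#52253 (extranet.aro.army.mil): query failed (operation canceled) for extranet.aro.army.mil/IN/A at query.c:7877
"""

TS = r"(?P<ts>\d{2}-\w{3}-\d{4} \d{2}:\d{2}:\d{2}\.\d{3}) "
CLIENT = TS + r"client @(?P<id>0x[0-9a-f]+) \S+ \([^)]*\): "
QUERY = re.compile(CLIENT + r"query: ")
FAILED = re.compile(CLIENT + r"query failed \((?P<why>[^)]+)\)")
VALIDATING = re.compile(TS + r"validating (?P<rrset>\S+): (?P<msg>.+)")
HUNG = re.compile(TS + r"shut down hung fetch while resolving '(?P<rrset>[^']+)'")


def when(match):
    """Timestamp of a matched log line, in the format seen in the thread."""
    return datetime.strptime(match["ts"], "%d-%b-%Y %H:%M:%S.%f")


def triage(log_text):
    """Summarise hung fetches, per-client wait and validator messages."""
    started, waits, hung = {}, {}, []
    validation = defaultdict(list)
    for line in log_text.splitlines():
        if m := QUERY.match(line):
            started[m["id"]] = when(m)
        elif m := FAILED.match(line):
            if m["id"] in started:  # seconds from query to failure
                delta = when(m) - started.pop(m["id"])
                waits[m["id"]] = (delta.total_seconds(), m["why"])
        elif m := VALIDATING.match(line):
            validation[m["msg"]].append(m["rrset"])
        elif m := HUNG.match(line):
            hung.append(m["rrset"])
    return {"hung": hung, "waits": waits, "validation": dict(validation)}


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(key, value)
```

On this excerpt the validator messages all concern names under gcds.disa.mil, while the fetch that is shut down is for a name under akamai.csd.disa.mil, the zone whose nameservers the Verisign report shows timing out.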