This is the problem: https://lists.isc.org/mailman/htdig/bind-users/2024-April/108469.html
Not a new problem. https://lists.isc.org/mailman/htdig/bind-users/2018-May/100229.html

On Tue, Dec 17, 2024 at 12:19 PM Ondřej Surý <ond...@isc.org> wrote:

> Crosscheck this with DNSSEC Debugger from Verisign:
>
> dnssec-analyzer.verisignlabs.com
> <https://dnssec-analyzer.verisignlabs.com/extranet.aro.army.mil>
>
> [image: red.png] No DS records found for akamai.csd.disa.mil in the csd.disa.mil zone
> [image: yellow.png] All Queries to dns3.akamai.csd.disa.mil for akamai.csd.disa.mil/DNSKEY timed out or failed
> [image: yellow.png] All Queries to dns1.akamai.csd.disa.mil for akamai.csd.disa.mil/DNSKEY timed out or failed
> [image: yellow.png] All Queries to dns2.akamai.csd.disa.mil for akamai.csd.disa.mil/DNSKEY timed out or failed
> [image: yellow.png] All Queries to dns4.akamai.csd.disa.mil for akamai.csd.disa.mil/DNSKEY timed out or failed
> [image: red.png] Failed to get DNSKEY RR set for zone akamai.csd.disa.mil
> [image: yellow.png] All Queries to dns2.akamai.csd.disa.mil for aro.army.mil.edgekey.dmz.akamai.csd.disa.mil/A timed out or failed
> [image: yellow.png] All Queries to dns4.akamai.csd.disa.mil for aro.army.mil.edgekey.dmz.akamai.csd.disa.mil/A timed out or failed
> [image: yellow.png] All Queries to dns3.akamai.csd.disa.mil for aro.army.mil.edgekey.dmz.akamai.csd.disa.mil/A timed out or failed
> [image: yellow.png] All Queries to dns1.akamai.csd.disa.mil for aro.army.mil.edgekey.dmz.akamai.csd.disa.mil/A timed out or failed
> [image: red.png] No response from akamai.csd.disa.mil nameservers
>
> --
> Ondřej Surý (He/Him)
> ond...@isc.org
>
> My working hours and your working hours may be different. Please do not feel obligated to reply outside your normal working hours.
>
> On 17. 12. 2024, at 21:16, Ondřej Surý <ond...@isc.org> wrote:
>
> disa.mil servers are timing out on me over IPv6:
>
> $ dig IN NS gcds.disa.mil. @DNS1.DISA.MIL.
> ;; communications error to 2608:125:0:1811:1001:9012:f00:20#53: timed out
> ;; communications error to 2608:125:0:1811:1001:9012:f00:20#53: timed out
> ;; communications error to 2608:125:0:1811:1001:9012:f00:20#53: timed out
>
> ; <<>> DiG 9.21.3-1+0~20241211.133+debian12~1.gbp5b5fe5-Debian <<>> IN NS gcds.disa.mil. @DNS1.DISA.MIL.
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 55426
> ;; flags: qr aa rd; QUERY: 1, ANSWER: 5, AUTHORITY: 0, ADDITIONAL: 7
> ;; WARNING: recursion requested but not available
>
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags:; udp: 4096
> ;; QUESTION SECTION:
> ;gcds.disa.mil. IN NS
>
> ;; ANSWER SECTION:
> gcds.disa.mil. 12699 IN NS dns1.disa.mil.
> gcds.disa.mil. 12699 IN NS dns3.disa.mil.
> gcds.disa.mil. 12699 IN NS dns5.disa.mil.
> gcds.disa.mil. 12699 IN NS dns2.disa.mil.
> gcds.disa.mil. 12699 IN NS dns4.disa.mil.
>
> ;; ADDITIONAL SECTION:
> dns1.disa.mil. 7151 IN AAAA 2608:125:0:1811:1001:9012:f00:20
> dns2.disa.mil. 7151 IN AAAA 2608:102:0:182d:1001:9012:c00:20
> dns3.disa.mil. 7151 IN AAAA 2608:145:0:180b:1001:9012:d00:20
> dns4.disa.mil. 6608 IN AAAA 2608:c182:0:1012:1001:9012:1400:20
> dns4.disa.mil. 6608 IN AAAA 2608:c182::1001:9012:1600:20
> dns5.disa.mil. 7151 IN AAAA 2608:4122:0:1012:1001:9012:1400:20
>
> ;; Query time: 252 msec
> ;; SERVER: 152.229.110.232#53(DNS1.DISA.MIL.) (UDP)
> ;; WHEN: Tue Dec 17 21:09:53 CET 2024
> ;; MSG SIZE rcvd: 305
>
> And given there's so many delegations and so many redirections, the result is inevitable...
>
> There's at least 4 queries that need to be done against disa.mil servers and if they all end up with timeout over IPv6, the whole query times out because it will run out of the time.
>
> gdcs.disa.mil IN NS
> apps.gdcs.disa.mil IN NS
> cds.disa.mil IN NS
> e1008.d.akamaiedge.akamai.csd.disa.mil. IN A
>
> Ondřej
> --
> Ondřej Surý (He/Him)
> ond...@isc.org
>
> My working hours and your working hours may be different. Please do not feel obligated to reply outside your normal working hours.
>
> On 17. 12. 2024, at 20:56, Clark, Roger <roc...@wm.edu> wrote:
>
> I have a user who is unsuccessfully trying to resolve ‘extranet.aro.army.mil’ using our BIND resolvers. The query is failing with a 'shut down hung fetch while resolving’ error message with some DNSSEC warning as well. The name resolves without issue querying other external resolvers and also is successful using dig +trace. I did notice there was an issue with an error produced by one of the names in the CNAME chain ( https://gitlab.isc.org/isc-projects/bind9/-/issues/4797 ).
>
> Do I have something misconfigured or is there something wrong on the authoritative side?
>
> Thank you!
>
> Roger
>
> Query:
> # dig extranet.aro.army.mil @localhost
> ;; communications error to 127.0.0.1#53: timed out
> ;; communications error to 127.0.0.1#53: timed out
> ;; communications error to 127.0.0.1#53: timed out
> ;; communications error to 127.0.0.1#53: timed out
> ;; communications error to 127.0.0.1#53: timed out
>
> ; <<>> DiG 9.18.32 <<>> extranet.aro.army.mil @localhost
> ;; global options: +cmd
> ;; no servers could be reached
>
> Logs:
> 17-Dec-2024 16:05:59.558 client @0x7fae4b99e230 127.0.0.1#55089 (extranet.aro.army.mil): query: extranet.aro.army.mil IN A +E(0)K (127.0.0.1)
> 17-Dec-2024 16:06:00.518 validating gcds.disa.mil/SOA: got insecure response; parent indicates it should be secure
> 17-Dec-2024 16:06:00.518 validating gcds.disa.mil/SOA: got insecure response; parent indicates it should be secure
> 17-Dec-2024 16:06:00.518 validating apps.gcds.disa.mil/NS: no valid signature found
> 17-Dec-2024 16:06:00.594 validating apps.gcds.disa.mil/SOA: no valid signature found
> 17-Dec-2024 16:06:00.594 validating Q3C76IBKTMFUF8PMSHSSCOPM8LOKJKK2.apps.gcds.disa.mil/NSEC3: no valid signature found
> 17-Dec-2024 16:06:00.642 validating apps.gcds.disa.mil/SOA: no valid signature found
> 17-Dec-2024 16:06:00.642 validating LP2F0U0VHJI70GSV9KTM3KC7HQDJKD9R.apps.gcds.disa.mil/NSEC3: no valid signature found
> 17-Dec-2024 16:06:00.678 validating aro.army.mil.apps.gcds.disa.mil/CNAME: no valid signature found
> 17-Dec-2024 16:06:01.558 client @0x7fae4b97e220 127.0.0.1#39052 (extranet.aro.army.mil): query: extranet.aro.army.mil IN A +E(0)K (127.0.0.1)
> 17-Dec-2024 16:06:03.562 client @0x7fae4a551240 127.0.0.1#35234 (extranet.aro.army.mil): query: extranet.aro.army.mil IN A +E(0)K (127.0.0.1)
> 17-Dec-2024 16:06:05.566 client @0x7fae4a54f260 127.0.0.1#58021 (extranet.aro.army.mil): query: extranet.aro.army.mil IN A +E(0)K (127.0.0.1)
> 17-Dec-2024 16:06:07.566 client @0x7fae4a547290 127.0.0.1#52253 (extranet.aro.army.mil): query: extranet.aro.army.mil IN A +E(0)K (127.0.0.1)
> 17-Dec-2024 16:06:12.678 shut down hung fetch while resolving 'aro.army.mil.edgekey.dmz.akamai.csd.disa.mil/A'
> 17-Dec-2024 16:06:12.678 client @0x7fae4b99e230 127.0.0.1#55089 (extranet.aro.army.mil): query failed (operation canceled) for extranet.aro.army.mil/IN/A at query.c:7877
> 17-Dec-2024 16:06:12.678 client @0x7fae4b97e220 127.0.0.1#39052 (extranet.aro.army.mil): query failed (operation canceled) for extranet.aro.army.mil/IN/A at query.c:7877
> 17-Dec-2024 16:06:12.678 client @0x7fae4a551240 127.0.0.1#35234 (extranet.aro.army.mil): query failed (operation canceled) for extranet.aro.army.mil/IN/A at query.c:7877
> 17-Dec-2024 16:06:12.678 client @0x7fae4a54f260 127.0.0.1#58021 (extranet.aro.army.mil): query failed (operation canceled) for extranet.aro.army.mil/IN/A at query.c:7877
> 17-Dec-2024 16:06:12.678 client @0x7fae4a547290 127.0.0.1#52253 (extranet.aro.army.mil): query failed (operation canceled) for extranet.aro.army.mil/IN/A at query.c:7877
>
> Trace:
>
> # dig +trace extranet.aro.army.mil @localhost
>
> ; <<>> DiG 9.18.32 <<>> +trace extranet.aro.army.mil @localhost
> ;; global options: +cmd
> . 518092 IN NS b.root-servers.net.
> . 518092 IN NS g.root-servers.net.
> . 518092 IN NS f.root-servers.net.
> . 518092 IN NS k.root-servers.net.
> . 518092 IN NS a.root-servers.net.
> . 518092 IN NS d.root-servers.net.
> . 518092 IN NS c.root-servers.net.
> . 518092 IN NS m.root-servers.net.
> . 518092 IN NS e.root-servers.net.
> . 518092 IN NS i.root-servers.net.
> . 518092 IN NS h.root-servers.net.
> . 518092 IN NS j.root-servers.net.
> . 518092 IN NS l.root-servers.net.
> . 518092 IN RRSIG NS 8 0 518400 20241230050000 20241217040000 61050 .
> rswM6OY8ylCNnmkfbUrdnNcTyPMuraztXrBbrrfTOO1M3vp9gCea+qj+
> FKEPxb/M7EwJYthquLPfOX+5nkV2ROBFwXrTBYS4Zg6zLC40lNwPFqdY
> 9X2cYpfYW1ljr1LuW9bEyBYwCfZB8g7eg+v0nMyrX+uDLH2mneiwJhiZ
> orJTZqVegiHMlX5jNe+btW7uJdAD+05MkI8CP8uD4ZElZ4ghjAG77aZB
> DLD9Ra+SE4j/1ECrkWEwP543tlYq0mmLIDP3TDObTGFMy3qjjItQtM83
> NmCWD8OAFNbl28AaYMDREpMryZDaxPXNEYiAF3JDfTyM1otJqd7C9kjm 9gM/qg==
> ;; Received 1137 bytes from 127.0.0.1#53(localhost) in 0 ms
>
> mil. 172800 IN NS con1.nipr.mil.
> mil. 172800 IN NS pac2.nipr.mil.
> mil. 172800 IN NS pac1.nipr.mil.
> mil. 172800 IN NS eur2.nipr.mil.
> mil. 172800 IN NS eur1.nipr.mil.
> mil. 172800 IN NS con2.nipr.mil.
> mil. 86400 IN DS 63500 8 2 3BAA83867103D6604A124282063F295E1B15C87CC13CB875A42F5754 A912EBE0
> mil. 86400 IN RRSIG DS 8 1 86400 20241230050000 20241217040000 61050 .
> X2VVY9CekNpZhFq3x4ZIz8gI9nsCicqgJHzi1kEaRAW4hXzZGR+hAMNq
> 58680WjNluI/zaWt6eOpfkt+8XNEMJfc5cK5dmnOCs6jv9Blkv4moe6O
> 3Mr5F5Dm37m13Jw8pBIMJb2ylk1pzOsDQbWKjS+Ak3xXJH357YopmxVO
> fXQ6Zmu6VCmbiA9rhtI5fX2wuwzhcI5gAn4ARCTFVDo5XM8JKwc3vHs9
> 9dtGZhJ2UZ9ryZk+ulxGabZ3czSWjof93zn9GHfKezUFeGOqEkdO3op/
> 9Oift8tpAM+IDdZFaFgI3VU+SJpwX+5BgavHILio8YtB5wXZ1z1Wfp3r iZw/kw==
> ;; Received 802 bytes from 192.36.148.17#53(i.root-servers.net) in 44 ms
>
> ARMY.MIL. 21600 IN NS NS02.ARMY.MIL.
> ARMY.MIL. 21600 IN NS NS01.ARMY.MIL.
> ARMY.MIL. 21600 IN NS NS03.ARMY.MIL.
> ARMY.MIL. 10800 IN DS 34552 8 1 2DFA605AE37365DC018249BC6E7FEB3EF55BAF85
> ARMY.MIL. 10800 IN DS 34552 8 2 77BF656C5361FF501D81AC4F7DAB185B5F8587AF0421283F7373956F 2DFA4543
> ARMY.MIL. 10800 IN RRSIG DS 8 2 10800 20241224000431 20241217000431 40843 mil.
> oGdnWjQd0HT+UP0o7ct3fbY/Ur/bcxWX6sYflvIZnGy5VlpEB8TF1xQG
> gtwtHUhfcPTHxUHIqnN+CDarvQTGSbfjCDOrHtYKt1kSSQD91Gz3efgP
> 4G68ACiGH7SbMUOpDGIBQ/MWzibBPnE1biJchhPuMALfz9GO2qM2Sb5c IIw=
> ;; Received 410 bytes from 199.252.154.234#53(eur1.nipr.mil) in 32 ms
>
> extranet.aro.army.mil. 3600 IN CNAME aro.army.mil.apps.gcds.disa.mil.
> extranet.aro.army.mil. 3600 IN RRSIG CNAME 8 4 3600 20241220162507 20241216162111 44331 aro.army.mil.
> GQ8IGU9aMU6ZiVZrIAJJDv+kPU7YGYs66bpQiMtNw2VtoScz9uhhOs7M
> Nns1t8uClwMhVVr/NE0cPh5yK7Y0p4AQQWJT3IY07b+5Jy5HFf0bwEWs
> lBTjqvVOzaVdKXAW0SSTt8dd8phvIskmKDJDPeJx05HKd6cIExzvG1dG
> M+krqrGsltBQANXByi5koLfUWaxLGzoC676kBM4MhxRHYOXaCzdhIf1K
> VWaxLMptuhVke1pi8oMY/4FQREs8PEwRwPVRRD4lgMw6XshRpVuI9V65
> r+JxiGI/kiwm9Z9ckr6nBEkkry/0/5G4NtcgzfncADRxUrUvJ5NNvd/E rHnhWw==
> aro.army.mil.apps.gcds.disa.mil. 3599 IN CNAME aro.army.mil.edgekey.dmz.akamai.csd.disa.mil.
> aro.army.mil.apps.gcds.disa.mil. 3599 IN RRSIG CNAME 8 7 3600 20250108200421 20241209200421 57303 apps.gcds.disa.mil.
> Pw8WDBdIcSyZsOtYpuOw9/i2Bc4IfcPvel+/MU6GC7ekpS4ba7JZRv13
> 7se5C1VEOxQlKc+Z/yLY5EhfJfrlJg9QmIKXhRj9h2rzjsjoFljzp0PQ
> joSo7J4eiWGCPi9TNLWMiC5A8Qj8JYYdOHC0RRFWUOjGQHeGPvStcUfj ROQ=
> aro.army.mil.edgekey.dmz.akamai.csd.disa.mil. 179 IN CNAME e1008.d.akamaiedge.akamai.csd.disa.mil.
> e1008.d.akamaiedge.akamai.csd.disa.mil. 14 IN A 214.48.248.31
> ;; Received 669 bytes from 140.153.43.44#53(NS01.ARMY.MIL) in 80 ms
>
> --
> Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list
>
> ISC funds the development of this software with paid support subscriptions. Contact us at https://www.isc.org/contact/ for more information.
>
> bind-users mailing list
> bind-users@lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users