This is what I see with diagnostics turned up: $ dig +bufsize=16384 +cd +dnssec shopdisney.co.uk @test-resolver .... shopdisney.co.uk. 0 IN TXT "shopdisney.co.uk categorization: None" shopdisney.co.uk. 0 IN TXT "cache_get shopdisney.co.uk/A: ttl=0 cache_flags=0x0 (NOTFOUND)" shopdisney.co.uk. 0 IN TXT "cache_get shopdisney.co.uk/NS: prefixlen=0 ttl=87746 cache_flags=0x1 (HAVEDATA)" shopdisney.co.uk. 0 IN TXT "RESOLVER: shopdisney.co.uk IN NS ns1.disneyinternational.net" shopdisney.co.uk. 0 IN TXT "RESOLVER: shopdisney.co.uk IN NS ns2.disneyinternational.net" shopdisney.co.uk. 0 IN TXT "RESOLVER: shopdisney.co.uk IN NS ns3.disneyinternational.net" shopdisney.co.uk. 0 IN TXT "RESOLVER: shopdisney.co.uk IN NS ns4.disneyinternational.net" shopdisney.co.uk. 0 IN TXT "cache_get ns3.disneyinternational.net/A: prefixlen=0 ttl=27772 cache_flags=0x1 (HAVEDATA)" shopdisney.co.uk. 0 IN TXT "cache_get ns3.disneyinternational.net/AAAA: prefixlen=0 ttl=27772 cache_flags=0x1 (HAVEDATA)" shopdisney.co.uk. 0 IN TXT "cache_get ns4.disneyinternational.net/A: prefixlen=0 ttl=27772 cache_flags=0x1 (HAVEDATA)" shopdisney.co.uk. 0 IN TXT "cache_get ns4.disneyinternational.net/AAAA: ttl=0 cache_flags=0x0 (NOTFOUND)" shopdisney.co.uk. 0 IN TXT "cache_get ns1.disneyinternational.net/A: prefixlen=0 ttl=27772 cache_flags=0x1 (HAVEDATA)" shopdisney.co.uk. 0 IN TXT "cache_get ns1.disneyinternational.net/AAAA: prefixlen=0 ttl=27772 cache_flags=0x1 (HAVEDATA)" shopdisney.co.uk. 0 IN TXT "cache_get ns2.disneyinternational.net/A: prefixlen=0 ttl=27772 cache_flags=0x2241 (HAVEDATA)" shopdisney.co.uk. 0 IN TXT "cache_get ns2.disneyinternational.net/AAAA: ttl=0 cache_flags=0x0 (NOTFOUND)" shopdisney.co.uk. 0 IN TXT "tx shopdisney.co.uk/A clientsubnet=enabled zone=shopdisney.co.uk level=0" shopdisney.co.uk. 0 IN TXT "Sending EDNS0 with bufsize 1410 and the DO bit" shopdisney.co.uk. 0 IN TXT "Sending 45 bytes to [2001:500:94:1::144]:53 using UDP, timeout 350ms" shopdisney.co.uk. 0 IN TXT "Received EDNS0 with bufsize 4096 and the DO bit" shopdisney.co.uk. 0 IN TXT "AUTH server 2001:500:94:1::144 returned REFUSED - abandoned" shopdisney.co.uk. 0 IN TXT "Sending EDNS0 with bufsize 1410 and the DO bit" shopdisney.co.uk. 0 IN TXT "Sending 45 bytes to 208.78.70.144:53 using UDP, timeout 350ms" shopdisney.co.uk. 0 IN TXT "Received EDNS0 with bufsize 4096 and the DO bit" shopdisney.co.uk. 0 IN TXT "AUTH server 208.78.70.144 returned REFUSED - abandoned" shopdisney.co.uk. 0 IN TXT "Sending EDNS0 with bufsize 1410 and the DO bit" shopdisney.co.uk. 0 IN TXT "Sending 45 bytes to 204.13.250.144:53 using UDP, timeout 350ms" shopdisney.co.uk. 0 IN TXT "Received EDNS0 with bufsize 4096 and the DO bit" shopdisney.co.uk. 0 IN TXT "AUTH server 204.13.250.144 returned REFUSED - abandoned" shopdisney.co.uk. 0 IN TXT "Sending EDNS0 with bufsize 1410 and the DO bit" shopdisney.co.uk. 0 IN TXT "Sending 45 bytes to [2001:500:90:1::144]:53 using UDP, timeout 350ms" shopdisney.co.uk. 0 IN TXT "Received EDNS0 with bufsize 4096 and the DO bit" shopdisney.co.uk. 0 IN TXT "AUTH server 2001:500:90:1::144 returned REFUSED - abandoned" shopdisney.co.uk. 0 IN TXT "Sending EDNS0 with bufsize 1410 and the DO bit" shopdisney.co.uk. 0 IN TXT "Sending 45 bytes to 204.13.251.144:53 using UDP, timeout 350ms" shopdisney.co.uk. 0 IN TXT "Received EDNS0 with bufsize 4096 and the DO bit" shopdisney.co.uk. 0 IN TXT "AUTH server 204.13.251.144 returned REFUSED - abandoned" shopdisney.co.uk. 0 IN TXT "Sending EDNS0 with bufsize 1410 and the DO bit" shopdisney.co.uk. 0 IN TXT "Sending 45 bytes to 208.78.71.144:53 using UDP, timeout 350ms" shopdisney.co.uk. 0 IN TXT "Received EDNS0 with bufsize 4096 and the DO bit" shopdisney.co.uk. 0 IN TXT "AUTH server 208.78.71.144 returned REFUSED - abandoned" shopdisney.co.uk. 0 IN TXT "No authoritative answers for shopdisney.co.uk/A" .... shopdisney.co.uk. 0 IN TXT "servfail shopdisney.co.uk/A” ….
HTH — Brian > On Apr 2, 2020, at 12:56 PM, Doug Barton <[email protected]> wrote: > > Howdy, > > I redelegated shopdisney.co.uk this morning. I can see that all of the > Nominet authorities are returning the correct new NS set, however I have a > number of reports of resolution failures. There are resolvers from OpenDNS, > Google, Virgin, O2, and others that are not finding any name servers at all, > and refusing to re-query. This is causing address record resolution failures > for users behind those resolvers. > > What is odd to me is that earlier this week we cross-pollinated the old and > new zone files with both the old and new sets of name servers. I have seen > situations in the past where cutting cleanly from one set of name servers to > a completely different set has caused problems, so we take this extra step of > updating the zones so that no matter what point in the process we're at the > resolving name servers will always have at least one good set to query. It's > always worked for me in the past. > > What's even more strange is that we also did shopdisney.it this morning, > having done the same preparation, and it's solid as a rock. It's only the > CO.UK name that is failing. When querying OpenDNS or Google directly I get > the same result when it fails: > > dig @8.8.4.4 shopdisney.co.uk ns > ; <<>> DiG 9.10.6 <<>> @8.8.4.4 shopdisney.co.uk ns > ; (1 server found) > ;; global options: +cmd > ;; Got answer: > ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 1587 > ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1 > > ;; OPT PSEUDOSECTION: > ; EDNS: version: 0, flags:; udp: 512 > ;; QUESTION SECTION: > ;shopdisney.co.uk. IN NS > > ;; Query time: 501 msec > ;; SERVER: 8.8.4.4#53(8.8.4.4) > ;; WHEN: Thu Apr 02 12:28:46 PDT 2020 > ;; MSG SIZE rcvd: 45 > > The flags are the same for the OpenDNS servers. > > Has anyone seen this happen before? I've seen plenty of cases where resolvers > have hung onto the old NS set for too long (following the parent TTL instead > of the child), which is why I have been adding both sets of name servers to > both zones in advance of the redelegation. But I have literally never seen a > case where a resolver not only has no NS records, but also will not re-query. > > My first thought was that Nominet withdrew the delegation for a short period, > and the resolvers have a negative cache entry, but when doing the UAT this > morning I happened to catch the exact point at which they changed. In serial > number 1308977661 they had the old NS set, and in 1308977662 they had the new > one. So that doesn't seem to be the problem. > > If anyone from OpenDNS and/or Google can take a look at a resolver that is > failing for shopdisney.co.uk and tell me what's in the logs I would deeply > appreciate it. Since I can't figure out what happened, I'm not sure how to > mitigate it for the next change. > > In the past I've taken the intermediate step of also updating the parent > delegation to include both NS sets, which I plan to do for the next set of > updates just to be on the safe side, but given this fun new failure mode it's > not clear to me that even doing that will insulate us. > > Any thoughts/help/advice welcome, > > Doug > _______________________________________________ > dns-operations mailing list > [email protected] > https://lists.dns-oarc.net/mailman/listinfo/dns-operations _______________________________________________ dns-operations mailing list [email protected] https://lists.dns-oarc.net/mailman/listinfo/dns-operations
