Bug#1055632: bind9: needs restarting daily to resolve www.dumbingofage.com

2023-11-09 Thread Ondřej Surý
Actually, I can answer that myself:

https://dnsviz.net/d/www.dumbingofage.com/dnssec/

They are not. So what happens is that on initial query, the NS from parents are 
used to bootstrap and then named caches the child NSs and those are broken.

Not BIND 9’s fault.

Ondrej
--
Ondřej Surý (He/Him)

> On 9. 11. 2023, at 10:54, Ondřej Surý  wrote:
> 
> Hey,
> 
> are the NS sets in parent and child in sync?
> 
> Ondrej
> --
> Ondřej Surý (He/Him)
> 
>> On 9. 11. 2023, at 10:30, Matthew Vernon  wrote:
>> 
>> Package: bind9
>> Version: 1:9.18.19-1~deb12u1
>> Severity: normal
>> 
>> Hi,
>> 
>> This is a weird one, but it's been happening daily for a few days now,
>> so I figured it was worth reporting.
>> 
>> For the last few days, if I try and visit
>> https://www.dumbingofage.com/
>> 
>> Firefox can't resolve the hostname, similarly on the CLI:
>> matthew@aragorn:~$ host www.dumbingofage.com
>> Host www.dumbingofage.com not found: 2(SERVFAIL)
>> 
>> AFAICT the NSs work - I can do both
>> dig @23.226.68.75 www.dumbingofage.com
>> and
>> dig @23.226.68.76 www.dumbingofage.com
>> 
>> And get a sensible answer back.
>> 
>> If I restart bind9 then I am able to resolve the hostname fine, only for
>> the same problem to recur the following day.
>> 
>> So _something_ is getting confused, and I'm pretty sure it's bind :)
>> 
>> Regards,
>> 
>> Matthew
>> 
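The check Ondřej asks for in his first reply ("are the NS sets in parent and child in sync?") and the mechanism he then describes, written out as an added example; this is not code from the bug report, from Debian or from BIND. A resolver learns the child's name servers from the parent's delegation, but once it has asked one of them it caches the NS RRset the child itself publishes and uses that from then on, so a broken child set only bites after the first successful lookup, and the failure persists until the cached delegation expires, is flushed, or named is restarted. The script below compares the two sets. The live mode assumes dig(1) is on the PATH and has network access; the SAMPLE_* strings are constructed dig output with placeholder names, not data about dumbingofage.com or its servers.

```python
"""Check whether a zone's NS set is the same at the parent and at the child.

Added example for this thread, not code from the bug report or from BIND.
Offline, it runs over constructed sample dig output; with three arguments
(zone, a parent-zone server, one of the child's servers) it queries live.
"""
import subprocess
from typing import Iterable

# Constructed sample output in `dig +noall +answer +authority` format. The
# zone and server names are placeholders, not real data for any domain.
SAMPLE_PARENT = (
    "example.com.\t172800\tIN\tNS\tns1.example.net.\n"
    "example.com.\t172800\tIN\tNS\tns2.example.net.\n"
)
SAMPLE_CHILD = (
    "example.com.\t3600\tIN\tNS\tns1.example.net.\n"
    "example.com.\t3600\tIN\tNS\tns2.example.net.\n"
    "example.com.\t3600\tIN\tNS\tOLD-NS.example.org\n"  # stale entry, no trailing dot
)


def normalize_ns(names: Iterable[str]) -> set[str]:
    """Lower-case the names and make them fully qualified, so that case or a
    missing trailing dot is not reported as a mismatch."""
    out: set[str] = set()
    for name in names:
        name = name.strip().lower()
        if not name:
            continue
        if not name.endswith("."):
            name += "."
        out.add(name)
    return out


def parse_dig_ns(dig_output: str) -> list[str]:
    """Pull the NS targets out of dig's answer/authority lines
    (owner TTL class type rdata, whitespace separated)."""
    targets = []
    for line in dig_output.splitlines():
        fields = line.split()
        if len(fields) >= 5 and fields[2] == "IN" and fields[3] == "NS":
            targets.append(fields[4])
    return targets


def compare_ns_sets(parent: Iterable[str], child: Iterable[str]) -> dict:
    """Compare the parent's delegation NS set with the child's apex NS set;
    in_sync answers the question asked in the thread."""
    p, c = normalize_ns(parent), normalize_ns(child)
    return {
        "in_sync": p == c,
        "parent_only": sorted(p - c),
        "child_only": sorted(c - p),
        "common": sorted(p & c),
    }


def dig(*args: str) -> str:
    """Run the real dig(1) and return its text output; needs network access.
    +norecurse keeps the queried server from resolving on our behalf."""
    cmd = ["dig", "+noall", "+answer", "+authority", "+norecurse", *args]
    return subprocess.run(cmd, capture_output=True, text=True, check=True).stdout


def check_delegation(zone: str, parent_server: str, child_server: str) -> dict:
    """Live check: a parent-zone server returns the delegation in its
    AUTHORITY section, one of the child's own servers returns the apex NS
    RRset in its ANSWER section; compare the two."""
    parent = parse_dig_ns(dig(f"@{parent_server}", zone, "NS"))
    child = parse_dig_ns(dig(f"@{child_server}", zone, "NS"))
    return compare_ns_sets(parent, child)


def demo() -> dict:
    """Offline run over the constructed samples: the child publishes one
    extra, stale name server, so the sets are reported as out of sync."""
    return compare_ns_sets(parse_dig_ns(SAMPLE_PARENT), parse_dig_ns(SAMPLE_CHILD))


if __name__ == "__main__":
    import sys

    # e.g. python3 ns_sync.py dumbingofage.com a.gtld-servers.net 23.226.68.75
    result = check_delegation(*sys.argv[1:4]) if len(sys.argv) == 4 else demo()
    for key, value in result.items():
        print(f"{key}: {value}")
```

When the sets differ, the fix belongs with the zone operator, not the resolver. On the resolver side, `rndc flushtree dumbingofage.com` drops the cached delegation (and everything under it) from a running named without the daily restart, but the broken child NS set will be re-learned and the failure will return until the child's records are corrected.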

Bug#1055632: bind9: needs restarting daily to resolve www.dumbingofage.com

2023-11-09 Thread Ondřej Surý
Hey,

are the NS sets in parent and child in sync?

Ondrej
--
Ondřej Surý (He/Him)

> On 9. 11. 2023, at 10:30, Matthew Vernon  wrote:
> 
> Package: bind9
> Version: 1:9.18.19-1~deb12u1
> Severity: normal
> 
> Hi,
> 
> This is a weird one, but it's been happening daily for a few days now,
> so I figured it was worth reporting.
> 
> For the last few days, if I try and visit
> https://www.dumbingofage.com/
> 
> Firefox can't resolve the hostname, similarly on the CLI:
> matthew@aragorn:~$ host www.dumbingofage.com
> Host www.dumbingofage.com not found: 2(SERVFAIL)
> 
> AFAICT the NSs work - I can do both
> dig @23.226.68.75 www.dumbingofage.com
> and
> dig @23.226.68.76 www.dumbingofage.com
> 
> And get a sensible answer back.
> 
> If I restart bind9 then I am able to resolve the hostname fine, only for
> the same problem to recur the following day.
> 
> So _something_ is getting confused, and I'm pretty sure it's bind :)
> 
> Regards,
> 
> Matthew
> 

Bug#1055632: bind9: needs restarting daily to resolve www.dumbingofage.com

2023-11-09 Thread Matthew Vernon
Package: bind9
Version: 1:9.18.19-1~deb12u1
Severity: normal

Hi,

This is a weird one, but it's been happening daily for a few days now, 
so I figured it was worth reporting.

For the last few days, if I try and visit
https://www.dumbingofage.com/

Firefox can't resolve the hostname, similarly on the CLI:
matthew@aragorn:~$ host www.dumbingofage.com
Host www.dumbingofage.com not found: 2(SERVFAIL)

AFAICT the NSs work - I can do both
dig @23.226.68.75 www.dumbingofage.com
and
dig @23.226.68.76 www.dumbingofage.com

And get a sensible answer back.

If I restart bind9 then I am able to resolve the hostname fine, only for 
the same problem to recur the following day.

So _something_ is getting confused, and I'm pretty sure it's bind :)

Regards,

Matthew

-- System Information:
Debian Release: 12.2
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable-security'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 6.1.0-13-amd64 (SMP w/8 CPU threads; PREEMPT)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8), 
LANGUAGE=en_GB:en
Shell: /bin/sh linked to /usr/bin/dash
Init: sysvinit (via /sbin/init)
LSM: AppArmor: enabled

Versions of packages bind9 depends on:
ii  adduser                    3.134
ii  bind9-libs                 1:9.18.19-1~deb12u1
ii  bind9-utils                1:9.18.19-1~deb12u1
ii  debconf [debconf-2.0]      1.5.82
ii  dns-root-data              2023010101
ii  init-system-helpers        1.65.2
ii  iproute2                   6.1.0-3
ii  libc6                      2.36-9+deb12u3
ii  libcap2                    1:2.66-4
ii  libelogind0 [libsystemd0]  246.10-1debian1
ii  libfstrm0                  0.6.1-1
ii  libjson-c5                 0.16-2
ii  liblmdb0                   0.9.24-1
ii  libmaxminddb0              1.7.1-1
ii  libnghttp2-14              1.52.0-1
ii  libprotobuf-c1             1.4.1-1+b1
ii  libssl3                    3.0.11-1~deb12u2
ii  libuv1                     1.44.2-1
ii  libxml2                    2.9.14+dfsg-1.3~deb12u1
ii  lsb-base                   11.6
ii  netbase                    6.4
ii  sysvinit-utils [lsb-base]  3.06-4
ii  zlib1g                     1:1.2.13.dfsg-1

bind9 recommends no packages.

Versions of packages bind9 suggests:
pn  bind-doc
ii  bind9-dnsutils [dnsutils]  1:9.18.19-1~deb12u1
ii  dnsutils                   1:9.18.19-1~deb12u1
pn  resolvconf
pn  ufw

-- Configuration Files:
/etc/bind/db.127 changed:
;
; BIND reverse data file for local loopback interface
;
$TTL    604800
@   IN  SOA ns.empire.pick.ucam.org. hostmaster.pick.ucam.org. (
  3 ; Serial
 604800 ; Refresh
  86400 ; Retry
2419200 ; Expire
 604800 )   ; Negative Cache TTL
;
@   IN  NS  localhost.
1.0.0   IN  PTR localhost.

/etc/bind/named.conf changed:
// This is the primary configuration file for the BIND DNS server named.
//
// Please read /usr/share/doc/bind/README.Debian for information on the 
// structure of BIND configuration files in Debian for BIND versions 8.2.1 
// and later, *BEFORE* you customize this configuration file.
//
options {
directory "/var/cache/bind";
check-names master warn;
// If there is a firewall between you and nameservers you want
// to talk to, you might need to uncomment the query-source
// directive below.  Previous versions of BIND always asked
// questions using port 53, but BIND 8.1 and later use an unprivileged
// port by default.
// query-source address * port 53;
// If your ISP provided one or more IP addresses for stable 
// nameservers, you probably want to use them as forwarders.  
// Uncomment the following block, and insert the addresses replacing 
// the all-0's placeholder.
//can't use this, since it would break the reverse zones we secondary
//forwarders {
//212.23.8.1; 212.23.8.6;
//};
};
// reduce log verbosity on issues outside our control
logging {
category lame-servers { null; };
//  category cname { null; };
};
// prime the server with knowledge of the root servers
zone "." {
type hint;
file "/etc/bind/db.root";
};
// be authoritative for the localhost forward and reverse zones, and for
// broadcast zones as per RFC 1912
zone "localhost" {
type master;
file "/etc/bind/db.local";
};
zone "127.in-addr.arpa" {
type master;
file "/etc/bind/db.127";
};
zone "0.in-addr.arpa" {
type master;
file "/etc/bind/db.0";
};
zone "255.in-addr.arpa" {
type master;
file "/etc/bind/db.255";
};
// add entries for other zones below here
zone "empire.pick.ucam.org" {
type master;
file "/etc/bind/db.empire";
};
zone