Re: Paging HP DNS admin
On 5/3/2014 9:10 PM, Christopher Morrow wrote: On Sat, May 3, 2014 at 11:13 PM, Chris Adams c...@cmadams.net wrote: Once upon a time, Christopher Morrow morrowc.li...@gmail.com said: ... Oddly, it seems to be specific to ; any other type request I send comes back NOERROR correctly. It is like somebody tried to handle special and screwed it up. I remember nytimes doing something like this for a while, I believe they said their GSLB was just not happy doing , or if not configured would display similar behaviour. Thanks for reporting this. I passed it on to the corp-IT people and the issue appears to be fixed. The problem was that someone forgot to override the F5 default of *NOT* enabling a NODATA/NOERROR response for queries. I have no idea why an opt-in would be required for proper interoperability with RFC 1034 from 1987. Then again, I have zero experience with operating a load balancer appliance. -- Andris
Re: Paging HP DNS admin
In message 5367fdce.6090...@hpl.hp.com, Andris Kalnozols writes: On 5/3/2014 9:10 PM, Christopher Morrow wrote: On Sat, May 3, 2014 at 11:13 PM, Chris Adams c...@cmadams.net wrote: Once upon a time, Christopher Morrow morrowc.li...@gmail.com said: ... Oddly, it seems to be specific to ; any other type request I send comes back NOERROR correctly. It is like somebody tried to handle special and screwed it up. I remember nytimes doing something like this for a while, I believe they said their GSLB was just not happy doing , or if not configured would display similar behaviour. Thanks for reporting this. I passed it on to the corp-IT people and the issue appears to be fixed. The problem was that someone forgot to override the F5 default of *NOT* enabling a NODATA/NOERROR response for queries. I have no idea why an opt-in would be required for proper interoperability with RFC 1034 from 1987. Then again, I have zero experience with operating a load balancer appliance. -- Andris Can you please log a bug report with F5 about the defaults. It should answer all queries unless a backing nameserver has been configured. It should also sanity check the negative responses to ensure that they have the correct SOA record from the backing server but that is another issue. Mark -- Mark Andrews, ISC 1 Seymour St., Dundas Valley, NSW 2117, Australia PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org
Paging HP DNS admin
Dear HP: If your not going to support IPv6 can you at least not return SRVFAIL when asked for an record: root@spoons:/etc/mail # dig onramp01.hpeprint.com ; DiG 9.8.3-P4 onramp01.hpeprint.com ;; global options: +cmd ;; Got answer: ;; -HEADER- opcode: QUERY, status: SERVFAIL, id: 61583 ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0 ;; QUESTION SECTION: ;onramp01.hpeprint.com. IN And what genius thought that emailing documents to printers was a good idea in the first place? Nothing like taking graphics, turning it into 7 bit text, and sending it through a system never intended for the purpose. Supporting luser email is a big enough pain in the arse, now I have to deal with your idiotic printers as well? Gee thanks! Mark
Re: Paging HP DNS admin
On Sat, May 3, 2014 at 6:27 AM, Mark Radabaugh m...@amplex.net wrote: Dear HP: If your not going to support IPv6 can you at least not return SRVFAIL when asked for an record: They aren't. Your resolver is - or at least, that's what it looks like for me. Sending an query to their nameservers times out for me - no response at all. Sending the same query through certain resolvers (eg, Google) seems to result in the timeout being turned into a SERVFAIL. $ dig onramp01.hpeprint.com ; DiG 9.8.4-rpz2+rl005.12-P1 onramp01.hpeprint.com ;; global options: +cmd ;; connection timed out; no servers could be reached Same via Google : $ dig onramp01.hpeprint.com @8.8.8.8 ; DiG 9.8.4-rpz2+rl005.12-P1 onramp01.hpeprint.com @8.8.8.8 ;; global options: +cmd ;; Got answer: ;; -HEADER- opcode: QUERY, status: SERVFAIL, id: 26319 ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0 Scott
Re: Paging HP DNS admin
Either way - it breaks Sendmail, some versions of Exchange, and possibly other MTA's. The proper answer to a non-existent record is NOERROR, with ANSWER 0. Hanging or refusing to answer doesn't result in another attempt to look for an A record since the name server failed to respond to a valid query. Given that the whole point of the domain is to enable email printing, HP isn't making it easy. Mark On 5/3/14, 4:18 PM, Scott Howard wrote: On Sat, May 3, 2014 at 6:27 AM, Mark Radabaugh m...@amplex.net mailto:m...@amplex.net wrote: Dear HP: If your not going to support IPv6 can you at least not return SRVFAIL when asked for an record: They aren't. Your resolver is - or at least, that's what it looks like for me. Sending an query to their nameservers times out for me - no response at all. Sending the same query through certain resolvers (eg, Google) seems to result in the timeout being turned into a SERVFAIL. $ dig onramp01.hpeprint.com http://onramp01.hpeprint.com ; DiG 9.8.4-rpz2+rl005.12-P1 onramp01.hpeprint.com http://onramp01.hpeprint.com ;; global options: +cmd ;; connection timed out; no servers could be reached Same via Google : $ dig onramp01.hpeprint.com http://onramp01.hpeprint.com @8.8.8.8 http://8.8.8.8 ; DiG 9.8.4-rpz2+rl005.12-P1 onramp01.hpeprint.com http://onramp01.hpeprint.com @8.8.8.8 http://8.8.8.8 ;; global options: +cmd ;; Got answer: ;; -HEADER- opcode: QUERY, status: SERVFAIL, id: 26319 ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0 Scott -- Mark Radabaugh Amplex m...@amplex.net 419.837.5015 x 1021
Re: Paging HP DNS admin
On Sat, May 3, 2014 at 10:02 PM, Mark Radabaugh m...@amplex.net wrote: Either way - it breaks Sendmail, some versions of Exchange, and possibly other MTA's. The proper answer to a non-existent record is NOERROR, with ANSWER 0. if I ask ns1/2/3/4/5/6.hp.com directly for for onramp01.hpeprint.com.: ; DiG 9.8.1-P1 onramp01.hpeprint.com. @ns6.hp.com ;; global options: +cmd ;; Got answer: ;; -HEADER- opcode: QUERY, status: NOERROR, id: 30318 ;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 6, ADDITIONAL: 6 ;; WARNING: recursion requested but not available ;; QUESTION SECTION: ;onramp01.hpeprint.com. IN (I get the same result for all ns hosts) if I ask my local bind (ubuntu package == 1:9.8.1.dfsg.P) though I get: $ dig onramp01.hpeprint.com @localhost ; DiG 9.8.1-P1 onramp01.hpeprint.com @localhost ;; global options: +cmd ;; connection timed out; no servers could be reached That's a bit weird and frustrating. Hanging or refusing to answer doesn't result in another attempt to look for an A record since the name server failed to respond to a valid query. Given that the whole point of the domain is to enable email printing, HP isn't making it easy. scott's request LOOKS like a request to 'some resolver' (not directly to them, perhaps his local bind instance? I wonder why 8.8.8.8 returns srvfail? I think one of the google-public-dns people reads nanog, perhaps he knows? (or could fix this which seems to be a bug, to me at least) -chris
Re: Paging HP DNS admin
Once upon a time, Christopher Morrow morrowc.li...@gmail.com said: if I ask ns1/2/3/4/5/6.hp.com directly for for onramp01.hpeprint.com.: ; DiG 9.8.1-P1 onramp01.hpeprint.com. @ns6.hp.com ;; global options: +cmd ;; Got answer: ;; -HEADER- opcode: QUERY, status: NOERROR, id: 30318 ;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 6, ADDITIONAL: 6 ;; WARNING: recursion requested but not available ;; QUESTION SECTION: ;onramp01.hpeprint.com. IN You left out the authority section that refers you to the correct DNS servers - ns[1-6].hp.com are not it. They delegate to another set of HP servers, which all time out (as stated by the OP) when asked for . Oddly, it seems to be specific to ; any other type request I send comes back NOERROR correctly. It is like somebody tried to handle special and screwed it up. -- Chris Adams c...@cmadams.net
Re: Paging HP DNS admin
On Sat, May 3, 2014 at 8:13 PM, Chris Adams c...@cmadams.net wrote: You left out the authority section that refers you to the correct DNS servers - ns[1-6].hp.com are not it. They delegate to another set of HP servers, which all time out (as stated by the OP) when asked for . Actually the OP said that it returned SERVFAIL, which the HP servers don't, but Googles public DNS server (and potentially others) does. Oddly, it seems to be specific to ; any other type request I send comes back NOERROR correctly. It is like somebody tried to handle special and screwed it up. This isn't new. RFC 4074 from 2005 covers this exact issue. From memory, this is/was the default behavior for DJBDNS. Scott
Re: Paging HP DNS admin
On Sat, May 3, 2014 at 11:13 PM, Chris Adams c...@cmadams.net wrote: Once upon a time, Christopher Morrow morrowc.li...@gmail.com said: if I ask ns1/2/3/4/5/6.hp.com directly for for onramp01.hpeprint.com.: ; DiG 9.8.1-P1 onramp01.hpeprint.com. @ns6.hp.com ;; global options: +cmd ;; Got answer: ;; -HEADER- opcode: QUERY, status: NOERROR, id: 30318 ;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 6, ADDITIONAL: 6 ;; WARNING: recursion requested but not available ;; QUESTION SECTION: ;onramp01.hpeprint.com. IN You left out the authority section that refers you to the correct DNS darned it :( yes. servers - ns[1-6].hp.com are not it. They delegate to another set of HP servers, which all time out (as stated by the OP) when asked for . yup :( Oddly, it seems to be specific to ; any other type request I send comes back NOERROR correctly. It is like somebody tried to handle special and screwed it up. I remember nytimes doing something like this for a while, I believe they said their GSLB was just not happy doing , or if not configured would display similar behaviour. -chris
