
Re: apt temporary failure resolving deb.debian.org



On Sun, 9 Apr 2023, Andy Smith wrote:

Hi Badli,

On Sun, Apr 09, 2023 at 07:59:32AM +0000, Badli Al Rashid wrote:
I got a temporary failure resolving deb.debian.org and
www.debian.org since last week Thursday. I can resolve other sites
like www.kernel.org and others.

Broke last Monday for me.

When I switch to other DNS servers I can resolve www.debian.org.

Any clue in the logs of your bind9 resolver?

If you are able to install "delv", what does that say?

$ delv -t cname deb.debian.org
; fully validated
deb.debian.org.         3567    IN      CNAME   debian.map.fastlydns.net.
deb.debian.org.         3567    IN      RRSIG   CNAME 8 3 3600 20230512040858 20230402034640 32728 debian.org. rFqk+TkAJPOXTbQl8irQJyMGjsL8yXMxFgxglzGC+7GaydpbQGEYaiOE FLHKy4dPshKq0pq5O8l+hw/gG3dgWg+fYkskltkGJyk8VNBnbgTM3Szm M2QjRR7x7hKitr61YrUkVCpZCroiKtZfat/0l42EWV24FewvatX9mBge VYzlUSrOchLHC7TjBOpxyA7Ta6ll4YIDDgMSZi4HxMMhjPdzGs2H/o8D CrKUmSE9VBhRoclczsBbMENUftKR0XOl

It does seem like your local resolver is at fault when it comes to
DNSSEC.

Cheers,
Andy



I suspect some weird PMTU issue or something like that.

root@bind17:/etc/bind# delv -t cname www.microsoft.com  +rtrace
;; fetch: www.microsoft.com/CNAME
;; fetch: com/DS
;; fetch: ./DNSKEY
;; fetch: microsoft.com/DS
;; fetch: com/DNSKEY
; unsigned answer
www.microsoft.com.      2858    IN      CNAME   www.microsoft.com-c-3.edgekey.net.
root@bind17:/etc/bind# delv -t cname deb.debian.org +rtrace
;; fetch: deb.debian.org/CNAME
;; fetch: debian.org/DNSKEY
;; resolution failed: timed out
root@bind17:/etc/bind#

And here's the really weird bit: that was with bind using Google as
forwarders, but...

root@bind17:/etc/bind# delv -6 -t cname deb.debian.org +rtrace @2001:4860:4860::8888
;; fetch: deb.debian.org/CNAME
;; fetch: debian.org/DNSKEY
;; fetch: debian.org/DS
;; fetch: org/DNSKEY
;; fetch: org/DS
;; fetch: ./DNSKEY
; fully validated
deb.debian.org.         3284    IN      CNAME   debian.map.fastlydns.net.
deb.debian.org.         3284    IN      RRSIG   CNAME 8 3 3600 20230512040858 20230402034640 32728 debian.org. rFqk+TkAJPOXTbQl8irQJyMGjsL8yXMxFgxglzGC+7GaydpbQGEYaiOE FLHKy4dPshKq0pq5O8l+hw/gG3dgWg+fYkskltkGJyk8VNBnbgTM3Szm M2QjRR7x7hKitr61YrUkVCpZCroiKtZfat/0l42EWV24FewvatX9mBge VYzlUSrOchLHC7TjBOpxyA7Ta6ll4YIDDgMSZi4HxMMhjPdzGs2H/o8D CrKUmSE9VBhRoclczsBbMENUftKR0XOl
root@bind17:/etc/bind#


firewall17:~# tcpdump -n -i isp port 53
tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on isp, link-type EN10MB (Ethernet), snapshot length 262144 bytes
03:24:02.676837 IP6 ****:****:****:**00::1.50280 > 2001:4860:4860::8888.53: 27939+% [1au] DNSKEY? debian.org. (51)
03:24:02.686347 IP6 2001:4860:4860::8888.53 > ****:****:****:**00::1.50280: 27939| 0/0/1 (39)
03:24:02.687485 IP6 ****:****:****:**00::1.59395 > 2001:4860:4860::8888.53: Flags [S], seq 2532653124, win 64660, options [mss 1220,sackOK,TS val 1661813206 ecr 0,nop,wscale 5], length 0
03:24:02.697849 IP6 2001:4860:4860::8888.53 > ****:****:****:**00::1.59395: Flags [S.], seq 2779959628, ack 2532653125, win 65535, options [mss 1440,sackOK,TS val 1178061358 ecr 1661813206,nop,wscale 8], length 0
03:24:02.698472 IP6 ****:****:****:**00::1.59395 > 2001:4860:4860::8888.53: Flags [.], ack 1, win 2021, options [nop,nop,TS val 1661813217 ecr 1178061358], length 0
03:24:02.698840 IP6 ****:****:****:**00::1.59395 > 2001:4860:4860::8888.53: Flags [P.], seq 1:54, ack 1, win 2021, options [nop,nop,TS val 1661813217 ecr 1178061358], length 53 16359+% [1au] DNSKEY? debian.org. (51)
03:24:02.708023 IP6 2001:4860:4860::8888.53 > ****:****:****:**00::1.59395: Flags [.], ack 54, win 256, options [nop,nop,TS val 1178061368 ecr 1661813217], length 0
03:24:04.707378 IP6 2001:4860:4860::8888.53 > ****:****:****:**00::1.59395: Flags [F.], seq 1636, ack 54, win 256, options [nop,nop,TS val 1178063367 ecr 1661813217], length 0
03:24:04.708333 IP6 ****:****:****:**00::1.59395 > 2001:4860:4860::8888.53: Flags [.], ack 1, win 2021, options [nop,nop,TS val 1661815227 ecr 1178061368,nop,nop,sack 1 {1636:1637}], length 0
03:24:07.698316 IP6 ****:****:****:**00::1.59395 > 2001:4860:4860::8888.53: Flags [F.], seq 54, ack 1, win 2021, options [nop,nop,TS val 1661818217 ecr 1178061368,nop,nop,sack 1 {1636:1637}], length 0
03:24:07.708269 IP6 2001:4860:4860::8888.53 > ****:****:****:**00::1.59395: Flags [.], ack 55, win 256, options [nop,nop,TS val 1178066368 ecr 1661818217], length 0

The result isn't getting back to me. Google shuts down the connection after 2 seconds.


And here's talking to Google directly:

firewall17:/etc/firewall# tcpdump -n -i isp port 53
tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on isp, link-type EN10MB (Ethernet), snapshot length 262144 bytes
03:56:29.290782 IP6 ****:****:****:**00::1.48805 > 2001:4860:4860::8888.53: Flags [S], seq 3069515386, win 64660, options [mss 1220,sackOK,TS val 1663759806 ecr 0,nop,wscale 5], length 0
03:56:29.301791 IP6 2001:4860:4860::8888.53 > ****:****:****:**00::1.48805: Flags [S.], seq 3127336889, ack 3069515387, win 65535, options [mss 1440,sackOK,TS val 3496932498 ecr 1663759806,nop,wscale 8], length 0
03:56:29.302332 IP6 ****:****:****:**00::1.48805 > 2001:4860:4860::8888.53: Flags [.], ack 1, win 2021, options [nop,nop,TS val 1663759818 ecr 3496932498], length 0
03:56:29.302809 IP6 ****:****:****:**00::1.48805 > 2001:4860:4860::8888.53: Flags [P.], seq 1:58, ack 1, win 2021, options [nop,nop,TS val 1663759818 ecr 3496932498], length 57 21502+ [1au] CNAME? deb.debian.org. (55)
03:56:29.311208 IP6 2001:4860:4860::8888.53 > ****:****:****:**00::1.48805: Flags [.], ack 58, win 256, options [nop,nop,TS val 3496932508 ecr 1663759818], length 0
03:56:29.321544 IP6 2001:4860:4860::8888.53 > ****:****:****:**00::1.48805: Flags [P.], seq 1:318, ack 58, win 256, options [nop,nop,TS val 3496932518 ecr 1663759818], length 317 21502$ 2/0/1 CNAME debian.map.fastlydns.net., RRSIG (315)
03:56:29.322083 IP6 ****:****:****:**00::1.48805 > 2001:4860:4860::8888.53: Flags [.], ack 318, win 2012, options [nop,nop,TS val 1663759838 ecr 3496932518], length 0
03:56:29.323547 IP6 ****:****:****:**00::1.48805 > 2001:4860:4860::8888.53: Flags [F.], seq 58, ack 318, win 2012, options [nop,nop,TS val 1663759839 ecr 3496932518], length 0
03:56:29.324299 IP6 ****:****:****:**00::1.37914 > 2001:4860:4860::8888.53: 43433+ [1au] DNSKEY? debian.org. (51)
03:56:29.331043 IP6 2001:4860:4860::8888.53 > ****:****:****:**00::1.48805: Flags [F.], seq 318, ack 59, win 256, options [nop,nop,TS val 3496932528 ecr 1663759839], length 0
03:56:29.331613 IP6 ****:****:****:**00::1.48805 > 2001:4860:4860::8888.53: Flags [.], ack 319, win 2012, options [nop,nop,TS val 1663759847 ecr 3496932528], length 0
03:56:29.350983 IP6 ****:****:****:**00::1.37914 > 2001:4860:4860::8888.53: 18553+ [1au] DS? debian.org. (51)
03:56:29.371792 IP6 2001:4860:4860::8888.53 > ****:****:****:**00::1.37914: 18553$ 2/0/1 DS, RRSIG (250)
03:56:29.374031 IP6 ****:****:****:**00::1.37914 > 2001:4860:4860::8888.53: 49374+ [1au] DNSKEY? org. (44)
03:56:29.383446 IP6 2001:4860:4860::8888.53 > ****:****:****:**00::1.37914: 49374$ 4/0/1 DNSKEY, DNSKEY, DNSKEY, RRSIG (895)
03:56:29.385886 IP6 ****:****:****:**00::1.37914 > 2001:4860:4860::8888.53: 34706+ [1au] DS? org. (44)
03:56:29.395551 IP6 2001:4860:4860::8888.53 > ****:****:****:**00::1.37914: 34706$ 2/0/1 DS, RRSIG (367)
03:56:29.397514 IP6 ****:****:****:**00::1.37914 > 2001:4860:4860::8888.53: 17976+ [1au] DNSKEY? . (40)
03:56:29.407502 IP6 2001:4860:4860::8888.53 > ****:****:****:**00::1.37914: 17976$ 4/0/1 DNSKEY, DNSKEY, DNSKEY, RRSIG (1139)
^C
19 packets captured
19 packets received by filter
0 packets dropped by kernel
firewall17:/etc/firewall#
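
As an added example (not part of the original message), this Python sketch reads `tcpdump -n` text like the captures above and flags the two symptoms visible in the failing one: a UDP reply carrying the truncation marker `|`, and a TCP session in which the server's FIN sequence number lies beyond any response data that reached the capture point. The sample lines are constructed, with documentation-range addresses standing in for the masked ones and TCP options trimmed; the function name `analyze` is hypothetical.

```python
import re

# Constructed sample modelled on the captures above (not the original packets).
SAMPLE = """\
03:24:02.676837 IP6 2001:db8::1.50280 > 2001:db8:53::8888.53: 27939+% [1au] DNSKEY? debian.org. (51)
03:24:02.686347 IP6 2001:db8:53::8888.53 > 2001:db8::1.50280: 27939| 0/0/1 (39)
03:24:02.697849 IP6 2001:db8:53::8888.53 > 2001:db8::1.59395: Flags [S.], seq 2779959628, ack 2532653125, win 65535, length 0
03:24:02.708023 IP6 2001:db8:53::8888.53 > 2001:db8::1.59395: Flags [.], ack 54, win 256, length 0
03:24:04.707378 IP6 2001:db8:53::8888.53 > 2001:db8::1.59395: Flags [F.], seq 1636, ack 54, win 256, length 0
03:56:29.321544 IP6 2001:db8:53::8888.53 > 2001:db8::1.48805: Flags [P.], seq 1:318, ack 58, win 256, length 317 21502$ 2/0/1 CNAME debian.map.fastlydns.net., RRSIG (315)
03:56:29.331043 IP6 2001:db8:53::8888.53 > 2001:db8::1.48805: Flags [F.], seq 318, ack 59, win 256, length 0
"""

LINE = re.compile(r"^\S+ IP6? (\S+)\.(\d+) > (\S+)\.(\d+): (.*)$")
TCP = re.compile(r"^Flags \[([^\]]+)\](?:, seq (\d+)(?::(\d+))?)?")

def analyze(capture, dns_port="53"):
    """Report truncated UDP replies and TCP replies whose data never arrived."""
    truncated = []   # client ports whose UDP answer had the TC bit set
    flows = {}       # client port -> [highest server byte seen, server FIN seq]
    for line in capture.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        _src, sport, _dst, dport, rest = m.groups()
        if sport != dns_port:
            continue                 # only server -> client packets matter here
        t = TCP.match(rest)
        if t is None:
            # UDP DNS: tcpdump prints "<id><flags>"; '|' marks a truncated reply
            if re.match(r"\d+\S*\|", rest):
                truncated.append(int(dport))
            continue
        flags, start, end = t.groups()
        if "S" in flags or start is None:
            continue                 # SYN-ACK has an absolute seq; bare ACKs have none
        flow = flows.setdefault(int(dport), [1, None])
        if end:                      # data segment "seq a:b" seen at the capture point
            flow[0] = max(flow[0], int(end))
        if "F" in flags:
            flow[1] = int(start)     # relative seq of FIN = 1 + bytes the server sent
    stalled = {port: fin - seen for port, (seen, fin) in flows.items()
               if fin is not None and fin > seen}
    return {"truncated_udp": truncated, "stalled_tcp": stalled}

if __name__ == "__main__":
    print(analyze(SAMPLE))
```

A non-empty `stalled_tcp` entry gives the number of response bytes the server sent before its FIN that were never seen on the capturing interface.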



