Re: apt temporary failure resolving deb.debian.org
On Mon, 10 Apr 2023, Lee wrote:
Why are you using google as forwarders ?
To eliminate as many variables as possible.
delv talking to google works.
delv talking to bind talking to google fails.
When talking directly, delv is using udp to talk to google
When talking via bind, bind is using tcp.
And while google acks the DNSKEY request from bind, the data is not
received. The seqnence number jumps from 1 on the ACK of the query to
1636 on the FIN where google closes the connection.
Thats 1635 bytes of data gone missing.
The mss on the original SYN packet is 1220, so that ought to be two (or
more) packets gone missing.
Interestingly if I use tcp to google servers it still works:
(hmmm, capture suggest that it's only using TCP for the CNAME request,
not the DNSKEY requests)
delv -t cname deb.debian.org +rtrace +tcp @2001:4860:4860::8888
;; fetch: deb.debian.org/CNAME
;; fetch: debian.org/DNSKEY
;; fetch: debian.org/DS
;; fetch: org/DNSKEY
;; fetch: org/DS
;; fetch: ./DNSKEY
; fully validated
deb.debian.org.         3112    IN      CNAME   debian.map.fastlydns.net.
deb.debian.org.         3112    IN      RRSIG   CNAME 8 3 3600 20230512040858 20230402034640 32728 debian.org. rFqk+TkAJPOXTbQl8irQJyMGjsL8yXMxFgxglzGC+7GaydpbQGEYaiOE FLHKy4dPshKq0pq5O8l+hw/gG3dgWg+fYkskltkGJyk8VNBnbgTM3Szm M2QjRR7x7hKitr61YrUkVCpZCroiKtZfat/0l42EWV24FewvatX9mBge VYzlUSrOchLHC7TjBOpxyA7Ta6ll4YIDDgMSZi4HxMMhjPdzGs2H/o8D CrKUmSE9VBhRoclczsBbMENUftKR0XOl
while to my ISPs nameservers it doesn't!
root@bind17:~# delv -t cname deb.debian.org +rtrace +tcp @2001:730:3ec2::10
;; fetch: deb.debian.org/CNAME
;; fetch: debian.org/DNSKEY
;; resolution failed: timed out
and I see exactly the same in the capture, 1635 bytes missing.
bind works just fine for me with no forwarding:
$ delv -t cname deb.debian.org +rtrace
;; fetch: deb.debian.org/CNAME
;; fetch: debian.org/DNSKEY
;; fetch: debian.org/DS
;; fetch: org/DNSKEY
;; fetch: org/DS
;; fetch: ./DNSKEY
; fully validated
deb.debian.org.         3550    IN      CNAME   debian.map.fastlydns.net.
deb.debian.org.         3550    IN      RRSIG   CNAME 8 3 3600
20230512040858 20230402034640 32728 debian.org.
rFqk+TkAJPOXTbQl8irQJyMGjsL8yXMxFgxglzGC+7GaydpbQGEYaiOE
FLHKy4dPshKq0pq5O8l+hw/gG3dgWg+fYksklt8VNBnbgTM3Szm
M2QjRR7x7hKitr61YrUkVCpZCroiKtZfat/0l42EWV24FewvatX9mBge
VYzlUSrOchLHC7TjBOpxyA7Ta6ll4YIDDgMSZi4HxMMhjPdzGs2H/o8D
CrKUmSE9VBhRoclczsBbMENUftKR0XOl
Regards,
Lee
Reply to: