Netgate Discussion Forum
    Sporadic dns issue related to DNSSEC

    DHCP and DNS
    22 Posts 3 Posters 1.3k Views
    • Gertjan @johnpoz

      First things first: I just generated a new DNSSEC report, as the latest one on dnsviz.net was 3 months old:

      https://dnsviz.net/d/broadcom.com/YGFlsg/dnssec/

      which doesn't show a nice clean result.

      @stoffix said in Sporadic dns issue related to DNSSEC:

      ;; connection timed out; no servers could be reached

      unbound getting restarted by an incoming DHCP lease ?

      Check the resolver log: how many times does it restart per day? per hour? per minute?
      Just to be sure, uncheck :

      [screenshot of the option to uncheck]

      Btw : I did a new test on dnsviz.net, 2 minutes later.
      https://dnsviz.net/d/broadcom.com/YGFoPg/dnssec/
      This time : no red 'fatal' error messages - just 4 warnings. Looks like they are in the middle of some KSK shift.

      No "help me" PM's please. Use the forum, the community will thank you.
      Edit : and where are the logs ??

      • johnpoz LAYER 8 Global Moderator @Gertjan

        @gertjan said in Sporadic dns issue related to DNSSEC:

        latest on dnsviz.net was 3 months old :

        No because I updated it when I did it - so not sure how that was possible.

        But yeah failure to talk to someone is not a dnssec failure..

        An intelligent man is sometimes forced to be drunk to spend time with his fools
        If you get confused: Listen to the Music Play
        Please don't Chat/PM me for help, unless mod related
        SG-4860 24.11 | Lab VMs 2.8, 24.11

        • stoffix @Gertjan

          @gertjan
          DHCP registration was on; I turned it off last night.
          At the moment the log fills so quickly I can't see how often it restarted, but it's off now anyway. Thanks.

          my options box now reads:

          server:
          log-queries: yes
          log-replies: yes
          do-ip6: no
          

          My wan is a pppoe, and I don't have a public ipv6 address. I checked the interface status page and for my wan it shows a link-local ipv6, maybe that's why the resolver was trying ipv6 as well?
          For now dig only seems to show a timeout checking www.broadcom.com
          I got some more detailed logs from the resolver in the attached file: log.txt
          It's too large to write it in the post.

          Some entries looks interesting:

          Mar 29 14:57:01 	unbound 	99799 	[99799:1] debug: Cache reply: unchecked entry needs validation
          
          Mar 29 14:56:56 	unbound 	99799 	[99799:1] info: mesh_run: end 2 recursion states (1 with reply, 0 detached), 1 waiting replies, 239 recursion replies sent, 0 replies dropped, 0 states jostled out
          Mar 29 14:56:56 	unbound 	99799 	[99799:1] debug: mesh_run: iterator module exit state is module_wait_reply
          
          Mar 29 14:56:56 	unbound 	99799 	[99799:1] debug: timeout udp
          
          Mar 29 14:57:00 	unbound 	99799 	[99799:1] debug: query response was timeout
          
          Mar 29 14:57:11 	unbound 	99799 	[99799:1] debug: out of query targets -- returning SERVFAIL
          
          Mar 29 14:57:42 	unbound 	99799 	[99799:1] info: Missing DNSKEY RRset in response to DNSKEY query.
          
          Mar 29 14:57:42 	unbound 	99799 	[99799:1] debug: not validating response, is valrec(validation recursion lookup)
          

          And the responses I see in the log don't show the 'ad' flag either.
          If I should guess, it looks like unbound is unable to validate (DNSSEC) www.broadcom.com because it is not getting some query responses, and therefore times out while waiting for said responses. It looks like unbound keeps trying for a little while after dig gives up - not that it makes a difference.

          Could there be an IPv4-specific issue somewhere?
          Or maybe a "geographical" issue? (I'm located in northern Norway)

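The two questions raised so far, how often unbound restarts (Gertjan's point about DHCP registration) and whether the posted debug lines show timeouts turning into SERVFAIL and a failed DNSKEY fetch, can both be answered by the resolver log itself. The script below is an added example, not code from the thread or from pfSense. It parses lines in the layout of the log excerpt above (timestamp, process name, PID, "[pid:thread] level: message"), counts the messages that matter for this failure mode, tracks restarts per hour and PID changes, and turns the counts into findings. The sample log is constructed for the example; the "start of service" / "service stopped" texts are unbound's own startup and shutdown messages, the rest are the messages quoted in the post.

```python
import re
from collections import Counter
from dataclasses import dataclass, field

# Constructed sample in the layout of the pfSense resolver log excerpt above.
# Not a real capture: the restarts and PID change are made up to exercise the parser.
SAMPLE_LOG = """\
Mar 29 14:50:02 unbound 99799 [99799:0] info: start of service (unbound 1.13.1).
Mar 29 14:56:56 unbound 99799 [99799:1] debug: timeout udp
Mar 29 14:57:00 unbound 99799 [99799:1] debug: query response was timeout
Mar 29 14:57:11 unbound 99799 [99799:1] debug: out of query targets -- returning SERVFAIL
Mar 29 14:57:42 unbound 99799 [99799:1] info: Missing DNSKEY RRset in response to DNSKEY query.
Mar 29 14:57:42 unbound 99799 [99799:1] debug: not validating response, is valrec(validation recursion lookup)
Mar 29 15:03:10 unbound 99799 [99799:0] info: service stopped (unbound 1.13.1).
Mar 29 15:03:11 unbound 11422 [11422:0] info: start of service (unbound 1.13.1).
Mar 29 15:20:44 unbound 11422 [11422:0] info: service stopped (unbound 1.13.1).
Mar 29 15:20:45 unbound 11422 [11422:0] info: start of service (unbound 1.13.1).
"""

# "Mar 29 14:57:01  unbound  99799  [99799:1] debug: ..." (tabs in the original are
# normalised to spaces before matching).
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2})\s+unbound\s+(?P<pid>\d+)\s+"
    r"\[(?P<tpid>\d+):(?P<thread>\d+)\]\s+(?P<level>\w+):\s+(?P<msg>.*)$"
)

# Message fragments that matter for a "timeouts while validating" diagnosis.
SIGNATURES = {
    "restart": "start of service",            # unbound's own startup message
    "timeout": "query response was timeout",  # upstream never answered
    "servfail": "returning SERVFAIL",         # ran out of NS to try
    "missing_dnskey": "Missing DNSKEY RRset", # key fetch for validation failed
    "unvalidated": "not validating response",
}


@dataclass
class Triage:
    counts: Counter = field(default_factory=Counter)
    restarts_per_hour: Counter = field(default_factory=Counter)  # "Mar 29 15" -> n
    pids: list = field(default_factory=list)                     # PID sequence seen
    unparsed: int = 0


def triage_unbound_log(text: str) -> Triage:
    t = Triage()
    for raw in text.splitlines():
        m = LINE_RE.match(raw.replace("\t", " "))
        if not m:
            t.unparsed += 1
            continue
        msg = m["msg"]
        for key, needle in SIGNATURES.items():
            if needle in msg:
                t.counts[key] += 1
                if key == "restart":
                    t.restarts_per_hour[m["ts"][:-6]] += 1  # strip ":MM:SS"
        pid = m["pid"]
        if not t.pids or t.pids[-1] != pid:  # a new PID is a restart too
            t.pids.append(pid)
    return t


def findings(t: Triage) -> list:
    """Turn counts into the findings a practitioner would act on, in a fixed order."""
    out = []
    if t.counts["restart"] > 1:
        # Every restart empties the message and infra caches, so unbound forgets
        # which name servers were slow or dead and has to relearn it.
        out.append("restart churn")
    if t.counts["servfail"] and t.counts["timeout"]:
        out.append("upstream timeout before SERVFAIL")
    if t.counts["missing_dnskey"]:
        out.append("DNSKEY fetch failed")
    return out


if __name__ == "__main__":
    t = triage_unbound_log(SAMPLE_LOG)
    print(dict(t.counts), dict(t.restarts_per_hour), t.pids)
    print(findings(t))
```

On a live system feed it `clog /var/log/resolver.log` (pfSense's circular log reader) or the exported log.txt; restart churn with DHCP registration still enabled points at the lease-triggered restarts, while timeouts plus "Missing DNSKEY RRset" without churn points at the authoritative servers themselves.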
          • johnpoz LAYER 8 Global Moderator @stoffix

            @stoffix said in Sporadic dns issue related to DNSSEC:

            Or maybe a "geographical" issue?

            Possible - when you resolve, you have to talk to the authoritative nameservers for a domain or TLD, etc. So yeah, it's possible that ISP peering issues, or just geographic issues related to latency, could cause pain in resolving.

            So if unbound has issues talking to specific NS returned, then it should try not to talk to those and choose more the NS with better response times, etc. But if your cache was clearing all the time because of unbound restarts.. Then it wouldn't know which ns it was having issues with, etc.

            Now that you have unbound not restarting all the time, see if you settle down for resolving that fqdn.. You can always look up details of how a specific fqdn would be looked up.

            [21.02-RELEASE][admin@sg4860.local.lan]/: unbound-control -c /var/unbound/unbound.conf lookup www.broadcom.com
            The following name servers are used for lookup of www.broadcom.com.
            ;rrset 7932 13 0 2 0
            com.    7932    IN      NS      a.gtld-servers.net.
            com.    7932    IN      NS      b.gtld-servers.net.
            com.    7932    IN      NS      c.gtld-servers.net.
            com.    7932    IN      NS      d.gtld-servers.net.
            com.    7932    IN      NS      e.gtld-servers.net.
            com.    7932    IN      NS      f.gtld-servers.net.
            com.    7932    IN      NS      g.gtld-servers.net.
            com.    7932    IN      NS      h.gtld-servers.net.
            com.    7932    IN      NS      i.gtld-servers.net.
            com.    7932    IN      NS      j.gtld-servers.net.
            com.    7932    IN      NS      k.gtld-servers.net.
            com.    7932    IN      NS      l.gtld-servers.net.
            com.    7932    IN      NS      m.gtld-servers.net.
            ;rrset 7932 1 1 11 5
            com.    7932    IN      DS      30909 8 2 E2D3C916F6DEEAC73294E8268FB5885044A833FC5459588F4A9184CFC41A5766
            com.    7932    IN      RRSIG   DS 8 1 86400 20210410050000 20210328040000 42351 . jHnh+pTanx1cXVQCLOzD1VMZ/aDZYQWIN6mGvldH233rd5wBXvrHFA7la5osDjKb12bETey69jObKgCeEIKx5eq3ILxlKRBMcKdrl/GFjjobuFZHxvSlUbjzUhy0YIUx5d9mNBrpDdiCoOx8870VbKCub22VN5SE2td0Iz3Sbz4RP382hFq2xylU6TrEnIYduXDA6pr7uFs8ItjXmZKgMkFSZbDAERIpjBbUYYoWReREol9PoQOm/0Pku9ohOvVzubNtRtVqAcQ2YC0iPQjy/cY4At7GfDYm20bBI26M9j2MHKmXWbkjBUp822YN2NPc30YZfcJiMLazJuPQmCQQuA== ;{id = 42351}
            ;rrset 7932 1 0 1 0
            m.gtld-servers.net.     7932    IN      A       192.55.83.30
            ;rrset 7932 1 0 1 0
            m.gtld-servers.net.     7932    IN      AAAA    2001:501:b1f9::30
            ;rrset 7932 1 0 1 0
            l.gtld-servers.net.     7932    IN      A       192.41.162.30
            ;rrset 7932 1 0 1 0
            l.gtld-servers.net.     7932    IN      AAAA    2001:500:d937::30
            ;rrset 7932 1 0 1 0
            k.gtld-servers.net.     7932    IN      A       192.52.178.30
            ;rrset 7932 1 0 1 0
            k.gtld-servers.net.     7932    IN      AAAA    2001:503:d2d::30
            ;rrset 7932 1 0 1 0
            j.gtld-servers.net.     7932    IN      A       192.48.79.30
            ;rrset 7932 1 0 1 0
            j.gtld-servers.net.     7932    IN      AAAA    2001:502:7094::30
            ;rrset 7932 1 0 1 0
            i.gtld-servers.net.     7932    IN      A       192.43.172.30
            ;rrset 7932 1 0 1 0
            i.gtld-servers.net.     7932    IN      AAAA    2001:503:39c1::30
            ;rrset 7932 1 0 1 0
            h.gtld-servers.net.     7932    IN      A       192.54.112.30
            ;rrset 7932 1 0 1 0
            h.gtld-servers.net.     7932    IN      AAAA    2001:502:8cc::30
            ;rrset 7932 1 0 1 0
            g.gtld-servers.net.     7932    IN      A       192.42.93.30
            ;rrset 7932 1 0 1 0
            g.gtld-servers.net.     7932    IN      AAAA    2001:503:eea3::30
            ;rrset 7932 1 0 1 0
            f.gtld-servers.net.     7932    IN      A       192.35.51.30
            ;rrset 7932 1 0 1 0
            f.gtld-servers.net.     7932    IN      AAAA    2001:503:d414::30
            ;rrset 7932 1 0 1 0
            e.gtld-servers.net.     7932    IN      A       192.12.94.30
            ;rrset 7932 1 0 1 0
            e.gtld-servers.net.     7932    IN      AAAA    2001:502:1ca1::30
            ;rrset 7932 1 0 1 0
            d.gtld-servers.net.     7932    IN      A       192.31.80.30
            ;rrset 7932 1 0 1 0
            d.gtld-servers.net.     7932    IN      AAAA    2001:500:856e::30
            ;rrset 7932 1 0 1 0
            c.gtld-servers.net.     7932    IN      A       192.26.92.30
            ;rrset 7932 1 0 1 0
            c.gtld-servers.net.     7932    IN      AAAA    2001:503:83eb::30
            ;rrset 7932 1 0 1 0
            b.gtld-servers.net.     7932    IN      A       192.33.14.30
            ;rrset 7932 1 0 1 0
            b.gtld-servers.net.     7932    IN      AAAA    2001:503:231d::2:30
            ;rrset 7932 1 0 1 0
            a.gtld-servers.net.     7932    IN      A       192.5.6.30
            ;rrset 7932 1 0 1 0
            a.gtld-servers.net.     7932    IN      AAAA    2001:503:a83e::2:30
            Delegation with 13 names, of which 0 can be examined to query further addresses.
            It provides 26 IP addresses.
            2001:503:a83e::2:30     not in infra cache.
            192.5.6.30              expired, rto 3390592 msec, tA 0 tAAAA 0 tother 0.
            2001:503:231d::2:30     not in infra cache.
            192.33.14.30            expired, rto 3390592 msec, tA 0 tAAAA 0 tother 0.
            2001:503:83eb::30       not in infra cache.
            192.26.92.30            expired, rto 3390592 msec, tA 0 tAAAA 0 tother 0.
            2001:500:856e::30       not in infra cache.
            192.31.80.30            rto 320 msec, ttl 717, ping 4 var 79 rtt 320, tA 0, tAAAA 0, tother 0, EDNS 0 probed.
            2001:502:1ca1::30       not in infra cache.
            192.12.94.30            not in infra cache.
            2001:503:d414::30       not in infra cache.
            192.35.51.30            not in infra cache.
            2001:503:eea3::30       not in infra cache.
            192.42.93.30            not in infra cache.
            2001:502:8cc::30        not in infra cache.
            192.54.112.30           not in infra cache.
            2001:503:39c1::30       not in infra cache.
            192.43.172.30           not in infra cache.
            2001:502:7094::30       not in infra cache.
            192.48.79.30            not in infra cache.
            2001:503:d2d::30        not in infra cache.
            192.52.178.30           not in infra cache.
            2001:500:d937::30       not in infra cache.
            192.41.162.30           not in infra cache.
            2001:501:b1f9::30       not in infra cache.
            192.55.83.30            not in infra cache.
            [21.02-RELEASE][admin@sg4860.local.lan]/: 
            

            Keeping in mind that you have more than those to contend with because the cname points to cloudflare as well.

            [21.02-RELEASE][admin@sg4860.local.lan]/: unbound-control -c /var/unbound/unbound.conf lookup www.broadcom.com.cdn.cloudflare.net
            The following name servers are used for lookup of www.broadcom.com.cdn.cloudflare.net.
            ;rrset 14314 5 0 2 0
            cloudflare.net. 14314   IN      NS      ns1.cloudflare.net.
            cloudflare.net. 14314   IN      NS      ns2.cloudflare.net.
            cloudflare.net. 14314   IN      NS      ns3.cloudflare.net.
            cloudflare.net. 14314   IN      NS      ns4.cloudflare.net.
            cloudflare.net. 14314   IN      NS      ns5.cloudflare.net.
            ;rrset 14314 1 1 11 5
            cloudflare.net. 14314   IN      DS      2371 13 2 90F710A107DA51ED78125D30A68704CF3C0308AFD01BFCD7057D4BD03B62C68B
            cloudflare.net. 14314   IN      RRSIG   DS 8 2 86400 20210404052352 20210328041352 30944 net. JmDnk7yeQJZDVl5Fz1Ijo9tw7egwoRYaGP9kkwogFOkGUreJvF3LFocfKCnpAolV3692TrYCWoUVglgTm5Ye2KSAoEl8D7J58UTbczpeyncrNMjXe6E1WZBe02smwe6njOeRDM3mJBNt1AUVWNqMK4OMETYGyGPhs4QYUVFnzXK9ynxp+Be9YwMQJjyEfYO30uy6nL/hF9SYRrHTbf4QIQ== ;{id = 30944}
            ;rrset 14314 1 0 1 0
            ns5.cloudflare.net.     14314   IN      A       198.41.223.31
            ;rrset 14314 1 0 1 0
            ns5.cloudflare.net.     14314   IN      AAAA    2400:cb00:2049:1::c629:df1f
            ;rrset 14314 1 0 1 0
            ns4.cloudflare.net.     14314   IN      A       198.41.223.131
            ;rrset 14314 1 0 1 0
            ns4.cloudflare.net.     14314   IN      AAAA    2400:cb00:2049:1::c629:df83
            ;rrset 14314 1 0 1 0
            ns3.cloudflare.net.     14314   IN      A       198.41.222.31
            ;rrset 14314 1 0 1 0
            ns3.cloudflare.net.     14314   IN      AAAA    2400:cb00:2049:1::c629:de1f
            ;rrset 14314 1 0 1 0
            ns2.cloudflare.net.     14314   IN      A       198.41.222.131
            ;rrset 14314 1 0 1 0
            ns2.cloudflare.net.     14314   IN      AAAA    2400:cb00:2049:1::c629:de83
            ;rrset 14314 1 0 1 0
            ns1.cloudflare.net.     14314   IN      A       173.245.59.31
            ;rrset 14314 1 0 1 0
            ns1.cloudflare.net.     14314   IN      AAAA    2400:cb00:2049:1::adf5:3b1f
            Delegation with 5 names, of which 0 can be examined to query further addresses.
            It provides 10 IP addresses.
            2400:cb00:2049:1::adf5:3b1f     not in infra cache.
            173.245.59.31           expired, rto 3390592 msec, tA 0 tAAAA 0 tother 0.
            2400:cb00:2049:1::c629:de83     not in infra cache.
            198.41.222.131          expired, rto 3390592 msec, tA 0 tAAAA 0 tother 0.
            2400:cb00:2049:1::c629:de1f     not in infra cache.
            198.41.222.31           expired, rto 3390592 msec, tA 0 tAAAA 0 tother 0.
            2400:cb00:2049:1::c629:df83     not in infra cache.
            198.41.223.131          expired, rto 3390592 msec, tA 0 tAAAA 0 tother 0.
            2400:cb00:2049:1::c629:df1f     not in infra cache.
            198.41.223.31           expired, rto 3390592 msec, tA 0 tAAAA 0 tother 0.
            [21.02-RELEASE][admin@sg4860.local.lan]/: 
            

            BTW - you might notice I have no ipv6 ns in the infra cache, because I have no-ip6 set as well.. Was playing with that from another thread a couple days back.. And hadn't yet removed it..

            • stoffix @johnpoz

              It's interesting that you have no-ip6 set as well, since we shouldn't perceive any difference then.

              When I look up the cloudflare fqdn It's almost letter by letter the same as yours:

              [2.5.0-RELEASE][root@slottet.doff1]/root: unbound-control -c /var/unbound/unbound.conf lookup www.broadcom.com.cdn.cloudflare.net
              The following name servers are used for lookup of www.broadcom.com.cdn.cloudflare.net.
              ;rrset 82086 5 0 2 0
              cloudflare.net. 82086   IN      NS      ns1.cloudflare.net.
              cloudflare.net. 82086   IN      NS      ns2.cloudflare.net.
              cloudflare.net. 82086   IN      NS      ns3.cloudflare.net.
              cloudflare.net. 82086   IN      NS      ns4.cloudflare.net.
              cloudflare.net. 82086   IN      NS      ns5.cloudflare.net.
              ;rrset 82086 1 1 11 5
              cloudflare.net. 82086   IN      DS      2371 13 2 90F710A107DA51ED78125D30A68704CF3C0308AFD01BFCD7057D4BD03B62C68B
              cloudflare.net. 82086   IN      RRSIG   DS 8 2 86400 20210404052352 20210328041352 30944 net. JmDnk7yeQJZDVl5Fz1Ijo9tw7egwoRYaGP9kkwogFOkGUreJvF3LFocfKCnpAolV3692TrYCWoUVglgTm5Ye2KSAoEl8D7J58UTbczpeyncrNMjXe6E1WZBe02smwe6njOeRDM3mJBNt1AUVWNqMK4OMETYGyGPhs4QYUVFnzXK9ynxp+Be9YwMQJjyEfYO30uy6nL/hF9SYRrHTbf4QIQ== ;{id = 30944}
              ;rrset 82086 1 0 1 0
              ns5.cloudflare.net.     82086   IN      A       198.41.223.31
              ;rrset 82086 1 0 1 0
              ns5.cloudflare.net.     82086   IN      AAAA    2400:cb00:2049:1::c629:df1f
              ;rrset 82086 1 0 1 0
              ns4.cloudflare.net.     82086   IN      A       198.41.223.131
              ;rrset 82086 1 0 1 0
              ns4.cloudflare.net.     82086   IN      AAAA    2400:cb00:2049:1::c629:df83
              ;rrset 82086 1 0 1 0
              ns3.cloudflare.net.     82086   IN      A       198.41.222.31
              ;rrset 82086 1 0 1 0
              ns3.cloudflare.net.     82086   IN      AAAA    2400:cb00:2049:1::c629:de1f
              ;rrset 82086 1 0 1 0
              ns2.cloudflare.net.     82086   IN      A       198.41.222.131
              ;rrset 82086 1 0 1 0
              ns2.cloudflare.net.     82086   IN      AAAA    2400:cb00:2049:1::c629:de83
              ;rrset 82086 1 0 1 0
              ns1.cloudflare.net.     82086   IN      A       173.245.59.31
              ;rrset 82086 1 0 1 0
              ns1.cloudflare.net.     82086   IN      AAAA    2400:cb00:2049:1::adf5:3b1f
              Delegation with 5 names, of which 0 can be examined to query further addresses.
              It provides 10 IP addresses.
              2400:cb00:2049:1::adf5:3b1f     not in infra cache.
              173.245.59.31           not in infra cache.
              2400:cb00:2049:1::c629:de83     not in infra cache.
              198.41.222.131          expired, rto 3390592 msec, tA 0 tAAAA 0 tother 0.
              2400:cb00:2049:1::c629:de1f     not in infra cache.
              198.41.222.31           rto 233 msec, ttl 553, ping 9 var 56 rtt 233, tA 0, tAAAA 0, tother 0, EDNS 0 probed.
              2400:cb00:2049:1::c629:df83     not in infra cache.
              198.41.223.131          rto 315 msec, ttl 553, ping 3 var 78 rtt 315, tA 0, tAAAA 0, tother 0, EDNS 0 probed.
              2400:cb00:2049:1::c629:df1f     not in infra cache.
              198.41.223.31           rto 271 msec, ttl 553, ping 7 var 66 rtt 271, tA 0, tAAAA 0, tother 0, EDNS 0 probed.
              [2.5.0-RELEASE][root@slottet.doff1]/root:
              

              For broadcom.com I only get two nameservers, and they're different from yours:

              [2.5.0-RELEASE][root@slottet.doff1]/root: unbound-control -c /var/unbound/unbound.conf lookup www.broadcom.com
              The following name servers are used for lookup of www.broadcom.com.
              ;rrset 86355 2 0 2 0
              broadcom.com.   86355   IN      NS      pdns1.cscdns.net.
              broadcom.com.   86355   IN      NS      pdns2.cscdns.net.
              ;rrset 86355 2 1 11 5
              broadcom.com.   86355   IN      DS      61210 8 1 6F0A9DF17ED6E1F31F2F184A038AF07D2D7DDF97
              broadcom.com.   86355   IN      DS      61210 8 2 7A97793031AC4256DAEE3DCAC603519C4BE1283690CDA1636A5DC6CB27F2F188
              broadcom.com.   86355   IN      RRSIG   DS 8 2 86400 20210402044422 20210326033422 58540 com. PYny3W5dKW0diYul/Rv1lUv6s60MdPIan2Fa2+DWFqBtYmAseik7/aPHdhTJoAxU3I1JtTT5uNEwpcAYrhL3giFj2ajJ9XQN95uXjlYpMdbm7Yhqw6YSi6myqLAGnxJP+EUV8DTf9xEDUF8hN9PeFIJ8Qa26Hw4iZWMs93p0dP8GP7PxpwHMG0sQviG3+LkPTrT6GJPHCXSyz2b94bwLeg== ;{id = 58540}
              ;rrset 14355 1 0 8 0
              pdns2.cscdns.net.       14355   IN      A       156.154.131.100
              ;rrset 14355 1 0 8 0
              pdns1.cscdns.net.       14355   IN      A       156.154.130.100
              Delegation with 2 names, of which 2 can be examined to query further addresses.
              It provides 2 IP addresses.
              156.154.130.100         rto 119000 msec, ttl 855, ping 13 var 79 rtt 329, tA 0, tAAAA 0, tother 3, probedelay 21, EDNS 0 probed.
              156.154.131.100         rto 119000 msec, ttl 856, ping 0 var 94 rtt 376, tA 0, tAAAA 0, tother 3, probedelay 12, EDNS 0 assumed.
              [2.5.0-RELEASE][root@slottet.doff1]/root:
              

              With DNSSEC disabled I get this:

              [2.5.0-RELEASE][root@slottet.doff1]/root: dig www.broadcom.com
              
              ; <<>> DiG 9.16.12 <<>> www.broadcom.com
              ;; global options: +cmd
              ;; Got answer:
              ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 47615
              ;; flags: qr rd ra; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 1
              
              ;; OPT PSEUDOSECTION:
              ; EDNS: version: 0, flags:; udp: 4096
              ;; QUESTION SECTION:
              ;www.broadcom.com.              IN      A
              
              ;; ANSWER SECTION:
              www.broadcom.com.       94      IN      CNAME   cdn.broadcom.com.
              cdn.broadcom.com.       3394    IN      CNAME   www.broadcom.com.cdn.cloudflare.net.
              www.broadcom.com.cdn.cloudflare.net. 94 IN A    104.18.5.158
              www.broadcom.com.cdn.cloudflare.net. 94 IN A    104.18.4.158
              
              ;; Query time: 0 msec
              ;; SERVER: 127.0.0.1#53(127.0.0.1)
              ;; WHEN: Mon Mar 29 17:16:39 CEST 2021
              ;; MSG SIZE  rcvd: 144
              
              [2.5.0-RELEASE][root@slottet.doff1]/root: unbound-control -c /var/unbound/unbound.conf lookup www.broadcom.com
              The following name servers are used for lookup of www.broadcom.com.
              ;rrset 85586 2 0 2 0
              broadcom.com.   85586   IN      NS      pdns1.cscdns.net.
              broadcom.com.   85586   IN      NS      pdns2.cscdns.net.
              ;rrset 85586 2 1 2 0
              broadcom.com.   85586   IN      DS      61210 8 1 6F0A9DF17ED6E1F31F2F184A038AF07D2D7DDF97
              broadcom.com.   85586   IN      DS      61210 8 2 7A97793031AC4256DAEE3DCAC603519C4BE1283690CDA1636A5DC6CB27F2F188
              broadcom.com.   85586   IN      RRSIG   DS 8 2 86400 20210402044422 20210326033422 58540 com. PYny3W5dKW0diYul/Rv1lUv6s60MdPIan2Fa2+DWFqBtYmAseik7/aPHdhTJoAxU3I1JtTT5uNEwpcAYrhL3giFj2ajJ9XQN95uXjlYpMdbm7Yhqw6YSi6myqLAGnxJP+EUV8DTf9xEDUF8hN9PeFIJ8Qa26Hw4iZWMs93p0dP8GP7PxpwHMG0sQviG3+LkPTrT6GJPHCXSyz2b94bwLeg== ;{id = 58540}
              ;rrset 13587 1 0 8 0
              pdns2.cscdns.net.       13587   IN      A       156.154.131.100
              ;rrset 13587 1 0 8 0
              pdns1.cscdns.net.       13587   IN      A       156.154.130.100
              Delegation with 2 names, of which 2 can be examined to query further addresses.
              It provides 2 IP addresses.
              156.154.130.100         rto 307 msec, ttl 87, ping 11 var 74 rtt 307, tA 0, tAAAA 0, tother 0, EDNS 0 probed.
              156.154.131.100         not in infra cache.
              
              [2.5.0-RELEASE][root@slottet.doff1]/root:
              

              The only differences I notice between DNSSEC support enabled/disabled is that some of the rrset digits are different.
              Could it be an issue with "my" nameservers?

              • johnpoz LAYER 8 Global Moderator @stoffix

                Ah you had them cached, mine didn't so it just listed the NS it knew about that it would need to talk to to look that up.. Once I actually did a query for it, then the actual ns would be listed.

                [21.02-RELEASE][admin@sg4860.local.lan]/: unbound-control -c /var/unbound/unbound.conf lookup www.broadcom.com
                The following name servers are used for lookup of www.broadcom.com.
                ;rrset 86396 2 0 2 0
                broadcom.com.   86396   IN      NS      pdns1.cscdns.net.
                broadcom.com.   86396   IN      NS      pdns2.cscdns.net.
                ;rrset 86396 2 1 11 5
                broadcom.com.   86396   IN      DS      61210 8 1 6F0A9DF17ED6E1F31F2F184A038AF07D2D7DDF97
                broadcom.com.   86396   IN      DS      61210 8 2 7A97793031AC4256DAEE3DCAC603519C4BE1283690CDA1636A5DC6CB27F2F188
                broadcom.com.   86396   IN      RRSIG   DS 8 2 86400 20210402044422 20210326033422 58540 com. PYny3W5dKW0diYul/Rv1lUv6s60MdPIan2Fa2+DWFqBtYmAseik7/aPHdhTJoAxU3I1JtTT5uNEwpcAYrhL3giFj2ajJ9XQN95uXjlYpMdbm7Yhqw6YSi6myqLAGnxJP+EUV8DTf9xEDUF8hN9PeFIJ8Qa26Hw4iZWMs93p0dP8GP7PxpwHMG0sQviG3+LkPTrT6GJPHCXSyz2b94bwLeg== ;{id = 58540}
                ;rrset 14396 1 0 8 0
                pdns2.cscdns.net.       14396   IN      A       156.154.131.100
                ;rrset 14396 1 0 8 0
                pdns1.cscdns.net.       14396   IN      A       156.154.130.100
                Delegation with 2 names, of which 2 can be examined to query further addresses.
                It provides 2 IP addresses.
                156.154.130.100         rto 191 msec, ttl 896, ping 3 var 47 rtt 191, tA 0, tAAAA 0, tother 0, EDNS 0 probed.
                156.154.131.100         not in infra cache.
                [21.02-RELEASE][admin@sg4860.local.lan]/: 
                

                Your "tother 3" could point to time outs for other records, ie your dnssec stuff..

                • stoffix

                  I (spending way too much time) found out "tother 3" means timeout other and 3 is the maximum value.

                  I guess there's not much more to do/find out about this. If the problem escalates I'll just have to turn off DNSSEC, at least now I know where to look.

                  Thank you for all your help!

                  • johnpoz LAYER 8 Global Moderator @stoffix

                    tA and tAAAA and tother should all be zeros.. If they are not, then you're having problems talking to that NS.. either network issues, or it just sucks as a NS and isn't answering.

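The `unbound-control lookup` output posted earlier in the thread and the reading of its infra-cache counters given in the last two posts (tA/tAAAA/tother should be zero; "tother 3" is timeouts on non-A/AAAA queries, and 3 is the cap) can be turned into a small checker. The script below is an added example, not code from the thread, pfSense or unbound. It parses the per-address infra-cache lines in the three shapes that appear above (a live entry with rto/ttl/ping/var/rtt/tA/tAAAA/tother and EDNS state, an "expired" entry, and "not in infra cache"), then flags the servers worth worrying about. The sample lines are constructed from the values posted; the backoff threshold of 60000 ms is an assumption chosen for the example, and the comment that DS and DNSKEY lookups fall under tother follows from those qtypes not being A or AAAA.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed excerpt in the layout of the infra-cache section of
# `unbound-control -c /var/unbound/unbound.conf lookup <name>`, using the
# addresses and counters quoted in the thread. Values are illustrative.
SAMPLE_LOOKUP = """\
156.154.130.100         rto 119000 msec, ttl 855, ping 13 var 79 rtt 329, tA 0, tAAAA 0, tother 3, probedelay 21, EDNS 0 probed.
156.154.131.100         rto 119000 msec, ttl 856, ping 0 var 94 rtt 376, tA 0, tAAAA 0, tother 3, probedelay 12, EDNS 0 assumed.
192.5.6.30              expired, rto 3390592 msec, tA 0 tAAAA 0 tother 0.
2001:503:a83e::2:30     not in infra cache.
198.41.222.31           rto 233 msec, ttl 553, ping 9 var 56 rtt 233, tA 0, tAAAA 0, tother 0, EDNS 0 probed.
"""

TIMEOUT_COUNT_MAX = 3  # unbound stops counting per-qtype timeouts at 3 (the "tother 3" seen above)


@dataclass
class InfraEntry:
    addr: str
    state: str                  # "live", "expired" or "unknown"
    rto_ms: Optional[int] = None
    rtt_ms: Optional[int] = None
    ttl_s: Optional[int] = None
    tA: int = 0                 # timed-out A queries to this server
    tAAAA: int = 0              # timed-out AAAA queries
    tother: int = 0             # timed-out queries of any other type (NS, DS, DNSKEY, ...)
    edns: Optional[str] = None  # "probed" (EDNS confirmed by a reply) or "assumed"


def parse_infra_line(line: str) -> Optional[InfraEntry]:
    """Parse one infra-cache line; return None for lines that are not infra entries."""
    parts = line.strip().split(None, 1)
    if len(parts) != 2:
        return None
    addr, rest = parts
    if rest.startswith("not in infra cache"):
        return InfraEntry(addr, "unknown")
    nums = {k: int(v) for k, v in re.findall(r"\b(rto|ttl|rtt|tA|tAAAA|tother)\s+(\d+)", rest)}
    if "rto" not in nums:
        return None  # the NS/DS/RRSIG lines and the "Delegation with ..." summary land here
    edns = re.search(r"EDNS \d+ (probed|assumed)", rest)
    return InfraEntry(
        addr,
        "expired" if rest.startswith("expired") else "live",
        rto_ms=nums["rto"], rtt_ms=nums.get("rtt"), ttl_s=nums.get("ttl"),
        tA=nums.get("tA", 0), tAAAA=nums.get("tAAAA", 0), tother=nums.get("tother", 0),
        edns=edns.group(1) if edns else None,
    )


def parse_lookup(text: str) -> list:
    return [e for e in (parse_infra_line(l) for l in text.splitlines()) if e]


def diagnose(entries: list, rto_backoff_ms: int = 60000) -> dict:
    """Map address -> findings. Expired/unknown entries carry no current measurements."""
    out = {}
    for e in entries:
        if e.state != "live":
            continue
        f = []
        if e.tA:
            f.append(f"tA={e.tA}: A queries to this server timed out")
        if e.tAAAA:
            f.append(f"tAAAA={e.tAAAA}: AAAA queries timed out (check do-ip6/no public v6)")
        if e.tother:
            cap = " (at cap)" if e.tother >= TIMEOUT_COUNT_MAX else ""
            f.append(f"tother={e.tother}: non-A/AAAA queries (DS/DNSKEY for validation) timed out{cap}")
        if e.rto_ms >= rto_backoff_ms:  # threshold is an assumption for this example
            f.append(f"rto={e.rto_ms} ms: unbound has backed off this server")
        if e.edns == "assumed":
            f.append("EDNS assumed, never confirmed by a reply")
        if f:
            out[e.addr] = f
    return out


if __name__ == "__main__":
    for addr, notes in diagnose(parse_lookup(SAMPLE_LOOKUP)).items():
        print(addr)
        for n in notes:
            print("   ", n)
```

Run it against the real output with `unbound-control -c /var/unbound/unbound.conf lookup www.broadcom.com | python3 infra_check.py` after changing the `__main__` block to read `sys.stdin`; only the two cscdns.net servers come out flagged, which is exactly the "it's the NS, not the path to Cloudflare" conclusion the thread reaches, and the rto of 119000 ms shows the backoff that makes the failures look sporadic.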

                    • stoffix @johnpoz

                      Hopefully it just sucks as a NS, since it works without DNSSEC and I don't want network issues!
                      It's been a great learning experience. For now I keep DNSSEC on, have an exception for broadcom, and have turned off IPv6 in unbound as you suggested.

                      • johnpoz LAYER 8 Global Moderator @stoffix

                        Them pointing a CNAME to a CNAME isn't best practice either. While it's allowed, it causes extra lookups..

                        ;; QUESTION SECTION:
                        ;www.broadcom.com.              IN      A
                        
                        ;; ANSWER SECTION:
                        www.broadcom.com.       300     IN      CNAME   cdn.broadcom.com.
                        cdn.broadcom.com.       3600    IN      CNAME   www.broadcom.com.cdn.cloudflare.net.
                        

                        If they want www.broadcom.com to point to www.broadcom.com.cdn.cloudflare.net.

                        Then they should just do that, but they are pointing to cdn.broadcom.com first, which then points to the cloudflare.net cname..

                        It's not efficient to do that.. Just causes extra work..

                        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.