Re: [LEDE-DEV] Lack of DNS robustness for openwrt.org
John Crispin writes:

> On 06/05/18 22:44, Joerg Jaspert wrote:
>> On 15029 March 1977, Bjørn Mork wrote:
>>
>>> 1) update the .org delegation to include *all* NS records for the
>>> openwrt.org zone
>> I added the soapstone one to the registrar for now, as that's an easy
>> step to do.

Great!

>>> 3) possibly consider adding/replacing DNS servers with more robust
>>> (anycasted?) solutions. Adding or replacing secondaries should at
>>> least be a no-brainer
>> If *wanted*, SPI nameservers can be used as secondaries.
>>
>
> Hi Joerg,
>
> I am liaison to the SPI if I am not mistaken so i can just ask you to
> do that right ? If so, please add spi as secondary.
>
> We should also consider moving primary to the DO servers, but that
> would require a vote and a thread on the adm channels.

Looks like that just moved up to high priority: Both the responding slaves are now returning SERVFAIL, presumably because they've been out of contact with the primary for too long.

bjorn@miraculix:~$ dig ns openwrt.org @belategeuse.dune.hu

; <<>> DiG 9.10.3-P4-Debian <<>> ns openwrt.org @belategeuse.dune.hu
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 56745
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;openwrt.org.                   IN      NS

;; Query time: 48 msec
;; SERVER: 81.0.124.200#53(81.0.124.200)
;; WHEN: Mon May 07 09:03:56 CEST 2018
;; MSG SIZE  rcvd: 40

bjorn@miraculix:~$ dig ns openwrt.org @soapstone.yuri.org.uk

; <<>> DiG 9.10.3-P4-Debian <<>> ns openwrt.org @soapstone.yuri.org.uk
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 53523
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;openwrt.org.                   IN      NS

;; Query time: 38 msec
;; SERVER: 78.47.151.105#53(78.47.151.105)
;; WHEN: Mon May 07 09:04:14 CEST 2018
;; MSG SIZE  rcvd: 40

And the primary is still dead:

bjorn@miraculix:~$ dig ns openwrt.org @arrakis.dune.hu

; <<>> DiG 9.10.3-P4-Debian <<>> ns openwrt.org @arrakis.dune.hu
;; global options: +cmd
;; connection timed out; no servers could be reached

Bjørn

___
Lede-dev mailing list
Lede-dev@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/lede-dev
Re: [LEDE-DEV] Lack of DNS robustness for openwrt.org
Quoting John Crispin:

> On 07/05/18 20:34, Arjen de Korte wrote:
>> Quoting Jo-Philipp Wich:
>>> Hi Bjørn,
>>>
>>> the current timings of the DO zone are:
>>>
>>> ;; ANSWER SECTION:
>>> openwrt.org.  1800  IN  SOA  ns1.digitalocean.com. hostmaster.openwrt.org. (
>>>         1525688668 ; serial
>>>         10800      ; refresh (3 hours)
>>>         3600       ; retry (1 hour)
>>>         604800     ; expire (1 week)
>>>         1800       ; minimum (30 minutes)
>>>         )
>>
>> This all looks fine, but what slightly worries me is that the nameservers listed in the Whois information for openwrt.org still mention the old ones:
>>
>> whois openwrt.org
>> Domain Name: OPENWRT.ORG
>> Registry Domain ID: D104186352-LROR
>> Registrar WHOIS Server: whois.tucows.com
>> Registrar URL: http://www.tucows.com
>> Updated Date: 2018-05-06T20:40:09Z
>> [...]
>> Name Server: ARRAKIS.DUNE.HU
>> Name Server: BELATEGEUSE.DUNE.HU
>> Name Server: SOAPSTONE.YURI.ORG.UK
>>
>> I've switched nameservers for several of my domains (including .org) and I recall this never took more than a few hours. It could be I'm impatient, but as of now, when running a trace, the above are still listed as the openwrt.org nameservers. Of course, *caches* would show stale data for up to a day, but running 'dig soa +trace openwrt.org' should resolve to the DO nameservers by now.
>
> Hi,
>
> nameservers were switched over to DO at 5 am CEST today. things should start smoothing out shortly.

Seems to be OK now:

https://www.dnsstuff.com/tools#dnsReport|type=domain&=openwrt.org

Only FAIL is mail.openwrt.org, which is to be expected since that's hosted on the same IP as the previous primary nameserver (which failure started this whole cascade).

> John
Re: [LEDE-DEV] Lack of DNS robustness for openwrt.org
On 07/05/18 20:34, Arjen de Korte wrote:
> Quoting Jo-Philipp Wich:
>> Hi Bjørn,
>>
>> the current timings of the DO zone are:
>>
>> ;; ANSWER SECTION:
>> openwrt.org.  1800  IN  SOA  ns1.digitalocean.com. hostmaster.openwrt.org. (
>>         1525688668 ; serial
>>         10800      ; refresh (3 hours)
>>         3600       ; retry (1 hour)
>>         604800     ; expire (1 week)
>>         1800       ; minimum (30 minutes)
>>         )
>
> This all looks fine, but what slightly worries me is that the nameservers listed in the Whois information for openwrt.org still mention the old ones:
>
> whois openwrt.org
> Domain Name: OPENWRT.ORG
> Registry Domain ID: D104186352-LROR
> Registrar WHOIS Server: whois.tucows.com
> Registrar URL: http://www.tucows.com
> Updated Date: 2018-05-06T20:40:09Z
> [...]
> Name Server: ARRAKIS.DUNE.HU
> Name Server: BELATEGEUSE.DUNE.HU
> Name Server: SOAPSTONE.YURI.ORG.UK
>
> I've switched nameservers for several of my domains (including .org) and I recall this never took more than a few hours. It could be I'm impatient, but as of now, when running a trace, the above are still listed as the openwrt.org nameservers. Of course, *caches* would show stale data for up to a day, but running 'dig soa +trace openwrt.org' should resolve to the DO nameservers by now.

Hi,

nameservers were switched over to DO at 5 am CEST today. things should start smoothing out shortly.

John
Re: [LEDE-DEV] Lack of DNS robustness for openwrt.org
> Quoting Jo-Philipp Wich:
>> Hi Bjørn,
>>
>> the current timings of the DO zone are:
>>
>> ;; ANSWER SECTION:
>> openwrt.org.  1800  IN  SOA  ns1.digitalocean.com. hostmaster.openwrt.org. (
>>         1525688668 ; serial
>>         10800      ; refresh (3 hours)
>>         3600       ; retry (1 hour)
>>         604800     ; expire (1 week)
>>         1800       ; minimum (30 minutes)
>>         )
>
> This all looks fine, but what slightly worries me is that the nameservers listed in the Whois information for openwrt.org still mention the old ones:
>
> whois openwrt.org
> Domain Name: OPENWRT.ORG
> Registry Domain ID: D104186352-LROR
> Registrar WHOIS Server: whois.tucows.com
> Registrar URL: http://www.tucows.com
> Updated Date: 2018-05-06T20:40:09Z
> [...]
> Name Server: ARRAKIS.DUNE.HU
> Name Server: BELATEGEUSE.DUNE.HU
> Name Server: SOAPSTONE.YURI.ORG.UK
>
> I've switched nameservers for several of my domains (including .org) and I recall this never took more than a few hours. It could be I'm impatient, but as of now, when running a trace, the above are still listed as the openwrt.org nameservers. Of course, *caches* would show stale data for up to a day, but running 'dig soa +trace openwrt.org' should resolve to the DO nameservers by now.

dig +trace openwrt.org @resolver1.opendns.com

; <<>> DiG 9.11.2 <<>> +trace openwrt.org @resolver1.opendns.com
;; global options: +cmd
.                       518400  IN      NS      a.root-servers.net.
.                       518400  IN      NS      b.root-servers.net.
.                       518400  IN      NS      c.root-servers.net.
.                       518400  IN      NS      d.root-servers.net.
.                       518400  IN      NS      e.root-servers.net.
.                       518400  IN      NS      f.root-servers.net.
.                       518400  IN      NS      g.root-servers.net.
.                       518400  IN      NS      h.root-servers.net.
.                       518400  IN      NS      i.root-servers.net.
.                       518400  IN      NS      j.root-servers.net.
.                       518400  IN      NS      k.root-servers.net.
.                       518400  IN      NS      l.root-servers.net.
.                       518400  IN      NS      m.root-servers.net.
;; Received 239 bytes from 208.67.222.222#53(resolver1.opendns.com) in 6 ms

org.                    172800  IN      NS      b2.org.afilias-nst.org.
org.                    172800  IN      NS      d0.org.afilias-nst.org.
org.                    172800  IN      NS      a2.org.afilias-nst.info.
org.                    172800  IN      NS      b0.org.afilias-nst.org.
org.                    172800  IN      NS      a0.org.afilias-nst.info.
org.                    172800  IN      NS      c0.org.afilias-nst.info.
org.                    86400   IN      DS      9795 7 2 3922B31B6F3A4EA92B19EB7B52120F031FD8E05FF0B03BAFCF9F891B FE7FF8E5
org.                    86400   IN      DS      9795 7 1 364DFAB3DAF254CAB477B5675B10766DDAA24982
org.                    86400   IN      RRSIG   DS 8 1 86400 2018052017 2018050716 39570 . XKyDB9S0mMInUMOgX8U0H3/Kjvrj4AuiYRfnxyYUMD/LLOQhTSRv/xKQ OWl2jQB7wq3hQEecQn+Zd/410BxtWZ4xxv8dYRKqt8m9HEZzG/b0gDje wOqOANWZ8v7StnYlNWUFvS11q0rG0yFubSy+TO6aIQQ4aHA7ZmqPGfzq CbfqWv6ynMfNtdzQJS4+3kZlTmYKUqZrEAL3o3/7qD5cmSp7buqI8W5j /oTV3Ku74Xo1RDd6RXSZi8aYXKYu6PJ6N82o73OEPzqhWVgjX8KC4aOP VoQajzCX5YFAlYXpjtcgJti0/3HqeVqnpHtPF8sSroDCnUFIB+IlNBy2 b0M5lg==
;; Received 813 bytes from 2001:500:12::d0d#53(g.root-servers.net) in 37 ms

openwrt.org.            86400   IN      NS      arrakis.dune.hu.
openwrt.org.            86400   IN      NS      belategeuse.dune.hu.
openwrt.org.            86400   IN      NS      soapstone.yuri.org.uk.
h9p7u7tr2u91d0v0ljs9l1gidnp90u3h.org. 86400 IN NSEC3 1 1 1 D399EAAB H9PARR669T6U8O1GSG9E1LMITK4DEM0T NS SOA RRSIG DNSKEY NSEC3PARAM
h9p7u7tr2u91d0v0ljs9l1gidnp90u3h.org. 86400 IN RRSIG NSEC3 7 2 86400 20180528183058 20180507173058 1862 org. J1DhIPJyQfBjOpsQYwFcQC2vZcgxohyH+56fQvSKNKd86uvtk5szsjlS GpbkcA03uSqpNNuaj5lj+MzfedQvaHfxxVKQI+3cEsBqPVfN9oAvu2Lv wKVsIIaAm8sS0/l8DR4Xryz+5DAjZCfdjZq+sRNbDYc8dGpsQXkCZfRe StY=
6tvuefea073v78a07f9tbfq3d98qfrud.org. 86400 IN NSEC3 1 1 1 D399EAAB 6U03DTEM7DQG048778H41JO23I0SKBJT A RRSIG
6tvuefea073v78a07f9tbfq3d98qfrud.org. 86400 IN RRSIG NSEC3 7 2 86400 20180522152438 20180501142438 1862 org. BuA1elggJfC0Gax9Rzfb+GKx5S9NWbleZKWskqIqjLsS6tVVqvB46Q/M OYg2kav8gBg2zOv7zNywOKuQH4W4hYfVwqTVnb/iE2r2pHefEDh21ZZD RcrdfqJ082D7tvPe+/31qZdtjwashQ+R3Gr0WZLRhA+o4NK2Gwp/8ZGX Irs=
;; Received 623 bytes from 199.19.53.1#53(c0.org.afilias-nst.info) in 6 ms

;; Received 40 bytes from 78.47.151.105#53(soapstone.yuri.org.uk) in 16 ms

They still don't.

Regards,
Jo
Re: [LEDE-DEV] Lack of DNS robustness for openwrt.org
Jo-Philipp Wich writes:

> Hi Joerg, John.
>
> I created an openwrt.org zone on Digital Ocean now so you could delegate
> the name servers to ns1.digitalocean.com, ns2.digitalocean.com and
> ns3.digitalocean.com, maybe with one of the SPI machines thrown into the
> mix...

Good! I hope you implicitly fixed one important issue I missed yesterday: The openwrt.org SOA expire value was extremely low, greatly increasing the risk of ending up where we are now - with all slaves failing due to a failing master. Scrolling back in one of my terminals I found this:

openwrt.org.            14400   IN      SOA     arrakis.dune.hu. root.dune.hu. 2018020702 3600 600 86400 3600

I am not entirely sure what the current best practice is, but I don't think I've ever seen anyone recommending anything less than a week. Using 24 hours is ehhm risky is the most polite I can think of.

The lede-project.org SOA looks fine, so I'd recommend you just copy those timeouts (which you probably already did?)

Bjørn
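The failure mode described in this message (secondaries expiring the zone and answering SERVFAIL once the primary has been unreachable for longer than the SOA expire value) can be checked before it bites. The following is an added example, not code from the thread or from the OpenWrt/LEDE project: it parses the two SOA records quoted in the thread (the old arrakis.dune.hu one and the new Digital Ocean one, reconstructed in dig's multi-line form), flags timer values that are out of range, and computes how long, and over how many transfer attempts, a secondary keeps serving after its primary dies. The thresholds are this example's own assumptions: the RFC 1912 section 2.2 ranges for refresh and retry, and a one-week floor for expire, which is what the message argues for.

```python
"""SOA timer sanity check, run offline against SOA records in dig's presentation format."""
import re
from dataclasses import dataclass

# Assumed thresholds (seconds): RFC 1912 s2.2 ranges for refresh/retry, one week floor for expire.
REFRESH_RANGE = (1200, 43200)
RETRY_RANGE = (120, 7200)
MIN_EXPIRE = 7 * 86400

SOA_RE = re.compile(
    r"^(?P<owner>\S+)\s+(?P<ttl>\d+)\s+IN\s+SOA\s+(?P<mname>\S+)\s+(?P<rname>\S+)"
    r"\s+(?P<serial>\d+)\s+(?P<refresh>\d+)\s+(?P<retry>\d+)\s+(?P<expire>\d+)\s+(?P<minimum>\d+)$"
)


@dataclass(frozen=True)
class Soa:
    owner: str
    mname: str
    serial: int
    refresh: int
    retry: int
    expire: int
    minimum: int


def parse_soa(text: str) -> Soa:
    """Accept dig's one-line form or its multi-line form with '( ... ; comment )' decoration."""
    no_comments = "\n".join(line.split(";", 1)[0] for line in text.splitlines())
    flat = " ".join(no_comments.replace("(", " ").replace(")", " ").split())
    m = SOA_RE.match(flat)
    if not m:
        raise ValueError(f"not an SOA record: {flat!r}")
    return Soa(m["owner"], m["mname"], int(m["serial"]), int(m["refresh"]),
               int(m["retry"]), int(m["expire"]), int(m["minimum"]))


def audit_soa(soa: Soa) -> list:
    """Return human-readable findings; an empty list means the timers look sane."""
    findings = []
    lo, hi = REFRESH_RANGE
    if not lo <= soa.refresh <= hi:
        findings.append(f"refresh {soa.refresh}s is outside {lo}-{hi}s")
    lo, hi = RETRY_RANGE
    if not lo <= soa.retry <= hi:
        findings.append(f"retry {soa.retry}s is outside {lo}-{hi}s")
    if soa.retry >= soa.refresh:
        findings.append(f"retry {soa.retry}s is not shorter than refresh {soa.refresh}s")
    if soa.expire <= soa.refresh + soa.retry:
        findings.append(f"expire {soa.expire}s leaves no room for even one retry")
    if soa.expire < MIN_EXPIRE:
        days = soa.expire / 86400
        findings.append(f"expire {soa.expire}s ({days:g} day(s)): secondaries answer SERVFAIL "
                        f"{days:g} day(s) after the primary becomes unreachable")
    return findings


def attempts_before_expire(soa: Soa) -> int:
    """Transfer attempts a secondary makes after the primary goes away, before it drops the zone:
    one when the refresh timer fires, then one per retry interval until expire is reached."""
    if soa.expire <= soa.refresh:
        return 0
    return 1 + (soa.expire - soa.refresh) // soa.retry


# Both records are copied from the thread (spacing restored to dig's layout).
OLD_SOA = "openwrt.org.  14400  IN  SOA  arrakis.dune.hu. root.dune.hu. 2018020702 3600 600 86400 3600"
DO_SOA = """\
openwrt.org.  1800  IN  SOA  ns1.digitalocean.com. hostmaster.openwrt.org. (
        1525688668 ; serial
        10800      ; refresh (3 hours)
        3600       ; retry (1 hour)
        604800     ; expire (1 week)
        1800       ; minimum (30 minutes)
        )
"""

if __name__ == "__main__":
    for label, text in (("old", OLD_SOA), ("digitalocean", DO_SOA)):
        soa = parse_soa(text)
        print(f"{label}: {attempts_before_expire(soa)} attempts, findings: {audit_soa(soa) or 'none'}")
```

Run as a script it reports one finding for the old zone (expire of one day) and none for the Digital Ocean zone; the attempt count shows that the old timers gave the secondaries 139 chances to reach a dead primary over a single day, the new ones 166 over a week.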
Re: [LEDE-DEV] Lack of DNS robustness for openwrt.org
On 07/05/18 09:11, Jo-Philipp Wich wrote:
> Hi Joerg, John.
>
> I created an openwrt.org zone on Digital Ocean now so you could delegate
> the name servers to ns1.digitalocean.com, ns2.digitalocean.com and
> ns3.digitalocean.com, maybe with one of the SPI machines thrown into the
> mix...
>
> ~ Jo

Hi Joerg,

We concluded as per vote on this ML that we would like to switch the DNS over to the machines Jow named above. Thanks a lot for your help in getting this done !

John
Re: [LEDE-DEV] Lack of DNS robustness for openwrt.org
Hi Joerg, John.

I created an openwrt.org zone on Digital Ocean now so you could delegate the name servers to ns1.digitalocean.com, ns2.digitalocean.com and ns3.digitalocean.com, maybe with one of the SPI machines thrown into the mix...

~ Jo
Re: [LEDE-DEV] Lack of DNS robustness for openwrt.org
On 06/05/18 22:44, Joerg Jaspert wrote:
> On 15029 March 1977, Bjørn Mork wrote:
>> 1) update the .org delegation to include *all* NS records for the
>> openwrt.org zone
> I added the soapstone one to the registrar for now, as that's an easy
> step to do.
>
>> 3) possibly consider adding/replacing DNS servers with more robust
>> (anycasted?) solutions. Adding or replacing secondaries should at
>> least be a no-brainer
> If *wanted*, SPI nameservers can be used as secondaries.

Hi Joerg,

I am liaison to the SPI if I am not mistaken so i can just ask you to do that right ? If so, please add spi as secondary.

We should also consider moving primary to the DO servers, but that would require a vote and a thread on the adm channels.

John
Re: [LEDE-DEV] Lack of DNS robustness for openwrt.org
On 15029 March 1977, Bjørn Mork wrote:
> 1) update the .org delegation to include *all* NS records for the
> openwrt.org zone

I added the soapstone one to the registrar for now, as that's an easy step to do.

> 3) possibly consider adding/replacing DNS servers with more robust
> (anycasted?) solutions. Adding or replacing secondaries should at
> least be a no-brainer

If *wanted*, SPI nameservers can be used as secondaries.

-- 
bye, Joerg
Re: [LEDE-DEV] Lack of DNS robustness for openwrt.org
On 06/05/18 17:44, David Woodhouse wrote:
>> Hello,
>>
>> I apologize for bringing up this long-standing issue at a time where you
>> all have other issues to take care of. But it's again become a
>> real pressing issue, at least seen from the networks I have a presence in.
>
> We can host it (primary or just secondary) on ns[123].infradead.org if
> it helps...

why not move primary to digital ocean ?

John
Re: [LEDE-DEV] Lack of DNS robustness for openwrt.org
> Hello,
>
> I apologize for bringing up this long-standing issue at a time where you
> all have other issues to take care of. But it's again become a
> real pressing issue, at least seen from the networks I have a presence in.

We can host it (primary or just secondary) on ns[123].infradead.org if it helps...

-- 
dwmw2
[LEDE-DEV] Lack of DNS robustness for openwrt.org
Hello,

I apologize for bringing up this long-standing issue at a time where you all have other issues to take care of. But it's again become a real pressing issue, at least seen from the networks I have a presence in.

The main problem is that there still hasn't been any update to the *technical* part of the .org delegation:

bjorn@miraculix:~$ whois openwrt.org|grep Name
Domain Name: OPENWRT.ORG
Registrant Name: SPI Hostmaster
Admin Name: SPI Hostmaster
Tech Name: SPI Hostmaster
Name Server: ARRAKIS.DUNE.HU
Name Server: BELATEGEUSE.DUNE.HU

So those two listed name servers are still the *only* two servers making a difference when following the tree from root:

bjorn@miraculix:~$ dig ns openwrt.org @a0.org.afilias-nst.info

; <<>> DiG 9.10.3-P4-Debian <<>> ns openwrt.org @a0.org.afilias-nst.info
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 39054
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 2, ADDITIONAL: 1
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;openwrt.org.                   IN      NS

;; AUTHORITY SECTION:
openwrt.org.            86400   IN      NS      arrakis.dune.hu.
openwrt.org.            86400   IN      NS      belategeuse.dune.hu.

;; Query time: 159 msec
;; SERVER: 2001:500:e::1#53(2001:500:e::1)
;; WHEN: Sun May 06 12:56:35 CEST 2018
;; MSG SIZE  rcvd: 95

That would not be an issue if those two servers were independent and stable. But they are not. First of all, both depend on being able to resolve dune.hu. So we ask one of the hu servers:

bjorn@miraculix:~$ dig ns dune.hu @a.hu

; <<>> DiG 9.10.3-P4-Debian <<>> ns dune.hu @a.hu
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 53327
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 3, ADDITIONAL: 3
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;dune.hu.                       IN      NS

;; AUTHORITY SECTION:
dune.hu.                86400   IN      NS      dns4.vietnamfree.com.
dune.hu.                86400   IN      NS      arrakis.dune.hu.
dune.hu.                86400   IN      NS      belategeuse.dune.hu.

;; ADDITIONAL SECTION:
arrakis.dune.hu.        86400   IN      A       78.24.191.176
belategeuse.dune.hu.    86400   IN      A       217.20.135.200

;; Query time: 51 msec
;; SERVER: 2001:738:4:8000::48#53(2001:738:4:8000::48)
;; WHEN: Sun May 06 12:58:10 CEST 2018
;; MSG SIZE  rcvd: 150

And naturally get glue for the two servers which are in that same zone. But none of them are answering DNS requests at the moment, from none of the networks I have access to (which each have millions of users AFAIK).

bjorn@miraculix:~$ dig ns dune.hu @78.24.191.176

; <<>> DiG 9.10.3-P4-Debian <<>> ns dune.hu @78.24.191.176
;; global options: +cmd
;; connection timed out; no servers could be reached

bjorn@miraculix:~$ dig ns dune.hu @217.20.135.200

; <<>> DiG 9.10.3-P4-Debian <<>> ns dune.hu @217.20.135.200
;; global options: +cmd
;; connection timed out; no servers could be reached

But there is also a third server for dune.hu, so let's try that one:

bjorn@miraculix:~$ dig ns vietnamfree.com @a.gtld-servers.net

; <<>> DiG 9.10.3-P4-Debian <<>> ns vietnamfree.com @a.gtld-servers.net
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1957
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 5, ADDITIONAL: 6
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;vietnamfree.com.               IN      NS

;; AUTHORITY SECTION:
vietnamfree.com.        172800  IN      NS      irc.vietnamfree.com.
vietnamfree.com.        172800  IN      NS      dns4.vietnamfree.com.
vietnamfree.com.        172800  IN      NS      ns.vietnamfree.com.
vietnamfree.com.        172800  IN      NS      ns3.vietnamfree.com.
vietnamfree.com.        172800  IN      NS      dns5.vietnamfree.com.

;; ADDITIONAL SECTION:
irc.vietnamfree.com.    172800  IN      A       195.56.146.224
dns4.vietnamfree.com.   172800  IN      A       195.56.77.197
ns.vietnamfree.com.     172800  IN      A       195.56.146.224
ns3.vietnamfree.com.    172800  IN      A       202.157.185.115
dns5.vietnamfree.com.   172800  IN      A       62.165.228.216

;; Query time: 147 msec
;; SERVER: 192.5.6.30#53(192.5.6.30)
;; WHEN: Sun May 06 13:02:43 CEST 2018
;; MSG SIZE  rcvd: 215

bjorn@miraculix:~$ dig a dns4.vietnamfree.com @195.56.77.197

; <<>> DiG 9.10.3-P4-Debian <<>> a dns4.vietnamfree.com @195.56.77.197
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 42806
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 5, ADDITIONAL: 6
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
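The walk Bjørn does by hand above (registry delegation versus the zone's own NS set, then the zones each name server depends on, then their addresses) is mechanical enough to script. The following is an added example, not code from the thread or from the OpenWrt/LEDE project: it takes the delegation data as it was quoted in the thread on 6 May 2018 and reports the single points of failure the thread identifies. The names, NS sets and A records are copied from the dig output above; the openwrt.org child NS set including soapstone.yuri.org.uk is taken from the later messages in the thread, the dune.hu NS RRset is assumed to equal its delegation, and the check names, the /24 grouping and the "immediate parent" fallback in zone_of() are this example's own choices.

```python
"""Offline delegation audit: find single points of failure in a zone's name server set."""
import ipaddress
from dataclasses import dataclass


def _norm(name: str) -> str:
    return name.lower().rstrip(".")


def _ns(*names: str) -> frozenset:
    return frozenset(_norm(n) for n in names)


@dataclass(frozen=True)
class Delegation:
    name: str
    parent_ns: frozenset   # NS names the parent zone hands out (what the registry has)
    child_ns: frozenset    # NS RRset the zone itself serves


def zone_of(host: str, zones: dict) -> str:
    """Zone a resolver must query to find `host`: the longest known enclosing zone,
    falling back to the host's immediate parent when none is known (assumption)."""
    labels = _norm(host).split(".")
    for i in range(1, len(labels)):
        cand = ".".join(labels[i:])
        if cand in zones:
            return cand
    return ".".join(labels[1:])


def audit(zone: Delegation, zones: dict, addrs: dict, prefix_len: int = 24) -> list:
    """Return human-readable findings; an empty list means nothing obvious was found."""
    findings = []
    parent, child = zone.parent_ns, zone.child_ns

    # 1. The parent's delegation and the child's NS RRset should agree.
    for ns in sorted(child - parent):
        findings.append(f"{ns} is in the {zone.name} NS RRset but not in the parent delegation")
    for ns in sorted(parent - child):
        findings.append(f"{ns} is delegated by the parent but not in the {zone.name} NS RRset")

    # 2. Fewer than two delegated servers is a single point of failure by definition.
    if len(parent) < 2:
        findings.append(f"only {len(parent)} name server(s) delegated for {zone.name}")

    # 3. Every delegated server is found through one and the same other zone.
    deps = {zone_of(ns, zones) for ns in parent} - {_norm(zone.name)}
    if len(deps) == 1:
        dep = next(iter(deps))
        findings.append(f"all delegated name servers depend on resolving {dep}")
        # 3b. Worse: they are the very hosts serving that zone, so there is no independent path.
        if dep in zones and parent <= zones[dep].parent_ns:
            findings.append(f"the {zone.name} name servers are also the name servers of {dep}; "
                            f"with them down, {dep} cannot be resolved either")

    # 4. Address diversity: unknown addresses, or every known address inside one prefix.
    nets = set()
    for ns in sorted(parent):
        if ns not in addrs:
            findings.append(f"no address known for {ns}")
            continue
        for ip in addrs[ns]:
            nets.add(ipaddress.ip_network(f"{ip}/{prefix_len}", strict=False))
    if len(nets) == 1:
        findings.append(f"every known name server address is inside {next(iter(nets))}")
    return findings


# Constructed from the dig output quoted in the thread (6 May 2018, before the delegation changed).
ZONES = {
    "openwrt.org": Delegation(
        "openwrt.org",
        parent_ns=_ns("arrakis.dune.hu", "belategeuse.dune.hu"),
        child_ns=_ns("arrakis.dune.hu", "belategeuse.dune.hu", "soapstone.yuri.org.uk"),
    ),
    "dune.hu": Delegation(
        "dune.hu",
        parent_ns=_ns("dns4.vietnamfree.com", "arrakis.dune.hu", "belategeuse.dune.hu"),
        child_ns=_ns("dns4.vietnamfree.com", "arrakis.dune.hu", "belategeuse.dune.hu"),  # assumed equal
    ),
}
ADDRS = {  # A records from the a.hu and a.gtld-servers.net answers; soapstone from the 7 May dig
    "arrakis.dune.hu": ["78.24.191.176"],
    "belategeuse.dune.hu": ["217.20.135.200"],
    "soapstone.yuri.org.uk": ["78.47.151.105"],
    "dns4.vietnamfree.com": ["195.56.77.197"],
}

if __name__ == "__main__":
    for line in audit(ZONES["openwrt.org"], ZONES, ADDRS):
        print("-", line)
```

On the thread's data this reports the three problems the message walks through: soapstone missing from the .org delegation, both delegated servers depending on dune.hu, and those two servers being dune.hu's own name servers. Run against the later ns[123].digitalocean.com delegation it still reports "all delegated name servers depend on resolving digitalocean.com"; that is a true statement the script cannot weigh against the anycast behind it, so treat that finding as something to judge, not a failure.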