Re: [LEDE-DEV] Lack of DNS robustness for openwrt.org

2018-05-08 Thread Bjørn Mork
John Crispin  writes:
> On 06/05/18 22:44, Joerg Jaspert wrote:
>> On 15029 March 1977, Bjørn Mork wrote:
>>
>>> 1) update the .org delegation to include *all* NS records for the
>>> openwrt.org zone
>> I added the soapstone one to the registrar for now, as thats an easy
>> step to do.

Great!

>>> 3) possibly consider adding/replacing DNS servers with more robust
>>>    (anycasted?) solutions.  Adding or replacing secondaries should at
>>>    least be a no-brainer
>> If *wanted*, SPI nameservers can be used as secondaries.
>>
>
> Hi Joerg,
>
> I am liaison to the SPI if I am not mistaken so i can just ask you to
> do that right ? If so, please add spi as secondary.
>
> We should also consider moving primary to the DO servers, but that
> would require a vote and a thread on the adm channels.

Looks like that just moved up to high priority:  Both the responding
slaves are now returning SERVFAIL, presumably because they've been out
of contact with the primary for too long.


bjorn@miraculix:~$ dig ns openwrt.org @belategeuse.dune.hu

; <<>> DiG 9.10.3-P4-Debian <<>> ns openwrt.org @belategeuse.dune.hu
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 56745
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;openwrt.org.   IN  NS

;; Query time: 48 msec
;; SERVER: 81.0.124.200#53(81.0.124.200)
;; WHEN: Mon May 07 09:03:56 CEST 2018
;; MSG SIZE  rcvd: 40

bjorn@miraculix:~$ dig ns openwrt.org @soapstone.yuri.org.uk

; <<>> DiG 9.10.3-P4-Debian <<>> ns openwrt.org @soapstone.yuri.org.uk
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 53523
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;openwrt.org.   IN  NS

;; Query time: 38 msec
;; SERVER: 78.47.151.105#53(78.47.151.105)
;; WHEN: Mon May 07 09:04:14 CEST 2018
;; MSG SIZE  rcvd: 40


And the primary is still dead:

bjorn@miraculix:~$ dig ns openwrt.org @arrakis.dune.hu

; <<>> DiG 9.10.3-P4-Debian <<>> ns openwrt.org @arrakis.dune.hu
;; global options: +cmd
;; connection timed out; no servers could be reached




Bjørn

___
Lede-dev mailing list
Lede-dev@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/lede-dev


Re: [LEDE-DEV] Lack of DNS robustness for openwrt.org

2018-05-08 Thread Arjen de Korte

Quoting John Crispin:

> On 07/05/18 20:34, Arjen de Korte wrote:
>> Quoting Jo-Philipp Wich:
>>> Hi Bjørn,
>>>
>>> the current timings of the DO zone are:
>>>
>>> ;; ANSWER SECTION:
>>> openwrt.org.    1800 IN    SOA ns1.digitalocean.com.
>>> hostmaster.openwrt.org. (
>>>
>>>     1525688668 ; serial
>>>     10800  ; refresh (3 hours)
>>>     3600   ; retry (1 hour)
>>>     604800 ; expire (1 week)
>>>     1800   ; minimum (30 minutes)
>>>     )
>>
>> This all looks fine, but what slightly worries me is that the
>> nameservers listed in the Whois information for openwrt.org still
>> mention the old ones:
>>
>> whois openwrt.org
>>
>> Domain Name: OPENWRT.ORG
>> Registry Domain ID: D104186352-LROR
>> Registrar WHOIS Server: whois.tucows.com
>> Registrar URL: http://www.tucows.com
>> Updated Date: 2018-05-06T20:40:09Z
>> [...]
>> Name Server: ARRAKIS.DUNE.HU
>> Name Server: BELATEGEUSE.DUNE.HU
>> Name Server: SOAPSTONE.YURI.ORG.UK
>>
>> I've switched nameservers for several of my domains (including
>> .org) and I recall this never took more than a few hours. It could
>> be I'm impatient, but as of now, when running a trace, the above
>> are still listed as the openwrt.org nameservers. Of course,
>> *caches* would show stale data for up to a day, but running 'dig
>> soa +trace openwrt.org' should resolve to the DO nameservers by now.
>
> Hi,
>
> nameservers were switched over to DO at 5 am CEST today. things
> should start smoothing out shortly.

Seems to be OK now:

https://www.dnsstuff.com/tools#dnsReport|type=domain&=openwrt.org

Only FAIL is mail.openwrt.org, which is to be expected since that's
hosted on the same IP as the previous primary nameserver (which
failure started this whole cascade).

>  John








Re: [LEDE-DEV] Lack of DNS robustness for openwrt.org

2018-05-07 Thread John Crispin



On 07/05/18 20:34, Arjen de Korte wrote:

> Quoting Jo-Philipp Wich:
>> Hi Bjørn,
>>
>> the current timings of the DO zone are:
>>
>> ;; ANSWER SECTION:
>> openwrt.org.    1800 IN    SOA ns1.digitalocean.com.
>> hostmaster.openwrt.org. (
>>
>>     1525688668 ; serial
>>     10800  ; refresh (3 hours)
>>     3600   ; retry (1 hour)
>>     604800 ; expire (1 week)
>>     1800   ; minimum (30 minutes)
>>     )
>
> This all looks fine, but what slightly worries me is that the nameservers
> listed in the Whois information for openwrt.org still mention the old
> ones:
>
> whois openwrt.org
>
> Domain Name: OPENWRT.ORG
> Registry Domain ID: D104186352-LROR
> Registrar WHOIS Server: whois.tucows.com
> Registrar URL: http://www.tucows.com
> Updated Date: 2018-05-06T20:40:09Z
> [...]
> Name Server: ARRAKIS.DUNE.HU
> Name Server: BELATEGEUSE.DUNE.HU
> Name Server: SOAPSTONE.YURI.ORG.UK
>
> I've switched nameservers for several of my domains (including .org)
> and I recall this never took more than a few hours. It could be I'm
> impatient, but as of now, when running a trace, the above are still
> listed as the openwrt.org nameservers. Of course, *caches* would show
> stale data for up to a day, but running 'dig soa +trace openwrt.org'
> should resolve to the DO nameservers by now.

Hi,

nameservers were switched over to DO at 5 am CEST today. things should 
start smoothing out shortly.


 John



Re: [LEDE-DEV] Lack of DNS robustness for openwrt.org

2018-05-07 Thread Arjen de Korte

Quoting Jo-Philipp Wich:

> Hi Bjørn,
>
> the current timings of the DO zone are:
>
> ;; ANSWER SECTION:
> openwrt.org.1800 IN SOA ns1.digitalocean.com.
> hostmaster.openwrt.org. (
> 1525688668 ; serial
> 10800  ; refresh (3 hours)
> 3600   ; retry (1 hour)
> 604800 ; expire (1 week)
> 1800   ; minimum (30 minutes)
> )


This all looks fine, but what slightly worries me is that the nameservers
listed in the Whois information for openwrt.org still mention the old
ones:



whois openwrt.org


Domain Name: OPENWRT.ORG
Registry Domain ID: D104186352-LROR
Registrar WHOIS Server: whois.tucows.com
Registrar URL: http://www.tucows.com
Updated Date: 2018-05-06T20:40:09Z
[...]
Name Server: ARRAKIS.DUNE.HU
Name Server: BELATEGEUSE.DUNE.HU
Name Server: SOAPSTONE.YURI.ORG.UK

I've switched nameservers for several of my domains (including .org)  
and I recall this never took more than a few hours. It could be I'm  
impatient, but as of now, when running a trace, the above are still  
listed as the openwrt.org nameservers. Of course, *caches* would show  
stale data for up to a day, but running 'dig soa +trace openwrt.org'  
should resolve to the DO nameservers by now.



dig +trace openwrt.org @resolver1.opendns.com


; <<>> DiG 9.11.2 <<>> +trace openwrt.org @resolver1.opendns.com
;; global options: +cmd
.   518400  IN  NS  a.root-servers.net.
.   518400  IN  NS  b.root-servers.net.
.   518400  IN  NS  c.root-servers.net.
.   518400  IN  NS  d.root-servers.net.
.   518400  IN  NS  e.root-servers.net.
.   518400  IN  NS  f.root-servers.net.
.   518400  IN  NS  g.root-servers.net.
.   518400  IN  NS  h.root-servers.net.
.   518400  IN  NS  i.root-servers.net.
.   518400  IN  NS  j.root-servers.net.
.   518400  IN  NS  k.root-servers.net.
.   518400  IN  NS  l.root-servers.net.
.   518400  IN  NS  m.root-servers.net.
;; Received 239 bytes from 208.67.222.222#53(resolver1.opendns.com) in 6 ms

org.172800  IN  NS  b2.org.afilias-nst.org.
org.172800  IN  NS  d0.org.afilias-nst.org.
org.172800  IN  NS  a2.org.afilias-nst.info.
org.172800  IN  NS  b0.org.afilias-nst.org.
org.172800  IN  NS  a0.org.afilias-nst.info.
org.172800  IN  NS  c0.org.afilias-nst.info.
org.86400   IN  DS  9795 7 2  
3922B31B6F3A4EA92B19EB7B52120F031FD8E05FF0B03BAFCF9F891B FE7FF8E5
org.86400   IN  DS  9795 7 1  
364DFAB3DAF254CAB477B5675B10766DDAA24982
org.86400   IN  RRSIG   DS 8 1 86400  
2018052017 2018050716 39570 .  
XKyDB9S0mMInUMOgX8U0H3/Kjvrj4AuiYRfnxyYUMD/LLOQhTSRv/xKQ  
OWl2jQB7wq3hQEecQn+Zd/410BxtWZ4xxv8dYRKqt8m9HEZzG/b0gDje  
wOqOANWZ8v7StnYlNWUFvS11q0rG0yFubSy+TO6aIQQ4aHA7ZmqPGfzq  
CbfqWv6ynMfNtdzQJS4+3kZlTmYKUqZrEAL3o3/7qD5cmSp7buqI8W5j  
/oTV3Ku74Xo1RDd6RXSZi8aYXKYu6PJ6N82o73OEPzqhWVgjX8KC4aOP  
VoQajzCX5YFAlYXpjtcgJti0/3HqeVqnpHtPF8sSroDCnUFIB+IlNBy2 b0M5lg==

;; Received 813 bytes from 2001:500:12::d0d#53(g.root-servers.net) in 37 ms

openwrt.org.86400   IN  NS  arrakis.dune.hu.
openwrt.org.86400   IN  NS  belategeuse.dune.hu.
openwrt.org.86400   IN  NS  soapstone.yuri.org.uk.
h9p7u7tr2u91d0v0ljs9l1gidnp90u3h.org. 86400 IN NSEC3 1 1 1 D399EAAB  
H9PARR669T6U8O1GSG9E1LMITK4DEM0T  NS SOA RRSIG DNSKEY NSEC3PARAM
h9p7u7tr2u91d0v0ljs9l1gidnp90u3h.org. 86400 IN RRSIG NSEC3 7 2 86400  
20180528183058 20180507173058 1862 org.  
J1DhIPJyQfBjOpsQYwFcQC2vZcgxohyH+56fQvSKNKd86uvtk5szsjlS  
GpbkcA03uSqpNNuaj5lj+MzfedQvaHfxxVKQI+3cEsBqPVfN9oAvu2Lv  
wKVsIIaAm8sS0/l8DR4Xryz+5DAjZCfdjZq+sRNbDYc8dGpsQXkCZfRe StY=
6tvuefea073v78a07f9tbfq3d98qfrud.org. 86400 IN NSEC3 1 1 1 D399EAAB  
6U03DTEM7DQG048778H41JO23I0SKBJT  A RRSIG
6tvuefea073v78a07f9tbfq3d98qfrud.org. 86400 IN RRSIG NSEC3 7 2 86400  
20180522152438 20180501142438 1862 org.  
BuA1elggJfC0Gax9Rzfb+GKx5S9NWbleZKWskqIqjLsS6tVVqvB46Q/M  
OYg2kav8gBg2zOv7zNywOKuQH4W4hYfVwqTVnb/iE2r2pHefEDh21ZZD  
RcrdfqJ082D7tvPe+/31qZdtjwashQ+R3Gr0WZLRhA+o4NK2Gwp/8ZGX Irs=

;; Received 623 bytes from 199.19.53.1#53(c0.org.afilias-nst.info) in 6 ms

;; Received 40 bytes from 78.47.151.105#53(soapstone.yuri.org.uk) in 16 ms

They still don't.


> Regards,
> Jo


Re: [LEDE-DEV] Lack of DNS robustness for openwrt.org

2018-05-07 Thread Bjørn Mork
Jo-Philipp Wich  writes:

> Hi Joerg, John.
>
> I created an openwrt.org zone on Digital Ocean now so you could delegate
> the name servers to ns1.digitalocean.com, ns2.digitalocean.com and
> ns3.digitalocean.com, maybe with one of the SPI machines thrown into the
> mix...

Good! I hope you implicitly fixed one important issue I missed
yesterday:

The openwrt.org SOA expire value was extremely low, greatly increasing
the risk of ending up where we are now - with all slaves failing due to
a failing master.  Scrolling back in one of my terminals I found this:

 openwrt.org.14400   IN  SOA arrakis.dune.hu. root.dune.hu. 
2018020702 3600 600 86400 3600


I am not entirely sure what the current best practice is, but I don't
think I've ever seen anyone recommending anything less than a week.
"Using 24 hours is, ehhm, risky" is the most polite I can think of.

The lede-project.org SOA looks fine, so I'd recommend you just copy
those timeouts (which you probably already did?)



Bjørn
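As an added example (not from the thread), an offline check for the failure modes Bjørn describes here and in his original post: a SOA expire too short to outlive a primary outage, a parent delegation that does not match the zone's own NS set, and all delegated nameservers living under a single zone. The inputs are the SOA and NS values quoted in this thread, embedded as constants; the one-week threshold is Bjørn's rule of thumb, not an RFC figure.

```python
WEEK = 7 * 24 * 3600  # rule of thumb from the thread: never expire in less than a week

def parse_soa(rdata):
    """Parse the RDATA of a dig-style SOA line, e.g.
    'arrakis.dune.hu. root.dune.hu. 2018020702 3600 600 86400 3600'."""
    mname, rname, serial, refresh, retry, expire, minimum = rdata.split()
    return {"mname": mname, "rname": rname, "serial": int(serial),
            "refresh": int(refresh), "retry": int(retry),
            "expire": int(expire), "minimum": int(minimum)}

def check_soa_timers(soa):
    """Return a list of problems with the SOA timers (empty if fine)."""
    problems = []
    if soa["expire"] < WEEK:
        problems.append(
            "expire %ds is below one week: secondaries answer SERVFAIL after "
            "only %.1f days without the primary"
            % (soa["expire"], soa["expire"] / 86400))
    if soa["retry"] >= soa["refresh"]:
        problems.append("retry should be shorter than refresh")
    if soa["refresh"] >= soa["expire"]:
        problems.append("refresh should be shorter than expire")
    return problems

def check_delegation(parent_ns, child_ns):
    """Compare the parent's delegation NS set with the zone's own NS RRset.
    Servers present only in the zone are never reached by a resolver that
    follows the tree from the root."""
    parent = {n.lower() for n in parent_ns}
    child = {n.lower() for n in child_ns}
    return {"missing_in_parent": sorted(child - parent),
            "missing_in_child": sorted(parent - child)}

def parent_zone(name):
    """Zone a hostname lives in: 'arrakis.dune.hu.' -> 'dune.hu'."""
    labels = name.lower().rstrip(".").split(".")
    return ".".join(labels[1:])

def shared_dependency(ns_names):
    """If every nameserver hostname is under one zone, resolving any of them
    depends on that zone's servers; return that zone, else None."""
    zones = {parent_zone(n) for n in ns_names}
    return zones.pop() if len(zones) == 1 else None

# Constructed from the values quoted in this thread.
OLD_SOA = parse_soa("arrakis.dune.hu. root.dune.hu. 2018020702 3600 600 86400 3600")
DO_SOA = parse_soa("ns1.digitalocean.com. hostmaster.openwrt.org. "
                   "1525688668 10800 3600 604800 1800")
PARENT_NS = ["arrakis.dune.hu.", "belategeuse.dune.hu."]  # .org delegation
ZONE_NS = PARENT_NS + ["soapstone.yuri.org.uk."]          # zone's own NS RRset

if __name__ == "__main__":
    print("old SOA:", check_soa_timers(OLD_SOA))
    print("DO SOA:", check_soa_timers(DO_SOA))
    print("delegation:", check_delegation(PARENT_NS, ZONE_NS))
    print("shared dependency of delegated NS:", shared_dependency(PARENT_NS))
```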



Re: [LEDE-DEV] Lack of DNS robustness for openwrt.org

2018-05-07 Thread John Crispin



On 07/05/18 09:11, Jo-Philipp Wich wrote:

> Hi Joerg, John.
>
> I created an openwrt.org zone on Digital Ocean now so you could delegate
> the name servers to ns1.digitalocean.com, ns2.digitalocean.com and
> ns3.digitalocean.com, maybe with one of the SPI machines thrown into the
> mix...
>
> ~ Jo




Hi Joerg,

We concluded as per vote on this ML that we would like to switch the DNS 
over to the machines Jow named above. Thanks a lot for your help in 
getting this done !


    John



Re: [LEDE-DEV] Lack of DNS robustness for openwrt.org

2018-05-07 Thread Jo-Philipp Wich
Hi Joerg, John.

I created an openwrt.org zone on Digital Ocean now so you could delegate
the name servers to ns1.digitalocean.com, ns2.digitalocean.com and
ns3.digitalocean.com, maybe with one of the SPI machines thrown into the
mix...

~ Jo





Re: [LEDE-DEV] Lack of DNS robustness for openwrt.org

2018-05-06 Thread John Crispin



On 06/05/18 22:44, Joerg Jaspert wrote:

> On 15029 March 1977, Bjørn Mork wrote:
>
>> 1) update the .org delegation to include *all* NS records for the
>>    openwrt.org zone
>
> I added the soapstone one to the registrar for now, as that's an easy
> step to do.
>
>> 3) possibly consider adding/replacing DNS servers with more robust
>>    (anycasted?) solutions.  Adding or replacing secondaries should at
>>    least be a no-brainer
>
> If *wanted*, SPI nameservers can be used as secondaries.



Hi Joerg,

I am liaison to the SPI if I am not mistaken so i can just ask you to do 
that right ? If so, please add spi as secondary.


We should also consider moving primary to the DO servers, but that would 
require a vote and a thread on the adm channels.


    John



Re: [LEDE-DEV] Lack of DNS robustness for openwrt.org

2018-05-06 Thread Joerg Jaspert
On 15029 March 1977, Bjørn Mork wrote:

> 1) update the .org delegation to include *all* NS records for the
>    openwrt.org zone

I added the soapstone one to the registrar for now, as that's an easy
step to do.

> 3) possibly consider adding/replacing DNS servers with more robust
>   (anycasted?) solutions.  Adding or replacing secondaries should at
>   least be a no-brainer

If *wanted*, SPI nameservers can be used as secondaries.

-- 
bye, Joerg



Re: [LEDE-DEV] Lack of DNS robustness for openwrt.org

2018-05-06 Thread John Crispin



On 06/05/18 17:44, David Woodhouse wrote:

>> Hello,
>>
>> I apologize for bringing up this long-standing issue at a time when you
>> all have other issues to take care of.  But it's again become a
>> real pressing issue, at least seen from the networks I have a presence in.
>
> We can host it (primary or just secondary) on ns[123].infradead.org if it
> helps...


why not move primary to digital ocean ?
    John



Re: [LEDE-DEV] Lack of DNS robustness for openwrt.org

2018-05-06 Thread David Woodhouse

> Hello,
>
> I apologize for bringing up this long-standing issue at a time when you
> all have other issues to take care of.  But it's again become a
> real pressing issue, at least seen from the networks I have a presence in.

We can host it (primary or just secondary) on ns[123].infradead.org if it
helps...

-- 
dwmw2




[LEDE-DEV] Lack of DNS robustness for openwrt.org

2018-05-06 Thread Bjørn Mork
Hello,

I apologize for bringing up this long-standing issue at a time when you
all have other issues to take care of.  But it's again become a
real pressing issue, at least seen from the networks I have a presence in.

The main problem is that there still hasn't been any update to the
*technical* part of the .org delegation:

 bjorn@miraculix:~$ whois openwrt.org|grep Name
 Domain Name: OPENWRT.ORG
 Registrant Name: SPI Hostmaster
 Admin Name: SPI Hostmaster
 Tech Name: SPI Hostmaster
 Name Server: ARRAKIS.DUNE.HU
 Name Server: BELATEGEUSE.DUNE.HU

So those two listed name servers are still the *only* two servers making
a difference when following the tree from root:

bjorn@miraculix:~$ dig ns openwrt.org @a0.org.afilias-nst.info

; <<>> DiG 9.10.3-P4-Debian <<>> ns openwrt.org @a0.org.afilias-nst.info
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 39054
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 2, ADDITIONAL: 1
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;openwrt.org.   IN  NS

;; AUTHORITY SECTION:
openwrt.org.86400   IN  NS  arrakis.dune.hu.
openwrt.org.86400   IN  NS  belategeuse.dune.hu.

;; Query time: 159 msec
;; SERVER: 2001:500:e::1#53(2001:500:e::1)
;; WHEN: Sun May 06 12:56:35 CEST 2018
;; MSG SIZE  rcvd: 95




That would not be an issue if those two servers were independent and
stable.  But they are not. First of all, both depend on being able to
resolve dune.hu.  So we ask one of the hu servers:

bjorn@miraculix:~$ dig ns dune.hu @a.hu

; <<>> DiG 9.10.3-P4-Debian <<>> ns dune.hu @a.hu
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 53327
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 3, ADDITIONAL: 3
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;dune.hu.   IN  NS

;; AUTHORITY SECTION:
dune.hu.86400   IN  NS  dns4.vietnamfree.com.
dune.hu.86400   IN  NS  arrakis.dune.hu.
dune.hu.86400   IN  NS  belategeuse.dune.hu.

;; ADDITIONAL SECTION:
arrakis.dune.hu.86400   IN  A   78.24.191.176
belategeuse.dune.hu.86400   IN  A   217.20.135.200

;; Query time: 51 msec
;; SERVER: 2001:738:4:8000::48#53(2001:738:4:8000::48)
;; WHEN: Sun May 06 12:58:10 CEST 2018
;; MSG SIZE  rcvd: 150




And naturally get glue for the two servers which are in that same zone.
But none of them are answering DNS requests at the moment, from none of
the networks I have access to (which each have millions of users AFAIK).


bjorn@miraculix:~$ dig ns dune.hu @78.24.191.176

; <<>> DiG 9.10.3-P4-Debian <<>> ns dune.hu @78.24.191.176
;; global options: +cmd
;; connection timed out; no servers could be reached
bjorn@miraculix:~$ dig ns dune.hu @217.20.135.200

; <<>> DiG 9.10.3-P4-Debian <<>> ns dune.hu @217.20.135.200
;; global options: +cmd
;; connection timed out; no servers could be reached


But there is also a third server for dune.hu, so let's try that one:


bjorn@miraculix:~$ dig ns vietnamfree.com @a.gtld-servers.net

; <<>> DiG 9.10.3-P4-Debian <<>> ns vietnamfree.com @a.gtld-servers.net
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1957
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 5, ADDITIONAL: 6
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;vietnamfree.com.   IN  NS

;; AUTHORITY SECTION:
vietnamfree.com.172800  IN  NS  irc.vietnamfree.com.
vietnamfree.com.172800  IN  NS  dns4.vietnamfree.com.
vietnamfree.com.172800  IN  NS  ns.vietnamfree.com.
vietnamfree.com.172800  IN  NS  ns3.vietnamfree.com.
vietnamfree.com.172800  IN  NS  dns5.vietnamfree.com.

;; ADDITIONAL SECTION:
irc.vietnamfree.com.172800  IN  A   195.56.146.224
dns4.vietnamfree.com.   172800  IN  A   195.56.77.197
ns.vietnamfree.com. 172800  IN  A   195.56.146.224
ns3.vietnamfree.com.172800  IN  A   202.157.185.115
dns5.vietnamfree.com.   172800  IN  A   62.165.228.216

;; Query time: 147 msec
;; SERVER: 192.5.6.30#53(192.5.6.30)
;; WHEN: Sun May 06 13:02:43 CEST 2018
;; MSG SIZE  rcvd: 215

bjorn@miraculix:~$ dig a dns4.vietnamfree.com @195.56.77.197

; <<>> DiG 9.10.3-P4-Debian <<>> a dns4.vietnamfree.com @195.56.77.197
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 42806
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 5, ADDITIONAL: 6
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION: