Maintained by: NLnet Labs

[Unbound-users] problems resolving akamai hosted domains with unbound?

W.C.A. Wijngaards
Sun Jun 8 11:20:58 CEST 2008


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi Robert,

An initial look, it seems there are no replies from akamai.
Looking at the pcap, I can see that akamai responds with weird answers,
that have a CNAME twice in there.

Answer section:
images-na.ssl-images-amazon.com. 300 IN CNAME
images-na.ssl-images-amazon.com.edgekey.net.
images-na.ssl-images-amazon.com. 300 IN CNAME
images-na.ssl-images-amazon.com.edgekey.net.

Currently, those akamai servers are responding with only one CNAME for me.

Unbound is dropping the return messages, as integrity checks are
failing.  Only one CNAME record is allowed at a name (otherwise, which
one do you follow?).

It drops all messages that try to have multiple CNAMEs for one name. The
reason for the check is to protect the internal logic of the recursor.

If the problem persists for you, I could try to 'fix it up' by seeing if
the CNAMEs are identical, and then merging them.

Thank you very much for both the unbound-host output (although even more
- -d's would have been nice; then it prints packets) and the pcap.

Best regards,
~   Wouter

Robert Edmonds wrote:
| I'm experiencing problems looking up "images-na.ssl-images-amazon.com"
| (an akamai hosted domain) using unbound -- could someone take a look at
| these traces?
|
| I attach here four files --
|
|   amazon-dnscache.pcap: the packets generated by a successful lookup
|   using dnscache
|
|   amazon-dnscache.txt: the dig output generated by a successful lookup
|   using dnscache
|
|   amazon-unbound-host.pcap: the packets generated by an unsuccessful
|   (SERVFAIL) lookup using unbound-host
|
|   amazon-unbound-host.txt: the output of `unbound-host -v -d -d -t a
|   images-na.ssl-images-amazon.com`
|
| any ideas?  are one or more of akamai, dnscache, or unbound at fault?
|
|
|
| ------------------------------------------------------------------------
|
| _______________________________________________
| Unbound-users mailing list
| Unbound-users at unbound.net
| http://unbound.nlnetlabs.nl/mailman/listinfo/unbound-users

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org

iEYEARECAAYFAkhLpHoACgkQkDLqNwOhpPhXSACfX2Kob9tLAk7psK9F3sNEMQLq
DBkAoKNUnU+RvWTx6NAWLu6AW43PkMLu
=nSf9
-----END PGP SIGNATURE-----