June 27, 2014
xbox.com IPv6 Broken, Buggy DNS to Blame
I've previously discussed the problems caused by buggy DNS servers that don't implement IPv6-related queries properly. The worst problem I've faced is that, by default, F5 Network's "BIG-IP GTM" appliance doesn't respond to AAAA queries for certain records, causing lengthy delays as IPv6-capable resolvers continue to send AAAA queries before finally timing out.
Now www.xbox.com
is exhibiting broken AAAA behavior, and it looks
like an F5 "GTM" appliance may be to blame. www.xbox.com
is a CNAME for www.gtm.xbox.com, which is itself a CNAME for
wildcard.xbox.com-c.edgekey.net (which is in turn a CNAME for another
CNAME, but that's not important here). The nameservers for gtm.xbox.com
({ns1-bn, ns1-qy, ns2-bn, ns2-qy}.gtm.xbox.com), contrary to the DNS
spec, do not return the CNAME record when queried for the AAAA record
for www.gtm.xbox.com:
Contrast to an A record query, which properly returns the CNAME:
$ dig www.gtm.xbox.com. A @ns1-bn.gtm.xbox.com. ; <<>> DiG 9.8.4-rpz2+rl005.12-P1 <<>> www.gtm.xbox.com. A @ns1-bn.gtm.xbox.com. ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 890 ;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0 ;; WARNING: recursion requested but not available ;; QUESTION SECTION: ;www.gtm.xbox.com. IN A ;; ANSWER SECTION: www.gtm.xbox.com. 30 IN CNAME wildcard.xbox.com-c.edgekey.net. ;; Query time: 115 msec ;; SERVER: 134.170.28.97#53(134.170.28.97) ;; WHEN: Tue Jun 24 15:04:34 2014 ;; MSG SIZE rcvd: 79
Consequentially, any IPv6-only host attempting to resolve www.xbox.com will fail,
even though www.xbox.com has IPv6 connectivity and ultimately (once you follow 4 CNAMEs) has an AAAA record.
You can witness this by
running ping6 www.xbox.com from a Linux box (but flush your DNS caches first).
Fortunately, IPv6-only hosts are rare, and dual-stack or IPv4-only hosts won't
have a problem resolving www.xbox.com because they'll try resolving the
A record. Nevertheless, this buggy behavior is extremely
troubling, especially when the bug is with such simple logic (it doesn't
matter what kind of record is being requested: if there's a CNAME, you return it),
and is bound to cause headaches during the IPv6 transition.
I can't tell for sure what DNS implementation is powering
the gtm.xbox.com nameservers, but considering that "GTM" stands for "Global
Traffic Manager," F5's DNS appliance product, which has a history of AAAA
record bugginess, I have a hunch...
Post a Comment
Your comment will be public. To contact me privately, email me. Please keep your comment polite, on-topic, and comprehensible. Your comment may be held for moderation before being published.
Comments
Reader Thomas on 2014-11-28 at 15:34:
Hi,
thanks for this. I realized a few months back a slightly reverse problem. My domain was for ages available via IPv6, back then (and still) I decided to also make it available via a IPv6 NS - and an IPv6 GLUE record. And interestingly when I had an IPv6 GLUE record the Google NS 8.8.8.8 wasn't able to resolve it anymore. I saw requests coming in... it was properly responded, but at the client nothing was returned.
Funny enough, I just tried it and it seems to be working now... *g
Cheers
Thomas
PS: Keep up the good work, nice blog, great SSLMate... can't wait to have a look at that configuration management to be released.
Reply