issue with gas.mcd.com

Hello,

a customer informed me about trouble with https://account.mcd.com
I found that the resolver had problems getting an IP for the related name "gas.mcd.com"

mcd.com returns a CNAME gas.gslb.mcd.com:

$ kdig @pdns1.cscdns.net. gas.mcd.com. +norec +noall +answer

;; ANSWER SECTION:
gas.mcd.com. 180 IN CNAME gas.gslb.mcd.com.

gslb.mcd.com seems to be a subdomain.

$ kdig @pdns1.cscdns.net. gslb.mcd.com. NS +norec +noall +add

;; ADDITIONAL SECTION:
ELB-APSE-PROD-GSLB-01-PIPDNS.gslb.mcd.com. 900 IN A 13.67.105.153
ELB-EUWE-PROD-GSLB-01-PIPDNS.gslb.mcd.com. 900 IN A 13.73.228.106
ELB-USCN-PROD-GSLB-01-PIPDNS.gslb.mcd.com. 900 IN A 52.176.102.138

13.67.105.153 and 13.73.228.106 are unresponsive on UDP and reject TCP.
52.176.102.138 is alive and responds with completely different nameservers:

$ kdig @52.176.102.138 gslb.mcd.com. NS +norec +noall +answer +add

;; ANSWER SECTION:
gslb.mcd.com. 300 IN NS zewpgtsgslbdns.gslb.mcd.com.
gslb.mcd.com. 300 IN NS zucpgtsgslbdns.gslb.mcd.com.
gslb.mcd.com. 300 IN NS zappgtsgslbdns.gslb.mcd.com.

;; ADDITIONAL SECTION:
zewpgtsgslbdns.gslb.mcd.com. 900 IN A 152.142.150.180
zucpgtsgslbdns.gslb.mcd.com. 900 IN A 152.140.216.180
zappgtsgslbdns.gslb.mcd.com. 900 IN A 152.140.218.180

But all three nameservers don't answer on UDP and reject TCP

I verified this from a different location. (SRC IP)

That means for me that no resolver ever has a chance to get an IP for the initial question.
But the CNAME above has a short TTL. So I retry some minutes later and sometimes I *do*
get an answer for a simple "dig gas.mcd.com. A" to my unbound. This is good, but I don't see why!?

Reproduced on unbound-1.12.0 and unbound-1.13.0

Any ideas?
Andreas
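
An offline cross-check of the delegation data quoted in the message above, as an added example that is not part of the original post: it parses the two kdig outputs, compares the parent-side glue names with the NS set served by the one responsive server, and intersects both with the reachability reported in the message. The function names and the RESPONSIVE set are assumptions made for this illustration.

```python
# Records copied from the kdig output quoted in the post.
PARENT_GLUE = """
ELB-APSE-PROD-GSLB-01-PIPDNS.gslb.mcd.com. 900 IN A 13.67.105.153
ELB-EUWE-PROD-GSLB-01-PIPDNS.gslb.mcd.com. 900 IN A 13.73.228.106
ELB-USCN-PROD-GSLB-01-PIPDNS.gslb.mcd.com. 900 IN A 52.176.102.138
"""
CHILD_REPLY = """
;; ANSWER SECTION:
gslb.mcd.com. 300 IN NS zewpgtsgslbdns.gslb.mcd.com.
gslb.mcd.com. 300 IN NS zucpgtsgslbdns.gslb.mcd.com.
gslb.mcd.com. 300 IN NS zappgtsgslbdns.gslb.mcd.com.
;; ADDITIONAL SECTION:
zewpgtsgslbdns.gslb.mcd.com. 900 IN A 152.142.150.180
zucpgtsgslbdns.gslb.mcd.com. 900 IN A 152.140.216.180
zappgtsgslbdns.gslb.mcd.com. 900 IN A 152.140.218.180
"""
# Reachability as reported in the post; this script sends no queries.
RESPONSIVE = {"52.176.102.138"}


def parse_rrs(text):
    """Parse dig/kdig presentation lines into (owner, type, rdata) tuples."""
    rrs = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 5 or line.lstrip().startswith(";"):
            continue  # skip blank lines and ';;' section headers
        owner, _ttl, _cls, rtype = fields[:4]
        rrs.append((owner.lower(), rtype.upper(), " ".join(fields[4:]).lower()))
    return rrs


def audit_delegation(parent_text, child_text, responsive):
    """Compare the parent's glue with the NS set the child zone serves."""
    parent, child = parse_rrs(parent_text), parse_rrs(child_text)
    # One A record per name in this data, so a plain dict is enough.
    parent_addr = {o: r for o, t, r in parent if t == "A"}
    child_ns = {r for _, t, r in child if t == "NS"}
    child_addr = {o: r for o, t, r in child if t == "A" and o in child_ns}
    return {
        "parent_only": sorted(set(parent_addr) - child_ns),
        "child_only": sorted(child_ns - set(parent_addr)),
        "parent_reachable": sorted(set(parent_addr.values()) & responsive),
        "child_reachable": sorted(set(child_addr.values()) & responsive),
    }


if __name__ == "__main__":
    for key, value in audit_delegation(PARENT_GLUE, CHILD_REPLY, RESPONSIVE).items():
        print(f"{key}: {value}")
```

Non-empty parent_only and child_only lists mean the parent and the child zone disagree about the nameserver set; an empty child_reachable list means none of the servers named by the child zone answered in the tests described in the message.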

I'm guessing they're using failover (carp?), and their servers are swamped. It's
also possible your upstream BGP isn't current enough. Either way, if _they_ are having
problems answering authoritatively, there isn't much _you_ can do, aside from informing
them. :)

FWIW this is what I see:
udns# drill gas.mcd.com
;; ->>HEADER<<- opcode: QUERY, rcode: NOERROR, id: 9379
;; flags: qr rd ra ; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;; gas.mcd.com. IN A

;; ANSWER SECTION:
gas.mcd.com. 300 IN CNAME gas.gslb.mcd.com.
gas.gslb.mcd.com. 300 IN A 40.122.111.34

;; AUTHORITY SECTION:

;; ADDITIONAL SECTION:

;; Query time: 344 msec
I mention it, because _my_ numbers are different than yours.