Closed
Bug 770275
Opened 13 years ago
Closed 12 years ago
Possible DNSSEC issue with wildcard domains like *.bugzilla.mozilla.org
Categories
(Infrastructure & Operations :: Infrastructure: Other, task)
Tracking
(Not tracked)
RESOLVED
FIXED
People
(Reporter: taras.mozilla, Assigned: fox2mike)
Details
(Whiteboard: Fixed upstream by Comcast)
Attachments
(1 file: 102.68 KB, image/png)
I've been suffering from this for 3 weeks on multiple browsers, operating systems, networks on my laptop. If I try again, occasionally the patches show. Frequency of failure goes from rare to failing 90% of the time. Not sure what affects it.
Updated•13 years ago
Assignee: create-and-change → nobody
Component: Creating/Changing Bugs → General
Product: Bugzilla → bugzilla.mozilla.org
QA Contact: default-qa → general
Version: unspecified → Production
Updated•13 years ago
Assignee: nobody → server-ops
Component: General → Server Operations
Product: bugzilla.mozilla.org → mozilla.org
QA Contact: general → phong
Version: Production → other
Updated•13 years ago (Assignee)
Assignee: server-ops → server-ops-devservices
Component: Server Operations → Server Operations: Developer Services
QA Contact: phong → shyam
Comment 1•13 years ago (Assignee)
What are your DNS resolvers? Which OS is this?
Assignee: server-ops-devservices → shyam
Comment 2•13 years ago (Assignee)
Assuming the bugzilla field above is correct, Mac...I'll need to know what your DNS resolvers are to dig deeper.
(In reply to Shyam Mani [:fox2mike] from comment #2)
> Assuming the bugzilla field above is correct
fwiw works for me.
the frame's url is https://bug769191.bugzilla.mozilla.org/attachment.cgi?id=637423
Comment 5•13 years ago (Reporter)
(In reply to Shyam Mani [:fox2mike] from comment #1)
> What are your DNS resolvers? Which OS is this?
This happens on mac and windows 7. What's a dns resolver?
Comment 6•13 years ago (Reporter)
Byron this does not seem to be related to my specific internet provider. I was traveling and was getting the exact same problem on hotel and conference internet. I'm using comcast at home.
Comment 7•13 years ago
Problems three weeks ago could have been bug 765670. There were definitely intermittent issues with bugzilla DNS before then. Since then I haven't heard any reports aside from the ones here, though.
That it's affecting more than just Taras suggests it could be an intermittent/isolated issue with Dynect or something?
Comment 9•13 years ago (Assignee)
(In reply to Taras Glek (:taras) from comment #5)
> (In reply to Shyam Mani [:fox2mike] from comment #1)
> > What are your DNS resolvers? Which OS is this?
>
> This happens on mac and windows 7. What's a dns resolver?
Open a terminal on mac and run cat /etc/resolv.conf and paste the output here?
Comment 10•13 years ago (Reporter)
My LAN uses a local dnsmasq resolver that forwards to 75.75.75.75, 75.75.76.76 (i.e. Comcast)
Comment 11•13 years ago (Assignee)
Dude, this is awesome information. Epic stuff :)
I'll look into this asap, I'm on pto most of this week, but this is serious enough for me to debug and fix. CC'ing some people for information.
The reason I'm so excited about this is that's Comcast's DNSSEC-enabled DNS server... and this is an issue on our end with DNSSEC and wildcard domains.
Severity: normal → critical
Component: Server Operations: Developer Services → Server Operations: Infrastructure
QA Contact: shyam → jdow
Comment 12•13 years ago (Assignee)
Another thing that I just thought of...this may be happening because of our delegation of these domains to dynect. I'll give it some more thought.
Summary: DNS keeps failing: "Firefox can't find the server at bug769191.bugzilla.mozilla.org." → Possible DNSSEC issue with wildcard domains like *.bugzilla.mozilla.org
Comment 13•13 years ago
(In reply to Shyam Mani [:fox2mike] from comment #12)
> Another thing that I just thought of...this may be happening because of our
> delegation of these domains to dynect. I'll give it some more thought.
https://bugzilla.mozilla.org/show_bug.cgi?id=771861#c6 indicates this was an end-user problem?
Updated•13 years ago
Severity: critical → blocker
Comment 14•13 years ago
My comcast dns nameservers are also: 75.75.76.76, 75.75.75.75
I am also getting a "server not found" when trying to view any attachment.
I've also had some issues with viewing attachments since moving to San Jose a few weeks ago and switching to Comcast's internet service.
My nameservers are also 75.75.75.75 and 75.75.76.76
Comment 16•13 years ago
I'm on Comcast at home. My nameservers are 75.75.75.75, 75.75.76.76
While I get the "server not found" message on my PC, when I access it through my phone (which is on 4G), I am able to successfully view the attachment.
Comment 17•13 years ago
you can use http://dns.comcast.net/dig-tool.php to query comcast's dns.
using a bugzilla wildcard hostname results in failure most of the time (it worked once out of twelve attempts for me).
the error message when it fails is "Invalid request sent.".
the success response returned:
wild.bugzilla.dynect.mozilla.net.
bugzilla-wild.zlb.phx.mozilla.net.
63.245.217.61
resolving wild.bugzilla.dynect.mozilla.net always works.
testing with other domains that appear to use dns wildcards (such as *.blogspot.com) doesn't result in failure.
Comment 18•13 years ago
H
Comment 19•12 years ago
(In reply to Byron Jones ‹:glob› from comment #17)
> you can use http://dns.comcast.net/dig-tool.php to query comcast's dns.
>
> using a bugzilla wildcard hostname results in failure most of the time (it
> worked once out of twelve attempts for me).
Any way to get this to work? I am having a tough time using bugzilla with this happening.
> resolving wild.bugzilla.dynect.mozilla.net always works.
This still fails for me:
https://bug773535.bugzilla.dynect.mozilla.net/attachment.cgi?id=641720
Updated•12 years ago
OS: Mac OS X → All
Hardware: x86 → All
Comment 20•12 years ago
(In reply to Mark Finkle (:mfinkle) from comment #19)
> Anyway to get this to work? I am having a tough time using bugzilla with
> this happening.
the only work around i'm aware of is using different dns servers.
Comment 21•12 years ago
(In reply to Byron Jones ‹:glob› from comment #20)
> (In reply to Mark Finkle (:mfinkle) from comment #19)
> > Anyway to get this to work? I am having a tough time using bugzilla with
> > this happening.
>
> the only work around i'm aware of is using different dns servers.
Yep, and I switched to Google's DNS servers. Things are working now.
Comment 22•12 years ago (Assignee)
I'm back and will need some time to confirm that the issue isn't on our end. I'll keep the bug updated.
Comment 23•12 years ago
Just for the record, this also seems to happen with *.etherpad.mozilla.org (had a report of this today, and confirmed it with the tool in comment 17). This is different in that it does not go through mozilla.net or Dynect or 3crowd... it is a simple wildcard A record in mozilla.org.
Comment 24•12 years ago (Assignee)
This seems to be an issue on Comcast's end. We're working with them to see if we can pinpoint and resolve the issue.
Updated•12 years ago (Assignee)
Whiteboard: Waiting on Comcast
Comment 25•12 years ago
And also for *.pastebin.mozilla.org
Comment 26•12 years ago
I tried switching to Google's DNS. That fixed Bugzilla attachments, but broke resolving pvtbuilds2.dmz.scl3.mozilla.com when connected to MPT VPN with Tunnelblick.
Comment 27•12 years ago (Assignee)
To elaborate some more, the issue is with Comcast's DNS servers and the way they treat NSEC3 responses. I'm still waiting for a response from them.
Comment 28•12 years ago (Assignee)
Comcast says this is resolved now. If someone on Comcast can check and verify that the following query returns an IP:
dig +dnssec @75.75.75.75 bug770275.bugzilla.mozilla.org
We're good to go.
Status: NEW → RESOLVED
Closed: 12 years ago
Resolution: --- → FIXED
Whiteboard: Waiting on Comcast → Fixed upstream by Comcast
$ dig +dnssec @75.75.75.75 bug770275.bugzilla.mozilla.org
; <<>> DiG 9.8.1-P1 <<>> +dnssec @75.75.75.75 bug770275.bugzilla.mozilla.org
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 54709
;; flags: qr rd ra; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4000
;; QUESTION SECTION:
;bug770275.bugzilla.mozilla.org. IN A
;; ANSWER SECTION:
bug770275.bugzilla.mozilla.org. 25 IN CNAME wild.bugzilla.dynect.mozilla.net.
bug770275.bugzilla.mozilla.org. 25 IN RRSIG CNAME 7 3 60 20120816195310 20120717200111 63920 mozilla.org. M5CU+laA/rD90Z/07LiM14WKf6owxX4ZKg/hmDjqjJxSxAe7MaVc4PVi l+fR4O/GLCkkPWKN6gH+7i653EJTAMmavn+MYm9rjlPtvWZ93LIBMXpO mdcD8ymfINu1v2gKkQMd0RWGJeY5IRqsoB031rgI3rpcMUptMVD8K1P4 kV0=
wild.bugzilla.dynect.mozilla.net. 900 IN CNAME bugzilla-wild.zlb.phx.mozilla.net.
bugzilla-wild.zlb.phx.mozilla.net. 300 IN A 63.245.217.61
;; Query time: 85 msec
;; SERVER: 75.75.75.75#53(75.75.75.75)
;; WHEN: Sat Jul 21 15:25:15 2012
;; MSG SIZE rcvd: 328
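The check requested in comment 28, as an added example that is not part of the original bug: it parses `dig +dnssec` output, reports whether an address came back, and uses the RRSIG Labels field (RFC 4034) to flag answers synthesized from a wildcard, which is the case whose NSEC3 handling this bug is about. The sample input is trimmed from the output above with a placeholder signature, and the function names are illustrative.

```python
import re
import sys

# Trimmed from the dig output in this bug; the RRSIG signature is replaced
# by a constructed placeholder because only the fields before it are parsed.
SAMPLE = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 54709
;; ANSWER SECTION:
bug770275.bugzilla.mozilla.org. 25 IN CNAME wild.bugzilla.dynect.mozilla.net.
bug770275.bugzilla.mozilla.org. 25 IN RRSIG CNAME 7 3 60 20120816195310 20120717200111 63920 mozilla.org. PLACEHOLDER=
wild.bugzilla.dynect.mozilla.net. 900 IN CNAME bugzilla-wild.zlb.phx.mozilla.net.
bugzilla-wild.zlb.phx.mozilla.net. 300 IN A 63.245.217.61
"""

def labels_of(owner):
    """Owner-name labels, without the root label or a leading '*' (RFC 4034, 3.1.3)."""
    labels = [l for l in owner.rstrip(".").split(".") if l]
    return labels[1:] if labels and labels[0] == "*" else labels

def analyze(dig_text):
    """Summarise one `dig +dnssec` response: status, A records, wildcard RRsets."""
    status, addresses, wildcard = None, [], []
    for line in dig_text.splitlines():
        header = re.search(r"status: (\w+)", line) if line.startswith(";;") else None
        if header:
            status = header.group(1)
        fields = line.split()
        if line.startswith(";") or len(fields) < 5 or fields[2] != "IN":
            continue
        owner, rtype = fields[0], fields[3]
        if rtype == "A":
            addresses.append(fields[4])
        elif rtype == "RRSIG" and len(fields) >= 7:
            covered, sig_labels = fields[4], int(fields[6])
            owner_labels = labels_of(owner)
            # RRSIG Labels < owner label count: the answer was expanded from a
            # wildcard, so a validator also needs the NSEC/NSEC3 denial proof.
            if sig_labels < len(owner_labels):
                kept = owner_labels[len(owner_labels) - sig_labels:]
                source = "*." + "".join(label + "." for label in kept)
                wildcard.append((owner, covered, source))
    return {"status": status, "addresses": addresses, "wildcard": wildcard,
            "resolved": status == "NOERROR" and bool(addresses)}

if __name__ == "__main__":
    # Usage: dig +dnssec @RESOLVER NAME | python3 this_script.py
    text = SAMPLE if sys.stdin.isatty() else sys.stdin.read()
    print(analyze(text))
```

Running it repeatedly against a suspect resolver and a known-good one gives a failure rate for wildcard-expanded names, which is how the intermittent behaviour in comment 17 shows up.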
Updated•12 years ago
Component: Server Operations: Infrastructure → Infrastructure: Other
Product: mozilla.org → Infrastructure & Operations