[BALUG-Admin] (forw) linuxmafia.com 2024-06-04 02:02 System Events

Michael Paoli michael.paoli@berkeley.edu
Tue Jun 4 23:21:41 UTC 2024


There are two different issues (well, three, but the 3rd is minor), not
to be confused:

There's the issue with Comcast Business on the [ns1.]linuxmafia.com.,
etc. side of things, notably: UDP port 5353 generally works on The
Internet, but not from guido nor linuxmafia, etc. as clients - though
it works fine from other clients on The Internet.
Here's a bit more detailed summary thus far:
-----
2024-06-03 11:26p-12:02a US/Pacific CR145359298
CR145359298 - issue appears to be on/towards other end,
different Comcast Business account, address:
1105 ALTSCHUL AVE UNIT HMOFC MENLO PARK CA 94025
issue, client IP:
96.95.217.98/29
communication fails with UDP to server: 96.86.170.229 UDP port 5353
Also observed:
Server receives and responds.
Response packets never make it to client (96.95.217.98).
If target port is changed to 53 or protocol changed to TCP,
then client successfully receives reply packets.
Also able to communicate from other Internet clients to
server: 96.86.170.229 UDP port 5353
-----
This can be tested relatively easily, e.g., note that it works with
TCP or port 53, but not UDP on 5353 (but works fine from other clients
on The Internet):
$ hostname
linuxmafia.com
$ time dig -p 5353 +tcp +nomultiline @96.86.170.229 +noall +answer
sflug.com. SOA && time dig -p 53 +notcp +ignore +nomultiline
@96.86.170.229 +noall +answer sflug.com. SOA && time dig -p 5353
+notcp +ignore +nomultiline @96.86.170.229 +noall +answer sflug.com.
SOA
sflug.com.              172800  IN      SOA     ns1.sf-lug.org.
jim.well.com. 1716775812 10800 3600 3600000 86400

real    0m0.076s
user    0m0.004s
sys     0m0.000s
sflug.com.              172800  IN      SOA     ns1.sf-lug.org.
jim.well.com. 1716775812 10800 3600 3600000 86400

real    0m0.046s
user    0m0.000s
sys     0m0.004s
;; connection timed out; no servers could be reached

real    0m15.012s
user    0m0.004s
sys     0m0.008s
$

So, that, (all) above is one issue.

The second - unrelated - issue.  I've got excess notifies being sent
from my server(s).
Now, it's not at all unusual that sometimes there may be bursts of
activity and updates and such; at least some of that is to be expected.
What's quite unexpected and ought not be happening, but is, is that
I've got the server sending frequent (e.g. like every 90 seconds-ish -
or so) notifies when basic zone DNS data hasn't changed - same SOA
serial, etc.
So, something's still amiss with that which I need to correct (doesn't
really break any functionalities ... but it's rather wasteful, all those
excess notifies being sent; it also tends to cause needless traffic on
both the sending side, and receiving servers checking and finding
they've got nothing to do because they're already current).
And, as I'd earlier mentioned, I suspect it's from some major upgrades
I did a few weeks ago ... well, that was off-list, so, let me include a
fair bit more of it here (but not the whole thing, it gets very long,
especially with all the earlier referenced):
-----
---------- Forwarded message ---------
From: Michael Paoli <michael.paoli@berkeley.edu>
Date: Mon, Jun 3, 2024 at 11:19 PM
Subject: Re: [BALUG-Admin] (forw) linuxmafia.com 2024-06-03 15:02 System Events
To: Al <aw009@sunnyside.com>
Cc: Rick Moen <rick@linuxmafia.com>

Yeah, ... something's still not quite right there.
Did upgrade on that host/server a couple weekends ago
Debian: buster 10 --> bullseye 11 --> bookworm 12
$ TZ=GMT0 stat -c '%z %Z %n' /etc/debian_version
2024-05-14 07:37:15.000000000 +0000 1715672235 /etc/debian_version
$
Some of ye olde(er) DNS configuration options, while still
(marginally?) functional, are quite deprecated, and I'm getting
warnings on that and one other minor issue ... anyway, need to do
some cleanup/reconfig with DNS server on that host.
Should all be fine after that.  Functional in the meantime, but ...
not yet optimal ... clearly.

On Mon, Jun 3, 2024 at 10:43 PM Al <aw009@sunnyside.com> wrote:
>
> I'm probably not reading those logs right but part of it looked like mpaoli was being signed every minute?  Only partial logs, not enough to be sure.  7:28, 7:29.
> Just a thought...
>
> On June 3, 2024 20:15:06 Michael Paoli via BALUG-Admin <balug-admin@lists.balug.org> wrote:
>
>> Well, under some circumstances, I'd expect a relative flurry, or
>> "bursts" of notify
>> activity.  E.g. I do TLS(/"SSL") certs via LetsEncrypt.org (LE), using DNS
>> verification.  Some/many of those certs will have multiple
>> Subject Alternative Name (SAN) domains, and there may be fair number
>> of such certs.  So, adding the relevant records for verification, and then
>> removing them after having obtained the issued cert(s) - that can be a
>> fair burst of activity.  But those generally wouldn't persist over a long
>> period of time.  E.g. every 90 seconds over many hours or days
>> or more ... then something else is going on.  So ... let me dig
>> (pun not quite intended but apt) a bit more and peek what's currently
>> goin' on there ...
...
----- End forwarded message -----
-----
I suspect it has to do with some changes in how DNSSEC is configured,
most notably a configuration syntax I'm using is (now) quite deprecated,
and it may be thus defaulting to some rather undesirable behavior(s)
which may include triggering the excess notifies.
Anyway, want to test it carefully and not break things, that's why I'm not
willy-nilly throwing things at it.  Goals being, to not only fix it, but if
feasible without causing further breakage along the way, and also not
disabling DNSSEC at any point (shouldn't need to) ... and while I'm at
it, also reviewing and checking/updating earlier documentation (much of which
I wrote):
Debian wiki: DNSSEC Howto for BIND 9.9+:
https://wiki.debian.org/DNSSEC%20Howto%20for%20BIND%209.9+
And, along the way, I've also got a temporary zone and subdomain I'm
fiddling with: tmp.mpaoli.net. to test things, etc.  Anyway, it's still
a work in progress to get that all squared away (get the issue fixed,
not further break things, and update relevant documentation).
Anyway, as far as I'm aware, the excess notifies being sent don't have
anything to do with the Comcast issues.

And thirdly - relatively minor issue.  Al's got
(at least last I checked, yesterday or so) issues with
2603:3024:180d:f100:50:242:105:34 (nsx.sunnyside.com.)
not responding.

On Tue, Jun 4, 2024 at 3:12 PM Rick Moen <rick@linuxmafia.com> wrote:
>
> More of same, involving back-to-back NOTIFY traffic about mpaoli.net,
> allegedly originating from master nameserver 96.86.170.226 .  Michael, I
> greatly doubt your nameserver is doing this.  mpaoli.net's zonefile is
> pretty unchanging.  I suspect Comcast middleman fsckery.  Thoughts?
>
> ----- Forwarded message from logcheck system account <logcheck@linuxmafia.com> -----
>
> Date: Tue, 04 Jun 2024 02:02:01 -0700
> From: logcheck system account <logcheck@linuxmafia.com>
> To: root@linuxmafia.com
> Subject: linuxmafia.com 2024-06-04 02:02 System Events
>
> System Events
> =-=-=-=-=-=-=
> Jun  4 01:47:15 linuxmafia named[15622]: zone mpaoli.net/IN: Transfer started.
> Jun  4 01:47:15 linuxmafia named[15622]: transfer of 'mpaoli.net/IN' from 96.86.170.226#53: connected using 96.95.217.99#52012
> Jun  4 01:47:15 linuxmafia named[15622]: zone mpaoli.net/IN: transferred serial 1717468800
> Jun  4 01:47:15 linuxmafia named[15622]: transfer of 'mpaoli.net/IN' from 96.86.170.226#53: Transfer completed: 1 messages, 6 records, 546 bytes, 0.064 secs (8531 bytes/sec)
> Jun  4 02:00:09 linuxmafia named[15622]: zone mpaoli.net/IN: Transfer started.
> Jun  4 02:00:09 linuxmafia named[15622]: transfer of 'mpaoli.net/IN' from 96.86.170.226#53: connected using 96.95.217.99#57758
> Jun  4 02:00:09 linuxmafia named[15622]: zone mpaoli.net/IN: transferred serial 1717491608
> Jun  4 02:00:09 linuxmafia named[15622]: transfer of 'mpaoli.net/IN' from 96.86.170.226#53: Transfer completed: 1 messages, 15 records, 1266 bytes, 0.072 secs (17583 bytes/sec)
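As an added example (not part of the original message, and not code from the linuxmafia.com or BALUG systems), here is Python detection logic that scans a secondary's named log for a primary that keeps sending NOTIFY without a new serial, which is the symptom described above. The sample log lines are constructed for this example and modelled on BIND 9's "notify from ... serial N" / "zone is up to date" messages; the count and spacing thresholds are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime
# BIND 9 secondary-side NOTIFY lines (format assumed from BIND 9 logs):
#   "... notify from A#P: serial N"  /  "... notify from A#P: zone is up to date"
NOTIFY_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ named\[\d+\]: "
    r"zone (?P<zone>\S+): notify from (?P<src>[^#\s]+)#\d+: "
    r"(?:serial (?P<serial>\d+)|zone is up to date)$"
)

# Constructed sample, not real linuxmafia.com log data: a primary poking
# the secondary every ~91 s with nothing new, plus a normal zone update.
SAMPLE_LOG = """\
Jun  4 01:47:10 linuxmafia named[15622]: zone mpaoli.net/IN: notify from 96.86.170.226#53: serial 1717468800
Jun  4 01:47:15 linuxmafia named[15622]: zone mpaoli.net/IN: Transfer started.
Jun  4 01:48:41 linuxmafia named[15622]: zone mpaoli.net/IN: notify from 96.86.170.226#53: zone is up to date
Jun  4 01:50:12 linuxmafia named[15622]: zone mpaoli.net/IN: notify from 96.86.170.226#53: zone is up to date
Jun  4 01:51:43 linuxmafia named[15622]: zone mpaoli.net/IN: notify from 96.86.170.226#53: zone is up to date
Jun  4 01:53:14 linuxmafia named[15622]: zone mpaoli.net/IN: notify from 96.86.170.226#53: zone is up to date
Jun  4 01:55:00 linuxmafia named[15622]: zone sflug.com/IN: notify from 96.86.170.229#53: serial 1716775812
Jun  4 08:55:00 linuxmafia named[15622]: zone sflug.com/IN: notify from 96.86.170.229#53: serial 1716775813
""".splitlines()

def parse_notifies(lines, year=2024):
    """Return [(timestamp, zone, source, serial-or-None)] for NOTIFY lines only."""
    events = []
    for m in filter(None, map(NOTIFY_RE.match, lines)):  # non-NOTIFY lines are skipped
        stamp = " ".join(m["ts"].split())  # collapse syslog's space-padded day
        ts = datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")
        events.append((ts, m["zone"], m["src"], m["serial"]))
    return events

def excess_notifies(lines, min_count=3, max_mean_gap_s=300):
    """Flag (zone, source) pairs sending NOTIFY repeatedly with no serial change:
    >= min_count notifies, at most one distinct serial, mean gap <= max_mean_gap_s."""
    groups = defaultdict(list)
    for ts, zone, src, serial in parse_notifies(lines):
        groups[(zone, src)].append((ts, serial))
    report = {}
    for key, evs in groups.items():
        evs.sort()
        serials = {s for _, s in evs if s is not None}
        if len(evs) < min_count or len(serials) > 1:
            continue  # a genuine update burst changes the serial; leave it alone
        mean_gap = (evs[-1][0] - evs[0][0]).total_seconds() / (len(evs) - 1)
        if mean_gap <= max_mean_gap_s:
            report[key] = {"count": len(evs), "mean_gap_s": round(mean_gap, 1),
                           "serial": serials.pop() if serials else None}
    return report
```

Feed it `open("/var/log/syslog")` (or the named log file) instead of SAMPLE_LOG to check a live secondary; a flagged pair whose serial never moves points at the primary's configuration rather than at a real zone change.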