I worked with Chris on this outside of the list. Replying here just to close the loop in case anyone else was interested. This situation is explained in this Case Study: http://support.citrix.com/article/CTX117947 The key sentence being: "In NetScaler software release 7.0, when the DNS server looks up AAAA records, the response was “0” and errors “0”. However, in NetScaler software release 8.0, with standard response “0”, the NetScaler appliance sends the delegation records to root. " To summarize, if you don't have your NS records in place on the Netscalers, you will see a loop for AAAA queries (root>auth>netscaler>root....), eventually resulting in a SERVFAIL. Christopher Morrow wrote:
On Sat, Sep 27, 2008 at 3:12 AM, Robert Manning <riches@about.com> wrote:
Hey Chris, I'll reply to you off list.
awesome, thanks!
Thanks for the heads up.
-rjb
On 9/26/08 10:13 PM, "Christopher Morrow" <morrowc.lists@gmail.com> wrote:
Is there perhaps an about.com/nytimes.com admin around? I was wondering if they perhaps knew that their loadbalancer for www.nytimes.com is fairly broken wrt answering AAAA queries:
(who's NS for nytimes.com) dig NS nytimes.com +short ns1t.nytimes.com. nydns2.about.com. nydns1.about.com.
(who do they think is the NS for www.nytimes.com) dig www.nytimes.com @ns1t.nytimes.com. NS ;; QUESTION SECTION: ;www.nytimes.com. IN NS
;; AUTHORITY SECTION: www.nytimes.com. 60 IN NS nss1.sea1.nytimes.com. www.nytimes.com. 60 IN NS nss1.lga2.nytimes.com.
(what is the AAAA for www.nytimes.com ?? ) dig www.nytimes.com @nss1.sea1.nytimes.com. AAAA ;www.nytimes.com. IN AAAA
;; AUTHORITY SECTION: . 3600000 IN NS k.root-servers.net. . 3600000 IN NS l.root-servers.net. . 3600000 IN NS m.root-servers.net. . 3600000 IN NS a.root-servers.net. . 3600000 IN NS b.root-servers.net. . 3600000 IN NS c.root-servers.net. . 3600000 IN NS d.root-servers.net. . 3600000 IN NS e.root-servers.net. . 3600000 IN NS f.root-servers.net. . 3600000 IN NS g.root-servers.net. . 3600000 IN NS h.root-servers.net. . 3600000 IN NS i.root-servers.net. . 3600000 IN NS j.root-servers.net.
;; ADDITIONAL SECTION: k.root-servers.net. 3600000 IN A 193.0.14.129 l.root-servers.net. 3600000 IN A 198.32.64.12 m.root-servers.net. 3600000 IN A 202.12.27.33
;; Query time: 89 msec ;; SERVER: 170.149.172.35#53(170.149.172.35)
wha??? <ricky voice>Lucy, your loadbalancer is foobar'd</ricky voice>
In an effort to make v6 things work a tad better in this hostile world, could the NYTimes folks let us know what sort of LB that is? and why it wants to not be a good Intenet Citizen??
-Chris
-- -Brendan Cleary Senior Network Engineer NYTIMES.COM 212.556.8041