After TCP connect succeeds, resolver gets stuck if the authoritative server doesn't send a reply
Currently the resolution of tipsport.cz A triggers this sometimes, so let's use it as an example.
There are 8 authoritative server addresses for tipsport.cz (4 NS names, each with an A and an AAAA record):
$ dig @a.ns.nic.cz tipsport.cz NS
[…]
;; QUESTION SECTION:
;tipsport.cz. IN NS
;; AUTHORITY SECTION:
tipsport.cz. 3600 IN NS ns1.tipsport.cz.
tipsport.cz. 3600 IN NS ns2.tipsport.cz.
tipsport.cz. 3600 IN NS ns3.tipsport.cz.
tipsport.cz. 3600 IN NS ns4.tipsport.cz.
;; ADDITIONAL SECTION:
ns1.tipsport.cz. 3600 IN A 195.39.239.11
ns1.tipsport.cz. 3600 IN AAAA 2001:678:320:0:f5::1
ns2.tipsport.cz. 3600 IN A 195.39.239.12
ns2.tipsport.cz. 3600 IN AAAA 2001:678:320:0:f5::2
ns3.tipsport.cz. 3600 IN A 195.39.239.13
ns3.tipsport.cz. 3600 IN AAAA 2001:678:320:0:f5::3
ns4.tipsport.cz. 3600 IN A 195.39.239.14
ns4.tipsport.cz. 3600 IN AAAA 2001:678:320:0:f5::4
None of the IPv6 addresses answer the query tipsport.cz A, but all of them accept a TCP connection.
The reply to tipsport.cz A is too big for UDP, so the working servers answer with TC=1.
So, if the resolver first picks one of the working servers, gets the TC bit, and then chooses one of the non-working addresses for the TCP retry, the TCP connection succeeds but no reply ever arrives. The request starves until the whole-request timer fires and the resolver answers SERVFAIL, even though other servers for the zone would have answered over TCP immediately:
[16708.11][iter] 'tipsport.cz.' type 'A' new uid was assigned .14, parent uid .00
[16708.14][slct] => id: '27900' choosing: 'ns4.tipsport.cz.'@'195.39.239.14#00053' with timeout 1600 ms zone cut: 'tipsport.cz.'
[16708.14][resl] => id: '27900' querying: 'ns4.tipsport.cz.'@'195.39.239.14#00053' zone cut: 'tipsport.cz.' qname: 'tIPSpOrt.cZ.' qtype: 'A' proto: 'udp'
[16708.14][slct] => id: '27900' updating: 'ns4.tipsport.cz.'@'195.39.239.14#00053' zone cut: 'tipsport.cz.' with rtt 14 to srtt: 14 and variance: 7
[16708.14][iter] <= answer received:
;; ->>HEADER<<- opcode: QUERY; status: NOERROR; id: 27900
;; Flags: qr aa tc QUERY: 1; ANSWER: 0; AUTHORITY: 0; ADDITIONAL: 1
;; EDNS PSEUDOSECTION:
;; Version: 0; flags: do; UDP size: 4096 B; ext-rcode: Unused
;; QUESTION SECTION
tipsport.cz. A
;; ADDITIONAL SECTION
[16708.14][iter] <= truncated response, failover to TCP
[16708.14][slct] => id: '27900' noting selection error: 'ns4.tipsport.cz.'@'195.39.239.14#00053' zone cut: 'tipsport.cz.' error: 12 TRUNCATED
[16708.14][iter] 'tipsport.cz.' type 'A' new uid was assigned .15, parent uid .00
[16708.15][slct] => id: '23152' choosing: 'ns4.tipsport.cz.'@'2001:678:320:0:f5::4#00053' with timeout 1600 ms zone cut: 'tipsport.cz.'
[16708.15][resl] => id: '23152' querying: 'ns4.tipsport.cz.'@'2001:678:320:0:f5::4#00053' zone cut: 'tipsport.cz.' qname: 'TipsPoRt.cz.' qtype: 'A' proto: 'tcp'
[16708.15][wrkr] => connecting to: '2001:678:320:0:f5::4#00053'
[wrkr]=> connected to '2001:678:320:0:f5::4#00053'
… long wait here, the whole request will timeout …
[16708.13][resl] AD: request NOT classified as SECURE
[16708.15][resl] finished in state: 8, queries: 3, mempool: 49200 B
[16708.00][dbg ] answer packet:
;; ->>HEADER<<- opcode: QUERY; status: SERVFAIL; id: 16708
;; Flags: qr rd ra QUERY: 1; ANSWER: 0; AUTHORITY: 0; ADDITIONAL: 1
;; EDNS PSEUDOSECTION:
;; Version: 0; flags: ; UDP size: 1232 B; ext-rcode: Unused
;; QUESTION SECTION
tipsport.cz. A
;; ADDITIONAL SECTION
[io] => closing connection to '2001:678:320:0:f5::4#00053'
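The starvation above, reproduced in a standalone script and contrasted with the behaviour a resolver needs: a per-server read timeout on the TCP fallback, so that a server that accepts the connection but stays silent is marked as failed and the next candidate is tried instead of the whole request waiting for the global timer. This is an added example, not Knot Resolver code: two constructed in-process servers on loopback stand in for an ns*.tipsport.cz IPv6 address (accepts TCP, never replies) and a working address (replies with a constructed minimal answer), and the candidate order mimics the log, silent server first.

```python
"""TCP fallback that does not starve on a silent authoritative server.

Added example (not from Knot Resolver). The two servers below are constructed
stand-ins for the behaviour described in the report; nothing is contacted on the
Internet.
"""
import asyncio
import random
import struct

QNAME = "tipsport.cz"


def build_query(qname, qtype=1, qid=None):
    """Minimal DNS query in wire format: header (RD=1) plus one question, no EDNS."""
    qid = random.randrange(0, 65536) if qid is None else qid
    header = struct.pack(">HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    labels = b"".join(bytes([len(l)]) + l.encode("ascii")
                      for l in qname.rstrip(".").split("."))
    return header + labels + b"\x00" + struct.pack(">HH", qtype, 1)


async def tcp_query(host, port, query, timeout):
    """One query over TCP (RFC 1035 two-byte length prefix).

    Returns the reply, or None when the server accepts the connection but
    sends nothing within `timeout` (the failure mode in the report)."""
    reader, writer = await asyncio.wait_for(asyncio.open_connection(host, port), timeout)
    try:
        writer.write(struct.pack(">H", len(query)) + query)
        await writer.drain()
        try:
            (length,) = struct.unpack(">H", await asyncio.wait_for(reader.readexactly(2), timeout))
            return await asyncio.wait_for(reader.readexactly(length), timeout)
        except (asyncio.TimeoutError, asyncio.IncompleteReadError):
            return None
    finally:
        writer.close()


async def resolve_tcp(servers, query, per_server_timeout):
    """Try candidates in order; a silent or unreachable one is noted and skipped.

    Returns (reply, list_of_failed_servers). Only a reply whose ID matches the
    query is accepted."""
    failed = []
    for host, port in servers:
        try:
            reply = await tcp_query(host, port, query, per_server_timeout)
        except (OSError, asyncio.TimeoutError):
            reply = None
        if reply is not None and reply[:2] == query[:2]:
            return reply, failed
        failed.append((host, port))
    return None, failed


async def silent_server(reader, writer):
    """Constructed stand-in for the IPv6 addresses: accepts TCP, reads the query, never answers."""
    await reader.read(512)      # consume the query
    await reader.read(1)        # returns b"" only once the client gives up and closes
    writer.close()


async def answering_server(reader, writer):
    """Constructed stand-in for a working server: echoes the question with QR|AA set, no records."""
    (n,) = struct.unpack(">H", await reader.readexactly(2))
    q = await reader.readexactly(n)
    reply = q[:2] + b"\x84\x00" + q[4:]   # keep ID and question, flags = QR,AA
    writer.write(struct.pack(">H", len(reply)) + reply)
    await writer.drain()
    writer.close()


async def _demo():
    silent = await asyncio.start_server(silent_server, "127.0.0.1", 0)
    good = await asyncio.start_server(answering_server, "127.0.0.1", 0)
    sp = silent.sockets[0].getsockname()[1]
    gp = good.sockets[0].getsockname()[1]
    # Same order as in the log: after TC=1 the silent address is chosen first.
    reply, failed = await resolve_tcp([("127.0.0.1", sp), ("127.0.0.1", gp)],
                                      build_query(QNAME), per_server_timeout=0.5)
    silent.close()
    good.close()
    await silent.wait_closed()
    await good.wait_closed()
    return reply, failed


def run_demo():
    """Returns (reply_bytes, failed_servers); the silent server ends up in failed_servers."""
    return asyncio.run(_demo())


if __name__ == "__main__":
    reply, failed = run_demo()
    print("failed (silent) servers:", failed)
    print("reply flags: 0x%02x%02x" % (reply[2], reply[3]))
```

Without the per-server timeout in `tcp_query` the first candidate would hang the coroutine exactly as in the log, and a single request-level timer would be the only thing to end it. The timeout value is a stand-in; a resolver would derive it from the server's measured RTT, as the `srtt` values in the log suggest.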