[Bug 1667] sshd slow connect with 'UseDNS yes'

Sat Oct 31 09:50:56 EST 2009

https://bugzilla.mindrot.org/show_bug.cgi?id=1667

--- Comment #8 from Darren Tucker <dtucker at zip.com.au> 2009-10-31 09:50:55 EST ---
(In reply to comment #5)
> Created an attachment (id=1716)
 --> (https://bugzilla.mindrot.org/attachment.cgi?id=1716) [details]
> pcap of one connection
> 
> pcap of one connection.  did not include disconnect.

I haven't gone through the other output yet but this seems suspicious. 
Go from the start:

03:37:12.425222 corvus.arc.nasa.gov.45215 > ns2.arc.nasa.gov.domain:
20988+ PTR? 139.109.232.143.in-addr.arpa. (46) (DF)
03:37:12.428942 ns2.arc.nasa.gov.domain > corvus.arc.nasa.gov.45215:
20988* 1/3/3 PTR flux.arc.nasa.gov. (179)

a reverse lookup of 143.232.109.139 (ipv4) and immediate response from
ns2.  Note the transaction ID "20988".

03:37:12.429217 corvus.arc.nasa.gov.44863 > ns2.arc.nasa.gov.domain:
55778+ A? flux.arc.nasa.gov. (35) (DF)
03:37:12.433199 ns2.arc.nasa.gov.domain > corvus.arc.nasa.gov.44863:
55778* 1/3/3 A flux.arc.nasa.gov (153)

A forward lookup of flux.arc.nasa.gov (ipv4).  Also answered
immediately by ns2.

03:37:15.155167 corvus.arc.nasa.gov.58329 > ns2.arc.nasa.gov.domain:
26977+ A? flux.arc.nasa.gov. (35) (DF)
03:37:15.155180 corvus.arc.nasa.gov.58329 > ns2.arc.nasa.gov.domain:
24837+ AAAA? flux.arc.nasa.gov. (35) (DF)

lookups of corvus.arc.nasa.gov for ipv4 (A) and ipv6 (AAAA) in
parallel.  no response, times out at 5sec.

03:37:20.154422 corvus.arc.nasa.gov.57585 > ns1.arc.nasa.gov.domain:
26977+ A? flux.arc.nasa.gov. (35) (DF)
03:37:20.154444 corvus.arc.nasa.gov.57585 > ns1.arc.nasa.gov.domain:
24837+ AAAA? flux.arc.nasa.gov. (35) (DF)
03:37:20.156796 ns1.arc.nasa.gov.domain > corvus.arc.nasa.gov.57585:
26977* 1/3/3 A flux.arc.nasa.gov (153)

retries the request on ns1, which responds only to the A (ipv4)
request.  this pattern is repeated later on ns2:

03:37:30.167249 corvus.arc.nasa.gov.57935 > ns2.arc.nasa.gov.domain:
39226+ A? flux.arc.nasa.gov. (35) (DF)
03:37:30.167283 corvus.arc.nasa.gov.57935 > ns2.arc.nasa.gov.domain:
59667+ AAAA? flux.arc.nasa.gov. (35) (DF)
03:37:30.170583 ns2.arc.nasa.gov.domain > corvus.arc.nasa.gov.57935:
39226* 1/3/3 A flux.arc.nasa.gov (153)
03:37:35.167403 corvus.arc.nasa.gov.57935 > ns2.arc.nasa.gov.domain:
39226+ A? flux.arc.nasa.gov. (35) (DF)

I susupect your nameservers are silently dropping AAAA lookups (this is
common enough that there's an RFC about it, RFC4074).  Try these:

host -t A flux.arc.nasa.gov. ns1.arc.nasa.gov.
host -t AAAA flux.arc.nasa.gov. ns1.arc.nasa.gov.
host -t A flux.arc.nasa.gov. ns2.arc.nasa.gov.
host -t AAAA flux.arc.nasa.gov. ns2.arc.nasa.gov.

-- 
Configure bugmail: https://bugzilla.mindrot.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are watching the assignee of the bug.
You are watching someone on the CC list of the bug.