Saku Ytti saku at ytti.fi
Wed Mar 22 14:10:53 UTC 2023

On Wed, 22 Mar 2023 at 16:04, Alexander Huynh via NANOG <nanog at nanog.org> wrote:

> I'll take this feedback to our developers.

Many thanks.

> I took a look at the above tickets, and it seems that one of the egress
> ranges from that datacenter cannot connect to the authoritative
> nameservers of `www.moi.gov.cy`: `ns01.gov.cy` and `ns02.gov.cy`.
> Here's a redacted pcap for those who like details, showing no response:
>      IP a.b.c.d.56552 > 51873+ [1au] A? www.moi.gov.cy. (55)
>      IP a.b.c.d.51718 > 31021+ [1au] A? www.moi.gov.cy. (55)
> TCP behaves similarly.

The recursor response suggests a loop, so a network problem is highly likely.

> I'm filing an internal ticket right now to investigate, but I'd
> appreciate if you could also help us on your end for any possible
> solutions regarding this connectivity failure.

Sure, you might also want to look into nlnog ring, which allows a
broad perspective to issues.

> As a general note regarding the two community posts: the straight deep
> dive into technical information makes it more difficult for others to
> interpret the request. As you said in a later post here:

This is a very difficult subject. How to get help. If I had made it
more generic, we could refute it as it doesn't contain needed
information. If I made it longer we could refute that it's not terse
enough. However we submit it, we can argue it wasn't the right way.
As seen in the original post, I fully appreciate almost every single
case about is incorrect and user error. But I proposed a
mechanism to by-pass community forums and reach people who are able to
help and understand. If there is disagreement in, and then let humans analyse it. The ticket volume would be
trivial, if we look at community forums and see how many
complaints would bypass this filter.

> Not everyone in the Community Forum (nor our company) can pull out the
> specific datacenter used, the specific machine(s) used, and the source
> ASN from the `my.ip.fi` curl.

I gave the specific unicast ID for the DNS server in addition to my
IP. I cannot glean any other information.

I don't think we can fairly fault either of the cases in the community
forum. We must fault the process itself and look for ways to improve.
