Recently I found myself migrating a system to a new data centre. During testing, a user realized that their process for submitting data was not working.
Although the website itself worked, the submission to an ASP link over HTTPS kept returning errors that the specified file could not be found.
After quite a bit of time, the root cause was traced down to DNS. I had missed an early, fundamental question: whether or not they used the hosts file on the system they were submitting from. As it turned out, there was a typo in the domain name entered into the hosts file!
What ultimately led us back to that (we had been reassured earlier that this was not the problem and that the link was fine) was using Network Monitor to watch the SSL handshake.
The following link provided a nice rundown showing the mechanisms on a Windows Server:
http://support.microsoft.com/kb/257587
It was in the packet details that I realized that not only was the site certificate being sent, but the parent Certificate Authority certificate was being sent as well. The sending of the parent CA only happens when the connecting client does not trust the initial website SSL certificate. This can happen for any number of reasons, such as out-of-date revocation lists, CA updates not applied, or, in my experience here, a typo in the LM Hosts file.
So, wait a minute, why didn't it just use DNS? Well, the DNS specification in RFC 1034/1035 (I forget which) has a DNS client follow a very specific method of resolving a name to an IP address:
1) The client checks the local hosts file
2) The client checks its local memory cache
3) The client queries a DNS server (a second one if there is no response); the client may also try to query a root server at this point, depending on configuration and on the definition of a DNS client
4) The client waits for a response
So why does the hosts file get looked at first and not the local cache? This is because of the history of DNS. Before hierarchical querying was established, ALL of the internet's DNS was held in a hosts file. Once this became unmanageable, DNS in its current incarnation (more or less) was formed.
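To make the lookup order above concrete, here is an added example (not code from the original post) that emulates a stub resolver walking hosts file, then local cache, then DNS server, and that audits a hosts file for near-miss names of the kind that caused the outage described here. The hosts file content, the hostnames and the fake DNS answers are constructed sample data; the `FAKE_DNS` table stands in for a real server.

```python
"""Emulate the resolver order described above (hosts file, then local cache,
then a DNS server) and audit a hosts file for near-miss hostname typos.

Added example with constructed sample data; not part of the original post."""
import difflib
import re
from typing import Callable, Dict, List, Optional, Tuple

# Constructed sample hosts file. The last entry carries a one-letter typo in
# the domain ("exmaple"), so it never matches the name the application uses.
SAMPLE_HOSTS = """\
# comment lines and blank lines are ignored
127.0.0.1   localhost
10.1.2.3    portal.example.com portal
10.1.2.4    submissions.exmaple.com
"""

# Constructed stand-in for what a DNS server would answer.
FAKE_DNS: Dict[str, str] = {
    "portal.example.com": "10.1.2.3",
    "submissions.example.com": "10.1.2.4",
}


def parse_hosts(text: str) -> Dict[str, str]:
    """Map every hostname and alias in a hosts file to its IP address."""
    table: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and whitespace
        if not line:
            continue
        ip, *names = re.split(r"\s+", line)
        for name in names:
            table[name.lower()] = ip
    return table


def resolve(name: str, hosts: Dict[str, str], cache: Dict[str, str],
            dns_lookup: Callable[[str], Optional[str]]) -> Tuple[Optional[str], str]:
    """Return (ip, source) following the order in the post:
    1) hosts file, 2) local cache, 3) DNS server."""
    name = name.lower().rstrip(".")
    if name in hosts:
        return hosts[name], "hosts"
    if name in cache:
        return cache[name], "cache"
    answer = dns_lookup(name)
    if answer is not None:
        cache[name] = answer  # a positive answer is cached for the next lookup
        return answer, "dns"
    return None, "nxdomain"


def find_hosts_typos(hosts: Dict[str, str], expected_names,
                     cutoff: float = 0.8) -> List[Tuple[str, str]]:
    """Flag hosts-file names that are not an expected name but look like one.
    Such an entry is never consulted for the real name, so the override it was
    meant to provide silently does nothing and the lookup falls through to DNS."""
    expected = {n.lower() for n in expected_names}
    findings: List[Tuple[str, str]] = []
    for name in hosts:
        if name in expected:
            continue
        close = difflib.get_close_matches(name, expected, n=1, cutoff=cutoff)
        if close:
            findings.append((name, close[0]))
    return findings


if __name__ == "__main__":
    hosts = parse_hosts(SAMPLE_HOSTS)
    cache: Dict[str, str] = {}
    for target in ("portal.example.com", "submissions.example.com",
                   "submissions.example.com"):
        print(target, "->", resolve(target, hosts, cache, FAKE_DNS.get))
    for bad, meant in find_hosts_typos(hosts, FAKE_DNS):
        print(f"hosts entry '{bad}' looks like a typo of '{meant}'")
```

Running the script shows the portal name answered from the hosts file, the submissions name falling through to DNS (because the hosts entry is misspelled) and then being served from cache, and the audit flagging the misspelled entry. When a hosts entry was meant to redirect traffic, a silent fall-through like this is exactly the symptom to check for before investigating certificates.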