Re: [RESOLVED] Conflicting glue records?

2009-01-10 Thread Milo Hyson
Problem solved. After passing this information on to the proper
personnel, the domain has been modified to once again use
self-referential name-servers. The glue-records were modified as a result.


Thanks to all who assisted. :)

--
Milo Hyson
Chief Scientist
CyberLife Labs


On Jan 8, 2009, at 05:21, Milo Hyson wrote:

We have a working hypothesis. It appears that glue-records are set  
only when one configures a self-referential domain (e.g. example.com  
--> ns.example.com), and they're only deleted if one explicitly asks  
the registrar to do so.


In our particular case, it seems when the domain in question was
moved to the new ISP, not only did the name-server IPs get changed
at the registrar but so did the names. Previously they were
self-referential, but now they are pointing to servers in another domain
(i.e. example.com --> ns.myisp.com). I'll bet anything that the
person who made the change didn't ask the registrar to delete the
old glue-records.


--
Milo Hyson
Chief Scientist
CyberLife Labs


On Jan 8, 2009, at 03:33, Milo Hyson wrote:

I would think that any server-name should be permissible for any
domain. However, the IP should only be used in the case of a
self-referential entry (your first case).

Is there any legitimate reason for someone to give an IP for a
name-server that differs from the authoritative source? That is, if the
authoritative name-server for myisp.com resolves ns1.myisp.com to
1.2.3.4, is there any valid reason for someone to register
example.com with a name-server of ns1.myisp.com and an IP of 4.5.6.7?


--
Milo Hyson
Chief Scientist
CyberLife Labs


On Jan 8, 2009, at 03:15, Matus UHLAR - fantomas wrote:

If I register example.com, it's OK to register _anything_.example.com
as glue. However, registering _anything_.example.net should not be
accepted.


I wonder how it is possible that anyone accepts that.

___
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users



Re: Conflicting glue records?

2009-01-08 Thread Milo Hyson
We have a working hypothesis. It appears that glue-records are set
only when one configures a self-referential domain (e.g. example.com
--> ns.example.com), and they're only deleted if one explicitly asks
the registrar to do so.


In our particular case, it seems when the domain in question was moved  
to the new ISP, not only did the name-server IPs get changed at the  
registrar but so did the names. Previously they were self-referential,  
but now they are pointing to servers in another domain (i.e.  
example.com --> ns.myisp.com). I'll bet anything that the person who  
made the change didn't ask the registrar to delete the old glue-records.


--
Milo Hyson
Chief Scientist
CyberLife Labs


On Jan 8, 2009, at 03:33, Milo Hyson wrote:

I would think that any server-name should be permissible for any
domain. However, the IP should only be used in the case of a
self-referential entry (your first case).

Is there any legitimate reason for someone to give an IP for a
name-server that differs from the authoritative source? That is, if the
authoritative name-server for myisp.com resolves ns1.myisp.com to
1.2.3.4, is there any valid reason for someone to register
example.com with a name-server of ns1.myisp.com and an IP of 4.5.6.7?


--
Milo Hyson
Chief Scientist
CyberLife Labs


On Jan 8, 2009, at 03:15, Matus UHLAR - fantomas wrote:

If I register example.com, it's OK to register _anything_.example.com
as glue. However, registering _anything_.example.net should not be
accepted.


I wonder how it is possible that anyone accepts that.


Re: Conflicting glue records?

2009-01-08 Thread Milo Hyson
I would think that any server-name should be permissible for any
domain. However, the IP should only be used in the case of a
self-referential entry (your first case).

Is there any legitimate reason for someone to give an IP for a
name-server that differs from the authoritative source? That is, if the
authoritative name-server for myisp.com resolves ns1.myisp.com to
1.2.3.4, is there any valid reason for someone to register example.com
with a name-server of ns1.myisp.com and an IP of 4.5.6.7?


--
Milo Hyson
Chief Scientist
CyberLife Labs


On Jan 8, 2009, at 03:15, Matus UHLAR - fantomas wrote:

If I register example.com, it's OK to register _anything_.example.com
as glue. However, registering _anything_.example.net should not be
accepted.


I wonder how it is possible that anyone accepts that.

Re: Conflicting glue records?

2009-01-08 Thread Milo Hyson
In our particular case, we have stale glue records for our
name-servers that appear to be coming from a domain we host that is owned
by someone else. Despite our best efforts, we have not been able to
reach the owners and thus have not been able to get the host records
changed at the registrar. The net result is that any domains listing
those server names fail to resolve as the old IPs are no longer in
service.


This raises a scary question. If this is really an undefined  
situation, could it be used as an attack vector? Although our  
particular situation involves no component of fraud, what is to stop  
someone from registering a domain and listing our server name with a  
bogus IP?


--
Milo Hyson
Chief Scientist
CyberLife Labs


On Jan 7, 2009, at 23:57, Doug Barton wrote:


Milo Hyson wrote:
If different registrars contain different host records for the same
name server, what glue records are established in the root servers?
Suppose two domains at different registrars both list ns1.mydomain.com
as a nameserver but each gives a different IP. Are the results undefined?


I'm not sure what the theoretically "correct" way for the reg*'s to
resolve this is, but in practice you're right, the results are
undefined. If these are all hosts and records that you control, the
short answer is, "be careful not to do that."

If you've run into a situation where a hostname for a domain you now
control has stale glue your best point of contact is your registrar
for com/net/org/info/biz/us.


hth,

Doug




Conflicting glue records?

2009-01-07 Thread Milo Hyson
If different registrars contain different host records for the same  
name server, what glue records are established in the root servers?  
Suppose two domains at different registrars both list ns1.mydomain.com  
as a nameserver but each gives a different IP. Are the results  
undefined? Is there some rule that is followed to resolve the conflict?


--
Milo Hyson
Chief Scientist
CyberLife Labs



Re: Stuck glue records in the GTLD servers??

2008-12-15 Thread Milo Hyson
Thanks for the tip. I've asked those with the proper authority to  
verify the registrar's records.


I must admit that I find it unusual that this needs to be done. In my  
experience, the glue records automatically change when a domain's name  
servers are altered. However, I have never worked with this particular  
registrar before, so perhaps they do things differently. Regardless,  
thanks again. :)


--
Milo Hyson
Chief Scientist
CyberLife Labs


On Dec 15, 2008, at 16:05, Mark Andrews wrote:



You need to contact the registrar for netdentalcare.com and
update the HOST record for ns.netdentalcare.com to have the
new address record.  This changes what GLUE is published
in the COM zone.

Mark
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: mark_andr...@isc.org




Re: Stuck glue records in the GTLD servers??

2008-12-15 Thread Milo Hyson

They've been changed for days:

> ns.netdentalcare.com.
Server: ns1.idaserver.com.
Address:207.178.132.75#53


QUESTIONS:
ns.netdentalcare.com, type = A, class = IN
ANSWERS:
->  ns.netdentalcare.com
internet address = 207.178.132.75
AUTHORITY RECORDS:
ADDITIONAL RECORDS:

Name:   ns.netdentalcare.com
Address: 207.178.132.75

--
Milo Hyson
Chief Scientist
CyberLife Labs


On Dec 15, 2008, at 15:43, Mark Andrews wrote:


You need to update the HOST records for the nameservers.



Re: Stuck glue records in the GTLD servers??

2008-12-15 Thread Milo Hyson
Absolutely. Note the listed authoritative servers in the snippet I  
included. Those are the new ones.


--
Milo Hyson
Chief Scientist
CyberLife Labs

On Dec 15, 2008, at 15:40, David Ford wrote:


did you update the ns records with your registrar?

Milo Hyson wrote:
I'm seeing what looks like a stuck glue record in the GTLD servers and
I'm hoping I've just overlooked something simple. There are several
domains which list the following as their nameservers:





Stuck glue records in the GTLD servers??

2008-12-15 Thread Milo Hyson
I'm seeing what looks like a stuck glue record in the GTLD servers and  
I'm hoping I've just overlooked something simple. There are several  
domains which list the following as their nameservers:


ns.netdentalcare.com
ns2.netdentalcare.com

The zone for these (netdentalcare.com) was moved to a new ISP several  
days ago. The new servers are properly resolving the names and the old  
servers no longer are. Unfortunately, nobody can seem to resolve these  
names unless they directly ask the new servers. Upon investigation, I  
discovered the GTLD servers seem to be holding onto a stale glue  
record for the zone's prior server:


> ns.netdentalcare.com.
Server: h.gtld-servers.net.
Address:192.54.112.30#53


QUESTIONS:
ns.netdentalcare.com, type = A, class = IN
ANSWERS:
->  ns.netdentalcare.com
internet address = 64.84.39.197
AUTHORITY RECORDS:
->  netdentalcare.com
nameserver = ns1.idaserver.com.
->  netdentalcare.com
nameserver = ns2.idaserver.com.
ADDITIONAL RECORDS:
->  ns1.idaserver.com
internet address = 207.178.132.75
->  ns2.idaserver.com
internet address = 207.178.132.76

Non-authoritative answer:
Name:   ns.netdentalcare.com
Address: 64.84.39.197

I assumed this would have timed out after two days, but it hasn't.
Nobody is resolving the name to that address anymore. I checked the
old zone file to ensure it didn't have a long TTL and it didn't
(86,400 seconds).


If anybody has any insight into this issue it would be greatly  
appreciated.


--
Milo Hyson
Chief Scientist
CyberLife Labs
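
The comparison this thread converges on, as an added example (not code from any poster or from BIND): audit what the parent zone publishes against what the zone's own servers answer, flagging host records left behind after a delegation moved and addresses that no longer match. The record text is constructed in dig's presentation format from the names and addresses quoted in the thread; the TTLs, function names and finding labels are assumptions.

```python
# Added example: audit a parent-zone referral for stale or orphaned glue.
# Record text is constructed in dig's presentation format; names and addresses
# are the ones quoted in the thread, TTLs are assumed.
PARENT_REFERRAL = """\
netdentalcare.com.     172800 IN NS ns1.idaserver.com.
netdentalcare.com.     172800 IN NS ns2.idaserver.com.
ns.netdentalcare.com.  172800 IN A  64.84.39.197
ns1.idaserver.com.     172800 IN A  207.178.132.75
"""
AUTHORITATIVE = """\
ns.netdentalcare.com.  86400 IN A 207.178.132.75
"""

def parse(text):
    """Return (NS targets by zone, A addresses by host) from 'name ttl IN type rdata' lines."""
    ns, a = {}, {}
    for line in text.splitlines():
        f = line.split()
        if len(f) != 5 or f[2] != "IN":
            continue
        name, rtype, rdata = f[0].lower().rstrip("."), f[3], f[4].lower().rstrip(".")
        if rtype in ("NS", "A"):
            (ns if rtype == "NS" else a).setdefault(name, set()).add(rdata)
    return ns, a

def in_bailiwick(host, zone):
    """True when host is the zone apex or a name below it (label-aligned match)."""
    return host == zone or host.endswith("." + zone)

def audit(zone, parent_text, auth_text):
    """Compare what the parent publishes with what the zone's own servers answer."""
    ns, parent_a = parse(parent_text)
    _, auth_a = parse(auth_text)
    delegated = ns.get(zone, set())
    findings = []
    for host, addrs in sorted(parent_a.items()):
        # Host record left behind after the delegation moved to other names.
        if in_bailiwick(host, zone) and host not in delegated:
            findings.append((host, "orphan-host-record"))
        # Parent address disagrees with the authoritative answer.
        if host in auth_a and addrs != auth_a[host]:
            findings.append((host, "stale-address"))
    for host in sorted(delegated):
        # An in-zone name server cannot be reached without glue.
        if in_bailiwick(host, zone) and host not in parent_a:
            findings.append((host, "missing-glue"))
    return findings

if __name__ == "__main__":
    for host, issue in audit("netdentalcare.com", PARENT_REFERRAL, AUTHORITATIVE):
        print(f"{host}: {issue}")
```

Against live data, the two inputs would come from a non-recursive query to a parent-zone server and a query to one of the zone's listed name servers.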
