Re: Dig shows wrong ip
On Aug 3 2009, JINMEI Tatuya / 神明達哉 wrote:

> At 03 Aug 2009 11:52:10 +0100, Chris Thompson c...@cam.ac.uk wrote:
>
>> will believe this answer (and cache it). This would only be proper
>> behaviour if the *.gtld-servers.net were slaving (possibly stealth
>> slaving) potomacnetworks.com - which of course they aren't, but how
>> is the poor recursive nameserver to know that?
>
> By seeing the aa bit of the response. We're aware of this problem and
> have a patch to fix the behavior at the resolver side. The fix will
> (hopefully) appear in next release versions of BIND9.

That will work nicely for the *.gtld-servers.net nameservers, but there
are others out there with even worse properties. I am thinking, for
example, of {a,b,c,d}.gtld.pro. To be honest, I don't know whether they
promote glue to answer, but like the *.gtld-servers.net lot they
certainly promote the delegation NS records to answer, and unlike those
they mark their responses as authoritative. Compare

$ dig +nocmd +nostats +norec ns advocaat.pro @a.gtld.pro
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 60662
;; flags: qr aa; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;advocaat.pro.                  IN      NS

;; ANSWER SECTION:
advocaat.pro.           14400   IN      NS      a.xtld.cz.
advocaat.pro.           14400   IN      NS      a.xtld.se.
advocaat.pro.           14400   IN      NS      b.xtld.cz.
advocaat.pro.           14400   IN      NS      b.xtld.se.

with

$ dig +nocmd +nostats +norec ns stanford.edu @a.gtld-servers.net
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 21908
;; flags: qr; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 4

;; QUESTION SECTION:
;stanford.edu.                  IN      NS

;; ANSWER SECTION:
stanford.edu.           172800  IN      NS      aerathea.stanford.edu.
stanford.edu.           172800  IN      NS      argus.stanford.edu.
stanford.edu.           172800  IN      NS      atalante.stanford.edu.
stanford.edu.           172800  IN      NS      avallone.stanford.edu.

;; ADDITIONAL SECTION:
aerathea.stanford.edu.  172800  IN      A       152.3.104.250
argus.stanford.edu.     172800  IN      A       171.64.7.115
atalante.stanford.edu.  172800  IN      A       171.64.7.61
avallone.stanford.edu.  172800  IN      A       171.64.7.88

and with the correct behavior

$ dig +nocmd +nostats +norec ns ac.uk @ns1.nic.uk
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 2597
;; flags: qr; QUERY: 1, ANSWER: 0, AUTHORITY: 7, ADDITIONAL: 0

;; QUESTION SECTION:
;ac.uk.                         IN      NS

;; AUTHORITY SECTION:
ac.uk.                  172800  IN      NS      ns.uu.net.
ac.uk.                  172800  IN      NS      ws-fra1.win-ip.dfn.de.
ac.uk.                  172800  IN      NS      ns0.ja.net.
ac.uk.                  172800  IN      NS      ns3.ja.net.
ac.uk.                  172800  IN      NS      sunic.sunet.se.
ac.uk.                  172800  IN      NS      ns2.ja.net.
ac.uk.                  172800  IN      NS      ns4.ja.net

--
Chris Thompson
Email: c...@cam.ac.uk
_______________________________________________
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
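To make the comparison in the message above concrete, here is an added example (not code from the thread, from ISC, or from BIND) that parses the fixed 12-byte DNS header with only the Python standard library and triages a +norec response the way the thread describes: a referral when the answer section is empty and the authority section carries NS records, otherwise an answer whose aa bit decides whether a resolver should trust it. The sample headers are constructed to match the flags and section counts of the three dig outputs; all function names are my own.

```python
import struct
from dataclasses import dataclass

# DNS header flag bits (RFC 1035, section 4.1.1).
QR = 0x8000  # message is a response
AA = 0x0400  # authoritative answer

@dataclass
class Header:
    msg_id: int
    flags: int
    qdcount: int
    ancount: int
    nscount: int
    arcount: int

def parse_header(wire: bytes) -> Header:
    """Parse the fixed 12-byte header at the front of a DNS message."""
    if len(wire) < 12:
        raise ValueError("truncated DNS header")
    return Header(*struct.unpack("!6H", wire[:12]))

def build_header(msg_id: int, flags: int, qd=1, an=0, ns=0, ar=0) -> bytes:
    """Pack a header; used here only to construct sample responses."""
    return struct.pack("!6H", msg_id, flags, qd, an, ns, ar)

def classify(h: Header) -> str:
    """Triage a response to a non-recursive (+norec) NS query."""
    if not h.flags & QR:
        return "not a response"
    if h.ancount == 0 and h.nscount > 0:
        return "referral"            # NS in authority, answer empty
    if h.ancount > 0 and h.flags & AA:
        return "authoritative answer"
    if h.ancount > 0:
        return "non-authoritative answer (delegation data promoted to answer)"
    return "empty response"

def trust_answer_section(h: Header) -> bool:
    """Resolver-side check from the thread: use a populated answer only with aa set."""
    return classify(h) == "authoritative answer"

# Constructed headers (no bodies) mirroring the flags and section counts
# of the three dig outputs quoted in the message above.
SAMPLES = {
    "a.gtld.pro advocaat.pro": build_header(60662, QR | AA, an=4),
    "a.gtld-servers.net stanford.edu": build_header(21908, QR, an=4, ar=4),
    "ns1.nic.uk ac.uk": build_header(2597, QR, ns=7),
}
```

The a.gtld.pro sample passes the aa check, which is exactly the point made above: a resolver-side test on the aa bit catches the *.gtld-servers.net behaviour but not a server that marks promoted delegation data as authoritative.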
Re: Dig shows wrong ip
On Aug 3 2009, Danny Mayer wrote:

> Chris Thompson wrote:
> [...]
>> You are misinterpreting what I said. Of course erroneous glue needs
>> to be corrected. But there is no need for the servers to return IP
>> addresses provided for glue as an *answer* to a query, as the
>> *.gtld-servers.net ones do, rather than giving a proper referral.
>> (At least their answers are not marked authoritative, unlike those
>> from some other nameservers.)
>
> It needs to be part of the answer if the nameserver is in the same
> domain as the FQDN, otherwise it won't know where to go for the
> answers. That's the point of the glue.

It needs to be part of the *response*, not part of the *answer*
(section). In a referral, glue records appear in the additional section:
the answer section is empty.

When the *.gtld-servers.net servers are asked about
dns3.potomacnetworks.com (for example), they don't give a referral. They
give an answer based on what ought to be the glue record. This means
that if the NS records for potomacnetworks.com have not already been
cached, a recursive nameserver will believe this answer (and cache it).
This would only be proper behaviour if the *.gtld-servers.net were
slaving (possibly stealth slaving) potomacnetworks.com - which of course
they aren't, but how is the poor recursive nameserver to know that?

--
Chris Thompson
Email: c...@cam.ac.uk
Re: Dig shows wrong ip
At 03 Aug 2009 11:52:10 +0100, Chris Thompson c...@cam.ac.uk wrote:

> will believe this answer (and cache it). This would only be proper
> behaviour if the *.gtld-servers.net were slaving (possibly stealth
> slaving) potomacnetworks.com - which of course they aren't, but how
> is the poor recursive nameserver to know that?

By seeing the aa bit of the response. We're aware of this problem and
have a patch to fix the behavior at the resolver side. The fix will
(hopefully) appear in next release versions of BIND9.

---
JINMEI, Tatuya
Internet Systems Consortium, Inc.
Re: Dig shows wrong ip
On Tue, Jul 28, 2009 at 09:05:44PM +0100, Chris Thompson c...@cam.ac.uk
wrote a message of 24 lines which said:

> This is the wretched glue promoted to answer bug (we can call it a bug
> by now, surely?) which we are assured that the GTLD servers will be
> cured of this year, next year, sometime, or ...

Not all the GTLD servers, only .com and .net.
Re: Dig shows wrong ip
Chris Thompson wrote:
> On Jul 28 2009, sth...@nethelp.no wrote:
>
>> % dig +short a dns3.potomacnetworks.com @a.gtld-servers.net
>> 216.250.243.230
>>
>> As long as that host record exists, with an IP different from what
>> your authoritative servers reply with, you are going to have
>> problems, because queries will be answered by the GTLD servers and
>> not your own authoritative servers.
>
> This is the wretched glue promoted to answer bug (we can call it a bug
> by now, surely?) which we are assured that the GTLD servers will be
> cured of this year, next year, sometime, or ...
>
> ... well, they will have to fix it before they can roll out DNSSEC,
> won't they?

No. The OP always needs to notify the Registrar of their domain when the
address of any of their nameservers changes. That has always been a
requirement.

Danny
Dig shows wrong ip
Hi,

I recently migrated our old DNS servers to new hardware and BIND 9.6
installations. One domain is exhibiting some strangeness,
dns3.potomacnetworks.com. Our main DNS servers are authoritative for
this subdomain and it should point to 216.250.231.11; however, the whole
world sees it pointing to 216.250.243.230. Digs against our DNS servers
show the correct information. I'm stumped, please help me.

Thanks,
Brad
Re: Dig shows wrong ip
> I recently migrated our old DNS servers to new hardware and BIND 9.6
> installations. One domain is exhibiting some strangeness,
> dns3.potomacnetworks.com. Our main DNS servers are authoritative for
> this subdomain and it should point to 216.250.231.11; however, the
> whole world sees it pointing to 216.250.243.230. Digs against our DNS
> servers show the correct information. I'm stumped, please help me.

Here's your 216.250.243.230 address:

% whois dns3.potomacnetworks.com

Whois Server Version 2.0

Domain names in the .com and .net domains can now be registered
with many different competing registrars. Go to http://www.internic.net
for detailed information.

   Server Name: DNS3.POTOMACNETWORKS.COM
   IP Address: 216.250.243.230
   Registrar: REGISTER.COM, INC.
   Whois Server: whois.register.com
   Referral URL: http://www.register.com

So - the GTLD-servers know about this host, and will return it when
asked about A for dns3.potomacnetworks.com.

Steinar Haug, Nethelp consulting, sth...@nethelp.no
Re: Dig shows wrong ip
>> Here's your 216.250.243.230 address:
>>
>> % whois dns3.potomacnetworks.com
>>
>> Whois Server Version 2.0
>>
>> Domain names in the .com and .net domains can now be registered
>> with many different competing registrars. Go to http://www.internic.net
>> for detailed information.
>>
>>    Server Name: DNS3.POTOMACNETWORKS.COM
>>    IP Address: 216.250.243.230
>>    Registrar: REGISTER.COM, INC.
>>    Whois Server: whois.register.com
>>    Referral URL: http://www.register.com
>>
>> So - the GTLD-servers know about this host, and will return it when
>> asked about A for dns3.potomacnetworks.com.
>>
>> Steinar Haug, Nethelp consulting, sth...@nethelp.no
>
> My DNS servers are authoritative for the domain potomacnetworks.com,
> and contain an A record for the dns3 subdomain which should point it
> to a different address, 216.250.231.11. Are you saying the problem is
> with a GTLD server? Thanks!

Yes:

% dig +short a dns3.potomacnetworks.com @a.gtld-servers.net
216.250.243.230

As long as that host record exists, with an IP different from what your
authoritative servers reply with, you are going to have problems,
because queries will be answered by the GTLD servers and not your own
authoritative servers.

Steinar Haug, Nethelp consulting, sth...@nethelp.no
Re: Dig shows wrong ip
On Tue, Jul 28, 2009 at 3:00 PM, sth...@nethelp.no wrote:

>>> Here's your 216.250.243.230 address:
>>>
>>> % whois dns3.potomacnetworks.com
>>>
>>> Whois Server Version 2.0
>>>
>>> Domain names in the .com and .net domains can now be registered
>>> with many different competing registrars. Go to http://www.internic.net
>>> for detailed information.
>>>
>>>    Server Name: DNS3.POTOMACNETWORKS.COM
>>>    IP Address: 216.250.243.230
>>>    Registrar: REGISTER.COM, INC.
>>>    Whois Server: whois.register.com
>>>    Referral URL: http://www.register.com
>>>
>>> So - the GTLD-servers know about this host, and will return it when
>>> asked about A for dns3.potomacnetworks.com.
>>>
>>> Steinar Haug, Nethelp consulting, sth...@nethelp.no
>>
>> My DNS servers are authoritative for the domain potomacnetworks.com,
>> and contain an A record for the dns3 subdomain which should point it
>> to a different address, 216.250.231.11. Are you saying the problem is
>> with a GTLD server? Thanks!
>
> Yes:
>
> % dig +short a dns3.potomacnetworks.com @a.gtld-servers.net
> 216.250.243.230
>
> As long as that host record exists, with an IP different from what
> your authoritative servers reply with, you are going to have problems,
> because queries will be answered by the GTLD servers and not your own
> authoritative servers.
>
> Steinar Haug, Nethelp consulting, sth...@nethelp.no

Ahh, thank you, my brain understands now... :^ )
Re: Dig shows wrong ip
On Jul 28 2009, sth...@nethelp.no wrote:

> % dig +short a dns3.potomacnetworks.com @a.gtld-servers.net
> 216.250.243.230
>
> As long as that host record exists, with an IP different from what
> your authoritative servers reply with, you are going to have problems,
> because queries will be answered by the GTLD servers and not your own
> authoritative servers.

This is the wretched glue promoted to answer bug (we can call it a bug
by now, surely?) which we are assured that the GTLD servers will be
cured of this year, next year, sometime, or ...

... well, they will have to fix it before they can roll out DNSSEC,
won't they?

--
Chris Thompson
Email: c...@cam.ac.uk