Re: Dig shows wrong ip

2009-08-04 Thread Chris Thompson

On Aug 3 2009, JINMEI Tatuya / 神明達哉 wrote:

> At 03 Aug 2009 11:52:10 +0100,
> Chris Thompson c...@cam.ac.uk wrote:
>
>> will believe this answer (and cache it). This would only be proper
>> behaviour if the *.gtld-servers.net were slaving (possibly stealth slaving)
>> potomacnetworks.com - which of course they aren't, but how is the poor
>> recursive nameserver to know that?
>
> By seeing the aa bit of the response.  We're aware of this problem and
> have a patch to fix the behavior at the resolver side.  The fix will
> (hopefully) appear in next release versions of BIND9.

That will work nicely for the *.gtld-servers.net nameservers, but there
are others out there with even worse properties. I am thinking, for
example, of {a,b,c,d}.gtld.pro. To be honest, I don't know whether they
promote glue to answer, but like the *.gtld-servers.net lot they
certainly promote the delegation NS records to answer, and unlike
those they mark their responses as authoritative. Compare

$ dig +nocmd +nostats +norec ns advocaat.pro @a.gtld.pro
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 60662
;; flags: qr aa; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;advocaat.pro.  IN  NS

;; ANSWER SECTION:
advocaat.pro.   14400   IN  NS  a.xtld.cz.
advocaat.pro.   14400   IN  NS  a.xtld.se.
advocaat.pro.   14400   IN  NS  b.xtld.cz.
advocaat.pro.   14400   IN  NS  b.xtld.se.

with

$ dig +nocmd +nostats +norec ns stanford.edu  @a.gtld-servers.net
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 21908
;; flags: qr; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 4

;; QUESTION SECTION:
;stanford.edu.  IN  NS

;; ANSWER SECTION:
stanford.edu.   172800  IN  NS  aerathea.stanford.edu.
stanford.edu.   172800  IN  NS  argus.stanford.edu.
stanford.edu.   172800  IN  NS  atalante.stanford.edu.
stanford.edu.   172800  IN  NS  avallone.stanford.edu.

;; ADDITIONAL SECTION:
aerathea.stanford.edu.  172800  IN  A   152.3.104.250
argus.stanford.edu. 172800  IN  A   171.64.7.115
atalante.stanford.edu.  172800  IN  A   171.64.7.61
avallone.stanford.edu.  172800  IN  A   171.64.7.88

and with the correct behavior

$ dig +nocmd +nostats +norec ns ac.uk @ns1.nic.uk
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 2597
;; flags: qr; QUERY: 1, ANSWER: 0, AUTHORITY: 7, ADDITIONAL: 0

;; QUESTION SECTION:
;ac.uk. IN  NS

;; AUTHORITY SECTION:
ac.uk.  172800  IN  NS  ns.uu.net.
ac.uk.  172800  IN  NS  ws-fra1.win-ip.dfn.de.
ac.uk.  172800  IN  NS  ns0.ja.net.
ac.uk.  172800  IN  NS  ns3.ja.net.
ac.uk.  172800  IN  NS  sunic.sunet.se.
ac.uk.  172800  IN  NS  ns2.ja.net.
ac.uk.  172800  IN  NS  ns4.ja.net.

--
Chris Thompson
Email: c...@cam.ac.uk
___
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
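As an added illustration, not code from the thread or from ISC: a small Python script that rebuilds the three responses compared above in wire format and classifies each the way a cautious resolver would (proper referral, authoritative answer, non-authoritative answer), plus a check for a parent-side host record that disagrees with the child zone, which is the dns3.potomacnetworks.com situation from the start of the thread. The record data is copied from the dig and whois output in the thread; the message builder, the message ids and the TTLs on the two dns3 responses are assumptions made here.

```python
import socket
import struct

# Record data below is taken from the dig output and the whois/dig lines in
# this thread; the message ids, the builder and the checks are constructed here.

TYPE_A, TYPE_NS = 1, 2
FLAG_QR, FLAG_AA = 0x8000, 0x0400


def encode_name(name):
    """Encode a dotted name as uncompressed DNS labels."""
    labels = [l for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"


def build_response(qname, qtype, flags, answer, authority, additional):
    """Build a minimal DNS response in wire format (constructed test data)."""
    msg = struct.pack("!HHHHHH", 0x1234, FLAG_QR | flags, 1,
                      len(answer), len(authority), len(additional))
    msg += encode_name(qname) + struct.pack("!HH", qtype, 1)
    for owner, rtype, ttl, rdata in answer + authority + additional:
        msg += encode_name(owner) + struct.pack("!HHIH", rtype, 1, ttl, len(rdata)) + rdata
    return msg


def read_name(msg, off):
    """Decode a name at offset, following RFC 1035 compression pointers."""
    labels = []
    while True:
        n = msg[off]
        if n == 0:
            return ".".join(labels) + ".", off + 1
        if n & 0xC0 == 0xC0:
            ptr = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            tail, _ = read_name(msg, ptr)
            return ".".join(labels + [tail.rstrip(".")]) + ".", off + 2
        labels.append(msg[off + 1:off + 1 + n].decode())
        off += 1 + n


def parse_response(msg):
    """Return the aa flag and the three record sections of a response."""
    _, flags, qd, an, au, ad = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        _, off = read_name(msg, off)
        off += 4  # skip qtype and qclass
    parsed = {"aa": bool(flags & FLAG_AA)}
    for key, count in (("answer", an), ("authority", au), ("additional", ad)):
        rrs = []
        for _ in range(count):
            owner, off = read_name(msg, off)
            rtype, _, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
            off += 10
            rrs.append((owner, rtype, ttl, msg[off:off + rdlen]))
            off += rdlen
        parsed[key] = rrs
    return parsed


def classify(msg):
    """Tell a proper referral apart from the two kinds of promoted answer."""
    r = parse_response(msg)
    if not r["answer"] and any(rr[1] == TYPE_NS for rr in r["authority"]):
        return "referral"
    if r["answer"]:
        return "authoritative answer" if r["aa"] else "non-authoritative answer"
    return "other"


def glue_mismatch(parent_msg, child_msg):
    """Names whose A record from the parent differs from the child's authoritative one."""
    parent, child = parse_response(parent_msg), parse_response(child_msg)
    child_a = {(o, d) for o, t, _, d in child["answer"] if t == TYPE_A}
    return sorted(o for o, t, _, d in parent["answer"] + parent["additional"]
                  if t == TYPE_A and (o, d) not in child_a)


def ns(owner, ttl, target):
    return (owner, TYPE_NS, ttl, encode_name(target))


def a(owner, ttl, addr):
    return (owner, TYPE_A, ttl, socket.inet_aton(addr))


# a.gtld.pro: delegation NS records promoted to answer, and marked aa.
ADVOCAAT_PRO = build_response("advocaat.pro", TYPE_NS, FLAG_AA,
    [ns("advocaat.pro", 14400, t) for t in ("a.xtld.cz", "a.xtld.se", "b.xtld.cz", "b.xtld.se")], [], [])

# a.gtld-servers.net: NS promoted to answer, glue in additional, no aa.
STANFORD_HOSTS = (("aerathea", "152.3.104.250"), ("argus", "171.64.7.115"),
                  ("atalante", "171.64.7.61"), ("avallone", "171.64.7.88"))
STANFORD_EDU = build_response("stanford.edu", TYPE_NS, 0,
    [ns("stanford.edu", 172800, h + ".stanford.edu") for h, _ in STANFORD_HOSTS], [],
    [a(h + ".stanford.edu", 172800, ip) for h, ip in STANFORD_HOSTS])

# ns1.nic.uk: the correct behaviour, an empty answer and NS in authority.
AC_UK = build_response("ac.uk", TYPE_NS, 0, [],
    [ns("ac.uk", 172800, t) for t in ("ns.uu.net", "ws-fra1.win-ip.dfn.de", "ns0.ja.net",
                                      "ns3.ja.net", "sunic.sunet.se", "ns2.ja.net", "ns4.ja.net")], [])

# The stale host record from the start of the thread: what a.gtld-servers.net
# hands out for dns3.potomacnetworks.com versus what the zone's own servers say
# (addresses from the thread; the TTLs 172800 and 3600 are assumed here).
GTLD_DNS3 = build_response("dns3.potomacnetworks.com", TYPE_A, 0,
    [a("dns3.potomacnetworks.com", 172800, "216.250.243.230")], [], [])
AUTH_DNS3 = build_response("dns3.potomacnetworks.com", TYPE_A, FLAG_AA,
    [a("dns3.potomacnetworks.com", 3600, "216.250.231.11")], [], [])
```

Run `classify` on the three messages and it returns "authoritative answer" for the a.gtld.pro response, "non-authoritative answer" for the a.gtld-servers.net one and "referral" for ns1.nic.uk, which is the point of the comparison above: the aa bit separates the first two cases from each other, but only the structural test (empty answer section with NS records in the authority section) identifies what a resolver should treat as a delegation. `glue_mismatch` is the operator-side check: run against the parent's and the child's responses it lists the names whose parent-side address no longer matches the zone, which is the registrar record that needs updating.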

Re: Dig shows wrong ip

2009-08-03 Thread Chris Thompson

On Aug 3 2009, Danny Mayer wrote:

> Chris Thompson wrote:
>
> [...]
>
>> You are misinterpreting what I said. Of course erroneous glue needs to be
>> corrected. But there is no need for the servers to return IP addresses
>> provided for glue as an *answer* to a query, as the *.gtld-servers.net ones
>> do, rather than giving a proper referral. (At least their answers are not
>> marked authoritative, unlike those from some other nameservers.)
>
> It needs to be part of the answer if the nameserver is in the same
> domain as the FQDN otherwise it won't know where to go for the answers.
> That's the point of the glue.

It needs to be part of the *response*, not part of the *answer* (section).
In a referral, glue records appear in the additional section: the answer
section is empty.

When the *.gtld-servers.net servers are asked about dns3.potomacnetworks.com
(for example), they don't give a referral. They give an answer based on
what ought to be the glue record. This means that if the NS records for
potomacnetworks.com have not already been cached, a recursive nameserver
will believe this answer (and cache it). This would only be proper
behaviour if the *.gtld-servers.net were slaving (possibly stealth slaving)
potomacnetworks.com - which of course they aren't, but how is the poor
recursive nameserver to know that?

--
Chris Thompson
Email: c...@cam.ac.uk

Re: Dig shows wrong ip

2009-08-03 Thread JINMEI Tatuya / 神明達哉
At 03 Aug 2009 11:52:10 +0100,
Chris Thompson c...@cam.ac.uk wrote:

> will believe this answer (and cache it). This would only be proper
> behaviour if the *.gtld-servers.net were slaving (possibly stealth slaving)
> potomacnetworks.com - which of course they aren't, but how is the poor
> recursive nameserver to know that?

By seeing the aa bit of the response.  We're aware of this problem and
have a patch to fix the behavior at the resolver side.  The fix will
(hopefully) appear in next release versions of BIND9.

---
JINMEI, Tatuya
Internet Systems Consortium, Inc.

Re: Dig shows wrong ip

2009-07-30 Thread Stephane Bortzmeyer
On Tue, Jul 28, 2009 at 09:05:44PM +0100,
 Chris Thompson c...@cam.ac.uk wrote 
 a message of 24 lines which said:

> This is the wretched glue promoted to answer bug (we can call it a
> bug by now, surely?) which we are assured that the GTLD servers will
> be cured of this year, next year, sometime, or ...

Not all the GTLD servers, only .com and .net.


Re: Dig shows wrong ip

2009-07-29 Thread Danny Mayer
Chris Thompson wrote:
> On Jul 28 2009, sth...@nethelp.no wrote:
>
>> % dig +short a dns3.potomacnetworks.com @a.gtld-servers.net
>> 216.250.243.230
>>
>> As long as that host record exists, with an IP different from what
>> your authoritative servers reply with, you are going to have problems,
>> because queries will be answered by the GTLD servers and not your own
>> authoritative servers.
>
> This is the wretched glue promoted to answer bug (we can call it a
> bug by now, surely?) which we are assured that the GTLD servers will
> be cured of this year, next year, sometime, or ...
>
> ... well, they will have to fix it before they can roll out DNSSEC,
> won't they?

No. The op always needs to notify the Registrar of their domain when the
address of any of their nameservers changes. That has always been a
requirement.

Danny


Dig shows wrong ip

2009-07-28 Thread Bradley Caricofe
Hi,

I recently migrated our old DNS servers to new hardware and BIND 9.6
installations. One domain is exhibiting some strangeness,
dns3.potomacnetworks.com. Our main DNS servers are authoritative for this
subdomain and it should point to 216.250.231.11, however, the whole world
sees it pointing to 216.250.243.230. Digs against our DNS servers show the
correct information. I'm stumped, please help me.

Thanks,
Brad

Re: Dig shows wrong ip

2009-07-28 Thread sthaug
> I recently migrated our old DNS servers to new hardware and BIND 9.6
> installations. One domain is exhibiting some strangeness,
> dns3.potomacnetworks.com. Our main DNS servers are authoritative for this
> subdomain and it should point to 216.250.231.11, however, the whole world
> sees it pointing to 216.250.243.230. Digs against our DNS servers show the
> correct information. I'm stumped, please help me.

Here's your 216.250.243.230 address:

% whois dns3.potomacnetworks.com

Whois Server Version 2.0

Domain names in the .com and .net domains can now be registered
with many different competing registrars. Go to
http://www.internic.net
for detailed information.

   Server Name: DNS3.POTOMACNETWORKS.COM
   IP Address: 216.250.243.230
   Registrar: REGISTER.COM, INC.
   Whois Server: whois.register.com
   Referral URL: http://www.register.com

So - the GTLD-servers know about this host, and will return it when
asked about A for dns3.potomacnetworks.com.

Steinar Haug, Nethelp consulting, sth...@nethelp.no

Re: Dig shows wrong ip

2009-07-28 Thread sthaug
>> Here's your 216.250.243.230 address:
>>
>> % whois dns3.potomacnetworks.com
>>
>> Whois Server Version 2.0
>>
>> Domain names in the .com and .net domains can now be registered
>> with many different competing registrars. Go to
>> http://www.internic.net
>> for detailed information.
>>
>>    Server Name: DNS3.POTOMACNETWORKS.COM
>>    IP Address: 216.250.243.230
>>    Registrar: REGISTER.COM, INC.
>>    Whois Server: whois.register.com
>>    Referral URL: http://www.register.com
>>
>> So - the GTLD-servers know about this host, and will return it when
>> asked about A for dns3.potomacnetworks.com.
>>
>> Steinar Haug, Nethelp consulting, sth...@nethelp.no
>
>
> My DNS servers are authoritative for the domain potomacnetworks.com, and
> contain an A record for the dns3 subdomain which should point it to a
> different address, 216.250.231.11. Are you saying the problem is with a GTLD
> server? Thanks!

Yes:

% dig +short a dns3.potomacnetworks.com @a.gtld-servers.net
216.250.243.230

As long as that host record exists, with an IP different from what
your authoritative servers reply with, you are going to have problems,
because queries will be answered by the GTLD servers and not your own
authoritative servers.

Steinar Haug, Nethelp consulting, sth...@nethelp.no

Re: Dig shows wrong ip

2009-07-28 Thread Bradley Caricofe
On Tue, Jul 28, 2009 at 3:00 PM, sth...@nethelp.no wrote:

>>> Here's your 216.250.243.230 address:
>>>
>>> % whois dns3.potomacnetworks.com
>>>
>>> Whois Server Version 2.0
>>>
>>> Domain names in the .com and .net domains can now be registered
>>> with many different competing registrars. Go to
>>> http://www.internic.net
>>> for detailed information.
>>>
>>>    Server Name: DNS3.POTOMACNETWORKS.COM
>>>    IP Address: 216.250.243.230
>>>    Registrar: REGISTER.COM, INC.
>>>    Whois Server: whois.register.com
>>>    Referral URL: http://www.register.com
>>>
>>> So - the GTLD-servers know about this host, and will return it when
>>> asked about A for dns3.potomacnetworks.com.
>>>
>>> Steinar Haug, Nethelp consulting, sth...@nethelp.no
>>
>>
>> My DNS servers are authoritative for the domain potomacnetworks.com, and
>> contain an A record for the dns3 subdomain which should point it to a
>> different address, 216.250.231.11. Are you saying the problem is with a
>> GTLD server? Thanks!
>
> Yes:
>
> % dig +short a dns3.potomacnetworks.com @a.gtld-servers.net
> 216.250.243.230
>
> As long as that host record exists, with an IP different from what
> your authoritative servers reply with, you are going to have problems,
> because queries will be answered by the GTLD servers and not your own
> authoritative servers.
>
> Steinar Haug, Nethelp consulting, sth...@nethelp.no


Ahh, thank you, my brain understands now... :^ )

Re: Dig shows wrong ip

2009-07-28 Thread Chris Thompson

On Jul 28 2009, sth...@nethelp.no wrote:

> % dig +short a dns3.potomacnetworks.com @a.gtld-servers.net
> 216.250.243.230
>
> As long as that host record exists, with an IP different from what
> your authoritative servers reply with, you are going to have problems,
> because queries will be answered by the GTLD servers and not your own
> authoritative servers.

This is the wretched glue promoted to answer bug (we can call it a
bug by now, surely?) which we are assured that the GTLD servers will
be cured of this year, next year, sometime, or ...

... well, they will have to fix it before they can roll out DNSSEC,
won't they?

--
Chris Thompson
Email: c...@cam.ac.uk