Your DNS is merely conventionally desynchronized. The root servers say:

; <<>> DiG 8.2 <<>> -t itworld.com. @a.root-servers.net
; (1 server found)
;; res options: init recurs defnam dnsrch
;; got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 6
;; flags: qr rd; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 2
;; QUERY SECTION:
;;      itworld.com, type = NS, class = IN

;; ANSWER SECTION:
itworld.com.            2D IN NS        SOL.ITWPUB1.COM.
itworld.com.            2D IN NS        FUSION5.ITWPUB1.COM.

;; ADDITIONAL SECTION:
SOL.ITWPUB1.COM.        2D IN A         199.105.191.14
FUSION5.ITWPUB1.COM.    2D IN A         199.105.191.75

;; Total query time: 25 msec
;; FROM: colossus to SERVER: a.root-servers.net 198.41.0.4
;; WHEN: Fri Jan 19 15:53:14 2001
;; MSG SIZE sent: 29 rcvd: 112

Querying the first one of these listed shows that it does not have an
NS record referring to itself:

; <<>> DiG 8.2 <<>> -t itworld.com. @199.105.191.14
; (1 server found)
;; res options: init recurs defnam dnsrch
;; got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 6
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 5, AUTHORITY: 0, ADDITIONAL: 5
;; QUERY SECTION:
;;      itworld.com, type = NS, class = IN

;; ANSWER SECTION:
itworld.com.            1D IN NS        ns.itworld.com.
itworld.com.            1D IN NS        ns1.itworld.com.
itworld.com.            1D IN NS        ns2.itworld.com.
itworld.com.            1D IN NS        bor.itworld.com.
itworld.com.            1D IN NS        orvieto.itworld.com.

;; ADDITIONAL SECTION:
ns.itworld.com.         1H IN A         199.105.191.137
ns1.itworld.com.        1H IN A         128.11.47.65
ns2.itworld.com.        1H IN A         206.204.84.2
bor.itworld.com.        1H IN A         208.184.36.147
orvieto.itworld.com.    1H IN A         199.105.191.75

;; Total query time: 43 msec
;; FROM: colossus to SERVER: 199.105.191.14
;; WHEN: Fri Jan 19 15:53:40 2001
;; MSG SIZE sent: 29 rcvd: 202

The second server listed with the root servers sends the same
information, but it does have an NS record referring to itself:

; <<>> DiG 8.2 <<>> -t itworld.com. @199.105.191.75
; (1 server found)
;; res options: init recurs defnam dnsrch
;; got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 6
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 5, AUTHORITY: 0, ADDITIONAL: 5
;; QUERY SECTION:
;;      itworld.com, type = NS, class = IN

;; ANSWER SECTION:
itworld.com.            1D IN NS        bor.itworld.com.
itworld.com.            1D IN NS        orvieto.itworld.com.
itworld.com.            1D IN NS        ns.itworld.com.
itworld.com.            1D IN NS        ns1.itworld.com.
itworld.com.            1D IN NS        ns2.itworld.com.

;; ADDITIONAL SECTION:
bor.itworld.com.        1H IN A         208.184.36.147
orvieto.itworld.com.    1H IN A         199.105.191.75
ns.itworld.com.         1H IN A         199.105.191.137
ns1.itworld.com.        1H IN A         128.11.47.65
ns2.itworld.com.        1H IN A         206.204.84.2

;; Total query time: 48 msec
;; FROM: colossus to SERVER: 199.105.191.75
;; WHEN: Fri Jan 19 15:57:03 2001
;; MSG SIZE sent: 29 rcvd: 202

Now, one might think this is harmless, but in fact there is a very
subtle clue: the TTL on the NS records is 1 day, but the TTL on the A
records is 1 hour.

What is the effect? I want to know something, say the MX, for the
domain ITWORLD.COM. So I, knowing nothing about anything, ask the root
servers. They give me two non-authoritative NS records and glue A
records for the IP addresses of those two NS machines. I query one of
those two NS machines, and I get my answer. It also gives me the five
NS records authoritatively. All good.

Now, two hours later, I decide to ask a related question. I discover
that I have five NS records which came with the authoritative answer
(AA) flag set, so I have them in cache. But! I have no IP addresses for
those servers listed with NS records, since those A records were
expired from the cache an hour ago. I don't ask the root servers again,
because I know the NS records from my cache. I can't ask the listed NS
servers, because I don't know how to reach them. Result: deadlock.

-- Mike

On 2001-01-19 at 15:20 -0500, John Abreau wrote:

> I'm starting to get some heat over some DNS problems at ITworld.com. Many
> of our people use mindspring to dial in, and mindspring's DNS servers
> aren't resolving our domain. I've checked our master DNS server, and
> everything seems fine there. I can't think of anything else to check.
>
> A few people suggested that the problem might be related to a recent
> outage at UUNET, but my boss wants some hard evidence to show his boss,
> and as far as his boss is concerned, what I've passed on so far is just
> vague speculation.
>
> Who else has been having these problems? Can anyone identify specifically
> what's been happening, or at least help to prove (or disprove) that the
> problem is widespread? If I can point my boss to a specific trouble-ticket
> describing the problem, that would be ideal. Or if nothing else, maybe a
> sufficiently large set of anecdotes of others having troubles this week
> would be of some help.
>
> For what it's worth, our ISP is CERFnet; I'm not sure how CERFnet relates
> to UUNET, but maybe it will prove relevant.
>
> Thanks.
>
> --
> John Abreau / Executive Director, Boston Linux & Unix
> ICQ#28611923 / AIM abreauj / Email jabr at blu.org

-
Subscription/unsubscription/info requests: send e-mail with
"subscribe", "unsubscribe", or "info" on the first line of the
message body to discuss-request at blu.org (Subject line is ignored).
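
The check described in the message above, as an added example that is not part of the original post: it compares the NS names the parent hands out with the NS set the zone serves, flags every NS record that outlives its address record, and lists which name servers a cache can still name but no longer reach after a given time. The records are copied from the dig output in the message; the function names are assumptions made for this illustration.

```python
import re

UNITS = {"S": 1, "M": 60, "H": 3600, "D": 86400, "W": 604800}
# Records copied from the dig output in the message above.
PARENT = """itworld.com. 2D IN NS SOL.ITWPUB1.COM.
itworld.com. 2D IN NS FUSION5.ITWPUB1.COM."""
CHILD = """itworld.com. 1D IN NS ns.itworld.com.
itworld.com. 1D IN NS ns1.itworld.com.
itworld.com. 1D IN NS ns2.itworld.com.
itworld.com. 1D IN NS bor.itworld.com.
itworld.com. 1D IN NS orvieto.itworld.com.
ns.itworld.com. 1H IN A 199.105.191.137
ns1.itworld.com. 1H IN A 128.11.47.65
ns2.itworld.com. 1H IN A 206.204.84.2
bor.itworld.com. 1H IN A 208.184.36.147
orvieto.itworld.com. 1H IN A 199.105.191.75"""

def ttl_seconds(ttl):
    # BIND-style TTL: plain seconds ("3600") or unit form ("1D", "1H30M").
    pairs = re.findall(r"(\d+)([SMHDW])", ttl, re.I)
    return int(ttl) if ttl.isdigit() else sum(int(n) * UNITS[u.upper()] for n, u in pairs)

def parse_records(text):
    # Keep "name TTL IN TYPE rdata" lines; skip dig's ';' comment lines.
    rows = (line.split() for line in text.splitlines() if not line.startswith(";"))
    return [(f[0].lower(), ttl_seconds(f[1]), f[3], f[4].lower())
            for f in rows if len(f) == 5 and f[2] == "IN"]

def audit(parent_text, child_text):
    # Delegation NS names vs. the zone's own NS set, then NS/address TTL gaps.
    child = parse_records(child_text)
    parent_ns = {r[3] for r in parse_records(parent_text) if r[2] == "NS"}
    child_ns = {r[3]: r[1] for r in child if r[2] == "NS"}
    addr_ttl = {r[0]: r[1] for r in child if r[2] == "A"}
    findings = []
    if parent_ns != set(child_ns):
        findings.append(("ns-set-mismatch", sorted(parent_ns), sorted(child_ns)))
    for ns, ns_ttl in sorted(child_ns.items()):
        if ns in addr_ttl and addr_ttl[ns] < ns_ttl:
            findings.append(("address-expires-first", ns, ns_ttl - addr_ttl[ns]))
    return findings

def stranded_at(child_text, elapsed):
    # NS names a cache still holds after `elapsed` seconds but can no longer reach.
    recs = parse_records(child_text)
    addr = {r[0]: r[1] for r in recs if r[2] == "A"}
    return sorted(r[3] for r in recs if r[2] == "NS" and r[1] > elapsed
                  and r[3] in addr and addr[r[3]] <= elapsed)
```

Calling `audit(PARENT, CHILD)` returns the findings as tuples, and `stranded_at(CHILD, 2 * 3600)` reproduces the "two hours later" case from the message.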