DNS problems and UUNET?
Michael Bilow
mike at bilow.com
Fri Jan 19 16:13:57 EST 2001
Your DNS is merely conventionally desynchronized. The root servers say:
; <<>> DiG 8.2 <<>> -t itworld.com. @a.root-servers.net
; (1 server found)
;; res options: init recurs defnam dnsrch
;; got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 6
;; flags: qr rd; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 2
;; QUERY SECTION:
;; itworld.com, type = NS, class = IN
;; ANSWER SECTION:
itworld.com. 2D IN NS SOL.ITWPUB1.COM.
itworld.com. 2D IN NS FUSION5.ITWPUB1.COM.
;; ADDITIONAL SECTION:
SOL.ITWPUB1.COM. 2D IN A 199.105.191.14
FUSION5.ITWPUB1.COM. 2D IN A 199.105.191.75
;; Total query time: 25 msec
;; FROM: colossus to SERVER: a.root-servers.net 198.41.0.4
;; WHEN: Fri Jan 19 15:53:14 2001
;; MSG SIZE sent: 29 rcvd: 112
Querying the first one of these listed shows that it does not have an NS
record referring to itself:
; <<>> DiG 8.2 <<>> -t itworld.com. @199.105.191.14
; (1 server found)
;; res options: init recurs defnam dnsrch
;; got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 6
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 5, AUTHORITY: 0, ADDITIONAL: 5
;; QUERY SECTION:
;; itworld.com, type = NS, class = IN
;; ANSWER SECTION:
itworld.com. 1D IN NS ns.itworld.com.
itworld.com. 1D IN NS ns1.itworld.com.
itworld.com. 1D IN NS ns2.itworld.com.
itworld.com. 1D IN NS bor.itworld.com.
itworld.com. 1D IN NS orvieto.itworld.com.
;; ADDITIONAL SECTION:
ns.itworld.com. 1H IN A 199.105.191.137
ns1.itworld.com. 1H IN A 128.11.47.65
ns2.itworld.com. 1H IN A 206.204.84.2
bor.itworld.com. 1H IN A 208.184.36.147
orvieto.itworld.com. 1H IN A 199.105.191.75
;; Total query time: 43 msec
;; FROM: colossus to SERVER: 199.105.191.14
;; WHEN: Fri Jan 19 15:53:40 2001
;; MSG SIZE sent: 29 rcvd: 202
The second server listed with the root servers sends the same information,
but it does have an NS record referring to itself:
; <<>> DiG 8.2 <<>> -t itworld.com. @199.105.191.75
; (1 server found)
;; res options: init recurs defnam dnsrch
;; got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 6
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 5, AUTHORITY: 0, ADDITIONAL: 5
;; QUERY SECTION:
;; itworld.com, type = NS, class = IN
;; ANSWER SECTION:
itworld.com. 1D IN NS bor.itworld.com.
itworld.com. 1D IN NS orvieto.itworld.com.
itworld.com. 1D IN NS ns.itworld.com.
itworld.com. 1D IN NS ns1.itworld.com.
itworld.com. 1D IN NS ns2.itworld.com.
;; ADDITIONAL SECTION:
bor.itworld.com. 1H IN A 208.184.36.147
orvieto.itworld.com. 1H IN A 199.105.191.75
ns.itworld.com. 1H IN A 199.105.191.137
ns1.itworld.com. 1H IN A 128.11.47.65
ns2.itworld.com. 1H IN A 206.204.84.2
;; Total query time: 48 msec
;; FROM: colossus to SERVER: 199.105.191.75
;; WHEN: Fri Jan 19 15:57:03 2001
;; MSG SIZE sent: 29 rcvd: 202
Now, one might think this is harmless, but in fact there is a very subtle
clue: the TTL on the NS records is 1 day, but the TTL on the A records is
1 hour. What is the effect?
I want to know something, say the MX, for the domain ITWORLD.COM. So I,
knowing nothing about anything, ask the root servers. They give me two
non-authoritative NS records and glue A records for the IP addresses of
those two NS machines. I query one of those two NS machines, and I get my
answer. It also gives me the five NS records authoritatively. All good.
Now, two hours later, I decide to ask a related question. I discover that
I have five NS records which came with the authoritative answer (AA) flag
set, so I have them in cache. But! I have no IP addresses for those
servers listed with NS records, since those A records were expired from
the cache an hour ago. I don't ask the root servers again, because I know
the NS records from my cache. I can't ask the listed NS servers, because
I don't know how to reach them.
Result: deadlock.
-- Mike
On 2001-01-19 at 15:20 -0500, John Abreau wrote:
> I'm starting to get some heat over some DNS problems at ITworld.com. Many
> of our people use mindspring to dial in, and mindspring's DNS servers
> aren't resolving our domain. I've checked our master DNS server, and
> everything seems fine there. I can't think of anything else to check.
>
> A few people suggested that the problem might be related to a recent
> outage at UUNET, but my boss wants some hard evidence to show his boss,
> and as far as his boss is concerned, what I've passed on so far is just
> vague speculation.
>
> Who else has been having these problems? Can anyone identify specifically
> what's been happening, or at least help to prove (or disprove) that the
> problem is widespread? If I can point my boss to a specific trouble-ticket
> describing the problem, that would be ideal. Or if nothing else, maybe a
> sufficiently large set of anecdotes of others having troubles this week
> would be of some help.
>
> For what it's worth, our ISP is CERFnet; I'm not sure how CERFnet relates
> to UUNET, but maybe it will prove relevant.
>
> Thanks.
>
> --
> John Abreau / Executive Director, Boston Linux & Unix
> ICQ#28611923 / AIM abreauj / Email jabr at blu.org
-
Subcription/unsubscription/info requests: send e-mail with
"subscribe", "unsubscribe", or "info" on the first line of the
message body to discuss-request at blu.org (Subject line is ignored).
More information about the Discuss
mailing list