Debugging question

Kevin Darcy kcd at daimlerchrysler.com
Thu Aug 3 00:04:57 UTC 2000


Bill Moseley wrote:

> I was trying to send mail to ci.cerritos.ca.us, and my DNS was failing to
> look up the MX.  I was failing to connect to either listed name server (one
> had !H in a traceroute, and the other was just not responding).
>
> First, look up the names of their DNS servers:
> lii at mardy:~ > dig ci.cerritos.ca.us ns
> ;; ANSWER SECTION:
> ci.cerritos.ca.us.      14m11s IN NS    noc.cerf.net.
> ci.cerritos.ca.us.      14m11s IN NS    ns2.ci.cerritos.ca.us.
>
> Now try to get info from them:
> > dig ci.cerritos.ca.us @noc.cerf.net mx
> ;; res_nsend to server noc.cerf.net  192.153.156.22: Connection timed out
>
> > dig ci.cerritos.ca.us @ns2.ci.cerritos.ca.us mx
>
> ; <<>> DiG 8.2 <<>> ci.cerritos.ca.us @ns2.ci.cerritos.ca.us mx
> ;; res_nsend to server ns2.ci.cerritos.ca.us  192.6.4.2: Connection timed out
>
> Now the interesting thing was that mail was going to another domain that is
> hosted by ci.cerritos.ca.us - infopeople.org:
>
> > dig infopeople.org ns
>
> ;; ANSWER SECTION:
> infopeople.org.         23h58m34s IN NS  NOC.CERF.NET.
> infopeople.org.         23h58m34s IN NS  SMTP.CI.CERRITOS.CA.US.
>
> Ok now go back and try smtp.ci.cerritos.ca.us for ci.cerritos.ca.us and I
> get "aa" flag back, but note the NS RRs.
>
> > dig ci.cerritos.ca.us mx @smtp.ci.cerritos.ca.us
> ;; got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 6
> ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 3
> ;; QUERY SECTION:
> ;;      ci.cerritos.ca.us, type = MX, class = IN
>
> ;; ANSWER SECTION:
> ci.cerritos.ca.us.      1H IN MX        10 mail.ci.cerritos.ca.us.
>
> ;; AUTHORITY SECTION:
> ci.cerritos.ca.us.      1H IN NS        ns2.ci.cerritos.ca.us.
> ci.cerritos.ca.us.      1H IN NS        noc.cerf.net.
>
> So SMTP is authoritative but not listed as a NS.  Is this considered a
> stealth slave?  What's the point of running like this since
> SMTP.ci.cerritos.ca.us is advertised in other zones?

As the name suggests, maybe the main function of smtp.ci.cerritos.ca.us is mail
rather than DNS. For whatever reason, they're hosting infopeople.org on
smtp.ci.cerritos.ca.us, but maybe they'd rather not spend the cycles and
bandwidth hosting any other domains. Why make it a stealth slave then? Perhaps
the zone is small and rather static, so it's more efficient to be a slave than
to constantly query the authoritative servers (bearing in mind the 1-hour TTL).

I suppose the "proper" thing to do then would be for smtp.ci.cerritos.ca.us to
refuse external queries of ci.cerritos.ca.us names. Maybe their nameserver
doesn't have the capability to be so fine-grained.


- Kevin
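
The manual check from the quoted post, as an added example that is not part of the original thread: parse dig text output and flag a server that answers with the `aa` flag but is absent from the NS set it returns. The function names and classification labels are assumptions made for illustration; the sample is the dig output quoted in the post.

```python
import re

# dig 8.2 output quoted in the post (server queried: smtp.ci.cerritos.ca.us)
SAMPLE = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 6
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 3
;; QUERY SECTION:
;;      ci.cerritos.ca.us, type = MX, class = IN

;; ANSWER SECTION:
ci.cerritos.ca.us.      1H IN MX        10 mail.ci.cerritos.ca.us.

;; AUTHORITY SECTION:
ci.cerritos.ca.us.      1H IN NS        ns2.ci.cerritos.ca.us.
ci.cerritos.ca.us.      1H IN NS        noc.cerf.net.
"""

def norm(name):
    """Compare host names case-insensitively, ignoring the trailing dot."""
    return name.strip().rstrip(".").lower()

def parse_dig(text):
    """Return (header flags, {section name: set of NS targets})."""
    flags, section, ns = set(), None, {}
    for line in text.splitlines():
        m = re.match(r";; flags:\s*([a-z ]+);", line)
        if m:
            flags = set(m.group(1).split())
            continue
        m = re.match(r";; (\w+) SECTION:", line)
        if m:
            section = m.group(1)
            continue
        if line.startswith(";") or not line.strip():
            continue  # comment or blank line
        fields = line.split()  # owner, TTL, class, type, rdata...
        if len(fields) >= 5 and fields[3].upper() == "NS":
            ns.setdefault(section, set()).add(norm(fields[4]))
    return flags, ns

def classify(server, text):
    """Label the queried server using its own response (hypothetical labels)."""
    flags, ns = parse_dig(text)
    if "aa" not in flags:
        return "not-authoritative"
    listed = ns.get("ANSWER", set()) | ns.get("AUTHORITY", set())
    return "listed" if norm(server) in listed else "unlisted-authoritative"
```

Running `classify` against the response from each server that holds a copy of the zone shows which ones answer authoritatively without being advertised in the NS set.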




More information about the bind-users mailing list