Bad NS records??

Barry Margolin barmar at genuity.net
Fri Jul 20 12:47:55 UTC 2001


In article <9j96f2$mi9 at pub3.rc.vix.com>,
Martin Köhling  <mk at lw1.cc-computer.de> wrote:
>; <<>> DiG 8.2 <<>> balius.com @NS1.AMOTKEN.com. +norecurse ns
>; (1 server found)
>;; res options: init defnam dnsrch
>;; got answer:
>;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 50414
>;; flags: qr aa ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 2
>;; QUERY SECTION:
>;;      balius.com, type = NS, class = IN
>
>;; ANSWER SECTION:
>balius.com.             4w2d IN NS      ns1.balius.com.
>balius.com.             4w2d IN NS      ns2.balius.com.
>
>;; ADDITIONAL SECTION:
>ns1.balius.com.         1D IN A         24.24.63.86
>ns2.balius.com.         1D IN A         24.24.63.87
>
>Obviously, the NS records do not match (even though they
>point to the same address) - is this the problem?

It's part of the problem.

Since these nameservers are in the domain, glue records are needed in the
parent domain.  But since the parent delegates to servers in a different
domain, it doesn't have these glue records.

>When I dump our local named database, I find this:
>
>balius  21324   IN      NS      ns2.balius.com. ;Cr=auth [24.24.63.86]
>        21324   IN      NS      ns1.balius.com. ;Cr=auth [24.24.63.86]
>
>OK, so the NS records on NS1.AMOTKEN.com have a *much* higher TTL
>than their corresponding A records; both get cached locally, and
>at some point the A record times out.
>
>But what happens next when (e.g.) a query for east.balius.com
>arrives?
>
>Does named query the root servers for balius.com, receive some
>NS records (NS1/2.AMOTKEN.com) and immediately discards them
>because the answer is not authoritative (and the cached data
>*is*)?

Actually, it queries the root servers for the A record ns1.balius.com or
ns2.balius.com.  Since it doesn't have them it will return the NS records,
but they'll be ignored because the answer is not authoritative.

>Or is the problem something else?
>
>(BTW: I just restarted the local nameserver, and the problem
>went away; but I suspect it will return in regular intervals... :-()

For 29 out of every 30 days, approximately.

>
>Any comments? *IS* this a configuration problem of balius.com?
>Can I do anything about it except to mail the zone admin (which
>I will do if I'm sure I know what's going on...)

Yes, it's their configuration problem.  They should change the NS records
to match what's in the root servers.  Or they should at least change the
TTLs so that the NS and A records time out at the same time.  However, the
latter isn't totally reliable because they could be cached at different
times.

-- 
Barry Margolin, barmar at genuity.net
Genuity, Burlington, MA
*** DON'T SEND TECHNICAL QUESTIONS DIRECTLY TO ME, post them to newsgroups.
Please DON'T copy followups to me -- I'll assume it wasn't posted to the group.
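
The following Python code is an added example, not part of the original post or of BIND: it audits the records from the quoted dig answer for the faults the reply names (child NS set differing from the parent's, in-zone name servers the parent cannot hold glue for, and address records that expire before their NS records). The function names are hypothetical, and the parent-side set is an assumed expansion of the thread's "NS1/2.AMOTKEN.com" into two host names.

```python
import re

# Records copied from the dig answer quoted in the thread (the child zone's view).
CHILD_ANSWER = """\
balius.com.             4w2d IN NS      ns1.balius.com.
balius.com.             4w2d IN NS      ns2.balius.com.
ns1.balius.com.         1D IN A         24.24.63.86
ns2.balius.com.         1D IN A         24.24.63.87
"""
# Parent-side delegation; assumed expansion of the thread's "NS1/2.AMOTKEN.com".
PARENT_NS = {"ns1.amotken.com.", "ns2.amotken.com."}
UNITS = {"w": 604800, "d": 86400, "h": 3600, "m": 60, "s": 1}

def ttl_seconds(text):
    """Convert a BIND-style TTL such as '4w2d', '1D' or '21324' to seconds."""
    if text.isdigit():
        return int(text)
    parts = re.findall(r"(\d+)([wdhms])", text.lower())
    if not parts or "".join(n + u for n, u in parts) != text.lower():
        raise ValueError(f"bad TTL: {text!r}")
    return sum(int(n) * UNITS[u] for n, u in parts)

def parse_records(text):
    """Yield (owner, ttl_seconds, type, rdata) from 'owner ttl IN type rdata' lines."""
    for line in text.splitlines():
        fields = line.split()
        if len(fields) == 5 and fields[2].upper() == "IN":
            owner, ttl, _, rtype, rdata = fields
            yield owner.lower(), ttl_seconds(ttl), rtype.upper(), rdata.lower()

def audit_delegation(zone, child_text, parent_ns):
    """Return a list of findings for the delegation faults discussed in the thread."""
    zone, parent = zone.lower(), {n.lower() for n in parent_ns}
    records = list(parse_records(child_text))
    child_ns = {r[3]: r[1] for r in records if r[2] == "NS" and r[0] == zone}
    addr_ttl = {r[0]: r[1] for r in records if r[2] == "A"}
    findings = []
    if set(child_ns) != parent:
        findings.append(("ns-mismatch", sorted(child_ns), sorted(parent)))
    for ns, ns_ttl in sorted(child_ns.items()):
        in_zone = ns == zone or ns.endswith("." + zone)
        if in_zone and ns not in parent:  # parent does not delegate to it, so no glue
            findings.append(("no-parent-glue", ns))
        if ns in addr_ttl and addr_ttl[ns] < ns_ttl:  # seconds the NS outlives its A
            findings.append(("address-expires-first", ns, ns_ttl - addr_ttl[ns]))
    return findings

if __name__ == "__main__":
    for finding in audit_delegation("balius.com.", CHILD_ANSWER, PARENT_NS):
        print(finding)
```

The gap reported for each server is 2505600 seconds, which is 29 days out of the 30-day NS TTL.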

