remote lookup problem
Brad Knowles
brad.knowles at skynet.be
Mon Jul 23 08:32:47 UTC 2001
At 11:16 PM -0500 7/22/01, Joel Uckelman wrote:
> Sorry for the long message, but this has me stumped.
>
> I'm having some trouble doing remote lookups for one of my domains,
> ellipsis.cx. When I query my nameserver, charybdis.ellipsis.cx, everything
> seems to work fine:
>
> % dig @charybdis.ellipsis.cx scylla.ellipsis.cx any
>
> ; <<>> DiG 9.1.0 <<>> @charybdis.ellipsis.cx scylla.ellipsis.cx any

You need to update the version of BIND you are using -- 9.1.0 has
known bugs. I suggest that you update to 9.1.3-REL.

> But when I query any other server, e.g. ns1.ameritech.net, on the same
> thing the lookup fails. (Yet ns1.ameritech.net can still resolve
> ellipsis.cx and charybdis.ellipsis.cx with no trouble!)

Let's look at your domain with automated DNS debugging tools.

First, we have doc:

% doc -d ellipsis.cx
Doc-2.2.2: doc -d ellipsis.cx
Doc-2.2.2: Starting test of ellipsis.cx. parent is cx.
Doc-2.2.2: Test date - Mon Jul 23 04:04:33 EDT 2001
DEBUG: digging @ns0.flirble.org. for soa of cx.
soa @ns0.flirble.org. for cx. has serial: 2107172222
DEBUG: digging @ns1.ccsrs.net. for soa of cx.
soa @ns1.ccsrs.net. for cx. has serial: 2107172222
DEBUG: digging @ns2.ccsrs.net. for soa of cx.
soa @ns2.ccsrs.net. for cx. has serial: 2107172222
DEBUG: digging @ns2.cix.cx. for soa of cx.
soa @ns2.cix.cx. for cx. has serial: 2107172120
WARNING: non-authoritative answer for cx. from ns2.cix.cx.
DEBUG: digging @ns2.coconutcomputing.net. for soa of cx.
soa @ns2.coconutcomputing.net. for cx. has serial:
WARNING: no SOA record for cx. from ns2.coconutcomputing.net.
DEBUG: digging @ns5.netdns.co.nz. for soa of cx.
soa @ns5.netdns.co.nz. for cx. has serial: 2107172222
SOA serial #'s agree for cx. domain
Found 3 NS and 3 glue records for ellipsis.cx. @ns0.flirble.org. (non-AUTH)
Found 3 NS and 3 glue records for ellipsis.cx. @ns1.ccsrs.net. (non-AUTH)
Found 3 NS and 3 glue records for ellipsis.cx. @ns2.ccsrs.net. (non-AUTH)
Found 3 NS and 3 glue records for ellipsis.cx. @ns5.netdns.co.nz. (non-AUTH)
DNServers for cx.
=== 0 were also authoritatve for ellipsis.cx.
=== 4 were non-authoritative for ellipsis.cx.
Servers for cx. (not also authoritative for ellipsis.cx.)
=== agree on NS records for ellipsis.cx.
DEBUG: domserv = charybdis.ellipsis.cx. ns1.granitecanyon.com.
ns2.granitecanyon.com.
NS list summary for ellipsis.cx. from parent (cx.) servers
== charybdis.ellipsis.cx. ns1.granitecanyon.com. ns2.granitecanyon.com.
digging @charybdis.ellipsis.cx. for soa of ellipsis.cx.
soa @charybdis.ellipsis.cx. for ellipsis.cx. serial: 3
digging @ns1.granitecanyon.com. for soa of ellipsis.cx.
soa @ns1.granitecanyon.com. for ellipsis.cx. serial:
ERROR: no SOA record for ellipsis.cx. from ns1.granitecanyon.com.
digging @ns2.granitecanyon.com. for soa of ellipsis.cx.
soa @ns2.granitecanyon.com. for ellipsis.cx. serial:
ERROR: no SOA record for ellipsis.cx. from ns2.granitecanyon.com.
ERROR: NS list from ellipsis.cx. authoritative servers does not
=== match NS list from parent (cx.) servers
NS list summary for ellipsis.cx. from authoritative servers
== charybids.ellipsis.cx. ns1.granitecanyon.com. ns2.granitecanyon.com.
ERROR: charybdis.ellipsis.cx. claims to be authoritative, but does
not appear in
NS list from authoritative servers
Checking 1 potential addresses for hosts at ellipsis.cx.
== 64.109.29.57
in-addr PTR record found for 64.109.29.57
Summary:
ERRORS found for ellipsis.cx. (count: 4)
WARNINGS issued for ellipsis.cx. (count: 2)
Done testing ellipsis.cx. Mon Jul 23 04:05:05 EDT 2001
Next, we have dnswalk:
% dnswalk -alF ellipsis.cx.
Checking ellipsis.cx.
Getting zone transfer of ellipsis.cx. from ns1.granitecanyon.com...failed
FAIL: Zone transfer of ellipsis.cx. from ns1.granitecanyon.com failed: REFUSED
Getting zone transfer of ellipsis.cx. from ns2.granitecanyon.com...failed
FAIL: Zone transfer of ellipsis.cx. from ns2.granitecanyon.com
failed: couldn't connect
Getting zone transfer of ellipsis.cx. from charybids.ellipsis.cx...failed
FAIL: Zone transfer of ellipsis.cx. from charybids.ellipsis.cx
failed: no nameservers
BAD: All zone transfer attempts of ellipsis.cx. failed!
3 failures, 0 warnings, 1 errors.
Finally, we have DNS Expert Professional 1.6:
DNS Expert
Detailed Report for ellipsis.cx.
7/23/01, 10:10 AM, using the analysis setting "Minimal"
======================================================================
Information
----------------------------------------------------------------------
Serial number: 3
Primary name server: ellipsis.cx.
Primary mail server: ellipsis.cx.
Number of records: 13 (3 NS, 2 MX, 5 A, 3 CNAME, 0 PTR, 0 Other)
Errors
----------------------------------------------------------------------
o Unable to resolve the host name "charybids.ellipsis.cx." used in
the NS record "ellipsis.cx."
It was not possible to resolve the host name
"charybids.ellipsis.cx." which is used in the NS record for
"ellipsis.cx." This indicates that a host with the name
"charybids.ellipsis.cx." does not exist.
o Non-authoritative data received from the server
"ns1.granitecanyon.com."
The server "ns1.granitecanyon.com." is listed as being
authoritative for the domain, but it does not contain
authoritative data for it.
o Non-authoritative data received from the server
"ns2.granitecanyon.com."
The server "ns2.granitecanyon.com." is listed as being
authoritative for the domain, but it does not contain
authoritative data for it.
o The name server "charybdis.ellipsis.cx." is only listed in
delegation data
The server "charybdis.ellipsis.cx." is listed as being
authoritative for the zone according to the delegation data, but
there is no NS record for that server in the zone data.
Delegation data and zone data should always match.
o Unable to check the name server "charybids.ellipsis.cx."
It was not possible to check the name server
"charybids.ellipsis.cx.", because its address could not be
resolved.
o The server "charybdis.nomic.net." did not reply
The server "charybdis.nomic.net." did not reply when it was
queried for the name "57.56.29.109.64.in-addr.arpa.". This
indicates that the server is not running, or it is currently
unreachable.
Warnings
----------------------------------------------------------------------
o Server name in the SOA record differs from server name in an NS
record
The name server with the IP address 64.109.29.57 is identified by
the name "ellipsis.cx." in the SOA record but the NS record uses
the name "charybdis.ellipsis.cx." for the host.
----------------------------------------------------------------------
end of report
Finally, we directly query your machine, using the IP address you
told us about:
% dig @64.109.29.57 ellipsis.cx. any
; <<>> DiG 9.1.2 <<>> @64.109.29.57 ellipsis.cx. any
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 33627
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 7, AUTHORITY: 3, ADDITIONAL: 3
;; QUESTION SECTION:
;ellipsis.cx. IN ANY
;; ANSWER SECTION:
ellipsis.cx. 43200 IN SOA ellipsis.cx.
hostmaster.ellipsis.cx. 3 28800 7200 604800 43200
ellipsis.cx. 43200 IN NS charybids.ellipsis.cx.
ellipsis.cx. 43200 IN NS ns1.granitecanyon.com.
ellipsis.cx. 43200 IN NS ns2.granitecanyon.com.
ellipsis.cx. 43200 IN MX 10 ellipsis.cx.
ellipsis.cx. 43200 IN MX 20 jeffs.ath.cx.
ellipsis.cx. 43200 IN A 64.109.29.57
;; AUTHORITY SECTION:
ellipsis.cx. 43200 IN NS ns2.granitecanyon.com.
ellipsis.cx. 43200 IN NS charybids.ellipsis.cx.
ellipsis.cx. 43200 IN NS ns1.granitecanyon.com.
;; ADDITIONAL SECTION:
ns1.granitecanyon.com. 118334 IN A 205.166.226.38
ns2.granitecanyon.com. 76158 IN A 64.63.77.90
ellipsis.cx. 43200 IN A 64.109.29.57
;; Query time: 74 msec
;; SERVER: 64.109.29.57#53(64.109.29.57)
;; WHEN: Mon Jul 23 04:20:35 2001
;; MSG SIZE rcvd: 301
% dig @64.109.29.57 -x 64.109.29.57
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 60901
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 5, ADDITIONAL: 4
;; QUESTION SECTION:
;57.29.109.64.in-addr.arpa. IN PTR
;; ANSWER SECTION:
57.29.109.64.in-addr.arpa. 7200 IN CNAME 57.56.29.109.64.in-addr.arpa.
57.56.29.109.64.in-addr.arpa. 43200 IN PTR charybdis.nomic.net.
;; AUTHORITY SECTION:
56.29.109.64.in-addr.arpa. 43200 IN NS ns1.ameritech.net.
56.29.109.64.in-addr.arpa. 43200 IN NS ns1.granitecanyon.com.
56.29.109.64.in-addr.arpa. 43200 IN NS ns2.ameritech.net.
56.29.109.64.in-addr.arpa. 43200 IN NS ns2.granitecanyon.com.
56.29.109.64.in-addr.arpa. 43200 IN NS charybdis.nomic.net.
;; ADDITIONAL SECTION:
ns1.ameritech.net. 161674 IN A 206.141.251.2
ns1.granitecanyon.com. 117710 IN A 205.166.226.38
ns2.granitecanyon.com. 75534 IN A 64.63.77.90
charybdis.nomic.net. 43200 IN A 64.109.29.57
;; Query time: 138 msec
;; SERVER: 64.109.29.57#53(64.109.29.57)
;; WHEN: Mon Jul 23 04:30:59 2001
;; MSG SIZE rcvd: 273
This is totally hosed. You do not have proper delegation
information being handed out by the .cx ccTLD nameservers. Moreover,
the granitecanyon nameservers (the only ones being delegated to by
the .cx ccTLD nameservers) are not handing out correct glue
information for the zone and are answering non-authoritatively
(presumably because your machine is hosed). Your own machine is not
even handing out glue for charybids.ellipsis.cx, even though this is
supposed to be one of your three authoritative nameservers. And then
there's the whole bizarre reverse DNS issue for 64.109.29.57.
You've got quite a lot of work to do.
--
Brad Knowles, <brad.knowles at skynet.be>
/* efdtt.c Author: Charles M. Hannum <root at ihack.net> */
/* Represented as 1045 digit prime number by Phil Carmody */
/* Prime as DNS cname chain by Roy Arends and Walter Belgers */
/* */
/* Usage is: cat title-key scrambled.vob | efdtt >clear.vob */
/* where title-key = "153 2 8 105 225" or other similar 5-byte key */
dig decss.friet.org|perl -ne'if(/^x/){s/[x.]//g;print pack(H124,$_)}'
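
Added example (not part of the original post, and not code from doc, dnswalk or DNS Expert): the parent-versus-zone NS comparison that those tools report above, run over the NS list from the doc output and the records copied from the dig answer in the post. The function and variable names are hypothetical.

```python
"""Compare a zone's delegation NS set with the NS set the zone itself serves."""

# NS names the cx. parent servers delegate to (from the doc output in the post).
PARENT_NS = [
    "charybdis.ellipsis.cx.",
    "ns1.granitecanyon.com.",
    "ns2.granitecanyon.com.",
]

# Records copied from the post's `dig @64.109.29.57 ellipsis.cx. any` answer.
CHILD_ANSWER = """\
ellipsis.cx. 43200 IN NS charybids.ellipsis.cx.
ellipsis.cx. 43200 IN NS ns1.granitecanyon.com.
ellipsis.cx. 43200 IN NS ns2.granitecanyon.com.
ellipsis.cx. 43200 IN A 64.109.29.57
ns1.granitecanyon.com. 118334 IN A 205.166.226.38
ns2.granitecanyon.com. 76158 IN A 64.63.77.90
"""

def norm(name):
    """Lower-case and fully qualify a DNS name so comparisons are exact."""
    name = name.strip().lower()
    return name if name.endswith(".") else name + "."

def parse_records(text):
    """Yield (owner, rtype, rdata) from dig-style 'owner ttl IN type rdata' lines."""
    for line in text.splitlines():
        fields = line.split()
        if len(fields) >= 5 and not line.startswith(";") and fields[2] == "IN":
            yield norm(fields[0]), fields[3].upper(), " ".join(fields[4:])

def check_delegation(zone, parent_ns, child_text):
    """Return the NS mismatches and the in-zone NS names with no address record."""
    zone = norm(zone)
    records = list(parse_records(child_text))
    child = {norm(r) for o, t, r in records if o == zone and t == "NS"}
    parent = {norm(n) for n in parent_ns}
    have_addr = {o for o, t, _ in records if t in ("A", "AAAA")}
    # Only in-zone nameserver names need an address served with the zone.
    in_zone = {n for n in child | parent if n == zone or n.endswith("." + zone)}
    return {
        "only_in_parent": sorted(parent - child),
        "only_in_child": sorted(child - parent),
        "in_zone_ns_without_address": sorted(in_zone - have_addr),
    }

if __name__ == "__main__":
    for key, names in check_delegation("ellipsis.cx", PARENT_NS, CHILD_ANSWER).items():
        print(f"{key}: {', '.join(names) or '-'}")
```
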