Stale MX Records

Brad Knowles brad.knowles at skynet.be
Fri Jun 15 19:49:56 UTC 2001


At 3:16 PM -0400 6/15/01, Kris Haight wrote:

>>  - ns.mindsprung.net (208.176.94.126)
>>    does not answer authoritatively for firespout.com

	In addition, it appears that this machine is running recursively 
and caching, so there is the chance of cache pollution problems. 
Worse, it appears that this machine is running BIND 8.2.2-P7, which 
would mean that it is vulnerable to known attacks to gain root 
privileges.  I would strongly encourage you to at least upgrade to 
BIND 8.2.4-REL, if not 9.1.2-REL or the latest release candidate for 
9.1.3.

>  And how can I make it authoritative? I followed The O'Reilly Book DNS & BIND
>  to a T so now I am totally lost.

	It's hard to say.  What is in the log files for this machine 
about this zone?

>>  - Default TTL in firespout.com's SOA is 1 hour, way too low
>
>  Recommendation? I am relatively new to DNS and I am learning as I go along.
>  I've had a home server setup for a while, but haven't had issues with it, so
>  this is a first for me.

	Default TTLs for things like this should almost always be at 
least a day, and possibly as large as a week.  You should only exceed 
these values on one side or the other if you have a known reason that 
you need/want to do so.

>>  Your REAL problem seems to be that chhost.com still thinks they
>>  are auth for firespout.com, thus giving out faulty records :
>>  > dig firespout.com mx @NS2.cihost.com.

	From what I see, dns1.nhvt.net is a lame delegation from the gTLD servers:

% dig @a.gtld-servers.net. firespout.com. any

; <<>> DiG 9.1.2 <<>> @a.gtld-servers.net. firespout.com. any
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 17879
;; flags: qr rd; QUERY: 1, ANSWER: 3, AUTHORITY: 3, ADDITIONAL: 3

;; QUESTION SECTION:
;firespout.com.                 IN      ANY

;; ANSWER SECTION:
firespout.com.          172800  IN      NS      NS.MINDSPRUNG.NET.
firespout.com.          172800  IN      NS      DNS1.NHVT.NET.
firespout.com.          172800  IN      NS      VOON.FS.MINDSPRUNG.NET.

;; AUTHORITY SECTION:
firespout.com.          172800  IN      NS      NS.MINDSPRUNG.NET.
firespout.com.          172800  IN      NS      DNS1.NHVT.NET.
firespout.com.          172800  IN      NS      VOON.FS.MINDSPRUNG.NET.

;; ADDITIONAL SECTION:
NS.MINDSPRUNG.NET.      172800  IN      A       208.176.94.126
DNS1.NHVT.NET.          172800  IN      A       216.107.205.2
VOON.FS.MINDSPRUNG.NET. 172800  IN      A       199.103.224.130

;; Query time: 7 msec
;; SERVER: 192.5.6.30#53(a.gtld-servers.net.)
;; WHEN: Fri Jun 15 15:47:25 2001
;; MSG SIZE  rcvd: 198

% dig @DNS1.NHVT.NET. DNS1.NHVT.NET. any

; <<>> DiG 9.1.2 <<>> @DNS1.NHVT.NET. DNS1.NHVT.NET. any
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 2967
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 2

;; QUESTION SECTION:
;DNS1.NHVT.NET.                 IN      ANY

;; ANSWER SECTION:
DNS1.NHVT.NET.          172800  IN      A       216.107.205.2

;; AUTHORITY SECTION:
NHVT.NET.               172800  IN      NS      DNS1.NHVT.NET.
NHVT.NET.               172800  IN      NS      ns1.seg.NET.

;; ADDITIONAL SECTION:
DNS1.NHVT.NET.          172800  IN      A       216.107.205.2
ns1.seg.NET.            156371  IN      A       206.34.181.15

;; Query time: 99 msec
;; SERVER: 216.107.205.2#53(DNS1.NHVT.NET.)
;; WHEN: Fri Jun 15 15:47:37 2001
;; MSG SIZE  rcvd: 115


	This would also be a problem that needs to be fixed.  In 
particular, the delegation records should be fixed at the 
InterNIC/Network Solutions, so that only the appropriate nameservers 
within mindsprung.net are referenced.

>  I think so too. I've asked them on several occasions to take us out of DNS
>  and they claim they've taken it out. Maybe they haven't. I will give them a
>  call again.

	Change the delegation records, and this becomes a moot point.

-- 
Brad Knowles, <brad.knowles at skynet.be>

/*        efdtt.c  Author:  Charles M. Hannum <root at ihack.net>          */
/*       Represented as 1045 digit prime number by Phil Carmody         */
/*     Prime as DNS cname chain by Roy Arends and Walter Belgers        */
/*                                                                      */
/*     Usage is:  cat title-key scrambled.vob | efdtt >clear.vob        */
/*   where title-key = "153 2 8 105 225" or other similar 5-byte key    */

dig decss.friet.org|perl -ne'if(/^x/){s/[x.]//g;print pack(H124,$_)}'

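The lame-delegation and TTL checks done above by hand with dig, as an added example that is not part of the original message: it parses constructed dig-style transcripts for a hypothetical example.test zone (no network access) and flags each delegated server that does not answer with the AA bit and its own NS record, or whose NS TTL is below the one-day minimum recommended in the reply.

```python
import re
# Constructed dig transcripts modelled on the dig 9.1.2 output above; names are hypothetical.
ZONE = "example.test."
PARENT_REFERRAL = """\
;; flags: qr rd; QUERY: 1, ANSWER: 2, AUTHORITY: 2, ADDITIONAL: 2
;; ANSWER SECTION:
example.test.           172800  IN      NS      NS1.EXAMPLE.TEST.
example.test.           172800  IN      NS      NS.STALE.TEST.
"""
SERVER_REPLIES = {
    "ns1.example.test.": """\
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; ANSWER SECTION:
example.test.           3600    IN      NS      NS1.EXAMPLE.TEST.
""",
    "ns.stale.test.": """\
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
;; AUTHORITY SECTION:
stale.test.             172800  IN      NS      NS.STALE.TEST.
""",
}

def flags(dig_text):
    # Header flags (qr, aa, rd, ra, ...) from the ";; flags:" line.
    m = re.search(r"^;; flags:\s*([^;]*);", dig_text, re.M)
    return set(m.group(1).split()) if m else set()

def ns_records(dig_text, zone):
    # {nameserver: ttl} for NS records owned by `zone` in the ANSWER section.
    out, in_answer = {}, False
    for line in dig_text.splitlines():
        if line.startswith(";;"):
            in_answer = line.startswith(";; ANSWER SECTION")
            continue
        p = line.split()
        if in_answer and len(p) == 5 and p[0].lower() == zone and p[3] == "NS":
            out[p[4].lower()] = int(p[1])
    return out

def audit_delegation(zone, parent_text, replies, min_ttl=86400):
    # Per delegated server: lame (no AA bit / not in its own NS RRset) or low TTL.
    problems = {}
    for server in ns_records(parent_text, zone):
        reply = replies.get(server, "")
        rrset = ns_records(reply, zone)
        if "aa" not in flags(reply) or server not in rrset:
            problems[server] = "lame: not authoritative for the zone"
        elif rrset[server] < min_ttl:
            problems[server] = f"NS TTL {rrset[server]}s below {min_ttl}s"
    return problems
```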
