Rogue Secondaries?
Brad Knowles
brad.knowles at skynet.be
Tue May 15 17:38:45 UTC 2001
At 12:42 PM -0400 5/15/01, Scott, Joshua wrote:
> Last week, after a disaster I had to move my DNS servers to a different
> subnet. I then went through the tedious process of updating Network
> Solutions, and all other entities which manage either a reverse zone or a
> secondary zone. All of these tasks were completed but some clients on the
> internet are still getting the old address. What could be causing this?
> Could it be secondary name servers that we do not know about? Our
> secondaries are hosted by Sprint and they claim that all secondaries have
> been modified to point to the new box. We don't have or know about any
> other secondaries. Is there a way to track down other possible secondary
> name servers?
This is for jacobs.com, right? Here's what the latest version of
doc tells us about this zone:
doc9 -d jacobs.com
Doc-2.2.2: doc9 -d jacobs.com
Doc-2.2.2: Starting test of jacobs.com. parent is com.
Doc-2.2.2: Test date - Tue May 15 13:35:32 EDT 2001
DEBUG: digging @a.gtld-servers.net. for soa of com.
soa @a.gtld-servers.net. for com. has serial: 2001051401
DEBUG: digging @b.gtld-servers.net. for soa of com.
soa @b.gtld-servers.net. for com. has serial: 2001051401
DEBUG: digging @c.gtld-servers.net. for soa of com.
soa @c.gtld-servers.net. for com. has serial: 2001051401
DEBUG: digging @d.gtld-servers.net. for soa of com.
soa @d.gtld-servers.net. for com. has serial: 2001051401
DEBUG: digging @e.gtld-servers.net. for soa of com.
soa @e.gtld-servers.net. for com. has serial: 2001051401
DEBUG: digging @f.gtld-servers.net. for soa of com.
soa @f.gtld-servers.net. for com. has serial: 2001051401
DEBUG: digging @g.gtld-servers.net. for soa of com.
soa @g.gtld-servers.net. for com. has serial: 2001051401
DEBUG: digging @i.gtld-servers.net. for soa of com.
soa @i.gtld-servers.net. for com. has serial: 2001051401
DEBUG: digging @j.gtld-servers.net. for soa of com.
soa @j.gtld-servers.net. for com. has serial: 2001051401
DEBUG: digging @k.gtld-servers.net. for soa of com.
soa @k.gtld-servers.net. for com. has serial: 2001051401
DEBUG: digging @l.gtld-servers.net. for soa of com.
soa @l.gtld-servers.net. for com. has serial: 2001051401
DEBUG: digging @m.gtld-servers.net. for soa of com.
soa @m.gtld-servers.net. for com. has serial: 2001051401
SOA serial #'s agree for com. domain
Found 4 NS and 4 glue records for jacobs.com. @a.gtld-servers.net. (non-AUTH)
Found 4 NS and 4 glue records for jacobs.com. @b.gtld-servers.net. (non-AUTH)
Found 4 NS and 4 glue records for jacobs.com. @c.gtld-servers.net. (non-AUTH)
Found 4 NS and 4 glue records for jacobs.com. @d.gtld-servers.net. (non-AUTH)
Found 4 NS and 4 glue records for jacobs.com. @e.gtld-servers.net. (non-AUTH)
Found 4 NS and 4 glue records for jacobs.com. @f.gtld-servers.net. (non-AUTH)
Found 4 NS and 4 glue records for jacobs.com. @g.gtld-servers.net. (non-AUTH)
Found 4 NS and 4 glue records for jacobs.com. @i.gtld-servers.net. (non-AUTH)
Found 4 NS and 4 glue records for jacobs.com. @j.gtld-servers.net. (non-AUTH)
Found 4 NS and 4 glue records for jacobs.com. @k.gtld-servers.net. (non-AUTH)
Found 4 NS and 4 glue records for jacobs.com. @l.gtld-servers.net. (non-AUTH)
Found 4 NS and 4 glue records for jacobs.com. @m.gtld-servers.net. (non-AUTH)
DNServers for com.
=== 0 were also authoritatve for jacobs.com.
=== 12 were non-authoritative for jacobs.com.
Servers for com. (not also authoritative for jacobs.com.)
=== agree on NS records for jacobs.com.
DEBUG: domserv = ns1-auth.sprintlink.net. ns1.crssc.com.
ns2-auth.sprintlink.net. ns3-auth.sprintlink.net.
NS list summary for jacobs.com. from parent (com.) servers
== ns1-auth.sprintlink.net. ns1.crssc.com. ns2-auth.sprintlink.net.
== ns3-auth.sprintlink.net.
digging @ns1-auth.sprintlink.net. for soa of jacobs.com.
soa @ns1-auth.sprintlink.net. for jacobs.com. serial: 930163482
digging @ns1.crssc.com. for soa of jacobs.com.
soa @ns1.crssc.com. for jacobs.com. serial: 930163482
digging @ns2-auth.sprintlink.net. for soa of jacobs.com.
soa @ns2-auth.sprintlink.net. for jacobs.com. serial: 930163482
digging @ns3-auth.sprintlink.net. for soa of jacobs.com.
soa @ns3-auth.sprintlink.net. for jacobs.com. serial: 930163482
SOA serial #'s agree for jacobs.com.
ERROR: Found 2 unique sets of NS records
=== from authoritative domain (jacobs.com.) servers
ERROR: NS list from jacobs.com. authoritative servers does not
=== match NS list from parent (com.) servers
NS list summary for jacobs.com. from authoritative servers
== dns.jacobs.com. dns1.jacobs.com. dns2.jacobs.com.
== dns3.jacobs.com. ns1-auth.sprintlink.net. ns2-auth.sprintlink.net.
== ns3-auth.sprintlink.net.
ERROR: ns1.crssc.com. claims to be authoritative, but does not appear in
NS list from authoritative servers
Checking 2 potential addresses for hosts at jacobs.com.
== 209.78.197.2 168.88.66.71
in-addr PTR record found for 209.78.197.2
in-addr PTR record found for 168.88.66.71
Summary:
ERRORS found for jacobs.com. (count: 3)
Done testing jacobs.com. Tue May 15 13:35:47 EDT 2001
Clearly, you need to update your delegations -- the .com gTLD
nameservers have a different list of nameservers for your domain than
the supposedly authoritative nameservers for jacobs.com, which is bad
news. Moreover, ns1.crssc.com would appear to be what I call an
"orphan" delegation -- it's listed in the parent (.com gTLD)
nameservers, it claims to be authoritative, but the other
authoritative nameservers do not list it as one of the known
authoritative nameservers.
--
Brad Knowles, <brad.knowles at skynet.be>
/* efdtt.c Author: Charles M. Hannum <root at ihack.net> */
/* Represented as 1045 digit prime number by Phil Carmody */
/* Prime as DNS cname chain by Roy Arends and Walter Belgers */
/* */
/* Usage is: cat title-key scrambled.vob | efdtt >clear.vob */
/* where title-key = "153 2 8 105 225" or other similar 5-byte key */
dig decss.friet.org|perl -ne'if(/^x/){s/[x.]//g;print pack(H124,$_)}'
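The parent/child NS comparison from the reply above, as an added example that is not part of the original post or of the doc tool. It parses the two "NS list summary" blocks copied from the doc output in this message; the function names are assumptions of this example, and whether a listed server really answers authoritatively still needs a live SOA query such as the ones doc ran.

```python
# Added example: audit a delegation from doc's "NS list summary" blocks.
# DOC_OUTPUT is copied from the doc run quoted in this post.
DOC_OUTPUT = """\
NS list summary for jacobs.com. from parent (com.) servers
== ns1-auth.sprintlink.net. ns1.crssc.com. ns2-auth.sprintlink.net.
== ns3-auth.sprintlink.net.
NS list summary for jacobs.com. from authoritative servers
== dns.jacobs.com. dns1.jacobs.com. dns2.jacobs.com.
== dns3.jacobs.com. ns1-auth.sprintlink.net. ns2-auth.sprintlink.net.
== ns3-auth.sprintlink.net.
"""


def parse_ns_summaries(text):
    """Return {'parent': set, 'authoritative': set} of NS names."""
    lists = {}
    current = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("NS list summary for"):
            current = "parent" if "from parent" in line else "authoritative"
            lists[current] = set()
        elif line.startswith("== ") and current:
            # Names are whitespace-separated; DNS names are case-insensitive.
            lists[current].update(name.lower() for name in line[3:].split())
        else:
            current = None  # any other line ends the summary block
    return lists


def audit_delegation(parent, child):
    """Classify name servers by which side of the zone cut lists them."""
    return {
        # Delegated by the parent but absent from the zone's own NS set:
        # the "orphan" case if the host also answers authoritatively.
        "orphan": sorted(parent - child),
        # In the zone's NS set but never delegated by the parent.
        "undelegated": sorted(child - parent),
        "consistent": sorted(parent & child),
    }


if __name__ == "__main__":
    ns = parse_ns_summaries(DOC_OUTPUT)
    for kind, names in audit_delegation(ns["parent"], ns["authoritative"]).items():
        print(f"{kind}: {' '.join(names) or '-'}")
```

Any name reported as orphan or undelegated is a server whose operator and zone data should be confirmed before the delegation at the registry is corrected.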