Rogue Secondaries?

Brad Knowles brad.knowles at skynet.be
Tue May 15 17:38:45 UTC 2001


At 12:42 PM -0400 5/15/01, Scott, Joshua wrote:

>  Last week, after a disaster I had to move my DNS servers to a different
>  subnet.  I then went through the tedious process of updating Network
>  Solutions, and all other entities which manage either a reverse zone or a
>  secondary zone.  All of these tasks were completed but some clients on the
>  internet are still getting the old address.  What could be causing this?
>  Could it be secondary name servers that we do not know about?  Our
>  secondaries are hosted by Sprint and they claim that all secondaries have
>  been modified to point to the new box.  We don't have or know about any
>  other secondaries.  Is there a way to track down other possible secondary
>  name servers?

	This is for jacobs.com, right?  Here's what the latest version of 
doc tells us about this zone:

doc9 -d jacobs.com
Doc-2.2.2: doc9 -d jacobs.com
Doc-2.2.2: Starting test of jacobs.com.   parent is com.
Doc-2.2.2: Test date - Tue May 15 13:35:32 EDT 2001
DEBUG: digging @a.gtld-servers.net. for soa of com.
soa @a.gtld-servers.net. for com. has serial: 2001051401
DEBUG: digging @b.gtld-servers.net. for soa of com.
soa @b.gtld-servers.net. for com. has serial: 2001051401
DEBUG: digging @c.gtld-servers.net. for soa of com.
soa @c.gtld-servers.net. for com. has serial: 2001051401
DEBUG: digging @d.gtld-servers.net. for soa of com.
soa @d.gtld-servers.net. for com. has serial: 2001051401
DEBUG: digging @e.gtld-servers.net. for soa of com.
soa @e.gtld-servers.net. for com. has serial: 2001051401
DEBUG: digging @f.gtld-servers.net. for soa of com.
soa @f.gtld-servers.net. for com. has serial: 2001051401
DEBUG: digging @g.gtld-servers.net. for soa of com.
soa @g.gtld-servers.net. for com. has serial: 2001051401
DEBUG: digging @i.gtld-servers.net. for soa of com.
soa @i.gtld-servers.net. for com. has serial: 2001051401
DEBUG: digging @j.gtld-servers.net. for soa of com.
soa @j.gtld-servers.net. for com. has serial: 2001051401
DEBUG: digging @k.gtld-servers.net. for soa of com.
soa @k.gtld-servers.net. for com. has serial: 2001051401
DEBUG: digging @l.gtld-servers.net. for soa of com.
soa @l.gtld-servers.net. for com. has serial: 2001051401
DEBUG: digging @m.gtld-servers.net. for soa of com.
soa @m.gtld-servers.net. for com. has serial: 2001051401
SOA serial #'s agree for com. domain
Found 4 NS and 4 glue records for jacobs.com. @a.gtld-servers.net. (non-AUTH)
Found 4 NS and 4 glue records for jacobs.com. @b.gtld-servers.net. (non-AUTH)
Found 4 NS and 4 glue records for jacobs.com. @c.gtld-servers.net. (non-AUTH)
Found 4 NS and 4 glue records for jacobs.com. @d.gtld-servers.net. (non-AUTH)
Found 4 NS and 4 glue records for jacobs.com. @e.gtld-servers.net. (non-AUTH)
Found 4 NS and 4 glue records for jacobs.com. @f.gtld-servers.net. (non-AUTH)
Found 4 NS and 4 glue records for jacobs.com. @g.gtld-servers.net. (non-AUTH)
Found 4 NS and 4 glue records for jacobs.com. @i.gtld-servers.net. (non-AUTH)
Found 4 NS and 4 glue records for jacobs.com. @j.gtld-servers.net. (non-AUTH)
Found 4 NS and 4 glue records for jacobs.com. @k.gtld-servers.net. (non-AUTH)
Found 4 NS and 4 glue records for jacobs.com. @l.gtld-servers.net. (non-AUTH)
Found 4 NS and 4 glue records for jacobs.com. @m.gtld-servers.net. (non-AUTH)
DNServers for com.
    === 0 were also authoritatve for jacobs.com.
    === 12 were non-authoritative for jacobs.com.
Servers for com. (not also authoritative for jacobs.com.)
    === agree on NS records for jacobs.com.
DEBUG: domserv = ns1-auth.sprintlink.net. ns1.crssc.com. ns2-auth.sprintlink.net. ns3-auth.sprintlink.net.
NS list summary for jacobs.com. from parent (com.) servers
   == ns1-auth.sprintlink.net. ns1.crssc.com. ns2-auth.sprintlink.net.
   == ns3-auth.sprintlink.net.
digging @ns1-auth.sprintlink.net. for soa of jacobs.com.
soa @ns1-auth.sprintlink.net. for jacobs.com. serial: 930163482
digging @ns1.crssc.com. for soa of jacobs.com.
soa @ns1.crssc.com. for jacobs.com. serial: 930163482
digging @ns2-auth.sprintlink.net. for soa of jacobs.com.
soa @ns2-auth.sprintlink.net. for jacobs.com. serial: 930163482
digging @ns3-auth.sprintlink.net. for soa of jacobs.com.
soa @ns3-auth.sprintlink.net. for jacobs.com. serial: 930163482
SOA serial #'s agree for jacobs.com.
ERROR: Found 2 unique sets of NS records
    === from authoritative domain (jacobs.com.) servers
ERROR: NS list from jacobs.com. authoritative servers does not
   === match NS list from parent (com.) servers
NS list summary for jacobs.com. from authoritative servers
   == dns.jacobs.com. dns1.jacobs.com. dns2.jacobs.com.
   == dns3.jacobs.com. ns1-auth.sprintlink.net. ns2-auth.sprintlink.net.
   == ns3-auth.sprintlink.net.
ERROR: ns1.crssc.com. claims to be authoritative, but does not appear in
NS list from authoritative servers
Checking 2 potential addresses for hosts at jacobs.com.
   == 209.78.197.2 168.88.66.71
in-addr PTR record found for 209.78.197.2
in-addr PTR record found for 168.88.66.71
Summary:
    ERRORS found for jacobs.com. (count: 3)
Done testing jacobs.com.  Tue May 15 13:35:47 EDT 2001



	Clearly, you need to update your delegations -- the .com gTLD 
nameservers have a different list of nameservers for your domain than 
the supposedly authoritative nameservers for jacobs.com, which is bad 
news.  Moreover, ns1.crssc.com would appear to be what I call an 
"orphan" delegation -- it's listed in the parent (.com gTLD) 
nameservers, it claims to be authoritative, but the other 
authoritative nameservers do not list it as one of the known 
authoritative nameservers.

-- 
Brad Knowles, <brad.knowles at skynet.be>

/*        efdtt.c  Author:  Charles M. Hannum <root at ihack.net>          */
/*       Represented as 1045 digit prime number by Phil Carmody         */
/*     Prime as DNS cname chain by Roy Arends and Walter Belgers        */
/*                                                                      */
/*     Usage is:  cat title-key scrambled.vob | efdtt >clear.vob        */
/*   where title-key = "153 2 8 105 225" or other similar 5-byte key    */

dig decss.friet.org|perl -ne'if(/^x/){s/[x.]//g;print pack(H124,$_)}'
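
[Added example, not part of the original message and not code from the doc tool: a minimal Python version of the parent-versus-child NS comparison that the doc output above reports on, including the "orphan" delegation case. The NS names are taken from the output above; the TTL, the dig-style record lines, and the split of which server returned which NS set are constructed assumptions, and the function names are hypothetical.]

```python
"""Compare the NS set a parent zone delegates to with the NS sets the
zone's own servers publish (the comparison doc reports on above)."""

def norm(name):
    # DNS names are case-insensitive; compare in lower case with one trailing dot.
    return name.rstrip(".").lower() + "."

def ns_set(answer_text, zone):
    """Collect NS targets for `zone` from 'owner TTL class type rdata' lines."""
    found = set()
    for line in answer_text.splitlines():
        f = line.split()
        if len(f) == 5 and f[3].upper() == "NS" and norm(f[0]) == norm(zone):
            found.add(norm(f[4]))
    return frozenset(found)

def check_delegation(zone, parent_answer, child_answers):
    parent = ns_set(parent_answer, zone)
    per_server = {norm(s): ns_set(a, zone) for s, a in child_answers.items()}
    child = frozenset().union(*per_server.values())
    return {
        "unique_child_sets": len(set(per_server.values())),
        "parent_matches_child": parent == child,
        # delegated by the parent but absent from the zone's own NS records
        "orphans": sorted(parent - child),
        # published by the zone but never delegated by the parent
        "undelegated": sorted(child - parent),
    }

def rr(zone, targets, ttl=86400):  # constructed TTL
    return "\n".join(f"{zone} {ttl} IN NS {t}" for t in targets)

ZONE = "jacobs.com."
SPRINT = ["ns1-auth.sprintlink.net.", "ns2-auth.sprintlink.net.", "ns3-auth.sprintlink.net."]
OWN = ["dns.jacobs.com.", "dns1.jacobs.com.", "dns2.jacobs.com.", "dns3.jacobs.com."]
PARENT = rr(ZONE, SPRINT + ["ns1.crssc.com."])
# Constructed: which server returned which set is an assumption.
CHILD = {s: rr(ZONE, SPRINT) for s in SPRINT}
CHILD["ns1.crssc.com."] = rr(ZONE, OWN)

if __name__ == "__main__":
    for key, value in check_delegation(ZONE, PARENT, CHILD).items():
        print(f"{key}: {value}")
```

[In practice the record lines would come from non-recursive NS queries sent to each parent server and to each listed nameserver in turn.]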

