nslookup response ???

Andris Kalnozols andris at hpl.hp.com
Sat Sep 1 00:02:34 UTC 2001


Here is another view of the NS RRset issues that Michael has
pointed out:

h2n -V sarahwoody.com

Verifying zone data for domain 'sarahwoody.com.':
Getting NS RRset...
Transferring zone.... (from 'BERTHA.MYSP.NET' [216.253.137.36])
Parsing zone data...  (NS BIND version: 8.1.2)
Performing in-zone and external lookups...

Warning: the nameserver supplying the zone data is running a version
         of BIND that is vulnerable to the following bug(s):
 naptr, maxdname, solinger, fdmax, & infoleak.
 See < http://www.isc.org/products/BIND/bind-security.html > and
     < http://www.cert.org/advisories/CA-2001-02.html > for details.

Warning: found the following problematic SOA time interval(s):
 SOA expire value is less than SOA refresh + (10 * retry)
   [2h < 1h + (10 * 30m)].
 SOA expire value (2h) is less than 7 days.
Warning: found NS RR(s) pointing to the following problematic domain name(s):
 ns2.bluestar.net.                      [  NXDOMAIN  ]
 ns1.bluestar.net.                      [  NXDOMAIN  ]
Warning: found CNAME(s) pointing to the following problematic domain name(s):
 berth.mysp.net.                        [  NXDOMAIN  ]
Warning: found inconsistent NS RRsets surrounding the zone boundary (RFC-1034):
 sarahwoody.com.        IN NS   bertha.mysp.net.
                        IN NS   ns1.bicity.net.
                        IN NS   ns1.thepurist.org.
 (non-authoritative)
 ---------------------------- zone cut ----------------------------
 (  authoritative  )
 @                      IN NS   ns.mysp.net.
                        IN NS   ns1.bluestar.net.
                        IN NS   ns2.bluestar.net.
Warning: verifying the NS delegations generated the following error(s):
 No name server running on ns1.bicity.net (domain sarahwoody.com)

Problem #1: The NS records on the master nameserver for sarahwoody.com
            (the authoritative ones below the zone cut) need to match
            those from the delegating 'com' TLD (the non-authoritative
            set that is above the zone cut).  What's really bad in this
            case is that the domain names for the alleged bluestar.net
            nameservers don't even exist.  Also, since 'bertha.mysp.net'
            and 'ns.mysp.net' have the same IP address, you should just
            use the name 'bertha' to keep things consistent.

Problem #2: To compound your precarious delegation issues, your zone
            data is hanging by a thread by only having a two-hour
            expiration interval.  If the slave nameservers can't reach
            the master nameserver during that time, they'll stop
            handing out authoritative answers.  Seven days should be
            the minimum time before a zone expires.

Problem #3: One of your CNAMEs is pointing to 'berth' instead of 'bertha'.

Problem #4: The sysadmin for 'bertha' should upgrade to BIND 8.2.3-REL
            or newer.

HTH,

Andris Kalnozols
Hewlett-Packard Laboratories
andris at hpl.hp.com


> Well, in that case you need to get the delegation straightened out -
> it seems to be a mess to me. Have a peek - and this is WITHOUT any
> real DNS debugging tools, mind you!
> 
> > [michael at varg michael]$ dig sarahwoody.com @a.gtld-servers.net +norec ns
> >
> > ; <<>> DiG 9.2.0rc1 <<>> sarahwoody.com @a.gtld-servers.net +norec ns
> > ;; global options:  printcmd
> > ;; Got answer:
> > ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 22692
> > ;; flags: qr; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 3
> >
> > ;; QUESTION SECTION:
> > ;sarahwoody.com.                        IN      NS
> >
> > ;; ANSWER SECTION:
> > sarahwoody.com.         172800  IN      NS      NS1.THEPURIST.ORG.
> > sarahwoody.com.         172800  IN      NS      NS1.BICITY.NET.
> > sarahwoody.com.         172800  IN      NS      BERTHA.MYSP.NET.
> >
> > ;; ADDITIONAL SECTION:
> > NS1.THEPURIST.ORG.      172800  IN      A       63.90.251.224
> > NS1.BICITY.NET.         172800  IN      A       63.90.252.62
> > BERTHA.MYSP.NET.        172800  IN      A       216.253.137.36
> >
> > ;; Query time: 140 msec
> > ;; SERVER: 192.5.6.30#53(a.gtld-servers.net)
> > ;; WHEN: Fri Aug 31 23:48:01 2001
> > ;; MSG SIZE  rcvd: 165
> >
> > [michael at varg michael]$ dig sarahwoody.com @ns1.thepurist.org +short ns
> > ns1.thepurist.org.
> > [michael at varg michael]$ dig sarahwoody.com @ns1.bigcity.net +short ns
> > BERTHA.MYSP.NET.
> > NS1.THEPURIST.ORG.
> > NS1.BICITY.NET.
> > [michael at varg michael]$ dig sarahwoody.com @bertha.mysp.net +short ns
> > ns1.bluestar.net.
> > ns2.bluestar.net.
> > ns.mysp.net.
> > [michael at varg michael]$ dig sarahwoody.com @ns1.bicity.net +short ns
> >
> > ; <<>> DiG 9.2.0rc1 <<>> sarahwoody.com @ns1.bicity.net +short ns
> > ;; global options:  printcmd
> > ;; connection timed out; no servers could be reached
> > [michael at varg michael]$ dig sarahwoody.com @ns1.bluestar.net +short ns
> > dig: Couldn't find server 'ns1.bluestar.net': Name or service not known
> > [michael at varg michael]$ dig sarahwoody.com @ns2.bluestar.net +short ns
> > dig: Couldn't find server 'ns2.bluestar.net': Name or service not known
> > [michael at varg michael]$ dig sarahwoody.com @ns.mysp.net +short ns
> > ns2.bluestar.net.
> > ns.mysp.net.
> > ns1.bluestar.net.
> > [michael at varg michael]$
> 
> 
> Michael Kjörling
> 
> 
> On Aug 31 2001 17:31 -0400, Bill wrote:
> 
> > Hi Michael,
> > Your dig info was enlightening. Sarahwoody.com only seems to point to the
> > former secondary server.
> > Hm-m-m. Everything would have probably made more sense if I had asked the
> > right question. When I try to get sarahwoody.com, the browser always looks
> > to 63.90.....while never looking at the primary dns which is 216.253...
> > The site is actually on the 216 server. The 63 server is actually a dead
> > issue backup. (If I ever figure out bind, I will have a back-up dns box at
> > the end of a cable modem.


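The zone-cut and SOA checks that h2n reports above, as an added example written for this thread (not h2n's own code): the parent and child NS sets and the address map are constructed from the dig output quoted by Michael, with the bluestar names left out of the map to mirror the NXDOMAIN result.

```python
from __future__ import annotations

def normalize(name: str) -> str:
    """DNS owner names compare case-insensitively; canonicalize to a lowercase FQDN."""
    return name.strip().lower().rstrip(".") + "."

def parse_short_ns(text: str) -> set[str]:
    """Parse `dig +short ns` output (one nameserver name per line) into a set."""
    return {normalize(line) for line in text.splitlines() if line.strip()}

def check_zone_cut(parent_ns: set[str], child_ns: set[str]) -> dict:
    """RFC 1034: the NS RRset the parent delegates with and the one the child's
    authoritative servers publish must be the same set."""
    return {"consistent": parent_ns == child_ns,
            "parent_only": sorted(parent_ns - child_ns),
            "child_only": sorted(child_ns - parent_ns)}

def check_soa_timers(refresh: int, retry: int, expire: int) -> list[str]:
    """The two SOA interval rules h2n reports above, all values in seconds."""
    problems = []
    if expire < refresh + 10 * retry:
        problems.append("expire < refresh + 10*retry")
    if expire < 7 * 86400:
        problems.append("expire < 7 days")
    return problems

def check_ns_targets(ns_set: set[str], a_records: dict[str, str]) -> list[str]:
    """NS targets with no address record are unusable (h2n's NXDOMAIN warning)."""
    return sorted(n for n in ns_set if n not in a_records)

# Constructed from the dig output quoted in the thread: parent = a.gtld-servers.net,
# child = bertha.mysp.net (the master).
PARENT_NS = parse_short_ns("NS1.THEPURIST.ORG.\nNS1.BICITY.NET.\nBERTHA.MYSP.NET.")
CHILD_NS = parse_short_ns("ns1.bluestar.net.\nns2.bluestar.net.\nns.mysp.net.")
# Constructed address map; the bluestar names are deliberately absent (NXDOMAIN).
A_RECORDS = {"ns1.thepurist.org.": "63.90.251.224", "ns1.bicity.net.": "63.90.252.62",
             "bertha.mysp.net.": "216.253.137.36", "ns.mysp.net.": "216.253.137.36"}

if __name__ == "__main__":
    print("zone cut:", check_zone_cut(PARENT_NS, CHILD_NS))
    # SOA values from the h2n warning: refresh 1h, retry 30m, expire 2h
    print("SOA:", check_soa_timers(refresh=3600, retry=1800, expire=7200))
    print("dead NS targets:", check_ns_targets(CHILD_NS, A_RECORDS))
```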