RFC 2317 Delegation Problems
Edward Lewis
edlewis at arin.net
Wed Jun 23 00:48:35 UTC 2004
My suspicion is that there are some lame delegations. (I found it
too, see below.) I am happy that you used +trace. That's a good
tool. I also like to ask a resolver where it gets stuck; it helps
pinpoint the problem -
Try this:
dig -x 209.189.103.200 # - against any old resolver, followed by:
dig -x 209.189.103.200 +norec # - this will tell you where it gets stuck.
The result of the last is:
# ;; ANSWER SECTION:
# 200.103.189.209.in-addr.arpa. CNAME 200.192.103.189.209.in-addr.arpa.
#
# ;; AUTHORITY SECTION:
# 192.103.189.209.in-addr.arpa. NS t.ns.verio.net.
# 192.103.189.209.in-addr.arpa. NS b.ns.verio.net.
This means that the resolver is stuck trying to ask [tb].ns.verio.net.
Doing some more digging (no pun intended), you get to:
dig @b.ns.verio.net. 200.192.103.189.209.in-addr.arpa. ptr
; <<>> DiG 9.2.2 <<>> @b.ns.verio.net. 200.192.103.189.209.in-addr.arpa. ptr
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 12446
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 2, ADDITIONAL: 2
;; QUESTION SECTION:
;200.192.103.189.209.in-addr.arpa. IN PTR
;; AUTHORITY SECTION:
192.103.189.209.in-addr.arpa. 86400 IN NS dns.totalflood.com.
192.103.189.209.in-addr.arpa. 86400 IN NS dns2.totalflood.com.
;; ADDITIONAL SECTION:
dns.totalflood.com. 68352 IN A 12.47.198.108
dns2.totalflood.com. 68352 IN A 65.223.121.228
;; Query time: 64 msec
;; SERVER: 129.250.35.32#53(b.ns.verio.net.)
;; WHEN: Tue Jun 22 20:37:52 2004
;; MSG SIZE rcvd: 133
I.e., you're told to go to [tb].ns.verio.net for the info, and when you
get there, it says "I ain't got it - try there." Even though it seems
like BIND could follow one more step, it doesn't for fear that it
might be being led on an infinite path of referrals. It marks b
lame, then t, and gives up.
I suspect you need to make sure the ISP delegated to the right name servers.
(Other common boo-boos - not having A records for name servers, etc.)
I think this is the problem:
$ dig ns1.verio.net. +short
216.120.80.2
(Because I have v6 issues at the moment I need to do this by address.)
$ dig @216.120.80.2 192.103.189.209.in-addr.arpa. ns +norec
; <<>> DiG 9.2.2 <<>> @216.120.80.2 192.103.189.209.in-addr.arpa. ns +norec
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 7723
;; flags: qr; QUERY: 1, ANSWER: 0, AUTHORITY: 2, ADDITIONAL: 2
;; QUESTION SECTION:
;192.103.189.209.in-addr.arpa. IN NS
;; AUTHORITY SECTION:
192.103.189.209.in-addr.arpa. 14400 IN NS t.ns.verio.net.
192.103.189.209.in-addr.arpa. 14400 IN NS b.ns.verio.net.
;; ADDITIONAL SECTION:
b.ns.verio.net. 86400 IN A 129.250.35.32
t.ns.verio.net. 86400 IN A 192.67.14.16
;; Query time: 101 msec
;; SERVER: 216.120.80.2#53(216.120.80.2)
;; WHEN: Tue Jun 22 20:46:02 2004
;; MSG SIZE rcvd: 122
...Verio thinks you are on [bt].ns.verio.net. You have to ask them
to change that to your servers.
At 17:01 -0700 6/22/04, Stephen Carville wrote:
>I just got one of my ISP's to delegate 209.189.102.192/27 to my DNS servers
>by setting up CNAME records eg:
>
>200.103.198.209.in-addr-arpa. CNAME 200.192.103.198.209.in-addr-arpa.
>
>and delegated the zone 192.103.198.209.in-addr-arpa to my servers.
>
>If I go to an outside server and try
>
>$ dig -x 209.189.103.200 +trace
>
>; <<>> DiG 9.2.2-P3 <<>> -x 209.189.103.200 +trace
>;; global options: printcmd
>. 514079 IN NS K.ROOT-SERVERS.NET.
>. 514079 IN NS L.ROOT-SERVERS.NET.
>. 514079 IN NS M.ROOT-SERVERS.NET.
>. 514079 IN NS A.ROOT-SERVERS.NET.
>. 514079 IN NS B.ROOT-SERVERS.NET.
>. 514079 IN NS C.ROOT-SERVERS.NET.
>. 514079 IN NS D.ROOT-SERVERS.NET.
>. 514079 IN NS E.ROOT-SERVERS.NET.
>. 514079 IN NS F.ROOT-SERVERS.NET.
>. 514079 IN NS G.ROOT-SERVERS.NET.
>. 514079 IN NS H.ROOT-SERVERS.NET.
>. 514079 IN NS I.ROOT-SERVERS.NET.
>. 514079 IN NS J.ROOT-SERVERS.NET.
>;; Received 436 bytes from 192.168.1.1#53(192.168.1.1) in 2 ms
>
>209.in-addr.arpa. 86400 IN NS chia.arin.net.
>209.in-addr.arpa. 86400 IN NS dill.arin.net.
>209.in-addr.arpa. 86400 IN NS henna.arin.net.
>209.in-addr.arpa. 86400 IN NS indigo.arin.net.
>209.in-addr.arpa. 86400 IN NS epazote.arin.net.
>209.in-addr.arpa. 86400 IN NS figwort.arin.net.
>209.in-addr.arpa. 86400 IN NS ginseng.arin.net.
>;; Received 199 bytes from 193.0.14.129#53(K.ROOT-SERVERS.NET) in 182 ms
>
>103.189.209.in-addr.arpa. 86400 IN NS ns0.verio.net.
>103.189.209.in-addr.arpa. 86400 IN NS ns1.verio.net.
>103.189.209.in-addr.arpa. 86400 IN NS ns2.verio.net.
>103.189.209.in-addr.arpa. 86400 IN NS ns3.verio.net.
>103.189.209.in-addr.arpa. 86400 IN NS ns4.verio.net.
>;; Received 145 bytes from 192.5.6.32#53(chia.arin.net) in 115 ms
>
>200.103.189.209.in-addr.arpa. 14400 IN NS t.ns.verio.net.
>200.103.189.209.in-addr.arpa. 14400 IN NS b.ns.verio.net.
>;; Received 122 bytes from 129.250.15.61#53(ns0.verio.net) in 71 ms
>
>200.103.189.209.in-addr.arpa. 86400 IN CNAME 200.192.103.189.209.in-addr.arpa.
>192.103.189.209.in-addr.arpa. 86400 IN NS dns.totalflood.com.
>192.103.189.209.in-addr.arpa. 86400 IN NS dns2.totalflood.com.
>;; Received 151 bytes from 129.250.35.32#53(b.ns.verio.net) in 71 ms
>
>That looks right to me but if I try a dig -x it fails:
>
>$ dig -x 209.189.103.200
>
>; <<>> DiG 9.2.2-P3 <<>> -x 209.189.103.200
>;; global options: printcmd
>;; Got answer:
>;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 47252
>;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
>
>;; QUESTION SECTION:
>;200.103.189.209.in-addr.arpa. IN PTR
>
>;; Query time: 178 msec
>;; SERVER: 192.168.1.1#53(192.168.1.1)
>;; WHEN: Tue Jun 22 16:41:42 2004
>;; MSG SIZE rcvd: 46
>
>If I specify one of the two dns servers, I get the correct answer:
>
>dig @dns.totalflood.com -x 209.189.103.200
>
>; <<>> DiG 9.2.2-P3 <<>> @dns.totalflood.com -x 209.189.103.200
>;; global options: printcmd
>;; Got answer:
>;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 16015
>;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 3, ADDITIONAL: 3
>
>;; QUESTION SECTION:
>;200.103.189.209.in-addr.arpa. IN PTR
>
>;; ANSWER SECTION:
>200.103.189.209.in-addr.arpa. 86400 IN CNAME 200.192.103.189.209.in-addr.arpa.
>200.192.103.189.209.in-addr.arpa. 3600 IN PTR v200.totalflood.com.
>
>;; AUTHORITY SECTION:
>192.103.189.209.in-addr.arpa. 3600 IN NS dns.totalflood.com.
>192.103.189.209.in-addr.arpa. 3600 IN NS dns2.totalflood.com.
>192.103.189.209.in-addr.arpa. 3600 IN NS dns3.totalflood.com.
>
>;; ADDITIONAL SECTION:
>dns.totalflood.com. 3600 IN A 12.47.198.108
>dns2.totalflood.com. 3600 IN A 65.223.121.228
>dns3.totalflood.com. 3600 IN A 209.189.103.200
>
>;; Query time: 938 msec
>;; SERVER: 12.47.198.108#53(dns.totalflood.com)
>;; WHEN: Tue Jun 22 16:42:25 2004
>;; MSG SIZE rcvd: 205
>
>My ISP seems to be set up correctly and I seem to be set up correctly but the
>two aren't working together.
>
>My named.conf entry for the zone is straight-forward:
>
>zone "192.103.189.209.in-addr.arpa" {
> type master;
> file "209.189.103.192.db";
>};
>
>and the data file record is equally unremarkable.
>
>$TTL 3600
>@ IN SOA dns.totalflood.com. domainadmin.totalflood.com. (
> 8
> 3H
> 15M
> 1W
> 3600 )
> IN NS dns.totalflood.com.
> IN NS dns2.totalflood.com.
> IN NS dns3.totalflood.com.
>
>@ IN TXT "Tue Jun 22 15:32:02 2004"
>193 IN PTR v193.totalflood.com.
>etc...
>
>I'm using version 9.2.1
>
>Reading thru the archives I see I am not the only person who has had problems
>with RFC 2317 delegation. I don't feel so bad but I'd feel a whole lot
>better if someone could tell where my mistake is :-)
>
>--
>Stephen Carville
>Unix and Network Administrator
>DPSI
>6033 W.Century Blvd.
>Los Angeles, CA 90045
>310-342-3602
--
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Edward Lewis +1-703-227-9854
ARIN Research Engineer
"I can't go to Miami. I'm expecting calls from telemarketers." -
Grandpa Simpson.
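As an added example (not code from the thread, and not Lewis's, Carville's or BIND's), the Python script below does the two things the exchange above is about: it builds the parent-side RFC 2317 records for a classless block, using the naming style the thread uses (the block's first address as the label, e.g. 192.103.189.209.in-addr.arpa), and it runs the lame-delegation check Lewis performs by hand with dig +norec: ask the parent which servers it delegates the child zone to, then ask each of those servers for the zone's SOA without recursion and see whether it answers authoritatively. The SIMULATED table, query() and the other names are assumptions of this example; the table is a constructed copy of the dig output quoted in the thread so the script runs offline.

```python
"""Lame-delegation check for an RFC 2317 (classless in-addr.arpa) delegation.

Added example, not code from the bind-users thread or from BIND. The
responses below are a constructed, in-memory copy of what the dig output
in the thread shows, so the script runs offline; against a live setup,
replace query() with a real non-recursive (RD=0) lookup and read the AA
flag from the reply.
"""
import ipaddress
from dataclasses import dataclass, field


@dataclass
class Response:
    aa: bool                                       # authoritative-answer flag
    answer: list = field(default_factory=list)     # (owner, type, rdata)
    authority: list = field(default_factory=list)  # (zone, nsname) NS records


ZONE = "192.103.189.209.in-addr.arpa."   # the /27 child zone from the thread

# Constructed model of the RD=0 answers quoted in the thread, keyed by
# (server, qname, qtype). Verio's parent servers hand out t/b.ns.verio.net;
# those two only refer onward (AA clear) instead of answering; the
# totalflood servers answer authoritatively.
_REFER_TO_VERIO = Response(
    aa=False, authority=[(ZONE, "t.ns.verio.net."), (ZONE, "b.ns.verio.net.")])
_REFER_TO_TOTALFLOOD = Response(
    aa=False, authority=[(ZONE, "dns.totalflood.com."), (ZONE, "dns2.totalflood.com.")])
_SOA = Response(
    aa=True,
    answer=[(ZONE, "SOA", "dns.totalflood.com. domainadmin.totalflood.com. 8 3H 15M 1W 3600")],
    authority=[(ZONE, "dns.totalflood.com."), (ZONE, "dns2.totalflood.com."),
               (ZONE, "dns3.totalflood.com.")])

SIMULATED = {
    ("ns0.verio.net.", ZONE, "SOA"): _REFER_TO_VERIO,
    ("ns1.verio.net.", ZONE, "SOA"): _REFER_TO_VERIO,
    ("t.ns.verio.net.", ZONE, "SOA"): _REFER_TO_TOTALFLOOD,
    ("b.ns.verio.net.", ZONE, "SOA"): _REFER_TO_TOTALFLOOD,
    ("dns.totalflood.com.", ZONE, "SOA"): _SOA,
    ("dns2.totalflood.com.", ZONE, "SOA"): _SOA,
}


def query(server, qname, qtype):
    """Non-recursive lookup against one server (stand-in for `dig @server qname qtype +norec`)."""
    return SIMULATED.get((server, qname, qtype), Response(aa=False))


def child_zone(cidr):
    """Zone name for a classless block, first address of the block as the label
    (the style used in the thread). Only blocks smaller than a /24 need RFC 2317."""
    net = ipaddress.ip_network(cidr)
    if net.prefixlen <= 24:
        raise ValueError("RFC 2317 applies to blocks smaller than a /24")
    o1, o2, o3, o4 = str(net.network_address).split(".")
    return f"{o4}.{o3}.{o2}.{o1}.in-addr.arpa."


def rfc2317_parent_records(cidr, child_ns):
    """Records the parent /24 zone needs: NS records delegating the child zone
    to the customer's servers, plus one CNAME per address pointing into it."""
    child = child_zone(cidr)
    parent = child.split(".", 1)[1]            # e.g. 103.189.209.in-addr.arpa.
    records = [(child, "NS", ns) for ns in child_ns]
    for addr in ipaddress.ip_network(cidr):    # every address in the block
        last = str(addr).rsplit(".", 1)[1]
        records.append((f"{last}.{parent}", "CNAME", f"{last}.{child}"))
    return records


def delegated_ns(parent_server, zone):
    """Which servers the parent delegates `zone` to: the NS set in its referral."""
    reply = query(parent_server, zone, "SOA")
    return sorted({ns for z, ns in reply.authority if z == zone})


def lame_servers(zone, servers):
    """A server named in a delegation is lame if it does not answer the zone's
    SOA authoritatively (AA clear; typically it hands back a referral instead)."""
    return [s for s in servers if not query(s, zone, "SOA").aa]


def diagnose(cidr, parent_server):
    """Walk parent -> delegated servers and report which of them are lame."""
    zone = child_zone(cidr)
    servers = delegated_ns(parent_server, zone)
    return zone, servers, lame_servers(zone, servers)


if __name__ == "__main__":
    zone, servers, lame = diagnose("209.189.103.192/27", "ns0.verio.net.")
    print(f"{zone} is delegated to {servers}; lame: {lame}")
    for owner, rtype, rdata in rfc2317_parent_records(
            "209.189.103.192/27", ["dns.totalflood.com.", "dns2.totalflood.com."])[:4]:
        print(owner, "IN", rtype, rdata)
```

Run as-is, the check reports both t.ns.verio.net and b.ns.verio.net as lame for the child zone, which is the situation Lewis describes: the parent's NS records have to name the servers that actually answer authoritatively (here the totalflood ones), and the same check, with query() replaced by a real RD=0 lookup, is the one-liner to re-run after the ISP changes the delegation.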