Glue records cached, when they should be coming from zone

Tue Nov 20 23:55:33 UTC 2007

> Hello
> 
> Kevin Darcy wrote:
> > ns.lanwan.fi is *not* from the child zone, so you're authoritative for 
> > it and the TTL does not decrease.
> 
> It is not that simple. Look at this, ns1.ar.lanwan.fi vs. ns2.ar.lanwan.fi:
> 
>  >> The problem is clearly visible in this dig query. Look at the TTL of
>  >> ns1.ar.lanwan.fi A record. Why does ns2.ar.lanwan.fi have constant
>  >> default TTL while ns1 TTL is decrementing?
>  >>
>  >> ---8<---
>  >> $ dig ns ar.lanwan.fi. @ns.lanwan.fi.
>  >>
>  >> ; <<>> DiG 9.3.4 <<>> ns ar.lanwan.fi. @ns.lanwan.fi.
>  >> ; (1 server found)
>  >> ;; global options:  printcmd
>  >> ;; Got answer:
>  >> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1484
>  >> ;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 2, ADDITIONAL: 2
>  >>
>  >> ;; QUESTION SECTION:
>  >> ;ar.lanwan.fi.                  IN      NS
>  >>
>  >> ;; AUTHORITY SECTION:
>  >> ar.lanwan.fi.           86400   IN      NS      ns2.ar.lanwan.fi.
>  >> ar.lanwan.fi.           86400   IN      NS      ns1.ar.lanwan.fi.
>  >>
>  >> ;; ADDITIONAL SECTION:
>  >> ns1.ar.lanwan.fi.       32535   IN      A       213.255.168.10
>  >> ns2.ar.lanwan.fi.       86400   IN      A       213.255.168.20
>  >>
>  >> ;; Query time: 4 msec
>  >> ;; SERVER: 213.255.190.40#53(213.255.190.40)
>  >> ;; WHEN: Mon Nov 12 14:57:48 2007
>  >> ;; MSG SIZE  rcvd: 98
>  >> ---8<---
> 
> 
> > My question is: why do you characterize this as a "problem"? Seems to me 
> > everything is working as designed.
> 
> Because I have received several automated emails from our local .fi 
> registry complaining that lanwan.fi. zone is not correctly configured in 
> ns.lanwan.fi. The specific problem is the occasional lack of 
> ns1.ar.lanwan.fi and/or ns2.ar.lanwan.fi glue records.

	ns.lanwan.fi doesn't serve ar.lanwan.fi.  It is not required
	to return their addresses unless it is returning a referral
	for ar.lanwan.fi.

	The registry is wrong here as the glue is from a sub-zone.
	They are assuming that there isn't a lower zone cut.  Their
	robot needs to be fixed to handle this case.

	They should be making a non-recursive query for ns1.ar.lanwan.fi
	and then following the delegation down to the sub-zone to
	check that the address records are still correct.

	Mark
 
> >> ---8<---
> >> $ dig ns lanwan.fi. @ns.lanwan.fi.
> >>
> >> ; <<>> DiG 9.3.4 <<>> ns lanwan.fi. @ns.lanwan.fi.
> >> ; (1 server found)
> >> ;; global options:  printcmd
> >> ;; Got answer:
> >> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1313
> >> ;; flags: qr aa rd; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 2
> >>
> >> ;; QUESTION SECTION:
> >> ;lanwan.fi.                     IN      NS
> >>
> >> ;; ANSWER SECTION:
> >> lanwan.fi.              86400   IN      NS      ns2.ar.lanwan.fi.
> >> lanwan.fi.              86400   IN      NS      ns.lanwan.fi.
> >> lanwan.fi.              86400   IN      NS      ns1.ar.lanwan.fi.
> >>
> >> ;; ADDITIONAL SECTION:
> >> ns.lanwan.fi.           86400   IN      A       213.255.190.40
> >> ns1.ar.lanwan.fi.       47998   IN      A       213.255.168.10
> >>
> >> ;; Query time: 4 msec
> >> ;; SERVER: 213.255.190.40#53(213.255.190.40)
> >> ;; WHEN: Tue Nov 13 10:40:05 2007
> >> ;; MSG SIZE  rcvd: 115
> >> ---8<---
> 
> There should be A record for ns2.ar.lanwan.fi too, shouldn't there? Why 
> is it not there? What can I do to fix that?
> 
> BR,
> Tuomas
> 
> 
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: Mark_Andrews at isc.org