Bad delegation?

Sun Aug 31 00:42:29 UTC 2008

> I administer a web and mail server whose IP was changed some weeks
> ago.  Since then I've had intermittent problems, affecting only some
> of my users.  They get timeout errors when attempting to follow
> certain links on my web pages.
> 
> The server is cohosted at my ISP.  The DNS is handled by my domain
> registrar, Dreamhost.  (Previously I ran my own BIND server.)  All of
> the following looks OK to me:
> 
> $ dig @ns1.dreamhost.com -t any pinko.net
> 
> ; <<>> DiG 9.4.2-P1 <<>> @ns1.dreamhost.com -t any pinko.net
> ; (1 server found)
> ;; global options:  printcmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 10719
> ;; flags: qr aa rd; QUERY: 1, ANSWER: 6, AUTHORITY: 0, ADDITIONAL: 4
> ;; WARNING: recursion requested but not available
> 
> ;; QUESTION SECTION:
> ;pinko.net.			IN	ANY
> 
> ;; ANSWER SECTION:
> pinko.net.		14400	IN	A	208.79.2.3
> pinko.net.		14400	IN	NS	ns2.dreamhost.com.
> pinko.net.		14400	IN	NS	ns1.dreamhost.com.
> pinko.net.		14400	IN	SOA	ns1.dreamhost.com. hostmaster.d
> reamhost.com.
> 2008082600 20690 1800 1814400 14400
> pinko.net.		14400	IN	MX	10 debs.pinko.net.
> pinko.net.		14400	IN	NS	ns3.dreamhost.com.
> 
> ;; ADDITIONAL SECTION:
> ns2.dreamhost.com.	14400	IN	A	208.96.10.221
> ns3.dreamhost.com.	14400	IN	A	66.33.216.216
> debs.pinko.net.		14400	IN	A	208.79.2.3
> ns1.dreamhost.com.	14400	IN	A	66.33.206.206
> 
> ;; Query time: 65 msec
> ;; SERVER: 66.33.206.206#53(66.33.206.206)
> ;; WHEN: Tue Aug 26 19:10:19 2008
> ;; MSG SIZE  rcvd: 259
> 
> 
> Now let's query the TLD name servers for debs.pinko.net.  Note that
> the A record returned for debs.pinko.net is different; that is the old
> IP address.

	Well someone has registered debs.pinko.net as glue for a
	nameserver.  If it is a nameserver you need to update the
	record via your registrar.  If it is not a nameserver you
	should remove the record via your registar.

	Mark

> $ dig @a.gtld-servers.net debs.pinko.net
> 
> ; <<>> DiG 9.4.2-P1 <<>> @a.gtld-servers.net debs.pinko.net
> ; (1 server found)
> ;; global options:  printcmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 26253
> ;; flags: qr rd; QUERY: 1, ANSWER: 1, AUTHORITY: 3, ADDITIONAL: 3
> ;; WARNING: recursion requested but not available
> 
> ;; QUESTION SECTION:
> ;debs.pinko.net.			IN	A
> 
> ;; ANSWER SECTION:
> debs.pinko.net.		172800	IN	A	204.96.181.68
> 
> ;; AUTHORITY SECTION:
> pinko.net.		172800	IN	NS	ns1.dreamhost.com.
> pinko.net.		172800	IN	NS	ns2.dreamhost.com.
> pinko.net.		172800	IN	NS	ns3.dreamhost.com.
> 
> ;; ADDITIONAL SECTION:
> ns1.dreamhost.com.	172800	IN	A	66.33.206.206
> ns2.dreamhost.com.	172800	IN	A	208.96.10.221
> ns3.dreamhost.com.	172800	IN	A	66.33.216.216
> 
> ;; Query time: 74 msec
> ;; SERVER: 192.5.6.30#53(192.5.6.30)
> ;; WHEN: Tue Aug 26 19:13:02 2008
> ;; MSG SIZE  rcvd: 163
> 
> 
> Albitz & Liu, DNS and BIND, says this indicates a delegation problem,
> if I understand them correctly.  So does this:
> 
> $ dig @a.gtld-servers.net -t ns pinko.net
> 
> ; <<>> DiG 9.4.2-P1 <<>> @a.gtld-servers.net -t ns pinko.net
> ; (1 server found)
> ;; global options:  printcmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 32942
> ;; flags: qr rd; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 3
> ;; WARNING: recursion requested but not available
> 
> ;; QUESTION SECTION:
> ;pinko.net.			IN	NS
> 
> ;; ANSWER SECTION:
> pinko.net.		172800	IN	NS	ns1.dreamhost.com.
> pinko.net.		172800	IN	NS	ns2.dreamhost.com.
> pinko.net.		172800	IN	NS	ns3.dreamhost.com.
> 
> ;; ADDITIONAL SECTION:
> ns1.dreamhost.com.	172800	IN	A	66.33.206.206
> ns2.dreamhost.com.	172800	IN	A	208.96.10.221
> ns3.dreamhost.com.	172800	IN	A	66.33.216.216
> 
> ;; Query time: 79 msec
> ;; SERVER: 192.5.6.30#53(192.5.6.30)
> ;; WHEN: Tue Aug 26 19:17:04 2008
> ;; MSG SIZE  rcvd: 142
> 
> 
> I understand the parent shouldn't be handing out NS records in the
> answer section, rather, they should appear in the authority section.
> 
> 
> Verisign says "talk to Dreamhost."  Dreamhost says "our servers are
> functioning properly."  If this is indeed bad delegation, what's the
> right way to solve the problem?  Or is my diagnosis wrong?
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: Mark_Andrews at isc.org