Bind and possible redundancy flaw.

Noah McNallie lists at xzziroz.net
Thu Feb 21 05:17:23 UTC 2008 

Noah McNallie wrote:
> Mark Andrews wrote:
>>>>     nameservers work out which servers are correctly configured
>>>>     and which ones arn't.
>>>>
>>>>     "dig +trace" doesn't try to do that.
>>>>
>>>>     Mark
>>>>         
>>> so it's legit that if a query for a server has a NS listed that has 
>>> no records for that server, the entire query should immediately fail?
>>>     
>>
>>     Put the question in context.  As it is there are so many
>>     variable left unstated that the answer could be "yes", "no"
>>     or "maybe".
>>
>>     Mark
>>   
> k, well, it's not too important to get fixed if it's not a normal 
> scenario. i don't much mind if it gets fixed at all because even if it 
> was the end of the world i'd be smart enough to get the ips of 
> anything that was routable to me ;) but just for the sake of curiosity 
> perhaps, the scenario (although a bit sketchy as it may seem) is 
> detailed:
>
> 2.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.5.0.3.0.7.0.f.1.0.7.4.0.1.0.0.2.ip6.arpa 
> is the zone
>
> this is how that flows:
>
> ip6.arpa.               172800  IN      NS      SEC1.APNIC.NET.
> ip6.arpa.               172800  IN      NS      NS.ICANN.ORG.
> ip6.arpa.               172800  IN      NS      TINNIE.ARIN.NET.
> ip6.arpa.               172800  IN      NS      NS.LACNIC.NET.
> ip6.arpa.               172800  IN      NS      NS-SEC.RIPE.NET.
> ;; Received 220 bytes from 192.203.230.10#53(E.ROOT-SERVERS.NET) in 
> 120 ms
>
> 0.7.4.0.1.0.0.2.ip6.arpa. 10800 IN      NS      ns2.ipv6.he.net.
> 0.7.4.0.1.0.0.2.ip6.arpa. 10800 IN      NS      ns1.ipv6.he.net.
> ;; Received 137 bytes from 202.12.29.59#53(SEC1.APNIC.NET) in 277 ms
>
> 5.0.3.0.7.0.f.1.0.7.4.0.1.0.0.2.ip6.arpa. 5000 IN NS ip6.sytes.net.
> ;; Received 117 bytes from 64.71.189.2#53(ns2.ipv6.he.net) in 122 ms
>
> ----
>
> ip6.sytes.net points to my solaris/ultrasparc server at home on static 
> ip assignment. what I had previously done is also had ip6.zapto.org as 
> a nameserver for the range through he.net's interface to where 
> ns(1|2).ipv6.he.net would respond with both of them, and this is when 
> half the internet decided not to succeed on a PTR request for the 
> range, after removing ip6.zapto.org everything worked fine instantly. 
> btw, ip6.zapto.org is an A pointing to the A of ns1.earthlink.net 
> (which had no records because it was simply there so people would not 
> see one nameserver listend and thing oh yay! ddos! maybe it's his home 
> server!) and i completely understand that such is not a legit purpose 
> or reason for the email, it simply made my think further and ask why 
> half the internet would fail to resolve a query just because one of 
> the listed name servers has no records pertaining to the query.
>
> n0ah
>
>
>
sorry that's not the zone, that's the ip i was resolving: 
http://xzziroz.net/db.xzziroz.5.0.3.0.7.0.f.1.3.7.4.0.1.0.0.2.ip6.arpa
that should be the zone, i think i was going to add a TXT in there such 
as TXT  "2001:470:1f07:305::/64 authority"

n0ah

More information about the bind-users mailing list