Relevant RFC on A records for NS's

Kal Feher kalman.feher at melbourneit.com.au
Thu Apr 30 10:54:08 UTC 2009


Firstly, I should say that I agree with those who think the tool is a little
suspect in its efficacy. I tried a few domains under some ccTLDs and it
appears as if the code assumes only gTLDs.

Nevertheless, it may be instructive to describe what you saw, Scott.
You have 2 name servers:
$ dig ns newgeo.com +short
ns1.hostwizard.com.
ns1.nacio.com.

Let's check where they are delegated:
First, the hostwizard domain:
$ dig ns hostwizard.com +short
ns1.hostwizard.com.
ns1.nacio.com.

Now nacio:
$ dig ns nacio.com +short
ns1.nacio.com.
ns3.nacio.com.
ns2.nacio.com.

So what _should_ we see if I query ns1.nacio.com for hostwizard.com?
Since the domain is delegated there, I would expect an authoritative answer.

 $ dig a ns1.hostwizard.com @ns1.nacio.com

; <<>> DiG 9.4.2-P2 <<>> a ns1.hostwizard.com @ns1.nacio.com
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1579
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 1
;; WARNING: recursion requested but not available

;; QUESTION SECTION:
;ns1.hostwizard.com.            IN      A

;; ANSWER SECTION:
ns1.hostwizard.com.     3600    IN      A       64.84.37.14

;; AUTHORITY SECTION:
hostwizard.com.         3600    IN      NS      ns1.nacio.com.
hostwizard.com.         3600    IN      NS      ns1.hostwizard.com.

;; ADDITIONAL SECTION:
ns1.nacio.com.          3600    IN      A       64.84.0.18

;; Query time: 177 msec
;; SERVER: 64.84.0.18#53(64.84.0.18)
;; WHEN: Thu Apr 30 20:45:00 2009


But what if I do the reverse? That is, query ns1.hostwizard.com for
ns1.nacio.com. We know that nacio.com isn't delegated to it. What should
ns1.hostwizard.com answer? Normally either an upward referral to the root
servers or (if caching is disabled) REFUSED. I added some *s for
emphasis.

 $ dig ns1.nacio.com @ns1.hostwizard.com +norec

; <<>> DiG 9.4.2-P2 <<>> ns1.nacio.com @ns1.hostwizard.com +norec
;; global options:  printcmd
;; Got answer:
****;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 35446
;; flags: qr; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;ns1.nacio.com.                 IN      A

;; Query time: 250 msec
;; SERVER: 64.84.37.14#53(64.84.37.14)
;; WHEN: Thu Apr 30 20:49:50 2009


ns1.hostwizard looks like it isn't answering from cache (which is fine). So
you shouldn't worry. Sorry for the overly verbose response ;)


On 30/4/09 12:02 PM, "Sten Carlsen" <ccc2716 at vip.cybercity.dk> wrote:

> I get the same error when checking my own domain. A check with dig
> results in proving that the tool is wrong.
> 
> Scott Haneda wrote:
>> On Apr 30, 2009, at 1:43 AM, Kal Feher wrote:
>> 
>>> When I clicked on that link the only error was an MNAME error. Did you see
>>> another error? (I wonder if it was a transient error you observed, because
>>> it appears different to yours).
>>> The error according to the report (run against isc.org):
>>> 
>>> "ERROR: Your SOA (Start of Authority) record states that your master
>>> (primary) name server is: ns-int.isc.org. That server is not listed at the
>>> parent servers, which is not correct."
>> 
>> I knew I should have taken a screen shot :)
>> I consistently get a "No NS A Records at nameservers"
>> 
>> Here is what I see:
>> http://dl.getdropbox.com/u/340087/Drops/04.30.09/isc.org-report-64e3ad8b-022856.jpg
>> 
>> 
>> For the sake of being thorough, here is mine, same error:
>> http://dl.getdropbox.com/u/340087/Drops/04.30.09/newgeo.com-report-53486995-022950.jpg
>> 
>> 
>>> $ dig soa isc.org +short
>> 
>> Well hey, that +short option is pretty nice, thanks!
>> 
>>> Checking your domain: newgeo.com (did you mean this one or another?).
>>> The
>> 
>> No, that one is relevant, though I suspect since this comes back to a
>> NS, it is going to say that for all my zones.
>> 
>>> error is a different one.
>>> Your name servers:
>>> $ dig ns newgeo.com +short
>>> ns1.nacio.com.
>>> ns1.hostwizard.com.
>>> 
>>> Now the report wants to check each name server:
>>> 
>>> $ dig ns1.hostwizard.com @ns1.nacio.com +short
>>> 64.84.37.14
>>> That worked.
>>> 
>>> $ dig ns1.nacio.com @ns1.hostwizard.com
>>> 
>>> ; <<>> DiG 9.4.2-P2 <<>> ns1.nacio.com @ns1.hostwizard.com
>>> ;; global options:  printcmd
>>> ;; Got answer:
>>> ;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 24774
>>> ;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
>>> ;; WARNING: recursion requested but not available
>>> 
>>> ;; QUESTION SECTION:
>>> ;ns1.nacio.com.                 IN      A
>>> This one didn't.
>>> 
>>> So to answer your question "what is this error asking of me?": it wants
>>> ns1.hostwizard.com to reply as ns1.nacio.com did. Specifically, to answer an
>>> A record query for ns1.nacio.com.
>> 
>> To make sure I understand, as I am finding the No A record error on
>> average 80% of the random domains I am comparing against...
>> 
>> In my zone for hostwizard.com I would add in
>> ns1.nacio.com. IN A 64.84.0.18
>> 
>> I am not sure I understand this.  I am not in any way in control of
>> ns1.nacio.com.  They merely slave my server.  They obviously have an A
>> record for ns1.nacio.com, and can maintain and control that.
>> 
>> I would be adding in an A record, pointing to an IP address, and now
>> have to watch and maintain their IP space, to be sure that IP does not
>> ever change.  If it does change, and I am not on top of that, things
>> are going to get a little wonky.
>> 
>> * Please refer to the screen shots in this email, I am going to toss
>> in some test records now, so your results may not match up well if you
>> do live testing.

-- 
Kal Feher
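As an added example (not part of the thread), a small stdlib-only Python checker that parses dig's text output and classifies a reply the way the message above reasons about it: an authoritative answer when the server is delegated the zone, or REFUSED / an upward referral when it is not. The first two samples are copied (trimmed) from the dig runs in the message; the root-referral sample is constructed.

```python
import re

# Header lines exactly as dig prints them; lstrip("*") tolerates the emphasis stars added in the post.
HEADER_RE = re.compile(r";; ->>HEADER<<- opcode: \w+, status: (\w+)")
FLAGS_RE = re.compile(r";; flags: ([a-z ]*); QUERY: \d+, ANSWER: (\d+), AUTHORITY: (\d+)")

def classify_dig(output: str) -> dict:
    """Return status, flags, answer count, AUTHORITY NS owners and a one-line verdict."""
    status, flags, answers, ns_owners, in_auth = "UNKNOWN", set(), 0, [], False
    for raw in output.splitlines():
        line = raw.lstrip("*")
        if m := HEADER_RE.search(line):
            status = m.group(1)
        elif m := FLAGS_RE.search(line):
            flags, answers = set(m.group(1).split()), int(m.group(2))
        elif line.startswith(";; AUTHORITY SECTION:"):
            in_auth = True
        elif in_auth:  # collect NS owners until a blank line or the next section ends the block
            f = line.split()
            in_auth = len(f) >= 5 and f[3] == "NS"
            if in_auth: ns_owners.append(f[0])
    if status == "REFUSED":
        verdict = "refused: server is not authoritative for the name and serves no cache"
    elif status == "NOERROR" and answers:
        verdict = "authoritative answer" if "aa" in flags else "non-authoritative (cached) answer"
    elif status == "NOERROR" and ns_owners and set(ns_owners) == {"."}:
        verdict = "upward referral to the root servers"
    elif status == "NOERROR" and ns_owners:
        verdict = "referral to " + ", ".join(sorted(set(ns_owners)))
    else:
        verdict = f"other ({status})"
    return {"status": status, "flags": flags, "answers": answers, "ns_owners": ns_owners, "verdict": verdict}

# Copied (trimmed) from the post: ns1.nacio.com answering for a zone delegated to it.
AUTHORITATIVE = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1579
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 1
;; AUTHORITY SECTION:
hostwizard.com.         3600    IN      NS      ns1.nacio.com.
hostwizard.com.         3600    IN      NS      ns1.hostwizard.com.
"""
# Copied (trimmed) from the post: ns1.hostwizard.com asked about a name outside its zones.
REFUSED = """\
****;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 35446
;; flags: qr; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
"""
# Constructed sample: the other acceptable reply, an upward referral to the root.
ROOT_REFERRAL = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1
;; flags: qr; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
;; AUTHORITY SECTION:
.                       518400  IN      NS      a.root-servers.net.
"""
```

Run against real output with `dig a <nsname> @<server> +norec` piped in; a REFUSED or root referral from a server that is not delegated the name is the expected outcome, not a missing A record.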

