Reverse DNS Dig returning PTR results only with trace option

Mark Andrews marka at isc.org
Tue Nov 10 21:58:05 UTC 2009 

In message <4AF9A220.9070100 at cyzap.com>, Raj Adhikari writes:
> Hi Guys,
> I have a 63.254.134.224/28 delegated from ns1.cyzap.net to
> ns1.moneytreesystems.com. The dig with trace only shows the PTR record.
> Surprisingly, it starts acting normal after I do the dig on
> ns1.cyzap.net. See the dig output below.
> 
> Here is the output:
> Simple dig to 63.254.234.228.
> $ dig -x 63.254.134.228
> 
> ; <<>> DiG 9.3.4 <<>> -x 63.254.134.228
> ;; global options:  printcmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 23703
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
> 
> ;; QUESTION SECTION:
> ;228.134.254.63.in-addr.arpa.   IN      PTR
> 
> ;; Query time: 9 msec
> ;; SERVER: 127.0.0.1#53(127.0.0.1)
> ;; WHEN: Tue Nov 10 11:09:36 2009
> ;; MSG SIZE  rcvd: 45
> -----------------------------------------------------------------
> Now do dig +trace
> $ dig -x 63.254.134.228 +trace
> 
> ; <<>> DiG 9.3.4 <<>> -x 63.254.134.228 +trace
> ;; global options:  printcmd
> .                       346584  IN      NS      C.ROOT-SERVERS.NET.
> .                       346584  IN      NS      D.ROOT-SERVERS.NET.
> .                       346584  IN      NS      E.ROOT-SERVERS.NET.
> .                       346584  IN      NS      F.ROOT-SERVERS.NET.
> .                       346584  IN      NS      G.ROOT-SERVERS.NET.
> .                       346584  IN      NS      H.ROOT-SERVERS.NET.
> .                       346584  IN      NS      I.ROOT-SERVERS.NET.
> .                       346584  IN      NS      J.ROOT-SERVERS.NET.
> .                       346584  IN      NS      K.ROOT-SERVERS.NET.
> .                       346584  IN      NS      L.ROOT-SERVERS.NET.
> .                       346584  IN      NS      M.ROOT-SERVERS.NET.
> .                       346584  IN      NS      A.ROOT-SERVERS.NET.
> .                       346584  IN      NS      B.ROOT-SERVERS.NET.
> ;; Received 500 bytes from 127.0.0.1#53(127.0.0.1) in 20 ms
> 
> 63.in-addr.arpa.        86400   IN      NS      X.ARIN.NET.
> 63.in-addr.arpa.        86400   IN      NS      BASIL.ARIN.NET.
> 63.in-addr.arpa.        86400   IN      NS      DILL.ARIN.NET.
> 63.in-addr.arpa.        86400   IN      NS      HENNA.ARIN.NET.
> 63.in-addr.arpa.        86400   IN      NS      INDIGO.ARIN.NET.
> 63.in-addr.arpa.        86400   IN      NS      Y.ARIN.NET.
> 63.in-addr.arpa.        86400   IN      NS      Z.ARIN.NET.
> ;; Received 181 bytes from 192.33.4.12#53(C.ROOT-SERVERS.NET) in 90 ms
> 
> 254.63.in-addr.arpa.    86400   IN      NS      NS3.MCLEODUSA.NET.
> 254.63.in-addr.arpa.    86400   IN      NS      NS2.MCLEODUSA.NET.
> 254.63.in-addr.arpa.    86400   IN      NS      NS1.MCLEODUSA.NET.
> ;; Received 112 bytes from 192.55.83.32#53(BASIL.ARIN.NET) in 173 ms
> 
> 228.134.254.63.in-addr.arpa. 7200 IN    NS      ns2.cyzap.net.
> 228.134.254.63.in-addr.arpa. 7200 IN    NS      ns1.cyzap.net.
> ;; Received 90 bytes from 209.253.113.19#53(NS3.MCLEODUSA.NET) in 26 ms

228.134.254.63.in-addr.arpa is delegated to ns1.cyzap.net and
ns2.cyzap.net.
 
> 228.134.254.63.in-addr.arpa. 3600 IN    NS      ns2.moneytreesystems.com.
> 228.134.254.63.in-addr.arpa. 3600 IN    NS      ns1.moneytreesystems.com.
> ;; Received 160 bytes from 64.253.181.53#53(ns2.cyzap.net) in 1 ms

ns1.cyzap.net and ns2.cyzap.net then claim they don't serve
228.134.254.63.in-addr.arpa but that it is served by
ns1.moneytreesystems.com and ns2.moneytreesystems.com.  This is a
broken delegation and it needs to be fixed.

Named detects this breakage, but this version of dig doesn't as it
doesn't do checks to ensure that the new referral improves the
situation.

Mark

> 228.134.254.63.in-addr.arpa. 3600 IN    PTR    
> test228.moneytreesystems.com.
> ;; Received 87 bytes from 63.254.134.214#53(ns2.moneytreesystems.com) in
> 3 ms
> 
> -----------------------------------------------------------------------------
> -------------------------------
> Now, I will do a dig on sn1.cyzap.net which has delegated this IP from
> ns1.cyzap.net to ns1.moneytreesystems.com
> $ dig @ns1.cyzap.net -x 63.254.134.228
> 
> ; <<>> DiG 9.3.4 <<>> @ns1.cyzap.net -x 63.254.134.228
> ; (1 server found)
> ;; global options:  printcmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 60256
> ;; flags: qr aa; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
> 
> ;; QUESTION SECTION:
> ;228.134.254.63.in-addr.arpa.   IN      PTR
> 
> ;; ANSWER SECTION:
> 228.134.254.63.in-addr.arpa. 3600 IN    PTR    
> test228.moneytreesystems.com.
> 
> ;; Query time: 3 msec
> ;; SERVER: 63.254.134.3#53(63.254.134.3)
> ;; WHEN: Tue Nov 10 11:11:55 2009
> ;; MSG SIZE  rcvd: 87
> -----------------------------------------------------------------------------
> ----------------------------
> Now, I will do a simple dig again.
> $ dig -x 63.254.134.228
> 
> ; <<>> DiG 9.3.4 <<>> -x 63.254.134.228
> ;; global options:  printcmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 21096
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 2
> 
> ;; QUESTION SECTION:
> ;228.134.254.63.in-addr.arpa.   IN      PTR
> 
> ;; ANSWER SECTION:
> 228.134.254.63.in-addr.arpa. 3599 IN    PTR    
> test228.moneytreesystems.com.
> 
> ;; AUTHORITY SECTION:
> 228.134.254.63.in-addr.arpa. 7057 IN    NS      ns1.cyzap.net.
> 228.134.254.63.in-addr.arpa. 7057 IN    NS      ns2.cyzap.net.
> 
> ;; ADDITIONAL SECTION:
> ns1.cyzap.net.          12523   IN      A       63.254.134.3
> ns2.cyzap.net.          1723    IN      A       64.253.181.53
> 
> ;; Query time: 7 msec
> ;; SERVER: 127.0.0.1#53(127.0.0.1)
> ;; WHEN: Tue Nov 10 11:11:56 2009
> ;; MSG SIZE  rcvd: 164
> 
> -----------------------------------------------------------------------------
> Now I can do a dig for an hour or so. But again I run into same problem.
> It wont return PTR record unless I explicitly do dig on ns1.cyzap.net.
> Also, the last did showing ns1.cyzap.net as Authority NS for this IP.
> But trace showing ns1.moneytreesystems.com as final sender.
> 
> Could someone shed a light on this?
> 
> Overall, I was trying to achieve delegation of subnet from ns1.cyzap.net
> to ns1.moneytreesystems.com. I tried RFC 2317, but that is suing CNAME
> and having a lot of problem. So I just delegated each one of single IP
> on my /28 subnet from ns1.cyzap.net to ns1.moneytreesystems.com.. Please
> have some suggestion to make it work completely with authoritative to be
> ns1.moneytreesystems.com.
> 
> Thank you,
> Rajendra Adhikari
> 
> 
> _______________________________________________
> bind-users mailing list
> bind-users at lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka at isc.org

More information about the bind-users mailing list