new here

john jbond at ripe.net
Wed May 2 18:47:03 UTC 2012


Hi David,

I think first your ISP needs to fix their delegation. If we look at
their chain we see
dig ns 16.98.in-addr.arpa +short
ns2-auth.windstream.net.
ns1-auth.windstream.net.
ns4-auth.windstream.net.
ns3-auth.windstream.net.

however the authoritative server has a different set

dig ns 16.98.in-addr.arpa +short @ns1-auth.windstream.net.
padnsauth02.admin.windstream.net.
nednsauth02.admin.windstream.net.
padnsauth01.admin.windstream.net.
nednspri01.admin.windstream.net.
nednsauth01.admin.windstream.net.

Unfortunately querying for any of the above gives a SERVFAIL
dig ns 16.98.in-addr.arpa +short @ns1-auth.windstream.net. | while read line ; do dig $line ; done | grep status
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 53909
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 43623
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 53120
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 37551
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 6656

This appears to be caused by a refuse at the windstream.net domain
dig nednsauth01.admin.windstream.net. @NS1-AUTH.WINDSTREAM.NET.

; <<>> DiG 9.7.3-P3 <<>> ns nednsauth01.admin.windstream.net. @NS1-AUTH.WINDSTREAM.NET.
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 403
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
;; WARNING: recursion requested but not available

This is probably caused because admin.windstream.net. is in an internal
view[1].  Your ISP needs to fix their in-zone nsset to point to the
external addresses.  The ones referred to by the parent are all
authoritative so they should probably be using them.

dig ns 16.98.in-addr.arpa +short | while read line ; do dig soa 16.98.in-addr.arpa @$line ; done | grep flags
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0



On 5/2/12 7:01 PM, David wrote:
> Here is what they show on their logs:
> 
> 01-May-2012 09:07:30.868 transfer of '104-22.16.98.in-addr.arpa/IN' from
> 98.16.104.14#53: connected using 207.91.5.70#40513
> 01-May-2012 09:07:30.971 transfer of '104-22.16.98.in-addr.arpa/IN' from
> 98.16.104.14#53: failed while receiving responses: NOTAUTH
> 01-May-2012 09:07:30.971 transfer of '104-22.16.98.in-addr.arpa/IN' from
> 98.16.104.14#53: end of transfer
After this it's hard to guess what they are doing internally.  It looks
like they want you to set up a domain of 104-22.16.98.in-addr.arpa.
Which they will transfer from you.  After the transfer they would need
to merge the zone into the parent.  RFC 2317 style delegations do not
work for netblocks larger than a /25.  Although I would guess from the
below that they are, as Ben suggested, trying to do this.

dig ns 104-22.16.98.in-addr.arpa @NS1-AUTH.WINDSTREAM.NET.

; <<>> DiG 9.7.3-P3 <<>> ns 104-22.16.98.in-addr.arpa @NS1-AUTH.WINDSTREAM.NET.
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 18018

dig ns 104.16.98.in-addr.arpa @NS1-AUTH.WINDSTREAM.NET.

; <<>> DiG 9.7.3-P3 <<>> ns 104.16.98.in-addr.arpa @NS1-AUTH.WINDSTREAM.NET.
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 4761
;; flags: qr aa rd; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0

Unfortunately before you can continue to troubleshoot this you would
need to get your ISP to fix their stuff.  You should also ask what they
are trying to do in requesting a transfer of 104-22.16.98.in-addr.arpa
from you, instead of just delegating all of the /24 blocks to your servers.

regards
john

[1]also suggested as we get Refused for the following
dig  NS admin.windstream.net. @NS1-AUTH.WINDSTREAM.NET.
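
Added example, not part of John's message or of any project's code: the NS-set comparison done by hand in the message above, as a shell script that reports every name present in only one of the two sets. The function names and SAMPLE_ variables are introduced here; the sample lists are copied from the dig output quoted in the message.

```shell
#!/bin/sh
# NS names as returned by the first dig in the message (the delegation chain).
SAMPLE_DELEGATED='ns2-auth.windstream.net.
ns1-auth.windstream.net.
ns4-auth.windstream.net.
ns3-auth.windstream.net.'
# NS names published by the authoritative server itself (second dig).
SAMPLE_SERVED='padnsauth02.admin.windstream.net.
nednsauth02.admin.windstream.net.
padnsauth01.admin.windstream.net.
nednspri01.admin.windstream.net.
nednsauth01.admin.windstream.net.'

# Read one NS name per line on stdin; lowercase, strip whitespace and the
# trailing root dot, drop empty lines, sort and de-duplicate.
normalize_ns() {
    tr 'A-Z' 'a-z' |
        sed -e 's/[[:space:]]//g' -e 's/\.$//' -e '/^$/d' |
        LC_ALL=C sort -u
}

# ns_mismatch DELEGATED_LIST SERVED_LIST
# Prints "delegated-only NAME" or "served-only NAME" for each name found in
# just one set. Returns 0 when the sets agree and 1 when they differ.
ns_mismatch() {
    p=$(mktemp)
    c=$(mktemp)
    printf '%s\n' "$1" | normalize_ns > "$p"
    printf '%s\n' "$2" | normalize_ns > "$c"
    out=$( { LC_ALL=C comm -23 "$p" "$c" | sed 's/^/delegated-only /'
             LC_ALL=C comm -13 "$p" "$c" | sed 's/^/served-only /'; } )
    rm -f "$p" "$c"
    [ -z "$out" ] && return 0
    printf '%s\n' "$out"
    return 1
}

# Live variant using the same two dig invocations as the message
# (needs network access): check_delegation ZONE AUTHORITATIVE_SERVER
check_delegation() {
    ns_mismatch "$(dig ns "$1" +short)" "$(dig ns "$1" +short @"$2")"
}

# Offline run on the sample data above; all nine names differ.
ns_mismatch "$SAMPLE_DELEGATED" "$SAMPLE_SERVED" || true
```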



