need another pair of eyes: edu/net (educause?) glue issues?
michael.hare at wisc.edu
Wed Oct 18 18:09:53 UTC 2017
Sorry for the wide blast (and long email), but perhaps some fellow .edu's can help us through this one.
I'm one of the DNS admins for wisc.edu. An academic group on campus has noticed an issue with the atecentral.net delegation, for which two of the listed NS are on campus.
$ dig atecentral.net NS +short
dns2.scout.wisc.edu. <------------- on campus
dns.scout.wisc.edu. <------------- on campus
wisc.edu is authoritative for scout.wisc.edu and return the following correct A records
$ dig scout.wisc.edu NS +short | sort
adns1.doit.wisc.edu:dns.scout.wisc.edu. 14400 IN A 126.96.36.199
adns2.doit.wisc.edu:dns.scout.wisc.edu. 14400 IN A 188.8.131.52
adns3.doit.wisc.edu:dns.scout.wisc.edu. 14400 IN A 184.108.40.206
adns1.doit.wisc.edu:dns2.scout.wisc.edu. 14400 IN A 220.127.116.11
adns2.doit.wisc.edu:dns2.scout.wisc.edu. 14400 IN A 18.104.22.168
adns3.doit.wisc.edu:dns2.scout.wisc.edu. 14400 IN A 22.214.171.124
$ dig @126.96.36.199 atecentral.net NS +short
It appears that there is some bad glue "somewhere" and I'm having trouble finding where it is coming from.
dig +norecurse @b.gtld-servers.net atecentral.net NS
;; ADDITIONAL SECTION:
dns.axisdata.com. 172800 IN A 188.8.131.52
dns.scout.wisc.edu. 172800 IN A 184.108.40.206 <---------------- WRONG
dns2.scout.wisc.edu. 172800 IN A 220.127.116.11 <---------------- WRONG
note: local admins have enabled DNS servers on 170.199 and 170.200 as a short term measure until this can be resolved, so if you dig against those incorrect IPs directly you will get an answer (for now).
We have asked the scout.wisc.edu folks to check the atecentral.net delegation and received the following response: "... I checked with Namecheap, where atecentral.net is registered, and they say that the glue record values are supplied to the root nameservers by the registrar for the top-level domain where the names are located (wisc.edu, in this case, so Educause/VeriSign) ...."
And this matches my memory as well. As recent as June 2017 when an NS inside a .edu was also the NS for another domain (for example, a .org), wearing my wisc.edu DNS admin hat I would log into the educause domain portal and add/update glue, the production example being uwhealth.org which has NS inside the wisc.edu namespace.
My suspicious is that the glue stuck in gtld is supplied by educause however educause (who recently went through a major facelift of their portal, net.educause.edu) is claiming no such thing has ever existed. I'm not convinced, but there is an off chance early senility is setting in. I have a screenshot from June 2017 (without URL, unfortunately) of our list of "glue" from what I'm 99% sure is the old net.educause.edu portal however educause is claiming adamantly (yes, we have escalated a ticket) that my screenshot is not from their old portal.
I see other screenshots on the web of the old net.educause.edu website that shows basically the same design theme (color) as my screenshot. You'll note my screenshot from June 2017 from "somewhere" has the wrong IPs for dns.scout.wisc.edu and dns2.scout.wisc.edu.
found on web: https://image.slidesharecdn.com/edu-dnssec-151026011336-lva1-app6891/95/edu-dnssec-testbed-27-638.jpg?cb=1445822096
For info from an old thread related to a similar thing we did at wisc.edu ~10 years ago: https://arstechnica.com/civis/viewtopic.php?f=10&t=97332, but I digress.
I can't dump the .edu zonefile and educause (for now) is denying culpability. My 'dig' foo is weak enough that I can't come up with a damning output to know where to go from here. Any ideas?
More information about the bind-users