DNS Resolution 'Flapping' -- PLEASE HELP
Frederick Lowe
frederick at lecltd.com
Tue Apr 25 20:19:09 UTC 2000
PROBLEM OUTLINE:
DNS resolution 'flaps' for the following FQDN:
www.cmdrealty.com
The authoritative hosts for this domain are:
ns0.enteract.com (primary)
bifrost.seastrom.com (secondary)
PARTY DETAIL:
There are three companies directly involved in this problem:
CMD Realty Investors
(the client for whom services are provided, and registrant of the domain
cmdrealty.com)
Enteract
(the DNS provider and name authority)
LEC Limited
(the Interactive agency on whose machines the Web sites for
www.cmdrealty.com and www.cmdrealtyinvestors.com are hosted).
PROBLEM DESCRIPTION:
For about 45 days, we have been seeing some bizarre behavior with regard
to resolution of the FQDN www.cmdrealty.com.
The syntax of the SOA records for is included for reference:
#------------------------------------------------------------------
@ 1D IN SOA enteract.com. root.enteract.com.
(
2000041301 ; serial
1H ; refresh
1H ; retry
1W ; expiry
1D ) ; minimum
1D IN NS ns0.enteract.com.
1D IN NS bifrost.seastrom.com.
1D IN MX 10 mx.enteract.com.
1D IN MX 0 mailhost
1D IN A 209.0.139.4
mailhost 1D IN A 207.229.147.81
corpserver1 1D IN A 207.229.147.81
www 1D IN CNAME @
#------------------------------------------------------------------
The problem we are experiencing is this:
Remote DNS frequently misresolves the addresses for these domains.
Examples of the bad DNS behavior are appended to the end of this
E-mail. The problem is difficult to consistently reproduce, and the
DNS' listed there may or may not return the same addresses I
am submitting as examples. I (think) I understand enough about DNS to
know that there _should_be_ only four possible reasons for this:
1) The authoritative host is actively handing out bad addresses.
2) There are cached records on a remote DNS that have not yet expired;
   hence remote DNS' non-authoritative responses do not reflect the
   current state of the SOA
3) The remote DNS' are configured to permanently cache records, and
   will never reflect changes to the SOA
4) There is some bad delegation going on, and a server somewhere in the
   chain of authority is giving back information on a name even though
   it does not have the authority to resolve that information.
We have actively studied points #2 and #3, and I think we have
eliminated them as possibilities. The serial numbers on records on
remote DNS' match the serial numbers for this record on the primary
authoritative host, whether or not the address resolves correctly.
The only place I cannot verify serial number information is for the
non-authoritative responses supplied by a.root-servers.net.
Point #1 is still a possibility. Enteract (the DNS provider and name
authority) and LEC Limited have differing opinions about the
syntax of the SOA record. I am not personally in agreement with the
convention used in the last line of their SOA:
www 1D IN CNAME @
Although I see this '@' fairly frequently. Our convention at LEC for a
self-reference is:
hostname 1D IN CNAME .
OR
hostname 1D IN A XXX.XXX.XXX.XXX
PLEASE NOTE : THE RECORD WAS CHANGED FOR SEVERAL DAYS TO REFLECT 'IN A
XXX.XXX.XXX.XXX' IN PLACE OF 'IN CNAME @'; WITH NO IMPROVEMENT.
Point #4 is harder for me to diagnose or test. I don't know how the
lame delegation could be happening, and I don't know where to look
for an answer to the problem, if indeed this is it.
I also find it curious (though again it might just be my ignorance),
that a.root-servers.net and c.root-servers.net were supplying (at
least for a time) non-authoritative answers for these FQDNs, rather than
references to the authoritative hosts. I was under the impression
that the root servers _only_ supplied references to resolvers, not
addresses.
This has been a harrowing problem, to say the least. Any help anyone
can provide would be greatly appreciated.
Thank you,
Frederick Lowe
#------------------------------------------------------------------
appended nslookup information
#------------------------------------------------------------------
bash$ nslookup
Default Server: r2d2.lecltd.com
Address: 209.0.142.231
> server ns0.enteract.com
Default Server: ns0.enteract.com
Address: 207.229.143.3
> ls -d cmdrealty.com
[ns0.enteract.com]
$ORIGIN cmdrealty.com.
@ 1D IN SOA enteract.com. root.enteract.com.
(
2000041301 ; serial
1H ; refresh
1H ; retry
1W ; expiry
1D ) ; minimum
1D IN NS ns0.enteract.com.
1D IN NS bifrost.seastrom.com.
1D IN MX 0 mailhost
1D IN A 209.0.139.4
1D IN MX 10 mx.enteract.com.
mailhost 1D IN A 207.229.147.81
corpserver1 1D IN A 207.229.147.81
www 1D IN CNAME @
#------------------------------------------------------------------
notes : current serial number 2000041301
#------------------------------------------------------------------
> www.cmdrealty.com
Server: ns0.enteract.com
Address: 207.229.143.3
Name: cmdrealty.com
Address: 209.0.139.4
Aliases: www.cmdrealty.com
#------------------------------------------------------------------
notes : domain is resolved correctly here
#------------------------------------------------------------------
> server ns1.mindspring.com
Default Server: ns1.mindspring.com
Address: 207.69.188.185
> www.cmdrealty.com
Server: ns1.mindspring.com
Address: 207.69.188.185
Non-authoritative answer:
Name: cmdrealty.com
Address: 209.0.139.4
Aliases: www.cmdrealty.com
#------------------------------------------------------------------
notes : domain is resolved correctly here
#------------------------------------------------------------------
> server r2d2.lecltd.com
Default Server: r2d2.lecltd.com
Address: 209.0.142.231
> www.cmdrealty.com
Server: r2d2.lecltd.com
Address: 209.0.142.231
Non-authoritative answer:
Name: www.cmdrealty.com
Address: 207.229.147.81
#------------------------------------------------------------------
notes : domain is misresolved here
#------------------------------------------------------------------
> set type=soa
> www.cmdrealty.com
Server: r2d2.lecltd.com
Address: 209.0.142.231
www.cmdrealty.com canonical name = cmdrealty.com
cmdrealty.com
origin = enteract.com
mail addr = root.enteract.com
serial = 2000041301
refresh = 3600 (1H)
retry = 3600 (1H)
expire = 604800 (1W)
minimum ttl = 86400 (1D)
cmdrealty.com nameserver = ns0.enteract.com
cmdrealty.com nameserver = bifrost.seastrom.com
ns0.enteract.com internet address = 207.229.143.3
bifrost.seastrom.com internet address = 192.148.252.10
#------------------------------------------------------------------
notes : serial number for this record is the same as primary
#------------------------------------------------------------------
> server dns1.giantstep.com
Default Server: dns1.giantstep.com
Address: 208.193.67.11
> set type=a
> www.cmdrealty.com
Server: dns1.giantstep.com
Address: 208.193.67.11
Non-authoritative answer:
Name: www.cmdrealty.com
Address: 207.229.147.81
#------------------------------------------------------------------
notes : domain is misresolved here
#------------------------------------------------------------------
> set type=soa
> www.cmdrealty.com
Server: dns1.giantstep.com
Address: 208.193.67.11
www.cmdrealty.com canonical name = cmdrealty.com
cmdrealty.com
origin = enteract.com
mail addr = root.enteract.com
serial = 2000041301
refresh = 3600 (1H)
retry = 3600 (1H)
expire = 604800 (1W)
minimum ttl = 86400 (1D)
cmdrealty.com nameserver = ns0.enteract.com
cmdrealty.com nameserver = bifrost.seastrom.com
ns0.enteract.com internet address = 207.229.143.3
bifrost.seastrom.com internet address = 192.148.252.10
#------------------------------------------------------------------
notes : serial number for this record is the same as primary
#------------------------------------------------------------------
> server ns1.mindspring.com
Default Server: ns1.mindspring.com
Address: 207.69.188.185
> set type=a
> www.cmdrealty.com
Server: ns1.mindspring.com
Address: 207.69.188.185
Non-authoritative answer:
Name: cmdrealty.com
Address: 209.0.139.4
Aliases: www.cmdrealty.com
#------------------------------------------------------------------
notes : domain is resolved correctly here
#------------------------------------------------------------------
> set type=soa
> www.cmdrealty.com
Server: ns1.mindspring.com
Address: 207.69.188.185
Non-authoritative answer:
www.cmdrealty.com canonical name = cmdrealty.com
cmdrealty.com
origin = enteract.com
mail addr = root.enteract.com
serial = 2000041301
refresh = 3600 (1H)
retry = 3600 (1H)
expire = 604800 (1W)
minimum ttl = 86400 (1D)
Authoritative answers can be found from:
cmdrealty.com nameserver = BIFROST.SEASTROM.com
cmdrealty.com nameserver = NS0.enteract.com
BIFROST.SEASTROM.com internet address = 192.148.252.10
NS0.enteract.com internet address = 207.229.143.3
#------------------------------------------------------------------
notes : serial number for this record is the same as primary
#------------------------------------------------------------------
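Added example, not part of the original post: a Python script that parses an nslookup session in the format shown above and lists the resolvers whose answer for www.cmdrealty.com differs from the authoritative server's, comparing both the returned address and whether the answer followed the CNAME. The transcript is excerpted from the session in the post; the function names `parse` and `divergent` are hypothetical.

```python
import re

# Excerpt of the nslookup session quoted in the post (three of the queries).
TRANSCRIPT = """\
> www.cmdrealty.com
Server: ns0.enteract.com
Address: 207.229.143.3
Name: cmdrealty.com
Address: 209.0.139.4
Aliases: www.cmdrealty.com
> www.cmdrealty.com
Server: ns1.mindspring.com
Address: 207.69.188.185
Non-authoritative answer:
Name: cmdrealty.com
Address: 209.0.139.4
Aliases: www.cmdrealty.com
> www.cmdrealty.com
Server: r2d2.lecltd.com
Address: 209.0.142.231
Non-authoritative answer:
Name: www.cmdrealty.com
Address: 207.229.147.81
"""

def parse(transcript):
    """Split an nslookup session into one record per query."""
    results = []
    for stanza in re.split(r"^> .*\n", transcript, flags=re.M)[1:]:
        f = re.findall(r"^(Server|Address|Name|Aliases):\s*(\S+)", stanza, re.M)
        addrs = [v for k, v in f if k == "Address"]
        results.append({
            "server": next(v for k, v in f if k == "Server"),
            "authoritative": "Non-authoritative answer:" not in stanza,
            "name": next(v for k, v in f if k == "Name"),
            "address": addrs[-1],  # the first Address line is the server's own
            "via_cname": any(k == "Aliases" for k, _ in f),
        })
    return results

def divergent(results):
    """Return (server, address, via_cname) for answers unlike the authoritative one."""
    ref = next(r for r in results if r["authoritative"])
    return [(r["server"], r["address"], r["via_cname"]) for r in results
            if not r["authoritative"]
            and (r["address"], r["via_cname"]) != (ref["address"], ref["via_cname"])]
```

On this excerpt the only divergent resolver is r2d2.lecltd.com, whose answer is a direct A record for www.cmdrealty.com rather than an alias to cmdrealty.com.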