trouble resolving specific zones
Brad Knowles
brad.knowles at skynet.be
Thu May 17 23:57:11 UTC 2001
At 12:16 PM -0700 5/17/01, Kelsey Cummings wrote:
> I've recently upgraded to bind 9.1.2 and we are having trouble resolving
> specific zones, for example, toyota.com.
Here are the results of running the latest version of "doc" on this domain:
doc -d toyota.com.
Doc-2.2.2: doc -d toyota.com.
Doc-2.2.2: Starting test of toyota.com. parent is com.
Doc-2.2.2: Test date - Thu May 17 19:09:00 EDT 2001
DEBUG: digging @a.gtld-servers.net. for soa of com.
soa @a.gtld-servers.net. for com. has serial: 2001051700
DEBUG: digging @b.gtld-servers.net. for soa of com.
soa @b.gtld-servers.net. for com. has serial: 2001051700
DEBUG: digging @c.gtld-servers.net. for soa of com.
soa @c.gtld-servers.net. for com. has serial: 2001051700
DEBUG: digging @d.gtld-servers.net. for soa of com.
soa @d.gtld-servers.net. for com. has serial: 2001051700
DEBUG: digging @e.gtld-servers.net. for soa of com.
soa @e.gtld-servers.net. for com. has serial: 2001051700
DEBUG: digging @f.gtld-servers.net. for soa of com.
soa @f.gtld-servers.net. for com. has serial: 2001051700
DEBUG: digging @g.gtld-servers.net. for soa of com.
soa @g.gtld-servers.net. for com. has serial: 2001051700
DEBUG: digging @i.gtld-servers.net. for soa of com.
soa @i.gtld-servers.net. for com. has serial: 2001051700
DEBUG: digging @j.gtld-servers.net. for soa of com.
soa @j.gtld-servers.net. for com. has serial: 2001051700
DEBUG: digging @k.gtld-servers.net. for soa of com.
soa @k.gtld-servers.net. for com. has serial: 2001051700
DEBUG: digging @l.gtld-servers.net. for soa of com.
soa @l.gtld-servers.net. for com. has serial: 2001051700
DEBUG: digging @m.gtld-servers.net. for soa of com.
soa @m.gtld-servers.net. for com. has serial: 2001051700
SOA serial #'s agree for com. domain
Found 4 NS and 4 glue records for toyota.com. @a.gtld-servers.net. (non-AUTH)
Found 4 NS and 4 glue records for toyota.com. @b.gtld-servers.net. (non-AUTH)
Found 4 NS and 4 glue records for toyota.com. @c.gtld-servers.net. (non-AUTH)
Found 4 NS and 4 glue records for toyota.com. @d.gtld-servers.net. (non-AUTH)
Found 4 NS and 4 glue records for toyota.com. @e.gtld-servers.net. (non-AUTH)
Found 4 NS and 4 glue records for toyota.com. @f.gtld-servers.net. (non-AUTH)
Found 4 NS and 4 glue records for toyota.com. @g.gtld-servers.net. (non-AUTH)
Found 4 NS and 4 glue records for toyota.com. @i.gtld-servers.net. (non-AUTH)
Found 4 NS and 4 glue records for toyota.com. @j.gtld-servers.net. (non-AUTH)
Found 4 NS and 4 glue records for toyota.com. @k.gtld-servers.net. (non-AUTH)
Found 4 NS and 4 glue records for toyota.com. @l.gtld-servers.net. (non-AUTH)
Found 4 NS and 4 glue records for toyota.com. @m.gtld-servers.net. (non-AUTH)
DNServers for com.
=== 0 were also authoritatve for toyota.com.
=== 12 were non-authoritative for toyota.com.
Servers for com. (not also authoritative for toyota.com.)
=== agree on NS records for toyota.com.
DEBUG: domserv = freeside.toyota.com. ns3.raleigh.usf.ibm.com.
ns4.raleigh.usf.ibm.com. toyota.toyota.com.
NS list summary for toyota.com. from parent (com.) servers
== freeside.toyota.com. ns3.raleigh.usf.ibm.com. ns4.raleigh.usf.ibm.com.
== toyota.toyota.com.
digging @freeside.toyota.com. for soa of toyota.com.
soa @freeside.toyota.com. for toyota.com. serial: 2001051701
digging @ns3.raleigh.usf.ibm.com. for soa of toyota.com.
soa @ns3.raleigh.usf.ibm.com. for toyota.com. serial: 2001051701
digging @ns4.raleigh.usf.ibm.com. for soa of toyota.com.
soa @ns4.raleigh.usf.ibm.com. for toyota.com. serial: 2001051701
digging @toyota.toyota.com. for soa of toyota.com.
soa @toyota.toyota.com. for toyota.com. serial: 2001051701
SOA serial #'s agree for toyota.com.
Authoritative domain (toyota.com.) servers agree on NS for toyota.com.
ERROR: NS list from toyota.com. authoritative servers does not
=== match NS list from parent (com.) servers
NS list summary for toyota.com. from authoritative servers
== freeside.toyota.com. ns1.toyota.com. ns2.toyota.com.
== ns3.raleigh.usf.ibm.com. ns3.toyota.com. ns4.raleigh.usf.ibm.com.
== toyota.toyota.com.
Checking 2 potential addresses for hosts at toyota.com.
== 63.87.74.7 10.63.12.3
in-addr PTR record found for 63.87.74.7
in-addr PTR record found for 10.63.12.3
Summary:
ERRORS found for toyota.com. (count: 1)
Done testing toyota.com. Thu May 17 19:09:07 EDT 2001
You will observe that they have four nameservers that are
delegated from the gTLD root nameservers, but when you ask the
authoritative servers, they come up with a total of *SEVEN*
nameservers that are included. They need to clean up their
delegations.
However, there's something more interesting going on here. When
you list too much data in the DNS, and you exceed what can be packed
into a single UDP response packet, what happens is the extra data
gets "truncated", and the "truncated" bit gets set in the response.
The client is then supposed to retry the query using TCP, to fill in
the missing data.
Unfortunately, many sites misconfigure their firewalls and their
nameservers so as to block all TCP port 53 traffic from the outside
world, in a mistaken attempt to prevent other sites from being able
to perform zone transfers of their zone data.
We can see this with the zone data for toyota.com with the
following queries. First, we show the results of a UDP query:
dig toyota.com. any
; <<>> DiG 9.1.2 <<>> toyota.com. any
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 16946
;; flags: qr rd ra; QUERY: 1, ANSWER: 12, AUTHORITY: 7, ADDITIONAL: 5
;; QUESTION SECTION:
;toyota.com. IN ANY
;; ANSWER SECTION:
toyota.com. 3263 IN SOA toyota.toyota.com.
hostmaster.toyota.com. 2001051701 14400 3600 3600000 3600
toyota.com. 3271 IN MX 15 freeside.toyota.com.
toyota.com. 3271 IN MX 25 raven.toyota.com.
toyota.com. 3271 IN MX 10 armitage.toyota.com.
toyota.com. 3597 IN NS toyota.toyota.com.
toyota.com. 3597 IN NS ns3.raleigh.usf.ibm.com.
toyota.com. 3597 IN NS freeside.toyota.com.
toyota.com. 3597 IN NS ns4.raleigh.usf.ibm.com.
toyota.com. 3597 IN NS ns1.toyota.com.
toyota.com. 3597 IN NS ns2.toyota.com.
toyota.com. 3597 IN NS ns3.toyota.com.
toyota.com. 3597 IN A 129.33.47.206
;; AUTHORITY SECTION:
toyota.com. 3597 IN NS toyota.toyota.com.
toyota.com. 3597 IN NS ns3.raleigh.usf.ibm.com.
toyota.com. 3597 IN NS freeside.toyota.com.
toyota.com. 3597 IN NS ns4.raleigh.usf.ibm.com.
toyota.com. 3597 IN NS ns1.toyota.com.
toyota.com. 3597 IN NS ns2.toyota.com.
toyota.com. 3597 IN NS ns3.toyota.com.
;; ADDITIONAL SECTION:
freeside.toyota.com. 26489 IN A 63.87.74.7
raven.toyota.com. 3271 IN A 63.87.74.200
armitage.toyota.com. 3271 IN A 63.87.74.3
toyota.toyota.com. 41387 IN A 63.87.74.3
ns3.raleigh.usf.ibm.com. 5406 IN A 129.33.60.15
;; Query time: 4 msec
;; WHEN: Thu May 17 19:15:34 2001
;; MSG SIZE rcvd: 485
Now, we show the results of a TCP query:
dig toyota.com. any +vc
; <<>> DiG 9.1.2 <<>> toyota.com. any +vc
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 59015
;; flags: qr rd ra; QUERY: 1, ANSWER: 12, AUTHORITY: 7, ADDITIONAL: 9
;; QUESTION SECTION:
;toyota.com. IN ANY
;; ANSWER SECTION:
toyota.com. 3228 IN SOA toyota.toyota.com.
hostmaster.toyota.com. 2001051701 14400 3600 3600000 3600
toyota.com. 3236 IN MX 15 freeside.toyota.com.
toyota.com. 3236 IN MX 25 raven.toyota.com.
toyota.com. 3236 IN MX 10 armitage.toyota.com.
toyota.com. 3562 IN NS toyota.toyota.com.
toyota.com. 3562 IN NS ns3.raleigh.usf.ibm.com.
toyota.com. 3562 IN NS freeside.toyota.com.
toyota.com. 3562 IN NS ns4.raleigh.usf.ibm.com.
toyota.com. 3562 IN NS ns1.toyota.com.
toyota.com. 3562 IN NS ns2.toyota.com.
toyota.com. 3562 IN NS ns3.toyota.com.
toyota.com. 3562 IN A 129.33.47.206
;; AUTHORITY SECTION:
toyota.com. 3562 IN NS toyota.toyota.com.
toyota.com. 3562 IN NS ns3.raleigh.usf.ibm.com.
toyota.com. 3562 IN NS freeside.toyota.com.
toyota.com. 3562 IN NS ns4.raleigh.usf.ibm.com.
toyota.com. 3562 IN NS ns1.toyota.com.
toyota.com. 3562 IN NS ns2.toyota.com.
toyota.com. 3562 IN NS ns3.toyota.com.
;; ADDITIONAL SECTION:
freeside.toyota.com. 26454 IN A 63.87.74.7
raven.toyota.com. 3236 IN A 63.87.74.200
armitage.toyota.com. 3236 IN A 63.87.74.3
toyota.toyota.com. 41352 IN A 63.87.74.3
ns3.raleigh.usf.ibm.com. 5371 IN A 129.33.60.15
ns4.raleigh.usf.ibm.com. 150159 IN A 129.33.60.14
ns1.toyota.com. 3565 IN A 10.63.12.3
ns2.toyota.com. 3565 IN A 10.63.12.7
ns3.toyota.com. 3565 IN A 10.63.12.5
;; Query time: 4 msec
;; WHEN: Thu May 17 19:16:09 2001
;; MSG SIZE rcvd: 549
See the size of the received packet? It's more than 512 bytes,
whereas the UDP query only got back 489 bytes (which will fit inside
of a 512 byte UDP packet, plus additional overhead). Unfortunately,
many mail servers do not properly deal with truncation, so when you
see this happen, this is a very clear indicator that there will
almost certainly be problems getting mail to that domain.
I tried performing DNS queries using TCP to the publicly
accessible toyota.com nameservers within the toyota.com domain (e.g.,
freeside.toyota.com and toyota.toyota.com which is also known as
armitage.toyota.com), and got no response from them. Clearly, they
are blocking all port 53/TCP traffic when they should not.
Fortunately for them, the two nameservers hosted within IBM do appear
to handle DNS queries via DNS correctly.
Also note that the nameserver toyota.toyota.com is actually an
alias -- the canonical name is armitage.toyota.com. This is not
supposed to happen -- the targets of NS records are not supposed to
be aliases. Worse, according to the SOA record, this is supposed to
be the master server for the entire zone.
But, we also see something even more interesting -- note that
ns1.toyota.com (as well as ns2.toyota.com and ns3.toyota.com) is
shown as having an IP address beginning with 10.* Unfortunately,
this network is defined as being "unroutable" as far as the public
Internet is concerned (see RFC 1918 at
<http://www.faqs.org/rfcs/rfc1918.html>).
I checked this out with one of the nameservers for toyota.com
that is actually publicly accessible (toyota.toyota.com), and it does
actually appear to be handing out "private" 10.* IP addresses for
these machines:
dig @toyota.toyota.com. ns1.toyota.com.
; <<>> DiG 9.1.2 <<>> @toyota.toyota.com. ns1.toyota.com.
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 43870
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 7, ADDITIONAL: 6
;; QUESTION SECTION:
;ns1.toyota.com. IN A
;; ANSWER SECTION:
ns1.toyota.com. 3600 IN A 10.63.12.3
;; AUTHORITY SECTION:
toyota.com. 3600 IN NS toyota.toyota.com.
toyota.com. 3600 IN NS ns3.raleigh.usf.ibm.com.
toyota.com. 3600 IN NS freeside.toyota.com.
toyota.com. 3600 IN NS ns4.raleigh.usf.ibm.com.
toyota.com. 3600 IN NS ns1.toyota.com.
toyota.com. 3600 IN NS ns2.toyota.com.
toyota.com. 3600 IN NS ns3.toyota.com.
;; ADDITIONAL SECTION:
ns3.raleigh.usf.ibm.com. 6182 IN A 129.33.60.15
freeside.toyota.com. 3600 IN A 63.87.74.7
ns4.raleigh.usf.ibm.com. 9877 IN A 129.33.60.14
ns1.toyota.com. 3600 IN A 10.63.12.3
ns2.toyota.com. 3600 IN A 10.63.12.7
ns3.toyota.com. 3600 IN A 10.63.12.5
;; Query time: 145 msec
;; SERVER: 63.87.74.3#53(toyota.toyota.com.)
;; WHEN: Thu May 17 19:18:44 2001
;; MSG SIZE rcvd: 290
Worse, when you query this machine about itself, it comes back as an alias:
dig @toyota.toyota.com. toyota.toyota.com.
; <<>> DiG 9.1.2 <<>> @toyota.toyota.com. toyota.toyota.com.
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 20595
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 7, ADDITIONAL: 6
;; QUESTION SECTION:
;toyota.toyota.com. IN A
;; ANSWER SECTION:
toyota.toyota.com. 3600 IN CNAME armitage.toyota.com.
armitage.toyota.com. 3600 IN A 63.87.74.3
;; AUTHORITY SECTION:
toyota.com. 3600 IN NS toyota.toyota.com.
toyota.com. 3600 IN NS ns3.raleigh.usf.ibm.com.
toyota.com. 3600 IN NS freeside.toyota.com.
toyota.com. 3600 IN NS ns4.raleigh.usf.ibm.com.
toyota.com. 3600 IN NS ns1.toyota.com.
toyota.com. 3600 IN NS ns2.toyota.com.
toyota.com. 3600 IN NS ns3.toyota.com.
;; ADDITIONAL SECTION:
ns3.raleigh.usf.ibm.com. 5716 IN A 129.33.60.15
freeside.toyota.com. 3600 IN A 63.87.74.7
ns4.raleigh.usf.ibm.com. 9411 IN A 129.33.60.14
ns1.toyota.com. 3600 IN A 10.63.12.3
ns2.toyota.com. 3600 IN A 10.63.12.7
ns3.toyota.com. 3600 IN A 10.63.12.5
;; Query time: 117 msec
;; SERVER: 63.87.74.3#53(toyota.toyota.com.)
;; WHEN: Thu May 17 19:26:30 2001
;; MSG SIZE rcvd: 313
Now, if we check to see if any of these nameservers are also
caching, we find even more bad news:
dig @armitage.toyota.com. aol.com. any
; <<>> DiG 9.1.2 <<>> @armitage.toyota.com. aol.com. any
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 19137
;; flags: qr rd ra; QUERY: 1, ANSWER: 9, AUTHORITY: 2, ADDITIONAL: 2
;; QUESTION SECTION:
;aol.com. IN ANY
;; ANSWER SECTION:
aol.com. 161577 IN NS DNS-02.NS.aol.com.
aol.com. 161577 IN NS DNS-01.NS.aol.com.
aol.com. 2098 IN A 64.12.149.24
aol.com. 2098 IN A 205.188.160.121
aol.com. 2098 IN A 64.12.149.13
aol.com. 2117 IN MX 15 mailin-03.mx.aol.com.
aol.com. 2117 IN MX 15 mailin-04.mx.aol.com.
aol.com. 2117 IN MX 15 mailin-01.mx.aol.com.
aol.com. 2117 IN MX 15 mailin-02.mx.aol.com.
;; AUTHORITY SECTION:
aol.com. 161577 IN NS DNS-02.NS.aol.com.
aol.com. 161577 IN NS DNS-01.NS.aol.com.
;; ADDITIONAL SECTION:
DNS-02.NS.aol.com. 16927 IN A 205.188.157.232
DNS-01.NS.aol.com. 16927 IN A 152.163.159.232
;; Query time: 77 msec
;; SERVER: 63.87.74.3#53(armitage.toyota.com.)
;; WHEN: Thu May 17 19:47:28 2001
;; MSG SIZE rcvd: 285
dig @freeside.toyota.com. aol.com. any
; <<>> DiG 9.1.2 <<>> @freeside.toyota.com. aol.com. any
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 41021
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 2, ADDITIONAL: 2
;; QUESTION SECTION:
;aol.com. IN ANY
;; ANSWER SECTION:
aol.com. 131229 IN NS DNS-02.NS.aol.com.
aol.com. 131229 IN NS DNS-01.NS.aol.com.
;; AUTHORITY SECTION:
aol.com. 131229 IN NS DNS-02.NS.aol.com.
aol.com. 131229 IN NS DNS-01.NS.aol.com.
;; ADDITIONAL SECTION:
DNS-02.NS.aol.com. 18933 IN A 205.188.157.232
DNS-01.NS.aol.com. 18933 IN A 152.163.159.232
;; Query time: 77 msec
;; SERVER: 63.87.74.7#53(freeside.toyota.com.)
;; WHEN: Thu May 17 19:47:37 2001
;; MSG SIZE rcvd: 130
dig @ns3.raleigh.usf.ibm.com. aol.com. any
; <<>> DiG 9.1.2 <<>> @ns3.raleigh.usf.ibm.com. aol.com. any
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 30316
;; flags: qr rd ra; QUERY: 1, ANSWER: 9, AUTHORITY: 2, ADDITIONAL: 12
;; QUESTION SECTION:
;aol.com. IN ANY
;; ANSWER SECTION:
aol.com. 49317 IN NS DNS-02.NS.aol.com.
aol.com. 49317 IN NS DNS-01.NS.aol.com.
aol.com. 582 IN A 64.12.149.13
aol.com. 582 IN A 64.12.149.24
aol.com. 582 IN A 205.188.160.121
aol.com. 2788 IN MX 15 mailin-02.mx.aol.com.
aol.com. 2788 IN MX 15 mailin-03.mx.aol.com.
aol.com. 2788 IN MX 15 mailin-04.mx.aol.com.
aol.com. 2788 IN MX 15 mailin-01.mx.aol.com.
;; AUTHORITY SECTION:
aol.com. 49317 IN NS DNS-02.NS.aol.com.
aol.com. 49317 IN NS DNS-01.NS.aol.com.
;; ADDITIONAL SECTION:
DNS-02.NS.aol.com. 150163 IN A 205.188.157.232
DNS-01.NS.aol.com. 150163 IN A 152.163.159.232
mailin-03.mx.aol.com. 2386 IN A 152.163.224.88
mailin-03.mx.aol.com. 2386 IN A 64.12.136.153
mailin-03.mx.aol.com. 2386 IN A 205.188.156.186
mailin-04.mx.aol.com. 2578 IN A 205.188.158.25
mailin-04.mx.aol.com. 2578 IN A 205.188.156.249
mailin-04.mx.aol.com. 2578 IN A 152.163.224.122
mailin-01.mx.aol.com. 2578 IN A 205.188.156.122
mailin-01.mx.aol.com. 2578 IN A 205.188.157.25
mailin-01.mx.aol.com. 2578 IN A 152.163.224.26
mailin-01.mx.aol.com. 2578 IN A 64.12.136.57
;; Query time: 14 msec
;; SERVER: 129.33.60.15#53(ns3.raleigh.usf.ibm.com.)
;; WHEN: Thu May 17 19:48:08 2001
;; MSG SIZE rcvd: 445
dig @ns4.raleigh.usf.ibm.com. aol.com. any
; <<>> DiG 9.1.2 <<>> @ns4.raleigh.usf.ibm.com. aol.com. any
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 2104
;; flags: qr rd ra; QUERY: 1, ANSWER: 5, AUTHORITY: 2, ADDITIONAL: 2
;; QUESTION SECTION:
;aol.com. IN ANY
;; ANSWER SECTION:
aol.com. 152658 IN NS DNS-02.NS.aol.com.
aol.com. 152658 IN NS DNS-01.NS.aol.com.
aol.com. 643 IN A 205.188.160.121
aol.com. 643 IN A 64.12.149.13
aol.com. 643 IN A 64.12.149.24
;; AUTHORITY SECTION:
aol.com. 152658 IN NS DNS-02.NS.aol.com.
aol.com. 152658 IN NS DNS-01.NS.aol.com.
;; ADDITIONAL SECTION:
DNS-02.NS.aol.com. 169307 IN A 205.188.157.232
DNS-01.NS.aol.com. 169307 IN A 152.163.159.232
;; Query time: 13 msec
;; SERVER: 129.33.60.14#53(ns4.raleigh.usf.ibm.com.)
;; WHEN: Thu May 17 19:48:19 2001
;; MSG SIZE rcvd: 178
You will note that only one of these four nameservers does not
give us a cached answer. This is really bad news, because even the
IBM guys get this wrong.
This is all very, very bad news. The entire toyota.com zone is
clearly very seriously messed up. I don't think that there is
anything you need to worry about -- these problems are far more
systemic than anything you can fix.
You may note that I have carbon-copied the registered addresses
at Toyota that are found in the WHOIS entry at Network Solutions, as
well as the classic "hostmaster" address that they are required to
support, in addition to the "DNS Team" address at IBM that is listed
as being the address in the SOA records for the raleigh.usf.ibm.com
zone.
To the Toyota & IBM personnel who receive this message -- I would
be perfectly happy to work with you to fix these problems, and will
gladly do so without charging a fee. I would like to use this
experience as background material for a chapter on DNS that I am
writing in an upcoming book, but I promise to keep your names out of
it.
Brad Knowles, <brad.knowles at skynet.be>
/* efdtt.c Author: Charles M. Hannum <root at ihack.net> */
/* Represented as 1045 digit prime number by Phil Carmody */
/* Prime as DNS cname chain by Roy Arends and Walter Belgers */
/* */
/* Usage is: cat title-key scrambled.vob | efdtt >clear.vob */
/* where title-key = "153 2 8 105 225" or other similar 5-byte key */
dig decss.friet.org|perl -ne'if(/^x/){s/[x.]//g;print pack(H124,$_)}'
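As an added example (not part of the post, and not code from the doc or dig tools), the checks Brad walks through above can be automated over dig's text output: NS targets that are aliases, NS hosts with no glue in the answer, glue pointing at RFC 1918 space, answers too large for a 512-byte UDP reply, and a nominally authoritative server that answered non-authoritatively. The sample is constructed from the post's TCP answer with a CNAME line added so each check fires.

```python
import ipaddress
import re

# Constructed sample modelled on the TCP dig output quoted in the post (not a
# live capture); a CNAME glue line was added so that every check fires once.
SAMPLE = """\
;; flags: qr rd ra; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 4
;; ANSWER SECTION:
toyota.com. 3562 IN NS toyota.toyota.com.
toyota.com. 3562 IN NS freeside.toyota.com.
toyota.com. 3562 IN NS ns4.raleigh.usf.ibm.com.
toyota.com. 3562 IN NS ns1.toyota.com.
;; ADDITIONAL SECTION:
freeside.toyota.com. 26454 IN A 63.87.74.7
toyota.toyota.com. 41352 IN CNAME armitage.toyota.com.
armitage.toyota.com. 3236 IN A 63.87.74.3
ns1.toyota.com. 3565 IN A 10.63.12.3
;; MSG SIZE rcvd: 549
"""
RR = re.compile(r"^(\S+)\s+\d+\s+IN\s+(\S+)\s+(.+)$")

def parse_dig(text):
    """Extract (flags, records, msg_size); records are (owner, type, rdata)."""
    flags, records, size = set(), [], None
    for line in text.splitlines():
        if line.startswith(";; flags:"):
            flags = set(re.search(r"flags: ([^;]*);", line).group(1).split())
        elif line.startswith(";; MSG SIZE"):
            size = int(line.rsplit(":", 1)[1])
        elif line and not line.startswith(";"):
            m = RR.match(line)
            if m:
                records.append((m.group(1), m.group(2), m.group(3)))
    return flags, records, size

def audit(flags, records, size, expect_aa=False):
    """List the delegation problems the post describes; expect_aa=True means
    the query went to a server that should be authoritative for the name."""
    findings = []
    a = {o: r for o, t, r in records if t == "A"}
    cname = {o: r for o, t, r in records if t == "CNAME"}
    for ns in [r for _, t, r in records if t == "NS"]:
        if ns in cname:  # RFC 2181 s10.3: an NS target must not be an alias
            findings.append(f"NS target {ns} is a CNAME for {cname[ns]}")
        elif ns not in a:
            findings.append(f"no glue for {ns} in this answer")
        elif ipaddress.ip_address(a[ns]).is_private:
            findings.append(f"{ns} has RFC 1918 address {a[ns]}")
    if "tc" in flags:
        findings.append("TC set: answer truncated, client must retry over TCP")
    elif size is not None and size > 512:
        findings.append(f"{size}-byte answer exceeds 512 bytes: needs TCP or EDNS")
    if expect_aa and "aa" not in flags:
        findings.append("no aa flag: server recursed for a name it does not serve")
    return findings
```

Feed it `dig ... +vc` output to see the full NS set, and pass `expect_aa=True` when the query was sent directly to one of the zone's listed nameservers.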