DNS Tracing

Jim Reid jim at rfc1035.com
Wed Jul 12 00:00:16 UTC 2000


    >> Are there any good tools out there that will tell me where a
    >> record is coming from and what path it is following to get that
    >> record?

Yes, dig.

    >> problem I am having is if I do a standard lookup for
    >> ecs1.altamente.com I am supposed to get back 209.12.244.241,
    >> but a lot of times I get 209.12.224.11 which is its really old
    >> IP address.

Let's see:
	% dig ecs1.altamente.com any
	... dig output snipped....
	;; AUTHORITY SECTION
	ALTAMENTE.COM.          2D IN NS        NS1.ESPIRE.NET.
	ALTAMENTE.COM.          2D IN NS        NS2.ESPIRE.NET.
	ALTAMENTE.COM.          2D IN NS        NS1.OLSS.NET.

This means there are three name servers for the altamente.com zone, so
let's ask them and see what they have to say for themselves:

	% dig @ns1.espire.net ecs1.altamente.com any
	... dig output snipped ...
	;; ANSWER SECTION:
	ecs1.altamente.com.     1D IN A         209.12.244.241

	% dig @ns2.espire.net ecs1.altamente.com any
	... dig output snipped ...
	;; ANSWER SECTION:
	ecs1.altamente.com.     1D IN A         209.12.244.241

	% dig @ns1.olss.net ecs1.altamente.com any
	... dig output snipped ...
	;; ANSWER SECTION:
	ecs1.altamente.com.     1D IN A         209.12.244.241

So all three name servers are telling the truth. If you get dig to ask
for altamente.com's SOA record, they all return the same answer. This
means the problem is not with the zone data or name servers for
altamente.com. Those three servers seem consistent with each other,
which is how things should be. That means the problem is elsewhere.

When my name server looked up ecs1.altamente.com, it got the wrong
answer: an A record pointing at 209.12.224.11. It must have got that
name in the answer that was returned when it asked one of the .com
name servers for ecs1.altamente.com. [This was confirmed by checking
my name server's cache dump, but that's a story for another time.] The
answer to my server's query returned the expected NS records for the
altamente.com name servers, but the answer also included this bogus A
record. So this means that some zone somewhere in the .com zone has or
had a glue record for ecs1.altamente.com which points at that old
address. This too is confirmed with dig:

	% dig @a.root-servers.net ecs1.altamente.com any
	... dig output snipped ...
	;; ANSWER SECTION:
	ecs1.altamente.com.     2D IN A         209.12.224.11

(FYI, a.root-servers.net is one of the .com name servers.) Better
contact Network Solutions and find out where that glue record came
from and get it fixed. The 2 day TTL in that answer is another
giveaway: this is the standard TTL for resource records in the .com
zone. It's also not the same as the 1 day TTL you gave for that A
record in your altamente.com zone file, which is the ultimate
authority for that domain. But because other name servers will consult
.com name servers when looking up ecs1.altamente.com, they'll get the
false answer - the old glue record - in the .com zone. They won't
bother asking one of the three altamente.com name servers for this
name because the .com name servers gave them the answer - albeit with
wrong data! - for the query that they made. Somewhere in the .com zone
file, there's a line:
	ecs1.altamente.com. IN A 209.12.224.11
This has to be removed or corrected somehow. Removing it is better,
since this glue probably isn't needed any more and because it has the
wrong IP address.

If you go to http://www.networksolutions.com/cgi-bin/whois/whois
and search for host ecs1.altamente.com, here's what you find:

[No name] (ECS6-HST)

                Hostname: ECS1.ALTAMENTE.COM
                Address: 209.12.224.11
                System: ? running ?

                Coordinator:
                   O'Malley, James  (JO4364)  jomalley at COMPUSERVE.COM
                   OG Consulting
                   Urb. Santa Clara
                   W-1 Anamu
                   Guaynabo, PR 00969
                   787-731-4332 (FAX) 787-731-4332

                Record last updated on 09-Dec-1999.
                Database last updated on 11-Jul-2000 00:32:06 EDT.

I guess that James O'Malley supplied this hostname and address when
the altamente.com zone was initially registered. [He's down in the
whois database as the contact for this zone.] Once the name servers
were up and running for altamente.com, new glue was added but the old
glue wasn't removed. Or maybe this old A record was supplied by him as
glue for some other .{com,net,org} domain.
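The comparison Jim does by hand above, automated as an added example (not part of the original message or of BIND): parse the A records each server returned, confirm the zone's own servers agree with each other, and flag any record a parent-zone server hands back that the zone's servers do not serve, together with the TTL mismatch. The answer texts below are constructed to match the dig output quoted above; in practice they would be filled from `dig @server name any`.

```python
import re

# Constructed sample answers in the layout dig printed in the post (not real captures).
SAMPLE_ANSWERS = {
    "ns1.espire.net":     "ecs1.altamente.com.     1D IN A         209.12.244.241",
    "ns2.espire.net":     "ecs1.altamente.com.     1D IN A         209.12.244.241",
    "ns1.olss.net":       "ecs1.altamente.com.     1D IN A         209.12.244.241",
    "a.root-servers.net": "ecs1.altamente.com.     2D IN A         209.12.224.11",
}
AUTHORITATIVE = {"ns1.espire.net", "ns2.espire.net", "ns1.olss.net"}

UNITS = {"S": 1, "M": 60, "H": 3600, "D": 86400, "W": 604800}
A_RECORD = re.compile(r"^(\S+)\s+(\d+)([SMHDW]?)\s+IN\s+A\s+(\S+)$", re.I)

def parse_a_records(text):
    """Map (owner, address) -> TTL in seconds for every A record in dig answer text."""
    records = {}
    for line in text.splitlines():
        m = A_RECORD.match(line.strip())
        if m:
            owner, ttl, unit, addr = m.groups()
            records[(owner.lower().rstrip("."), addr)] = int(ttl) * UNITS[unit.upper() or "S"]
    return records

def find_stale_glue(answers, authoritative):
    """Return (zone servers agree?, [(server, owner, addr, ttl, zone_ttl)]) for answers
    from non-authoritative servers that none of the zone's own servers serve."""
    auth = {srv: parse_a_records(answers[srv]) for srv in authoritative}
    keys = [set(r) for r in auth.values()]
    consistent = all(k == keys[0] for k in keys)
    consensus = set.intersection(*keys)
    zone_ttl = {owner: ttl for recs in auth.values() for (owner, _), ttl in recs.items()}
    stale = []
    for srv, text in answers.items():
        if srv in authoritative:
            continue
        for (owner, addr), ttl in parse_a_records(text).items():
            if (owner, addr) not in consensus:
                stale.append((srv, owner, addr, ttl, zone_ttl.get(owner)))
    return consistent, stale

if __name__ == "__main__":
    ok, stale = find_stale_glue(SAMPLE_ANSWERS, AUTHORITATIVE)
    print("zone's own name servers agree:", ok)
    for srv, owner, addr, ttl, zone_ttl in stale:
        print(f"{srv} returns {owner} A {addr} (TTL {ttl}s), which the zone's own servers"
              f" do not serve (their TTL for {owner}: {zone_ttl}s)")
```

The TTL carried back with the stale record (two days here, against the zone's one day) is the same giveaway the post points at: it tells you the answer came from the parent zone's data, not from the zone itself.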
