lame servers

James A Griffin agriffin at cpcug.org
Thu Mar 1 13:49:20 UTC 2001


kpc wrote:
> 
> This looks bad. Any comments, or help, for that matter.
> I am running 9.1 on RH7, with patches, but not new kernel yet.
> Still testing on other machine.

The problem is not with your configuration (unless you happen to be the
hostmaster for the offending domains).  It is bad, however, since about 40%
of all of the domains that I've 'doc'd (tested with a delegation testing
tool) have some error.

> 
> this is /var/log/messages:
> 
> Feb 28 21:06:45 tabatha modprobe: modprobe: Can't locate module net-pf-10
> Feb 28 21:06:59 tabatha named[3757]: lame server on
> '89.31.77.64.in-addr.arpa' (in '31.77.64.in-addr.arpa'?):
> 209.196.128.21#53

I find it easier (and I hope Jim or Mark or Kevin will correct me if I'm
wrong) to read the log message as if it said:

Feb 28 21:06:59 tabatha named[3757]: lame server for
'89.31.77.64.in-addr.arpa' (in '31.77.64.in-addr.arpa'?) at:
209.196.128.21#53

[SNIP other log messages]

Looking at the 'doc' results below, you can see that the parent domain
(in-addr.arpa.) zone has name servers at netservers.net. listed for
31.77.64.in-addr.arpa.  This is just a referral, not an authoritative
statement. Then when one looks at netservers.net. there are SOA records
of 31.77.64.in-addr.arpa., but the NS records for 31.77.64.in-addr.arpa.
at the netservers.net state that name servers at netlimited.net. should
be used.

Doc-2.1.4: doc -v -p 31.77.64.in-addr.arpa.
Doc-2.1.4: Starting test of 31.77.64.in-addr.arpa.   parent is
77.64.in-addr.arpa.
Doc-2.1.4: Test date - Thu Mar  1 07:53:36 EST 2001
WARNING: No NS found for parent domain 77.64.in-addr.arpa.
WARNING: No NS found for parent domain 64.in-addr.arpa.
Note: Skipping parent domain testing
Found 2 NS and 2 glue records for 31.77.64.in-addr.arpa.
@a.root-servers.net. (non-AUTH)
Using NSlist from parent domain server a.root-servers.net.
NS list summary for 31.77.64.in-addr.arpa. from parent (in-addr.arpa.)
servers
  == dns1.netservers.net. dns2.netservers.net.
soa @dns1.netservers.net. for 31.77.64.in-addr.arpa. serial: 2001022822
soa @dns2.netservers.net. for 31.77.64.in-addr.arpa. serial: 2001022822
SOA serial #'s agree for 31.77.64.in-addr.arpa.
Authoritative domain (31.77.64.in-addr.arpa.) servers agree on NS for
31.77.64.in-addr.arpa.
ERROR: NS list from 31.77.64.in-addr.arpa. authoritative servers does
not
  === match NS list from parent (in-addr.arpa.) servers
NS list summary for 31.77.64.in-addr.arpa. from authoritative servers  
== dns1.netlimited.net. dns2.netlimited.net.
ERROR: dns1.netservers.net. claims to be authoritative, but does not
appear in
NS list from authoritative servers
ERROR: dns2.netservers.net. claims to be authoritative, but does not
appear in
NS list from authoritative servers
Checking 0 potential addresses for hosts at 31.77.64.in-addr.arpa.
  ==
Summary:
   ERRORS found for 31.77.64.in-addr.arpa. (count: 3)
Done testing 31.77.64.in-addr.arpa.  Thu Mar  1 07:53:54 EST 2001


A 'doc' run on netservers.net. returns multiple errors.
A 'doc' run on netlimited.net. returns no errors or warnings.

Interestingly enough, 'dig'ing at either dns[12].netserver.net or
dns[12].netlimited.net returns basically the same authoritative (flags: aa)
result: (only the dig at dns1.netserver.net shown below)

[artch at sparta doc-2.1.4]$ dig @dns1.netservers.net.
89.31.77.64.in-addr.arpa. ptr +norec

; <<>> DiG 9.1.1rc3 <<>> @dns1.netservers.net. 89.31.77.64.in-addr.arpa.
ptr +norec
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 28661
;; flags: qr aa ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 2

;; QUESTION SECTION:
;89.31.77.64.in-addr.arpa.      IN      PTR
 
;; ANSWER SECTION:
89.31.77.64.in-addr.arpa. 28800 IN      PTR    
bbr1-gig1-2.lax.netservers.net.
 
;; AUTHORITY SECTION:
31.77.64.in-addr.arpa.  28800   IN      NS      dns1.netlimited.net.
31.77.64.in-addr.arpa.  28800   IN      NS      dns2.netlimited.net.
 
;; ADDITIONAL SECTION:
dns1.netlimited.net.    28800   IN      A       209.196.128.11
dns2.netlimited.net.    28800   IN      A       209.196.128.12
 
;; Query time: 164 msec
;; SERVER: 209.196.128.21#53(dns1.netservers.net.)
;; WHEN: Thu Mar  1 08:24:12 2001
;; MSG SIZE  rcvd: 167
               

I conclude that when your name server was making queries about
89.31.77.64.in-addr.arpa., it noticed the discrepancy between what the
in-addr.arpa. zone said and what the dns[12].netservers.net said.
[Mark, et al, Is this a correct interpretation of what the code does?]

Regards,
Jim

PS doc-2.1.4 (a shell script currently written for dig version 8) can be
found at http://www.shub-internet.org/brad/dns/index.html.  If you are a
hostmaster (or are allowed to do zone transfers), you may want to check
your delegated domain with 'dnswalk'
(http://www.cis.ohio-state.edu/~barr/dnswalk/).
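
The delegation comparison described in the message above, as an added example that is not part of the original post and is not code from doc or BIND: it parses the quoted dig response (trimmed here) and compares it with the parent's NS list from the doc run. The function names and the wording of the findings are assumptions made for illustration.

```python
import re

# dig response quoted in the message, trimmed to the lines the checks read
DIG_OUTPUT = """\
;; flags: qr aa ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 2
;; ANSWER SECTION:
89.31.77.64.in-addr.arpa. 28800 IN PTR bbr1-gig1-2.lax.netservers.net.
;; AUTHORITY SECTION:
31.77.64.in-addr.arpa.  28800   IN      NS      dns1.netlimited.net.
31.77.64.in-addr.arpa.  28800   IN      NS      dns2.netlimited.net.
;; SERVER: 209.196.128.21#53(dns1.netservers.net.)
"""
# NS list handed out by the parent (in-addr.arpa.) servers, per the doc run
PARENT_NS = {"dns1.netservers.net.", "dns2.netservers.net."}


def parse_dig(text):
    """Return (header flags, NS names in the response, name of the queried server)."""
    flags = set(re.search(r"^;; flags: ([a-z ]+);", text, re.M).group(1).split())
    ns = {m.group(1).lower() for m in
          re.finditer(r"^\S+[ \t]+\d+[ \t]+IN[ \t]+NS[ \t]+(\S+)", text, re.M)}
    server = re.search(r"^;; SERVER: \S+\((\S+)\)", text, re.M).group(1).lower()
    return flags, ns, server


def check_delegation(parent_ns, dig_text):
    """Compare the parent's delegation with what the delegated server itself reports."""
    flags, child_ns, server = parse_dig(dig_text)
    findings = []
    if "aa" not in flags:
        # Classic lame delegation: the parent points here, the server is not authoritative
        findings.append(f"{server} did not answer authoritatively")
    if child_ns and child_ns != parent_ns:
        findings.append("NS list from server does not match parent: "
                        f"{sorted(child_ns)} vs {sorted(parent_ns)}")
    if "aa" in flags and child_ns and server not in child_ns:
        findings.append(f"{server} claims to be authoritative "
                        "but is not in the NS list it returns")
    return findings


if __name__ == "__main__":
    for finding in check_delegation(PARENT_NS, DIG_OUTPUT):
        print("ERROR:", finding)
```
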

