DNS resolution problem
Andris Kalnozols
andris at hpl.hp.com
Fri Sep 21 23:11:47 UTC 2001
I ran the 'ly.net' zone through h2n and came up with this:
h2n -V ly.net
Verifying zone data for domain 'ly.net.':
Getting NS RRset...
Transferring zone.... (from 'SOMETIMES.ly.net' [205.216.98.4])
Parsing zone data... (NS BIND version: 9.1.0)
Performing in-zone and external lookups...
Warning: found MX RR(s) pointing to the following problematic domain name(s):
  mail.friend.ly.net.   [ no such RR ]
  mail.ly.net.          [CNAME record]
  mail.support.ly.net.  [CNAME record]
Warning: found CNAME(s) pointing to the following problematic domain name(s):
  mail.friend.ly.net.   [ no such RR ]
  pop3.friend.ly.net.   [ no such RR ]
Warning: found inconsistent NS RRsets surrounding the zone boundary (RFC-1034):
  ly.net.  IN NS  ns.cw.net.
           IN NS  sometimes.ly.net.
  (non-authoritative)
  ---------------------------- zone cut ----------------------------
  ( authoritative )
  @        IN NS  ns.ly.net.
           IN NS  ns2.ly.net.
           IN NS  ns3.ly.net.
At first glance, the MX record issues seem to offer an explanation
for the mail delivery problems. The "no such RR" message (as opposed
to NXDOMAIN) is h2n's way of saying that 'friend' is just another
label and not a delegated subdomain of 'ly.net'. However, a query
for the MX records of 'ly.net' shows the following:
; <<>> DiG 8.3 <<>> ly.net mx
;; res options: init recurs defnam dnsrch
;; got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 3, ADDITIONAL: 5
;; QUERY SECTION:
;; ly.net, type = MX, class = IN
;; ANSWER SECTION:
ly.net. 1D IN MX 50 mailin-01.ly.net.
ly.net. 1D IN MX 100 mail.friend.ly.net.
;; AUTHORITY SECTION:
ly.net. 1D IN NS ns.ly.net.
ly.net. 1D IN NS ns2.ly.net.
ly.net. 1D IN NS ns3.ly.net.
;; ADDITIONAL SECTION:
mailin-01.ly.net. 1D IN A 205.216.98.8
mail.friend.ly.net. 1D IN A 205.216.98.8
ns.ly.net. 1D IN A 205.216.98.4
ns2.ly.net. 1D IN A 205.216.98.5
ns3.ly.net. 1D IN A 205.216.98.6
Wait a minute. Why does the Additional Section show an
A record for 'mail.friend.ly.net' if h2n couldn't find
it in the AXFR query for 'ly.net'? Querying an authoritative
nameserver shows the following:
; <<>> DiG 8.3 <<>> mail.friend.ly.net a +norec @ns.ly.net
; (1 server found)
;; res options: init defnam dnsrch
;; got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 16955
;; flags: qr aa ra; QUERY: 1, ANSWER: 1, AUTHORITY: 3, ADDITIONAL: 3
;; QUERY SECTION:
;; mail.friend.ly.net, type = A, class = IN
;; ANSWER SECTION:
mail.friend.ly.net. 1D IN A 205.216.98.8
;; AUTHORITY SECTION:
friend.ly.net. 1D IN NS ns3.friend.ly.net.
friend.ly.net. 1D IN NS ns.friend.ly.net.
friend.ly.net. 1D IN NS ns2.friend.ly.net.
;; ADDITIONAL SECTION:
ns.friend.ly.net. 1D IN A 205.216.98.4
ns2.friend.ly.net. 1D IN A 205.216.98.5
ns3.friend.ly.net. 1D IN A 205.216.98.6
It turns out that all the 'ly.net' nameservers are also
authoritative for 'friend.ly.net' except for 'NS.CW.net':
; <<>> DiG 8.3 <<>> mail.friend.ly.net a +norec @NS.CW.net
; (1 server found)
;; res options: init defnam dnsrch
;; got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 54979
;; flags: qr aa ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
;; QUERY SECTION:
;; mail.friend.ly.net, type = A, class = IN
;; AUTHORITY SECTION:
ly.net. 1D IN SOA ns.ly.net. ratt.friend.ly.net. (
2001082301 ; serial
8H ; refresh
2H ; retry
7W ; expiry
1D ) ; minimum
This explains the problem - the following delegations are
missing from the 'ly.net' parent zone:
    $ORIGIN ly.net.
    friend          1D IN NS        ns3.friend
                    1D IN NS        ns.friend
                    1D IN NS        ns2.friend
Also, you have the following records in 'ly.net':
    support         1D IN MX        10 mail.support
                    1D IN A         205.216.98.12
    mail.support    1D IN CNAME     support
MX records pointing to CNAMEs are not in accordance with the
RFCs. You probably want the self-pointing record instead:
    support         1D IN MX        10 support
                    1D IN A         205.216.98.12
Finally, the PTR for [205.216.98.4] refers to 'sometimes.friend.ly.net'
but 'sometimes.ly.net' and 'ns.ly.net' also point to this address.
This is usually no big deal except that these three domain names
appear in NS records. This adds unnecessary complexity for the
human sysadmin when trying to unravel delegation problems. When
delegating to the same nameserver interface, a consistent domain
name should be used.
The 'ly.net' zone should also have an NS record pointing to
'ns.cw.net' to be in agreement with the parent 'net' zone.
HTH,
Andris Kalnozols
Hewlett-Packard Laboratories
andris at hpl.hp.com
> Michael Kjörling wrote:
>
> Seems like you've got a zone replication issue. sometimes.ly.net
> [205.216.98.4] and ns.cw.net [204.70.128.1], which ly.net is delegated
> from off the root servers, are serving inconsistent data even though
> the SOA is the same.
>
> So, 50% of the new lookups will return NXDOMAIN for friend.ly.net from
> ns.cw.net, while the other 50% will get the proper address record.
>
> The SOA serial is the same on both, so maybe you just forgot to
> increment it after you made changes (the number 2001082301 suggests to
> me on August 23).
>
>
> Michael Kjörling
>
>
> On Sep 21 2001 17:13 -0400, Hawk wrote:
>
> > Hi all,
> >
> > I have configured my DNS server on RH7.1. It's been working for the past
> > month or so and all of a sudden, people are informing me that they are not
> > able to resolve DNS.
> >
> >
> > DNS: sometimes.ly.net
> > DNS: ns2.ly.net
> >
> > Hosts that are important:
> >
> > friend.ly.net
> > mail.friend.ly.net
> >
> > thanks.
>
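
The checks discussed in the message above, as an added Python example that is not part of the original post and is not h2n's own code: it sorts in-zone MX targets into the two categories the h2n warnings show and compares the NS RRsets on either side of the zone cut. The record list is a constructed sample built from records quoted in the message, and the function names are hypothetical.

```python
# Constructed sample: fully qualified records taken from the zone data quoted
# in the message above (not a complete copy of the 'ly.net' zone).
ZONE = """\
ly.net.               1D IN NS    ns.ly.net.
ly.net.               1D IN NS    ns2.ly.net.
ly.net.               1D IN NS    ns3.ly.net.
ly.net.               1D IN MX    50 mailin-01.ly.net.
ly.net.               1D IN MX    100 mail.friend.ly.net.
mailin-01.ly.net.     1D IN A     205.216.98.8
support.ly.net.       1D IN MX    10 mail.support.ly.net.
support.ly.net.       1D IN A     205.216.98.12
mail.support.ly.net.  1D IN CNAME support.ly.net.
"""
PARENT_NS = {"ns.cw.net.", "sometimes.ly.net."}  # delegation held by 'net'

def parse(text):
    """Return (owner, type, rdata_fields) tuples with names lowercased."""
    recs = []
    for line in text.splitlines():
        if line.strip():
            owner, _ttl, _cls, rtype, *rdata = line.split()
            recs.append((owner.lower(), rtype.upper(), [f.lower() for f in rdata]))
    return recs

def check_mx_targets(recs, origin):
    """Map each problematic in-zone MX target to 'CNAME record' or 'no such RR'."""
    types = {}
    for owner, rtype, _ in recs:
        types.setdefault(owner, set()).add(rtype)
    cuts = {o for o, t, _ in recs if t == "NS" and o != origin}  # delegated subzones
    problems = {}
    for owner, rtype, rdata in recs:
        target = rdata[1] if rtype == "MX" else ""
        if not target.endswith("." + origin):
            continue  # not an MX record, or an external name needing a live lookup
        if any(target.endswith("." + cut) for cut in cuts):
            continue  # below a delegation: the child zone answers for it
        have = types.get(target, set())
        if "CNAME" in have:
            problems[target] = "CNAME record"
        elif not have & {"A", "AAAA"}:
            problems[target] = "no such RR"
    return problems

def ns_mismatch(recs, origin, parent_ns):
    """NS names found only in the parent's delegation, and only at the zone apex."""
    child = {rd[0] for o, t, rd in recs if o == origin and t == "NS"}
    return sorted(parent_ns - child), sorted(child - parent_ns)
```

Appending a `friend.ly.net.` NS record to the sample makes `mail.friend.ly.net.` drop out of the report, which is the effect of the missing delegation the message identifies.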