Bind and possible redundancy flaw.

Noah McNallie lists at xzziroz.net
Thu Feb 21 05:07:57 UTC 2008 

Mark Andrews wrote:
>>> 	nameservers work out which servers are correctly configured
>>> 	and which ones arn't.
>>>
>>> 	"dig +trace" doesn't try to do that.
>>>
>>> 	Mark
>>>   
>>>       
>> so it's legit that if a query for a server has a NS listed that has no 
>> records for that server, the entire query should immediately fail?
>>     
>
> 	Put the question in context.  As it is there are so many
> 	variable left unstated that the answer could be "yes", "no"
> 	or "maybe".
>
> 	Mark
>   
k, well, it's not too important to get fixed if it's not a normal 
scenario. i don't much mind if it gets fixed at all because even if it 
was the end of the world i'd be smart enough to get the ips of anything 
that was routable to me ;) but just for the sake of curiosity perhaps, 
the scenario (although a bit sketchy as it may seem) is detailed:

2.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.5.0.3.0.7.0.f.1.0.7.4.0.1.0.0.2.ip6.arpa 
is the zone

this is how that flows:

ip6.arpa.               172800  IN      NS      SEC1.APNIC.NET.
ip6.arpa.               172800  IN      NS      NS.ICANN.ORG.
ip6.arpa.               172800  IN      NS      TINNIE.ARIN.NET.
ip6.arpa.               172800  IN      NS      NS.LACNIC.NET.
ip6.arpa.               172800  IN      NS      NS-SEC.RIPE.NET.
;; Received 220 bytes from 192.203.230.10#53(E.ROOT-SERVERS.NET) in 120 ms

0.7.4.0.1.0.0.2.ip6.arpa. 10800 IN      NS      ns2.ipv6.he.net.
0.7.4.0.1.0.0.2.ip6.arpa. 10800 IN      NS      ns1.ipv6.he.net.
;; Received 137 bytes from 202.12.29.59#53(SEC1.APNIC.NET) in 277 ms

5.0.3.0.7.0.f.1.0.7.4.0.1.0.0.2.ip6.arpa. 5000 IN NS ip6.sytes.net.
;; Received 117 bytes from 64.71.189.2#53(ns2.ipv6.he.net) in 122 ms

----

ip6.sytes.net points to my solaris/ultrasparc server at home on static 
ip assignment. what I had previously done is also had ip6.zapto.org as a 
nameserver for the range through he.net's interface to where 
ns(1|2).ipv6.he.net would respond with both of them, and this is when 
half the internet decided not to succeed on a PTR request for the range, 
after removing ip6.zapto.org everything worked fine instantly. btw, 
ip6.zapto.org is an A pointing to the A of ns1.earthlink.net (which had 
no records because it was simply there so people would not see one 
nameserver listend and thing oh yay! ddos! maybe it's his home server!) 
and i completely understand that such is not a legit purpose or reason 
for the email, it simply made my think further and ask why half the 
internet would fail to resolve a query just because one of the listed 
name servers has no records pertaining to the query.

n0ah

More information about the bind-users mailing list