strange behaviour of resolving nameserver
Sam Wilson
Sam.Wilson at ed.ac.uk
Wed Mar 10 10:47:05 UTC 2010
In article <mailman.751.1268170620.21153.bind-users at lists.isc.org>,
Mark Andrews <marka at isc.org> wrote:
> In message <20100309154017.4801cf70 at the-damian.de>, Torsten writes:
> > Am Wed, 10 Mar 2010 00:44:46 +1100
> > schrieb Mark Andrews <marka at isc.org>:
> >
> > >
> > > In message <20100309142153.016c7dbb at the-damian.de>, Torsten writes:
> > > > Hi,
> > > >
> > > > I'm a bit clueless about what's happening here exactly.
> > > > I have a server (9.6.1-P3) that tries resolving
> > > > ws.mobilecdn.verisign.com. Queries for this host permanently fail
> > > > with SERVFAIL.
> > > >
> > > > I've narrowed the problem down to answers from c2.nstld.net
> > > >
> > > >
> > > > dig @c2.nstld.com mobilecdn.verisign.com
> > > > ;; Got referral reply from 192.26.92.31, trying next server
> > >
> > > Fix /etc/resolv.conf to point to recursive nameservers. 192.26.92.31
> > > is not a recursive nameserver.
> >
> > /etc/resolv.conf already points to recursive nameservers. Since these
> > nameservers can't resolve ws.mobilecdn.verisign.com I tried every
> > single nameserver found by dig +trace and ended up with the behaviour
> > of c2.nstld.net.
>
> I mis-read. 192.26.92.31 is c2.nstld.net so someone at RedHat has
> hacked dig to return " ;; Got referral reply from 192.26.92.31,
> trying next server" when it see a referral and move onto the next
> address which is a IPv6 addresss which presumably you don't have
> connectivity for.
>
> Try "dig -4 @c2.nstld.com mobilecdn.verisign.com". Then yell at
> RedHat. Dig is not supposed to move on when it sees a referral.
> Dig is a diagnostic tool first and foremost, not a general hostname
> lookup tool. One needs to see the answers to queries in a diagnostic
> tool not have them skipped.
There's also a lame delegation. Here's an extract from "dig
ws.mobilecdn.verisign.com +trace":
:
:
mobilecdn.verisign.com. 900 IN NS dns2-auth.m-qube.com.
mobilecdn.verisign.com. 900 IN NS dns1-auth.m-qube.com.
;; Received 98 bytes from 192.5.6.31#53(a2.nstld.com) in 119 ms
ws.mobilecdn.verisign.com. 1800 IN A 64.14.95.24
mobilecdn.verisign.com. 1800 IN NS dns2-auth.m-qube.com.
mobilecdn.verisign.com. 1800 IN NS dns3-auth.m-qube.com.
mobilecdn.verisign.com. 1800 IN NS ns1.savvis.net.
mobilecdn.verisign.com. 1800 IN NS ns2.savvis.net.
mobilecdn.verisign.com. 1800 IN NS ns3.savvis.net.
;; Received 178 bytes from 64.14.95.64#53(dns2-auth.m-qube.com) in 90 ms
dns1-auth.m-qube.com does not respond, at least to me, and will also
cause delays or failures because it is a CNAME for dns1.m-qube.com.
Sam
More information about the bind-users
mailing list