New IP for Auth Servers

Mark Andrews marka at isc.org
Thu Sep 17 00:54:52 UTC 2015


This sort of thing is *supposed* to be caught by the Registry
or by their proxy the Registrar.  Teresa, if you failed to receive
a notification that your glue records were wrong you should be
asking why you are paying good money for registry services that are
not being performed to agreed specifications.

RFC 1034 and the requirements specified therein predate the assignment
of the registry role to the current registrar so there is no excuse
of "we didn't know we were required to check".

Mark

RFC 1034 4.2.2. Administrative considerations

As the last installation step, the delegation NS RRs and glue RRs
necessary to make the delegation effective should be added to the parent
zone.  The administrators of both zones should insure that the NS and
glue RRs which mark both sides of the cut are consistent and remain so.



In message <B7F4EC41-4B18-44DE-B567-497560505D48 at gronkulator.com>, Rich Goodson
 writes:
>
> Teresa,
>
> Here are the out of zone glue records for mcomdc.com (note the query to
> a.gtld-servers.net, one of the authoritative servers for the com zone):
> rgoodson at bcn-rgoodson1 ~ $ dig  @a.gtld-servers.net ns1.mcomdc.com
>
> ; <<>> DiG 9.9.5-P1 <<>> @a.gtld-servers.net ns1.mcomdc.com
> ; (1 server found)
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 49533
> ;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 2, ADDITIONAL: 3
> ;; WARNING: recursion requested but not available
>
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags:; udp: 4096
> ;; QUESTION SECTION:
> ;ns1.mcomdc.com.			IN	A
>
> ;; AUTHORITY SECTION:
> mcomdc.com.		172800	IN	NS	ns1.mcomdc.com.
> mcomdc.com.		172800	IN	NS	ns2.mcomdc.com.
>
> ;; ADDITIONAL SECTION:
> ns1.mcomdc.com.		172800	IN	A	74.84.103.134
> ns2.mcomdc.com.		172800	IN	A	74.84.119.134
>
> ;; Query time: 79 msec
> ;; SERVER: 192.5.6.30#53(192.5.6.30)
> ;; WHEN: Wed Sep 16 09:36:10 CDT 2015
> ;; MSG SIZE  rcvd: 107
>
> rgoodson at bcn-rgoodson1 ~ $ dig +norec @68.66.64.240 ns1.mcomdc.com
>
> ; <<>> DiG 9.9.5-P1 <<>> +norec @68.66.64.240 ns1.mcomdc.com
> ; (1 server found)
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 50438
> ;; flags: qr aa; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 2
>
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags:; udp: 4096
> ;; QUESTION SECTION:
> ;ns1.mcomdc.com.			IN	A
>
> ;; ANSWER SECTION:
> ns1.mcomdc.com.		300	IN	A	97.64.168.6
>
> ;; AUTHORITY SECTION:
> mcomdc.com.		300	IN	NS	ns1.mcomdc.com.
> mcomdc.com.		300	IN	NS	ns2.mcomdc.com.
>
> ;; ADDITIONAL SECTION:
> ns2.mcomdc.com.		300	IN	A	68.66.64.240
>
> ;; Query time: 51 msec
> ;; SERVER: 68.66.64.240#53(68.66.64.240)
> ;; WHEN: Wed Sep 16 09:36:49 CDT 2015
> ;; MSG SIZE  rcvd: 107
>
> What you need to do is log in to Network Solutions (your registrar) and
> update the IP addresses that they have for ns1.mcomdc.com and
> ns2.mcomdc.com. They in turn will update the ‘com’ zone with new glue
> records for ns1.mcomdc.com and ns2.mcomdc.com.
>
> -Rich
>
> > On Sep 16, 2015, at 9:23 AM, Teresa Campbell <tcampbell at mediacomcc.com> wrote:
> >
> > I recently moved my two authoritative servers to new servers on new
> > IPs.  I did it slowly, leaving the old servers up so that everyone would
> > have time to receive the new IP for my domain. When I query everything
> > from Google's free DNS servers to my own recursive servers I show the new
> > IPs, which is what I expected. It has been a month since I moved to the
> > new IPs, however I am still seeing a ton of queries going to the old Auth
> > servers. My authoritative servers do not have recursive turned on so all
> > the traffic I am seeing is coming from other DNS servers and they are
> > querying my domains for records. Did I miss something? Is that normal? Is
> > it safe to just turn the old servers off?
> >
> > Here are the queries I am seeing in the logs
> >
> > 16-Sep-2015 09:00:16.807 client 78.140.179.9#22202 (ns2.mcomdc.com): query: ns2.mcomdc.com IN A -EDC (74.84.103.134)
> > 16-Sep-2015 09:00:16.882 client 63.79.12.161#20765 (ns1.mcomdc.com): query: ns1.mcomdc.com IN A -EDC (74.84.103.134)
> >
> >
> > Here is the process I followed to move to the new IPs.
> >
> > I brought up my new servers with the new IPs. I changed the A record
> > for ns1.mcomdc.com on all 4 of the servers (old and new) to the new IP
> > address. I waited a few hours to confirm it all looks good, then made
> > the change to ns2.mcomdc.com. I then left all 4 servers up for 72 hours
> > and came back and confirmed every major free recursive DNS server had
> > the new ns server IPs and any changes I made to the new server and not
> > the old were propagating across the internet. I am not sure it matters
> > here but I am running BIND 9.10.2-P4
> >
> > Thanks,
> >
> > Teresa Campbell
>

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka at isc.org
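
An added example, not part of the original message or of BIND: a small Python check of the consistency RFC 1034 4.2.2 asks for, comparing the NS and address records returned by a parent-zone server with those returned by the child zone's own server. The sample input is constructed from the record lines of the two dig responses quoted above; the function names are illustrative.

```python
import re

# Constructed sample: record lines from the two dig responses quoted in this thread.
PARENT = """\
;; AUTHORITY SECTION:
mcomdc.com.      172800  IN  NS  ns1.mcomdc.com.
mcomdc.com.      172800  IN  NS  ns2.mcomdc.com.
;; ADDITIONAL SECTION:
ns1.mcomdc.com.  172800  IN  A   74.84.103.134
ns2.mcomdc.com.  172800  IN  A   74.84.119.134
"""
CHILD = """\
;; ANSWER SECTION:
ns1.mcomdc.com.  300  IN  A   97.64.168.6
;; AUTHORITY SECTION:
mcomdc.com.      300  IN  NS  ns1.mcomdc.com.
mcomdc.com.      300  IN  NS  ns2.mcomdc.com.
;; ADDITIONAL SECTION:
ns2.mcomdc.com.  300  IN  A   68.66.64.240
"""

# One resource record per line: owner, TTL, class IN, type, rdata.
RR = re.compile(r"^(\S+)[ \t]+\d+[ \t]+IN[ \t]+(NS|A|AAAA)[ \t]+(\S+)[ \t]*$", re.M)

def parse(dig_text):
    """Return (ns_names, {owner: set(addresses)}) from dig record lines."""
    ns, addrs = set(), {}
    for owner, rtype, rdata in RR.findall(dig_text):
        if rtype == "NS":
            ns.add(rdata.lower())
        else:
            addrs.setdefault(owner.lower(), set()).add(rdata)
    return ns, addrs

def check_delegation(parent_text, child_text):
    """List inconsistencies between the parent and child side of a zone cut."""
    p_ns, p_addr = parse(parent_text)
    c_ns, c_addr = parse(child_text)
    problems = []
    if p_ns != c_ns:
        problems.append(("NS", sorted(p_ns), sorted(c_ns)))
    for name in sorted(p_ns | c_ns):
        glue, auth = p_addr.get(name, set()), c_addr.get(name, set())
        if glue and auth and glue != auth:  # compare only when both sides answered
            problems.append((name, sorted(glue), sorted(auth)))
    return problems

if __name__ == "__main__":
    for what, parent, child in check_delegation(PARENT, CHILD):
        print(f"MISMATCH {what}: parent has {parent}, child has {child}")
```

Each tuple returned is (record, parent-side values, child-side values); an empty list means both sides of the cut agree for every name both servers answered for.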

