On Mon, Mar 19, 2001 at 01:33:52PM -0600, A.Khan wrote:
> Am I missing something?
There are a mess of other ways to query DNS servers, but as it happens
"host" is one that I've overlooked all these years.
> # host -t ns suryag-corp.com NS1.GRANITECANYON.COM
> Using domain server:
> Name: NS1.GRANITECANYON.COM
> Address: 205.166.226.38
> Aliases:
It's not clear what's happening there. Let's try a different way of asking:
$ dig @ns1.granitecanyon.com suryag-corp.com any
; <<>> DiG 8.1 <<>> @ns1.granitecanyon.com suryag-corp.com any
; (1 server found)
;; res options: init recurs defnam dnsrch
;; res_send to server ns1.granitecanyon.com 205.166.226.38: Connection timed out
Okay, their ns1 isn't reachable (from here, at this time). Now that I see
this, I have a notion that this was something else that used to happen, and
an even bigger reason why I wasn't keen to use their DNS service.
> # host -t ns suryag-corp.com NS2.GRANITECANYON.COM
> Using domain server:
> Name: NS2.GRANITECANYON.COM
> Address: 204.1.217.148
> Aliases:
>
> suryag-corp.com name server NS1.GRANITECANYON.com
> suryag-corp.com name server NS2.GRANITECANYON.com
$ dig @ns2.granitecanyon.com suryag-corp.com any
; <<>> DiG 8.1 <<>> @ns2.granitecanyon.com suryag-corp.com any
; (1 server found)
;; res options: init recurs defnam dnsrch
;; got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 10
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 2, ADDITIONAL: 2
;; QUERY SECTION:
;; suryag-corp.com, type = ANY, class = IN
;; ANSWER SECTION:
suryag-corp.com. 20h49m6s IN NS NS1.GRANITECANYON.com.
suryag-corp.com. 20h49m6s IN NS NS2.GRANITECANYON.com.
;; AUTHORITY SECTION:
suryag-corp.com. 20h49m6s IN NS NS1.GRANITECANYON.com.
suryag-corp.com. 20h49m6s IN NS NS2.GRANITECANYON.com.
;; ADDITIONAL SECTION:
NS1.GRANITECANYON.com. 1D IN A 205.166.226.38
NS2.GRANITECANYON.com. 1D IN A 204.1.217.148
Well, that looks okay, but when I try it using nslookup (which displays
things a bit differently [memo: must review dig man page]), there's a clear
problem. When nslookup (with type = any set) queries a properly configured
authoritative server, it reports on the zone's timeout figures, and shows
more clearly that this is an authoritative answer. For example:
[correction, later on: no, it doesn't look okay: it should look much more
like the nslookup "good" results below, with some formatting changes. in
particular, dig does show the SOA record info from a properly authoritative
server. I seem to have misled myself earlier.]
> set type=any
> server cerebus.mcs.net
Default Server: cerebus.mcs.net
Address: 207.98.129.77
> mcs.net
Server: cerebus.mcs.net
Address: 207.98.129.77
mcs.net nameserver = ns1.winstar.net
mcs.net nameserver = ns2.winstar.net
mcs.net
origin = ns1.winstar.net
mail addr = dns.winstar.net
serial = 2001031204
refresh = 10800 (3H)
retry = 3600 (1H)
expire = 604800 (1W)
minimum ttl = 3600 (1H)
mcs.net internet address = 192.160.127.85
mcs.net preference = 10, mail exchanger = mail.winstarmail.com
mcs.net preference = 20, mail exchanger = relay.cioe.com
mcs.net nameserver = ns1.winstar.net
mcs.net nameserver = ns2.winstar.net
ns1.winstar.net internet address = 63.140.240.254
ns2.winstar.net internet address = 207.98.129.134
mail.winstarmail.com internet address = 63.140.240.250
relay.cioe.com internet address = 204.120.165.37
Whereas a server that's not speaking authoritatively looks very different:
> enteract.com
Server: cerebus.mcs.net
Address: 207.98.129.77
Non-authoritative answer:
enteract.com preference = 0, mail exchanger = pop3-3.enteract.com
enteract.com preference = 10, mail exchanger = mx.enteract.com
enteract.com preference = 0, mail exchanger = pop3-1.enteract.com
enteract.com preference = 0, mail exchanger = pop3-2.enteract.com
enteract.com nameserver = BIFROST.SEASTROM.com
enteract.com nameserver = NS0.enteract.com
Authoritative answers can be found from:
enteract.com nameserver = BIFROST.SEASTROM.com
enteract.com nameserver = NS0.enteract.com
pop3-3.enteract.com internet address = 207.229.143.32
mx.enteract.com internet address = 207.229.143.33
pop3-1.enteract.com internet address = 207.229.143.14
pop3-2.enteract.com internet address = 207.229.143.16
BIFROST.SEASTROM.com internet address = 192.148.252.10
NS0.enteract.com internet address = 207.229.143.3
Now, when we use nslookup to query your domain:
> lserver ns2.granitecanyon.com
Default Server: ns2.granitecanyon.com
Address: 204.1.217.148
> suryag-corp.com
Server: ns2.granitecanyon.com
Address: 204.1.217.148
Non-authoritative answer:
suryag-corp.com nameserver = NS1.GRANITECANYON.com
suryag-corp.com nameserver = NS2.GRANITECANYON.com
Authoritative answers can be found from:
suryag-corp.com nameserver = NS1.GRANITECANYON.com
suryag-corp.com nameserver = NS2.GRANITECANYON.com
NS1.GRANITECANYON.com internet address = 205.166.226.38
NS2.GRANITECANYON.com internet address = 204.1.217.148
It's replying as though it is not authoritative. I don't know why it's
doing this - the root servers appear to agree that it should be
authoritative, but something isn't right. Given that their ns1 server seems
to be down or unreachable, one obvious possibility is that this is somehow
interfering with getting your zone's authority properly loaded to ns2. This
might not reflect the most robust design practices, but stranger things have
certainly happened.
Then again, I'm not sure what's going on with these gtld-servers.net. Has
it been that long since I went DNSpelunking that they've rearranged the
furniture? Anyway, I don't think that's the problem: they do delegate,
however offhandedly, to granitecanyon, and granitecanyon's reachable server
is lame. You might best pursue this by communicating directly with
granitecanyon, as it would appear to be an issue at their end.
Uhm.... one last thought. Doesn't granitecanyon use a DNS-lint sort of a
checker? Are you certain it accepted your RRs and didn't make any obscure
complaints? Well, call it half a thought...
-=-
Linux Users Of Northern Illinois: General Discussion Mailing list.
For unsubscription, archives, and announcements only see http://luni.org
This archive was generated by hypermail 2b29 : Mon Mar 19 2001 - 15:04:33 CST
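
The detail that separates the two cases in the message above is in the DNS header: the ns2 reply carries `flags: qr rd ra` with no `aa` bit. As an added example (not part of the original message), this Python sketch decodes the 12-byte header and classifies a reply from a server the parent zone delegates to; both sample headers are constructed, the first from the id, flags and counts shown in the ns2 dig output, and the function names are hypothetical.

```python
import struct

# Bit masks in the 16-bit flags word of the DNS header (RFC 1035, section 4.1.1).
QR, AA, TC, RD, RA = 0x8000, 0x0400, 0x0200, 0x0100, 0x0080
RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}


def parse_header(packet: bytes) -> dict:
    """Decode the fixed 12-byte header at the start of a DNS message."""
    if len(packet) < 12:
        raise ValueError("truncated DNS header")
    ident, flags, qd, an, ns, ar = struct.unpack("!6H", packet[:12])
    bits = (("qr", QR), ("aa", AA), ("tc", TC), ("rd", RD), ("ra", RA))
    return {
        "id": ident,
        "flags": [name for name, mask in bits if flags & mask],
        "rcode": RCODES.get(flags & 0x000F, str(flags & 0x000F)),
        "query": qd, "answer": an, "authority": ns, "additional": ar,
    }


def delegation_status(packet: bytes) -> str:
    """Classify a reply from a server listed as NS for the queried zone.

    Assumption: the query was for the zone apex and was sent directly to
    that server, so anything other than an authoritative reply is lame.
    """
    header = parse_header(packet)
    if "qr" not in header["flags"]:
        return "not-a-response"
    if header["rcode"] in ("SERVFAIL", "REFUSED"):
        return "lame"   # server declines to answer for the zone
    if "aa" not in header["flags"]:
        return "lame"   # answered from cache or recursion, not as the authority
    return "authoritative"


# Constructed sample headers (header only, no question/answer sections).
# LAME_REPLY mirrors the ns2 dig output: id 10, qr rd ra, counts 1/2/2/2.
LAME_REPLY = struct.pack("!6H", 10, 0x8180, 1, 2, 2, 2)
# AUTH_REPLY is the same shape with the AA bit set, as a healthy server sends.
AUTH_REPLY = struct.pack("!6H", 11, 0x8580, 1, 8, 2, 4)

if __name__ == "__main__":
    for label, pkt in (("ns2-style", LAME_REPLY), ("healthy", AUTH_REPLY)):
        print(label, parse_header(pkt)["flags"], delegation_status(pkt))
```

With a current dig, the same check is a matter of sending the query with `+norecurse` to each delegated server in turn and looking for `aa` in the flags line.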