[afnog] RIPE in-addr help

Brian Candler B.Candler at pobox.com
Thu Feb 3 12:28:53 EAT 2005


On Wed, Feb 02, 2005 at 07:34:03PM -0000, Bruno Agbessitse wrote:
> leo vegoda wrote:
> 
> >Squish.net provide a useful web-based tool that will do a complete DNS 
> >traversal for you, too. It's quite useful when trying to track down DNS 
> >problems. It's at:
> 
> >http://www.squish.net/dnscheck/
> 
> >I hope this is helpful.
> 
> 
> You can also check these URLs as well
> 1- http://www.dnsstuff.com/
> 2- http://www.domainwhitepages.com/

I haven't yet come across a zone checking tool which does the *whole* job
correctly.

For example, the 'doc' tool just quoted says that psg.com is all OK. It
finds that the listed domain name servers for psg.com are:
  arizona.edu. dns.library.ucla.edu. rain.psg.com.

but it doesn't then go on to test the name->A record resolution for those
name servers, which you need to complete the job (especially to check for
bad glue records). Now,

  doc -d library.ucla.edu.

says that there is actually a problem with this domain, saying it found a
delegation to dns2.library.ucla.edu. which doesn't actually exist.

Digging around by hand, I find it's right: looking at one of the nameservers
for ucla.edu,
  dig @adns2.berkeley.edu. library.ucla.edu. ns
lists six nameservers, one of which does not exist. However, the other domain
name servers for ucla.edu list only five.

This is weird - all the servers for ucla.edu have the same SOA serial
number.

Now, the squish.net checker seems to find this error by itself, although its
output is not especially helpful:

| 1.4% of queries will end in failure at 164.67.43.25 (dns2.library.ucla.edu)
| - failed to resolve dns.library.ucla.edu due to 164.67.43.25 - query timed
| out

"Query timed out?" The name dns2.library.ucla.edu does not exist in the DNS
at all, except perhaps as a glue record somewhere.

  $ ping dns2.library.ucla.edu.
  ping: cannot resolve dns2.library.ucla.edu.: Unknown host

www.zonecheck.fr doesn't find the problem at all, although it gives some
warnings about other things which don't matter very much, e.g.
   dns.library.ucla.edu. -> 164.67.41.8 -> gaskell.library.ucla.edu.
                                      ^----'

However, it also doesn't notice that arizona.edu actually resolves to two
different IP addresses, 128.196.128.233 and 128.196.128.234, which is
potentially a more serious matter. Investigating by hand,

- the root servers and nstld.com servers have glue saying
arizona.edu.            172800  IN      A       128.196.128.233

- the auth servers for arizona.edu have two A records:
arizona.edu.            7200    IN      A       128.196.128.234
arizona.edu.            7200    IN      A       128.196.128.233

So, when testing the zone properly, you have to remember the two different
'A' records you've seen for arizona.edu, and test both.

"doc -d arizona.edu" does find some more serious stuff, including some
mismatched serial numbers for arizona.edu (perhaps just transient while a
slave updates), and mismatched NS records from above and within the zone.
But it also doesn't seem to find the 128.196.128.234 A record.

www.dnsstuff.com and www.domainwhitepages.com are irrelevant to this thread
- they're just web frontends to DNS lookups and whois, not proper zone
testing.

So in summary: squish.net is probably the most complete single test. It
found and tested both IP addresses of arizona.edu, although it didn't warn
about the inconsistency with the glue records. doc does a pretty good job,
although you have to re-run it on each of the domains for the nameservers
you find (and you need some intelligence to do this: e.g. 'doc
dns.library.ucla.edu' fails, you must do 'doc library.ucla.edu' instead).

The problem with these tools is that they can give you a smug sense of
self-satisfaction that all is OK with your domain, when actually there are
underlying problems that they've missed.

Regards,

Brian.
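The checks Brian performs by hand above (NS sets that differ between servers, an NS name that does not resolve, and glue that disagrees with the zone's own A records) as an added offline example; this is not code from the post or from any of the tools it mentions. All records are constructed to mirror the cases in the message (the 192.0.2.x address is a placeholder), and no DNS queries are made.

```python
# Constructed inputs modelling the post's observations. Each nameserver name
# maps to the set of addresses a given source returned; an empty set models a
# name that does not exist in the DNS (the dns2.library.ucla.edu case).
GLUE_A = {                                   # glue seen at the parent/root
    "arizona.edu.": {"128.196.128.233"},
    "rain.psg.com.": {"192.0.2.39"},         # placeholder, constructed
}
AUTH_A = {                                   # answers from each name's own zone
    "arizona.edu.": {"128.196.128.233", "128.196.128.234"},
    "rain.psg.com.": {"192.0.2.39"},         # placeholder, constructed
    "dns.library.ucla.edu.": {"164.67.41.8"},
    "dns2.library.ucla.edu.": set(),         # does not resolve
}
PSG_NS = {"arizona.edu.", "dns.library.ucla.edu.", "rain.psg.com."}

# NS answers for library.ucla.edu from two constructed authoritative servers:
# one server lists an extra (non-existent) nameserver, the other does not.
LIBRARY_NS_ANSWERS = {
    "server-a": {"dns.library.ucla.edu.", "dns2.library.ucla.edu."},
    "server-b": {"dns.library.ucla.edu."},
}


def inconsistent_ns(ns_answers):
    """NS names returned by some, but not all, of the queried servers."""
    sets = list(ns_answers.values())
    return sorted(set().union(*sets) - set.intersection(*sets))


def check_nameservers(ns_names, glue_a, auth_a):
    """Resolve each NS name and compare parent glue with the zone's A records."""
    problems = {}
    for name in sorted(ns_names):
        auth = auth_a.get(name, set())
        if not auth:
            problems[name] = "does not resolve"
            continue
        glue = glue_a.get(name)
        if glue is not None and glue != auth:
            problems[name] = "glue/authoritative mismatch: glue=%s auth=%s" % (
                sorted(glue), sorted(auth))
    return problems


def addresses_to_test(name, glue_a, auth_a):
    """Every address seen for a nameserver from either source, so each is tested."""
    return sorted(glue_a.get(name, set()) | auth_a.get(name, set()))


if __name__ == "__main__":
    print(inconsistent_ns(LIBRARY_NS_ANSWERS))
    print(check_nameservers(PSG_NS, GLUE_A, AUTH_A))
    print(addresses_to_test("arizona.edu.", GLUE_A, AUTH_A))
```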
