[afnog] RIPE in-addr help
Brian Candler
B.Candler at pobox.com
Thu Feb 3 12:28:53 EAT 2005
On Wed, Feb 02, 2005 at 07:34:03PM -0000, Bruno Agbessitse wrote:
> leo vegoda wrote:
>
> >Squish.net provide a useful web-based tool that will do a complete DNS
> >traversal for you, too. It's quite useful when trying to track down DNS
> >problems. It's at:
>
> >http://www.squish.net/dnscheck/
>
> >I hope this is helpful.
>
>
> You can also check these URLs as well
> 1- http://www.dnsstuff.com/
> 2- http://www.domainwhitepages.com/
I haven't yet come across a zone checking tool which does the *whole* job
correctly.
For example, the 'doc' tool just quoted says that psg.com is all OK. It
finds that the listed domain name servers for psg.com are:
    arizona.edu. dns.library.ucla.edu. rain.psg.com.
but it doesn't then go on to test the name->A record resolution for those
name servers, which you need to complete the job (especially to check for
bad glue records). Now,
    doc -d library.ucla.edu.
says that there is actually a problem with this domain, saying it found a
delegation to dns2.library.ucla.edu. which doesn't actually exist.
Digging around by hand, I find it's right: looking at one of the nameservers
for ucla.edu,
    dig @adns2.berkeley.edu. library.ucla.edu. ns
lists six nameservers, one of which does not exist. However the other domain
name servers for ucla.edu list only five.
This is weird - all the servers for ucla.edu have the same SOA serial
number.
Now, the squish.net checker seems to find this error by itself, although its
output is not especially helpful:
| 1.4% of queries will end in failure at 164.67.43.25 (dns2.library.ucla.edu)
| - failed to resolve dns.library.ucla.edu due to 164.67.43.25 - query timed
| out
"Query timed out?" The name dns2.library.ucla.edu does not exist in the DNS
at all, except perhaps as a glue record somewhere.
    $ ping dns2.library.ucla.edu.
    ping: cannot resolve dns2.library.ucla.edu.: Unknown host
www.zonecheck.fr doesn't find the problem at all, although it gives some
warnings about other things which don't matter very much, e.g.
dns.library.ucla.edu. -> 164.67.41.8 -> gaskell.library.ucla.edu.
^----'
However, it also doesn't notice that arizona.edu actually resolves to two
different IP addresses, 128.196.128.233 and 128.196.128.234, which is
potentially a more serious matter. Investigating by hand,
- the root servers and nstld.com servers have glue saying
    arizona.edu. 172800 IN A 128.196.128.233
- the auth servers for arizona.edu have two A records:
    arizona.edu. 7200 IN A 128.196.128.234
    arizona.edu. 7200 IN A 128.196.128.233
So, when testing the zone properly, you have to remember the two different
'A' records you've seen for arizona.edu, and test both.
"doc -d arizona.edu" does find some more serious stuff, including some
mismatched serial numbers for arizona.edu (perhaps just transient while a
slave updates), and mismatched NS records from above and within the zone.
But it also doesn't seem to find the 128.196.128.234 A record.
www.dnsstuff.com and www.domainwhitepages.com are irrelevant to this thread
- they're just web frontends to dns lookups and whois, not proper zone
testing.
So in summary: squish.net is probably the most complete single test. It
found and tested both IP addresses of arizona.edu, although it didn't warn
about the inconsistency with the glue records. doc does a pretty good job,
although you have to re-run it on each of the domains for the nameservers
you find (and you need some intelligence to do this: e.g. 'doc
dns.library.ucla.edu' fails, you must do 'doc library.ucla.edu' instead).
The problem with these tools is that they can give you a smug sense of
self-satisfaction that all is OK with your domain, when actually there are
underlying problems that they've missed.
Regards,
Brian.
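An added example, not part of Brian's message or of any of the tools he names: a small Python check over the three data sets the post says a full zone test needs (the NS set each authoritative server answers, the parent-side glue, and the A records served by each name server's own zone). The sample data is constructed from the values quoted above; rain.psg.com's address and the second ucla.edu server name are placeholders.

```python
from typing import Dict, List, Set

def check_delegation(ns_by_server: Dict[str, Set[str]],
                     glue: Dict[str, Set[str]],
                     auth_a: Dict[str, Set[str]]) -> List[str]:
    """Return human-readable findings; an empty list means the delegation is consistent.
    ns_by_server: NS RRset as answered by each server authoritative for the zone.
    glue:         A records the parent (root/TLD/parent zone) hands out per NS name.
    auth_a:       A records served by the authoritative servers for each NS name."""
    findings: List[str] = []
    all_ns: Set[str] = set().union(*ns_by_server.values())
    # 1. Every server for the zone must answer the same NS set (the 6-vs-5 case above).
    for server, ns_set in ns_by_server.items():
        if ns_set != all_ns:
            findings.append(f"{server} answers NS {sorted(ns_set)}, "
                            f"others also list {sorted(all_ns - ns_set)}")
    # 2. Each NS name must resolve, and glue must agree with the authoritative A records;
    #    when they differ, every address seen must be tested, not just the glue.
    for ns in sorted(all_ns):
        a, g = auth_a.get(ns, set()), glue.get(ns, set())
        if not a:
            findings.append(f"{ns}: no authoritative A record"
                            + (f" (glue says {sorted(g)})" if g else ""))
            continue
        if g and g != a:
            findings.append(f"{ns}: glue {sorted(g)} != authoritative A {sorted(a)}; "
                            f"test all of {sorted(a | g)}")
    return findings

# Constructed from the post: psg.com's NS set is agreed, but arizona.edu has glue .233
# while its own zone serves .233 and .234. rain.psg.com's address is a placeholder.
PSG_NS = {"rain.psg.com.": {"arizona.edu.", "dns.library.ucla.edu.", "rain.psg.com."},
          "arizona.edu.": {"arizona.edu.", "dns.library.ucla.edu.", "rain.psg.com."}}
PSG_GLUE = {"arizona.edu.": {"128.196.128.233"}}
PSG_AUTH_A = {"arizona.edu.": {"128.196.128.233", "128.196.128.234"},
              "dns.library.ucla.edu.": {"164.67.41.8"},
              "rain.psg.com.": {"192.0.2.1"}}  # placeholder, not a real address

# Constructed from the post: one ucla.edu server lists dns2.library.ucla.edu, which has
# no A record and exists only as glue. The second server name is a placeholder.
LIB_NS = {"adns2.berkeley.edu.": {"dns.library.ucla.edu.", "dns2.library.ucla.edu."},
          "ns-placeholder.ucla.edu.": {"dns.library.ucla.edu."}}
LIB_GLUE = {"dns2.library.ucla.edu.": {"164.67.43.25"}}
LIB_AUTH_A = {"dns.library.ucla.edu.": {"164.67.41.8"}}

if __name__ == "__main__":
    print("psg.com:", check_delegation(PSG_NS, PSG_GLUE, PSG_AUTH_A) or ["OK"])
    print("library.ucla.edu:", check_delegation(LIB_NS, LIB_GLUE, LIB_AUTH_A) or ["OK"])
```

The input dictionaries are exactly what a 'doc' or squish.net-style traversal collects; feeding live query results into them is the part the post says the tools leave incomplete.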