[afnog] Bind/DNS/resolution

Brian Candler B.Candler at pobox.com
Wed Jul 13 22:24:03 EAT 2005


On Wed, Jul 13, 2005 at 08:35:02AM +0200, Gcinaphi Maseko wrote:
> Have a problem here. We are unable to browse the pages, for now namely,
> www.swazi.com, www.usb.sun.ac.za and www.acia.sun.ac.za. It seems like a
> resolution problem. Only these are unable to be resolved. It's been one
> week since these pages were last accessible. What I've done so far is to
> restart our DNS services, 'named' (BIND), restart the machine.... and
> ended up adding a foreign DNS in our resolv.conf files.

If everything else resolves except those three, then the chances are that
those three domains are broken.

To test, you need to follow the tree of referrals from the root nameservers
down to the servers which are responsible (authoritative) for serving those
domains.

$ dig +norec @a.root-servers.net. www.swazi.com. a
...
com.                    172800  IN      NS      A.GTLD-SERVERS.NET.
com.                    172800  IN      NS      G.GTLD-SERVERS.NET.
com.                    172800  IN      NS      H.GTLD-SERVERS.NET.
com.                    172800  IN      NS      C.GTLD-SERVERS.NET.
com.                    172800  IN      NS      I.GTLD-SERVERS.NET.
com.                    172800  IN      NS      B.GTLD-SERVERS.NET.
com.                    172800  IN      NS      D.GTLD-SERVERS.NET.
com.                    172800  IN      NS      L.GTLD-SERVERS.NET.
com.                    172800  IN      NS      F.GTLD-SERVERS.NET.
com.                    172800  IN      NS      J.GTLD-SERVERS.NET.
com.                    172800  IN      NS      K.GTLD-SERVERS.NET.
com.                    172800  IN      NS      E.GTLD-SERVERS.NET.
com.                    172800  IN      NS      M.GTLD-SERVERS.NET.

$ dig +norec @a.gtld-servers.net. www.swazi.com. a
...
swazi.com.              172800  IN      NS      falcon.mweb.co.za.
swazi.com.              172800  IN      NS      swazi.com.
...
swazi.com.              172800  IN      A       196.28.7.3

$ dig +norec @falcon.mweb.co.za. www.swazi.com. a
;; AUTHORITY SECTION:
.                       518400  IN      NS      C.ROOT-SERVERS.NET.
.                       518400  IN      NS      D.ROOT-SERVERS.NET.

This is a referral back to the root nameservers. In other words, this server
does not hold any information about the swazi.com domain.

$ dig +norec @swazi.com. www.swazi.com. a
;; ANSWER SECTION:
www.swazi.com.          86400   IN      CNAME   home.swazi.com.
home.swazi.com.         86400   IN      A       196.28.7.12

Now, this appears to work for me. However, the domain is delegated to
'swazi.com', so we have to check the resolution of 'swazi.com' to its IP
address (since this is done to locate the nameserver).

$ dig +norec @swazi.com. swazi.com. a
;; ANSWER SECTION:
swazi.com.              86400   IN      A       196.28.7.12

Oops! This address is *different* to the one held in the gtld servers (which
says swazi.com is 196.28.7.3). This is called an "out of date glue record".

Testing both purported addresses for swazi.com:

$ dig +norec @196.28.7.12 swazi.com. a
;; connection timed out; no servers could be reached
$ dig +norec @196.28.7.3 swazi.com. a
...
;; ANSWER SECTION:
swazi.com.              86400   IN      A       196.28.7.12

So, the wrong information is 196.28.7.3. If your nameserver follows this
information (which it will, since there's nothing else it can do if it has
an empty cache), it will be unable to find any working nameserver for
swazi.com.

You can follow the same process for the other two domains, and I guess they
are also broken.

The solution is that you have to contact whoever owns and runs swazi.com,
and get them to fix their nameservers and the glue records above them. There
is nothing wrong with your cache; it's the authoritative servers for this
domain which are wrong.

HTH,

Brian.
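
The two checks walked through in the message above (a listed nameserver that refers back to the root, and glue in the parent that disagrees with the zone's own address), as an added example that is not part of the original post. It parses saved dig output offline; the function names are hypothetical, and the sample input is the record lines copied from the output quoted in the message.

```python
import re

# One resource-record line as dig prints it: owner, TTL, class IN, type, rdata.
RR = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+(\S+)\s+(\S+)$")

def parse_rrs(dig_output):
    """Return lower-cased (owner, type, rdata) tuples; ';' and '...' lines are skipped."""
    found = (RR.match(line.strip()) for line in dig_output.splitlines())
    return [(m[1].lower(), m[3].upper(), m[4].lower()) for m in found if m]

def is_lame(response, zone):
    """True when a listed nameserver returns only NS records for a name outside
    `zone` (such as a referral back to the root) and no data for the zone."""
    zone = zone.lower()
    inside = lambda owner: owner == zone or owner.endswith("." + zone)
    rrs = parse_rrs(response)
    ns_owners = {o for o, t, _ in rrs if t == "NS"}
    has_data = any(inside(o) for o, t, _ in rrs if t != "NS")
    return bool(ns_owners) and not has_data and not any(inside(o) for o in ns_owners)

def stale_glue(parent_referral, child_answer):
    """Map nameserver name -> (glue addresses, authoritative addresses) wherever
    the parent's glue A records disagree with the zone's own A records."""
    parent, child = parse_rrs(parent_referral), parse_rrs(child_answer)
    mismatches = {}
    for ns in sorted({r for _, t, r in parent if t == "NS"}):
        glue = {r for o, t, r in parent if o == ns and t == "A"}
        auth = {r for o, t, r in child if o == ns and t == "A"}
        if glue and auth and glue != auth:
            mismatches[ns] = (glue, auth)
    return mismatches

# Sample input: record lines copied from the dig output quoted in the message.
GTLD_REFERRAL = """\
swazi.com.              172800  IN      NS      falcon.mweb.co.za.
swazi.com.              172800  IN      NS      swazi.com.
swazi.com.              172800  IN      A       196.28.7.3
"""
ZONE_ANSWER = """\
;; ANSWER SECTION:
swazi.com.              86400   IN      A       196.28.7.12
"""
FALCON_RESPONSE = """\
;; AUTHORITY SECTION:
.                       518400  IN      NS      C.ROOT-SERVERS.NET.
.                       518400  IN      NS      D.ROOT-SERVERS.NET.
"""

if __name__ == "__main__":
    print("lame falcon.mweb.co.za.:", is_lame(FALCON_RESPONSE, "swazi.com."))
    print("stale glue:", stale_glue(GTLD_REFERRAL, ZONE_ANSWER))
```

Zone names are expected fully qualified, with the trailing dot, as dig prints them.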


