[afnog] Bind/DNS/resolution
Brian Candler
B.Candler at pobox.com
Wed Jul 13 22:24:03 EAT 2005
On Wed, Jul 13, 2005 at 08:35:02AM +0200, Gcinaphi Maseko wrote:
> Have a problem here. We are unable to borwse the pages, for now namely,
> www.swazi.com, www.usb.sun.ac.za and www.acia.sun.ac.za. It seems like a
> resolution problem. Only these are unable to be resolved. It's been one
> week since these pages were last accessable. What I've done so far is to
> restart our DNS services, ,'named'(BIND), restart the machine.... and
> ended up adding a foreign DNS in our resolv.conf files.
If everything else resolves except those three, then the chances are that
those three domains are broken.
To test, you need to follow the tree of referrals from the root nameservers
down to the servers which are responsible (authoritative) for serving those
domains.
$ dig +norec @a.root-servers.net. www.swazi.com. a
...
com. 172800 IN NS A.GTLD-SERVERS.NET.
com. 172800 IN NS G.GTLD-SERVERS.NET.
com. 172800 IN NS H.GTLD-SERVERS.NET.
com. 172800 IN NS C.GTLD-SERVERS.NET.
com. 172800 IN NS I.GTLD-SERVERS.NET.
com. 172800 IN NS B.GTLD-SERVERS.NET.
com. 172800 IN NS D.GTLD-SERVERS.NET.
com. 172800 IN NS L.GTLD-SERVERS.NET.
com. 172800 IN NS F.GTLD-SERVERS.NET.
com. 172800 IN NS J.GTLD-SERVERS.NET.
com. 172800 IN NS K.GTLD-SERVERS.NET.
com. 172800 IN NS E.GTLD-SERVERS.NET.
com. 172800 IN NS M.GTLD-SERVERS.NET.
$ dig +norec @a.gtld-servers.net. www.swazi.com. a
...
swazi.com. 172800 IN NS falcon.mweb.co.za.
swazi.com. 172800 IN NS swazi.com.
...
swazi.com. 172800 IN A 196.28.7.3
$ dig +norec @falcon.mweb.co.za. www.swazi.com. a
;; AUTHORITY SECTION:
. 518400 IN NS C.ROOT-SERVERS.NET.
. 518400 IN NS D.ROOT-SERVERS.NET.
This is a referral back to the root nameservers. In other words, this server
does not hold any information about the swazi.com domain.
$ dig +norec @swazi.com. www.swazi.com. a
;; ANSWER SECTION:
www.swazi.com. 86400 IN CNAME home.swazi.com.
home.swazi.com. 86400 IN A 196.28.7.12
Now, this appears to work for me. However, the domain is delegated to
'swazi.com', so we have to check the resolution of 'swazi.com' to its IP
address (since this is done to locate the nameserver)
$ dig +norec @swazi.com. swazi.com. a
;; ANSWER SECTION:
swazi.com. 86400 IN A 196.28.7.12
Oops! This address is *different* to the one held in the gtld servers (which
says swazi.com is 196.28.7.3). This is called an "out of date glue record".
Testing both purported addresses for swazi.com:
$ dig +norec @196.28.7.12 swazi.com. a
;; connection timed out; no servers could be reached
$ dig +norec @196.28.7.3 swazi.com. a
...
;; ANSWER SECTION:
swazi.com. 86400 IN A 196.28.7.12
So, the wrong information is 196.28.7.3. If your nameserver follows this
information (which it will, since there's nothing else it can do if it has
an empty cache), it will be unable to find any working nameserver for
swazi.com.
You can follow the same process for the other two domains, and I guess they
are also broken.
The solution is that you have to contain whoever owns and runs swazi.com,
and get them to fix their nameservers and the glue records above them. There
is nothing wrong with your cache; it's the authoritative servers for this
domain which are wrong.
HTH,
Brian.
More information about the afnog
mailing list