[afnog] strange ns record
Brian Candler
B.Candler at pobox.com
Wed Apr 26 16:37:14 EAT 2006
On Wed, Apr 26, 2006 at 04:06:38PM +0300, Mike Barnard wrote:
> i seem to be having a strange ns record problem. i have a domain
> profiles.co.ug, which i am an authority for. problem is i cannot
> retrieve records for this domain even from my name server.
> i have updated it, made sure that the zone file was correctly updated
> with a new serial number, deleted and recreated it, made sure that the
> file permissions are all right but i get nothing from it:
> my name server is running named 8.4.4 on FreeBSD 4.9.
> this is what i get when i query for this record
> cachekla# host profiles.co.ug
> Host profiles.co.ug not found: 2(SERVFAIL)
> and..........
> cachekla# dig profiles.co.ug
Those commands will be sent to whatever DNS caches are listed in
/etc/resolv.conf. If you want to send them directly to the authoritative
host in order to test it, then you need something like
# dig +norec @127.0.0.1 profiles.co.ug.
or replace 127.0.0.1 with the IP address of your authoritative nameserver,
if it's a different machine.
Taking a look from the outside:
$ dig +norec @a.root-servers.net. www.profiles.co.ug. a
;; AUTHORITY SECTION:
ug. 172800 IN NS NS.RIPE.NET.
ug. 172800 IN NS NS.ICANN.ORG.
ug. 172800 IN NS WEB.EAHD.OR.ug.
ug. 172800 IN NS DEMON.MTN.co.ug.
ug. 172800 IN NS NS.ONE2NET.co.ug.
$ dig +norec @ns.ripe.net. www.profiles.co.ug. a
;; AUTHORITY SECTION:
profiles.co.ug. 3600 IN NS ns.one2net.co.ug.
profiles.co.ug. 3600 IN NS ns2.one2net.co.ug.
;; ADDITIONAL SECTION:
ns.one2net.co.ug. 3600 IN A 41.220.14.8
ns2.one2net.co.ug. 3600 IN A 41.220.14.9
(Naughty boy! Both nameservers on same subnet!)
$ dig +norec @ns.one2net.co.ug. www.profiles.co.ug. a
;; connection timed out; no servers could be reached
Hmm, but trying again it's fine:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 14790
;; flags: qr; QUERY: 1, ANSWER: 0, AUTHORITY: 2, ADDITIONAL: 2
;; QUESTION SECTION:
;www.profiles.co.ug. IN A
;; AUTHORITY SECTION:
profiles.co.ug. 3600 IN NS ns.one2net.co.ug.
profiles.co.ug. 3600 IN NS ns2.one2net.co.ug.
This is OK (it's just saying that www.profiles.co.ug definitely doesn't
exist). It just looks like some packet loss between here and there causes it
to fail intermittently for me.
But ns2 is clearly broken:
$ dig +norec @ns2.one2net.co.ug. www.profiles.co.ug. a
; <<>> DiG 9.2.4 <<>> +norec @ns2.one2net.co.ug. www.profiles.co.ug. a
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 14803
;; flags: qr; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
So I think that ns2 has not correctly been set up as authoritative for the
zone. Either it hasn't been configured as a slave (pulling the zone from
ns), or it has been configured as a slave, but ns is disabling zone
transfers.
To check this, log into ns2. Check that profiles.co.ug is in the named.conf
and is listed as a slave. Check that it points to 41.220.14.8 as the master.
Then try:
# dig @41.220.14.8 profiles.co.ug. axfr
and see if it works (i.e. ns allows a zone transfer to ns2). Finally,
restart named on ns2 and look in the log file to see whether the zone has
been rejected or the transfer failed for some reason.
HTH,
Brian.
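The checks Brian walks through above (query the authoritative host directly with recursion off, then read the status and flags in the header) can be done without dig. The following is an added example, not code from the thread or from any poster: a small stdlib-only probe that sends a DNS query with the RD bit clear (what `dig +norec` does), decodes the 12-byte response header and grades it the way a zone operator would: SERVFAIL means the zone is not loaded, NOERROR/NXDOMAIN with the AA bit set means the server is actually authoritative, and an answer without AA means the server never claimed authority for the name. The server address, zone name and the sample response packets in the test are constructed for illustration; the `probe()` function needs network access, the parsing and grading do not.

```python
"""Non-recursive DNS probe (added example): send a query with RD=0 straight to
a nameserver, then decode and grade the response header."""
import secrets
import socket
import struct

QTYPES = {"A": 1, "NS": 2, "SOA": 6}
RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN",
          4: "NOTIMP", 5: "REFUSED"}

# Header flag bits, RFC 1035 section 4.1.1
QR, AA, TC, RD, RA = 0x8000, 0x0400, 0x0200, 0x0100, 0x0080


def encode_name(name):
    """Wire-format a domain name: length-prefixed labels, zero terminator."""
    labels = [l for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_query(name, qtype="A", txid=0x1234, recursion_desired=False):
    """Build a query packet. RD is left clear by default, so a cache in the
    path cannot answer on the authoritative server's behalf (the +norec idea)."""
    flags = RD if recursion_desired else 0
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", QTYPES[qtype], 1)


def parse_header(packet):
    """Decode the 12-byte header into id, flag bits and section counts."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", packet[:12])
    return {
        "id": txid,
        "qr": bool(flags & QR), "aa": bool(flags & AA), "tc": bool(flags & TC),
        "rd": bool(flags & RD), "ra": bool(flags & RA),
        "rcode": RCODES.get(flags & 0xF, "RCODE%d" % (flags & 0xF)),
        "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar,
    }


def grade(hdr):
    """One-line verdict for a server that is supposed to be authoritative."""
    if hdr["rcode"] == "SERVFAIL":
        return "broken: SERVFAIL (zone not loaded; check named.conf and the slave transfer)"
    if hdr["rcode"] not in ("NOERROR", "NXDOMAIN"):
        return "error: " + hdr["rcode"]
    if not hdr["aa"]:
        return "warning: %s without AA flag (server did not claim authority)" % hdr["rcode"]
    return "ok: authoritative %s, %d answer / %d authority records" % (
        hdr["rcode"], hdr["ancount"], hdr["nscount"])


def probe(server_ip, name, qtype="SOA", timeout=3.0):
    """Send the non-recursive query over UDP and return the parsed header.
    Raises socket.timeout on packet loss (the intermittent failure seen above)."""
    txid = secrets.randbelow(65536)  # unpredictable id, as a resolver would use
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    try:
        sock.sendto(build_query(name, qtype, txid), (server_ip, 53))
        data, _ = sock.recvfrom(4096)
    finally:
        sock.close()
    hdr = parse_header(data)
    if hdr["id"] != txid or not hdr["qr"]:
        raise ValueError("response id/QR mismatch: not an answer to our query")
    return hdr


if __name__ == "__main__":
    import sys
    # usage: python probe.py <nameserver-ip> <zone>   (assumed invocation)
    server, zone = sys.argv[1], sys.argv[2]
    try:
        print(server, grade(probe(server, zone)))
    except socket.timeout:
        print(server, "no response (timeout): packet loss or server down")
```

Run it once against each address listed in the delegation (here the two one2net hosts returned by the ug. servers) and compare the verdicts; querying the SOA of the zone itself rather than a hostname under it avoids confusing a missing www record with a missing zone.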