[afnog] DNS reachability
Brian Candler
B.Candler at pobox.com
Thu Jun 1 12:47:57 EAT 2006
On Thu, Jun 01, 2006 at 11:23:14AM +0300, Mike Barnard wrote:
> sorry about that....my server is ns.one2net.co.ug and IP address
> is 41.220.14.8 ;-)
(1) It's IP-reachable from here:
$ dig +norec @41.220.14.8 ug. soa
; <<>> DiG 9.3.1 <<>> +norec @41.220.14.8 ug. soa
; (1 server found)
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 64889
;; flags: qr aa; QUERY: 1, ANSWER: 1, AUTHORITY: 7, ADDITIONAL: 9
;; QUESTION SECTION:
;ug. IN SOA
;; ANSWER SECTION:
ug. 14400 IN SOA web.eahd.or.ug. beg_g.eahd.or.ug. 2006060110 86400 3600 2592000 14400
;; AUTHORITY SECTION:
ug. 3600 IN NS web.eahd.or.ug.
ug. 3600 IN NS ns.icann.org.
ug. 3600 IN NS ns.one2net.co.ug.
ug. 3600 IN NS ns.ripe.net.
ug. 3600 IN NS demon.mtn.co.ug.
ug. 3600 IN NS ns-ext.vix.com.
ug. 3600 IN NS ns-ug.ripe.net.
;; ADDITIONAL SECTION:
web.eahd.or.ug. 17640 IN A 216.104.202.101
ns.icann.org. 2498 IN A 192.0.34.126
ns.one2net.co.ug. 21600 IN A 41.220.14.8
ns.ripe.net. 153698 IN A 193.0.0.193
demon.mtn.co.ug. 3600 IN A 212.88.97.20
ns-ext.vix.com. 160137 IN A 204.152.184.64
ns-ug.ripe.net. 77611 IN A 193.0.12.231
ns.ripe.net. 93390 IN AAAA 2001:610:240:0:53::193
ns-ug.ripe.net. 77611 IN AAAA 2001:610:240:0:53:cc:12:231
;; Query time: 602 msec
;; SERVER: 41.220.14.8#53(41.220.14.8)
;; WHEN: Thu Jun 1 10:32:21 2006
;; MSG SIZE rcvd: 407
(2) The glue in the root is wrong as you said:
$ dig +norec @a.root-servers.net. ns.one2net.co.ug. a
;; ANSWER SECTION:
ns.one2net.co.ug. 172800 IN A 81.199.88.10
                              ^^^^^^^^^^^^
;; AUTHORITY SECTION:
ug. 172800 IN NS NS.RIPE.NET.
ug. 172800 IN NS NS.ICANN.ORG.
ug. 172800 IN NS WEB.EAHD.OR.ug.
ug. 172800 IN NS DEMON.MTN.co.ug.
ug. 172800 IN NS ns.one2net.co.ug.
;; ADDITIONAL SECTION:
NS.RIPE.NET. 172800 IN A 193.0.0.193
NS.ICANN.ORG. 172800 IN A 192.0.34.126
WEB.EAHD.OR.ug. 172800 IN A 216.104.202.101
DEMON.MTN.co.ug. 172800 IN A 212.88.97.20
ns.one2net.co.ug. 172800 IN A 81.199.88.10
                              ^^^^^^^^^^^^
$ dig +norec @ns.ripe.net. ns.one2net.co.ug. a
;; ADDITIONAL SECTION:
ns.one2net.co.ug. 3600 IN A 41.220.14.8
ns2.one2net.co.ug. 3600 IN A 41.220.14.9
;; AUTHORITY SECTION:
one2net.co.ug. 3600 IN NS ns.one2net.co.ug.
one2net.co.ug. 3600 IN NS ns2.one2net.co.ug.
(3) Now, this is where the problem seems to be:
$ dig +norec @41.220.14.9 ns.one2net.co.ug. a
; <<>> DiG 9.2.4 <<>> +norec @41.220.14.9 ns.one2net.co.ug. a
;; global options: printcmd
;; connection timed out; no servers could be reached
$ dig +norec @41.220.14.8 ns
;; ANSWER SECTION:
ns.one2net.co.ug. 21600 IN A 41.220.14.8
;; AUTHORITY SECTION:
one2net.co.ug. 21600 IN NS ns.one2net.co.ug.
one2net.co.ug. 21600 IN NS ns2.one2net.co.ug.
;; ADDITIONAL SECTION:
ns.one2net.co.ug. 21600 IN A 41.220.14.8
ns2.one2net.co.ug. 21600 IN A 41.220.14.9
This shows that the names under one2net.co.ug (including ns.one2net.co.ug)
may not be resolvable. You have only two nameservers listed for
one2net.co.ug: ns.one2net.co.ug cannot be found because the glue in the root
is wrong, and ns2.one2net.co.ug is not responding at all.

So first you need to put your house in order for one2net.co.ug. Either fix
ns2, or (preferably) get an off-site secondary for this domain, since at the
moment you're violating RFC 2182. This is definitely not good for a
nameserver which is supposed to be providing service for a top-level domain.
You're on show to the world here :-)

Alternatively, you could rename this host entirely, so that its new name is
under somebody else's domain which has RFC 2182-compliant nameservice (e.g.
"ns-ug.psg.com"). That's probably more work than making the nameservice for
one2net.co.ug RFC 2182-compliant, as the delegation for .ug would need
changing to point to this new name.
Regards,
Brian.
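
Added example, not part of the original message: the glue comparison done by eye in steps (2) and (3), run over the A records quoted above. It assumes the answer from 41.220.14.8 is the correct data for one2net.co.ug; VIEWS, TIMED_OUT and the function names are illustrative.

```python
from collections import defaultdict

# A records copied from the dig output quoted in the message, keyed by the
# server that was queried.
VIEWS = {
    "a.root-servers.net.": "ns.one2net.co.ug. 172800 IN A 81.199.88.10",
    "ns.ripe.net.": "ns.one2net.co.ug. 3600 IN A 41.220.14.8\n"
                    "ns2.one2net.co.ug. 3600 IN A 41.220.14.9",
    "41.220.14.8": "ns.one2net.co.ug. 21600 IN A 41.220.14.8\n"
                   "ns2.one2net.co.ug. 21600 IN A 41.220.14.9",
}
TIMED_OUT = {"41.220.14.9"}  # servers that gave no answer in the message


def parse_a_records(text):
    """Return {owner name: set of addresses} for the A records in dig-style lines."""
    records = defaultdict(set)
    for line in text.splitlines():
        fields = line.split()
        # name, TTL, class, type, rdata; skip comments and other record types
        if len(fields) == 5 and fields[2].upper() == "IN" and fields[3].upper() == "A":
            records[fields[0].lower()].add(fields[4])
    return dict(records)


def diagnose(views, reference, timed_out):
    """Return {nameserver: [problems]}, judged against the reference server's view."""
    truth = parse_a_records(views[reference])  # assumption: this view is correct
    report = {name: [] for name in truth}
    for server, text in views.items():
        if server == reference:
            continue
        for name, addrs in parse_a_records(text).items():
            if name in truth and addrs != truth[name]:
                report[name].append(
                    f"{server} serves {sorted(addrs)}, expected {sorted(truth[name])}")
    # A nameserver whose correct address never answered is unusable as well.
    for name, addrs in truth.items():
        for addr in sorted(addrs & timed_out):
            report[name].append(f"{addr} did not answer")
    return report


if __name__ == "__main__":
    for name, problems in diagnose(VIEWS, "41.220.14.8", TIMED_OUT).items():
        print(name, "->", problems or "consistent")
```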