[afnog] DNS reachability

Brian Candler B.Candler at pobox.com
Thu Jun 1 12:47:57 EAT 2006


On Thu, Jun 01, 2006 at 11:23:14AM +0300, Mike Barnard wrote:
>    sorry about that....my server is ns.one2net.co.ug and IP address
>    is 41.220.14.8 ;-)

(1) It's IP-reachable from here:

$ dig +norec @41.220.14.8 ug. soa

; <<>> DiG 9.3.1 <<>> +norec @41.220.14.8 ug. soa
; (1 server found)
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 64889
;; flags: qr aa; QUERY: 1, ANSWER: 1, AUTHORITY: 7, ADDITIONAL: 9

;; QUESTION SECTION:
;ug.                            IN      SOA

;; ANSWER SECTION:
ug.                     14400   IN      SOA     web.eahd.or.ug. beg_g.eahd.or.ug. 2006060110 86400 3600 2592000 14400

;; AUTHORITY SECTION:
ug.                     3600    IN      NS      web.eahd.or.ug.
ug.                     3600    IN      NS      ns.icann.org.
ug.                     3600    IN      NS      ns.one2net.co.ug.
ug.                     3600    IN      NS      ns.ripe.net.
ug.                     3600    IN      NS      demon.mtn.co.ug.
ug.                     3600    IN      NS      ns-ext.vix.com.
ug.                     3600    IN      NS      ns-ug.ripe.net.

;; ADDITIONAL SECTION:
web.eahd.or.ug.         17640   IN      A       216.104.202.101
ns.icann.org.           2498    IN      A       192.0.34.126
ns.one2net.co.ug.       21600   IN      A       41.220.14.8
ns.ripe.net.            153698  IN      A       193.0.0.193
demon.mtn.co.ug.        3600    IN      A       212.88.97.20
ns-ext.vix.com.         160137  IN      A       204.152.184.64
ns-ug.ripe.net.         77611   IN      A       193.0.12.231
ns.ripe.net.            93390   IN      AAAA    2001:610:240:0:53::193
ns-ug.ripe.net.         77611   IN      AAAA    2001:610:240:0:53:cc:12:231

;; Query time: 602 msec
;; SERVER: 41.220.14.8#53(41.220.14.8)
;; WHEN: Thu Jun  1 10:32:21 2006
;; MSG SIZE  rcvd: 407

(2) The glue in the root is wrong as you said:

$ dig +norec @a.root-servers.net. ns.one2net.co.ug. a
;; ANSWER SECTION:
ns.one2net.co.ug.       172800  IN      A       81.199.88.10
                                                ^^^^^^^^^^^^
;; AUTHORITY SECTION:
ug.                     172800  IN      NS      NS.RIPE.NET.
ug.                     172800  IN      NS      NS.ICANN.ORG.
ug.                     172800  IN      NS      WEB.EAHD.OR.ug.
ug.                     172800  IN      NS      DEMON.MTN.co.ug.
ug.                     172800  IN      NS      ns.one2net.co.ug.

;; ADDITIONAL SECTION:
NS.RIPE.NET.            172800  IN      A       193.0.0.193
NS.ICANN.ORG.           172800  IN      A       192.0.34.126
WEB.EAHD.OR.ug.         172800  IN      A       216.104.202.101
DEMON.MTN.co.ug.        172800  IN      A       212.88.97.20
ns.one2net.co.ug.       172800  IN      A       81.199.88.10
                                                ^^^^^^^^^^^^

$ dig +norec @ns.ripe.net. ns.one2net.co.ug. a

;; ADDITIONAL SECTION:
ns.one2net.co.ug.       3600    IN      A       41.220.14.8
ns2.one2net.co.ug.      3600    IN      A       41.220.14.9

;; AUTHORITY SECTION:
one2net.co.ug.          3600    IN      NS      ns.one2net.co.ug.
one2net.co.ug.          3600    IN      NS      ns2.one2net.co.ug.

(3) Now, this is where the problem seems to be:

$ dig +norec @41.220.14.9 ns.one2net.co.ug. a

; <<>> DiG 9.2.4 <<>> +norec @41.220.14.9 ns.one2net.co.ug. a
;; global options:  printcmd
;; connection timed out; no servers could be reached

$ dig +norec @41.220.14.8 ns

;; ANSWER SECTION:
ns.one2net.co.ug.       21600   IN      A       41.220.14.8

;; AUTHORITY SECTION:
one2net.co.ug.          21600   IN      NS      ns.one2net.co.ug.
one2net.co.ug.          21600   IN      NS      ns2.one2net.co.ug.

;; ADDITIONAL SECTION:
ns.one2net.co.ug.       21600   IN      A       41.220.14.8
ns2.one2net.co.ug.      21600   IN      A       41.220.14.9

This shows that the names under one2net.co.ug (including ns.one2net.co.ug)
may not be resolvable. You have only two nameservers listed for
one2net.co.ug: ns.one2net.co.ug cannot be found because the glue in the root
is wrong, and ns2.one2net.co.ug is not responding at all.

So first you need to put your house in order for one2net.co.ug. Either fix
ns2, or (preferably) get an off-site secondary for this domain, since at the
moment you're violating RFC 2182. This is definitely not good for a
nameserver which is supposed to be providing service for a top-level domain.
You're on show to the world here :-)

Alternatively, you could rename this host entirely, so that its new name is
under somebody else's domain which has RFC 2182-compliant nameservice (e.g.
"ns-ug.psg.com"). That's probably more work than making the nameservice for
one2net.co.ug RFC 2182-compliant, as the delegation for .ug would need
changing to point to this new name.

Regards,

Brian.
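The two checks Brian walks through above, the parent's glue disagreeing with what the zone itself publishes and a delegation whose only two nameservers sit on one network with one of them not answering, can be mechanised. The following Python script is an added example and is not part of the thread or of any tool named in it; it parses dig-style record lines (the same format quoted above) and reports both conditions. The sample texts, the `reachable` dictionary (standing in for a real probe of each server) and the use of a /24 as a crude "same site" test are all constructed for the example.

```python
"""Compare parent-side glue with the authoritative zone's own address records, and
apply an RFC 2182-style redundancy check to a delegation, using dig-style output.
Added example for this thread; sample inputs are constructed from the outputs quoted
in the mail."""
import ipaddress

# Constructed sample: the root server's glue for the .ug delegation (parent side).
ROOT_GLUE = """\
;; ADDITIONAL SECTION:
NS.RIPE.NET.            172800  IN      A       193.0.0.193
NS.ICANN.ORG.           172800  IN      A       192.0.34.126
WEB.EAHD.OR.ug.         172800  IN      A       216.104.202.101
DEMON.MTN.co.ug.        172800  IN      A       212.88.97.20
ns.one2net.co.ug.       172800  IN      A       81.199.88.10
"""

# Constructed sample: what ns.one2net.co.ug itself says about its own zone.
ONE2NET_ANSWER = """\
;; ANSWER SECTION:
ns.one2net.co.ug.       21600   IN      A       41.220.14.8

;; AUTHORITY SECTION:
one2net.co.ug.          21600   IN      NS      ns.one2net.co.ug.
one2net.co.ug.          21600   IN      NS      ns2.one2net.co.ug.

;; ADDITIONAL SECTION:
ns.one2net.co.ug.       21600   IN      A       41.220.14.8
ns2.one2net.co.ug.      21600   IN      A       41.220.14.9
"""

# Constructed stand-in for probing each server with "dig +norec @server ...":
# ns2 timed out in the thread, ns answered.
REACHABLE = {"ns.one2net.co.ug.": True, "ns2.one2net.co.ug.": False}


def parse_dig(text):
    """Turn the tabular record lines of dig output into
    (name, ttl, class, type, rdata) tuples. Comment lines (';'), blank lines and
    section headers are skipped. Names and rdata are lowercased because DNS
    names compare case-insensitively (the root returns NS.RIPE.NET., for example)."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        parts = line.split(None, 4)
        if len(parts) < 5:
            continue
        name, ttl, rclass, rtype, rdata = parts
        records.append((name.lower(), int(ttl), rclass, rtype.upper(), rdata.lower()))
    return records


def addresses(records, name):
    """Set of A/AAAA rdata for a name (duplicates across sections collapse)."""
    return {r[4] for r in records if r[0] == name and r[3] in ("A", "AAAA")}


def glue_mismatches(parent, authoritative):
    """For every name that has address records on both sides, return
    (name, parent_addrs, authoritative_addrs) where the two sets differ.
    This is exactly the 81.199.88.10 vs 41.220.14.8 discrepancy in the thread."""
    both = {r[0] for r in parent if r[3] in ("A", "AAAA")} & \
           {r[0] for r in authoritative if r[3] in ("A", "AAAA")}
    out = [(n, addresses(parent, n), addresses(authoritative, n))
           for n in both if addresses(parent, n) != addresses(authoritative, n)]
    return sorted(out, key=lambda t: t[0])


def delegation_findings(records, zone, reachable):
    """RFC 2182-style sanity check: at least two nameservers, all of them
    answering, and not all on one network. The /24 test is a crude
    approximation of 'not topologically diverse' chosen for this example."""
    ns_names = sorted(r[4] for r in records if r[0] == zone and r[3] == "NS")
    findings = []
    if len(ns_names) < 2:
        findings.append("fewer than two nameservers delegated")
    alive = [n for n in ns_names if reachable.get(n, False)]
    for n in ns_names:
        if n not in alive:
            findings.append(f"{n} does not respond")
    if len(alive) < 2:
        findings.append("fewer than two responding nameservers: no redundancy")
    nets = {ipaddress.ip_network(a + "/24", strict=False)
            for n in ns_names for a in addresses(records, n) if ":" not in a}
    if len(ns_names) >= 2 and len(nets) == 1:
        findings.append(f"all nameservers sit in {next(iter(nets))}: no off-site secondary")
    return findings


if __name__ == "__main__":
    for name, parent_a, auth_a in glue_mismatches(parse_dig(ROOT_GLUE), parse_dig(ONE2NET_ANSWER)):
        print(f"glue mismatch for {name}: parent says {sorted(parent_a)}, zone says {sorted(auth_a)}")
    for f in delegation_findings(parse_dig(ONE2NET_ANSWER), "one2net.co.ug.", REACHABLE):
        print("delegation:", f)
```

In practice the two sample strings would be replaced by the actual output of `dig +norec` against the parent and against the zone's own servers, and `REACHABLE` by the result of querying each listed nameserver; the mismatch report then tells you which side to correct, and the delegation findings tell you whether an off-site secondary is still missing after the glue is fixed.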
