Date:      Wed, 23 Jul 2003 18:27:22 +0200
From:      Brad Knowles <brad.knowles@skynet.be>
To:        "Nils Holland" <nils@thunderbridge.de>
Cc:        freebsd-chat@freebsd.org
Subject:   Re: DNS Question (quite a bit OT)
Message-ID:  <a06001204bb446160c2cb@[10.0.1.2]>
In-Reply-To: <3F1EC18E.3100.637B8E@localhost>
References:  <3F1EC18E.3100.637B8E@localhost>

At 5:10 PM +0200 2003/07/23, Nils Holland wrote:

>  the following has pretty little to do with FreeBSD, but I know
>  that some really great people who have a clue about almost
>  everything hang around here, and so I thought I'd ask.

	For DNS questions, I suggest the newsgroup comp.protocols.tcpip.domains.

>  Well, I'm in the process of changing the nameservers for my
>  domain thunderbridge.de.

	Okay.

>                            However, the German domain registry
>  (DENIC) seems to have some strict requirements in that area,

	Indeed, they do.

>  So, does anybody have a clue who's right here? Is DENIC giving me
>  errors because of the loadbalanced.net zone (as my provider
>  believes) or because of the thunderbridge.de zone (as I believe)?

	They're giving you errors based on the thunderbridge.de zone.

	However, I just checked both of these zones myself, and didn't 
find anything remotely like what you found:

% dig de. soa

; <<>> DiG 9.2.2 <<>> de. soa
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 61659
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 11, ADDITIONAL: 11

;; QUESTION SECTION:
;de.                            IN      SOA

;; ANSWER SECTION:
de.                     86400   IN      SOA     dns.denic.de. 
ops.denic.de. 2003072346 10800 7200 3600000 86400

;; AUTHORITY SECTION:
de.                     172055  IN      NS      SSS-US1.DE.NET.
de.                     172055  IN      NS      SSS-US2.denic.de.
de.                     172055  IN      NS      SSS-SE.denic.de.
de.                     172055  IN      NS      AUTH03.NS.DE.UU.NET.
de.                     172055  IN      NS      dns.denic.de.
de.                     172055  IN      NS      SSS-AT.denic.de.
de.                     172055  IN      NS      SSS-NL.denic.de.
de.                     172055  IN      NS      SSS-DE1.DE.NET.
de.                     172055  IN      NS      SSS-UK.DE.NET.
de.                     172055  IN      NS      DNS2.DE.NET.
de.                     172055  IN      NS      SSS-JP.denic.de.

;; ADDITIONAL SECTION:
SSS-US1.DE.NET.         85848   IN      A       206.65.170.100
SSS-US2.denic.de.       3069    IN      A       167.216.196.131
SSS-SE.denic.de.        3008    IN      A       192.36.144.211
AUTH03.NS.DE.UU.NET.    85665   IN      A       192.76.144.16
dns.denic.de.           2885    IN      A       81.91.161.5
SSS-AT.denic.de.        2926    IN      A       193.171.255.34
SSS-NL.denic.de.        2987    IN      A       193.0.0.237
SSS-DE1.DE.NET.         85746   IN      A       193.159.170.187
SSS-UK.DE.NET.          85828   IN      A       62.53.3.68
DNS2.DE.NET.            85705   IN      A       81.91.162.5
SSS-JP.denic.de.        2966    IN      A       210.81.13.179

;; Query time: 217 msec
;; SERVER: 10.0.1.240#53(10.0.1.240)
;; WHEN: Wed Jul 23 18:02:06 2003
;; MSG SIZE  rcvd: 488

% dig @dns.denic.de. thunderbridge.de. any

; <<>> DiG 9.2.2 <<>> @dns.denic.de. thunderbridge.de. any
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 44125
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 2, ADDITIONAL: 0

;; QUESTION SECTION:
;thunderbridge.de.              IN      ANY

;; AUTHORITY SECTION:
thunderbridge.de.       86400   IN      NS      ns1.modwest.com.
thunderbridge.de.       86400   IN      NS      ns2.modwest.com.

;; Query time: 41 msec
;; SERVER: 81.91.161.5#53(dns.denic.de.)
;; WHEN: Wed Jul 23 18:03:00 2003
;; MSG SIZE  rcvd: 81

% dig @ns1.modwest.com. thunderbridge.de. any

; <<>> DiG 9.2.2 <<>> @ns1.modwest.com. thunderbridge.de. any
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 26592
;; flags: qr aa rd; QUERY: 1, ANSWER: 5, AUTHORITY: 0, ADDITIONAL: 3

;; QUESTION SECTION:
;thunderbridge.de.              IN      ANY

;; ANSWER SECTION:
thunderbridge.de.       7200    IN      SOA     ns1.modwest.com. 
root.modwest.com. 2003051710 10800 3600 604800 7200
thunderbridge.de.       7200    IN      NS      ns2.modwest.com.
thunderbridge.de.       7200    IN      NS      ns1.modwest.com.
thunderbridge.de.       7200    IN      MX      10 mail.modwest.com.
thunderbridge.de.       7200    IN      A       216.129.251.2

;; ADDITIONAL SECTION:
ns1.modwest.com.        3600    IN      A       216.129.251.13
ns2.modwest.com.        3600    IN      A       66.109.128.213
mail.modwest.com.       3600    IN      A       216.129.251.30

;; Query time: 216 msec
;; SERVER: 216.129.251.13#53(ns1.modwest.com.)
;; WHEN: Wed Jul 23 18:04:08 2003
;; MSG SIZE  rcvd: 207

% dig @ns2.modwest.com. thunderbridge.de. any

; <<>> DiG 9.2.2 <<>> @ns2.modwest.com. thunderbridge.de. any
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 9058
;; flags: qr aa rd; QUERY: 1, ANSWER: 5, AUTHORITY: 0, ADDITIONAL: 3

;; QUESTION SECTION:
;thunderbridge.de.              IN      ANY

;; ANSWER SECTION:
thunderbridge.de.       7200    IN      SOA     ns1.modwest.com. 
root.modwest.com. 2003051710 10800 3600 604800 7200
thunderbridge.de.       7200    IN      NS      ns1.modwest.com.
thunderbridge.de.       7200    IN      NS      ns2.modwest.com.
thunderbridge.de.       7200    IN      MX      10 mail.modwest.com.
thunderbridge.de.       7200    IN      A       216.129.251.2

;; ADDITIONAL SECTION:
ns1.modwest.com.        3600    IN      A       216.129.251.13
ns2.modwest.com.        3600    IN      A       66.109.128.213
mail.modwest.com.       3600    IN      A       216.129.251.30

;; Query time: 235 msec
;; SERVER: 66.109.128.213#53(ns2.modwest.com.)
;; WHEN: Wed Jul 23 18:04:52 2003
;; MSG SIZE  rcvd: 207

% dig -x 216.129.251.13

; <<>> DiG 9.2.2 <<>> -x 216.129.251.13
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 30331
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;13.251.129.216.in-addr.arpa.   IN      PTR

;; ANSWER SECTION:
13.251.129.216.in-addr.arpa. 85088 IN   PTR     outlaw.modwest.com.

;; AUTHORITY SECTION:
13.251.129.216.in-addr.arpa. 86400 IN   NS      outlaw.modwest.com.

;; Query time: 253 msec
;; SERVER: 195.238.2.21#53(195.238.2.21)
;; WHEN: Wed Jul 23 18:13:44 2003
;; MSG SIZE  rcvd: 118

% dig -x 66.109.128.213

; <<>> DiG 9.2.2 <<>> -x 66.109.128.213
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 12798
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 1

;; QUESTION SECTION:
;213.128.109.66.in-addr.arpa.   IN      PTR

;; ANSWER SECTION:
213.128.109.66.in-addr.arpa. 86400 IN   PTR     ns2.modwest.com.

;; AUTHORITY SECTION:
128.109.66.in-addr.arpa. 80356  IN      NS      paw.montana.com.
128.109.66.in-addr.arpa. 80356  IN      NS      dnsa.montana.com.

;; ADDITIONAL SECTION:
paw.montana.com.        39487   IN      A       66.109.128.3

;; Query time: 221 msec
;; SERVER: 195.238.2.22#53(195.238.2.22)
;; WHEN: Wed Jul 23 18:13:50 2003
;; MSG SIZE  rcvd: 162


	So, it would appear that thunderbridge.de is registered to 
modwest.com, not loadbalanced.net.  Moreover, the SOA values that 
modwest.com is providing for this domain appear to be within the 
limits that DENIC appears to require.  Unfortunately, it appears that 
ns1.modwest.com is a public recursive/caching nameserver, and 
therefore subject to cache pollution/poisoning, and this could be 
used to subvert any domain hierarchies that they may serve.  The 
folks at modwest.com should also clean up their reverse DNS.

	However, at least they allow TCP connections, although they 
refuse zone transfers for this domain, so if there was an issue with 
UDP (maybe too much data to be returned in a single 512-byte packet), 
you could retry the query with TCP instead.  I'm just guessing, but 
they appear to be running some version of BIND 8.

	Checking loadbalanced.net, we see:

% dig net. soa

; <<>> DiG 9.2.2 <<>> net. soa
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 65398
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 13, ADDITIONAL: 13

;; QUESTION SECTION:
;net.                           IN      SOA

;; ANSWER SECTION:
net.                    172800  IN      SOA     a.gtld-servers.net. 
nstld.verisign-grs.com. 2003072300 1800 900 604800 86400

;; AUTHORITY SECTION:
net.                    172800  IN      NS      k.gtld-servers.net.
net.                    172800  IN      NS      g.gtld-servers.net.
net.                    172800  IN      NS      j.gtld-servers.net.
net.                    172800  IN      NS      c.gtld-servers.net.
net.                    172800  IN      NS      a.gtld-servers.net.
net.                    172800  IN      NS      e.gtld-servers.net.
net.                    172800  IN      NS      l.gtld-servers.net.
net.                    172800  IN      NS      i.gtld-servers.net.
net.                    172800  IN      NS      f.gtld-servers.net.
net.                    172800  IN      NS      m.gtld-servers.net.
net.                    172800  IN      NS      d.gtld-servers.net.
net.                    172800  IN      NS      b.gtld-servers.net.
net.                    172800  IN      NS      h.gtld-servers.net.

;; ADDITIONAL SECTION:
k.gtld-servers.net.     172800  IN      A       192.52.178.30
g.gtld-servers.net.     172800  IN      A       192.42.93.30
j.gtld-servers.net.     172800  IN      A       192.48.79.30
c.gtld-servers.net.     172800  IN      A       192.26.92.30
a.gtld-servers.net.     172800  IN      A       192.5.6.30
e.gtld-servers.net.     172800  IN      A       192.12.94.30
l.gtld-servers.net.     172800  IN      A       192.41.162.30
i.gtld-servers.net.     172800  IN      A       192.43.172.30
f.gtld-servers.net.     172800  IN      A       192.35.51.30
m.gtld-servers.net.     172800  IN      A       192.55.83.30
d.gtld-servers.net.     172800  IN      A       192.31.80.30
b.gtld-servers.net.     172800  IN      A       192.33.14.30
h.gtld-servers.net.     172800  IN      A       192.54.112.30

;; Query time: 669 msec
;; SERVER: 10.0.1.240#53(10.0.1.240)
;; WHEN: Wed Jul 23 18:11:51 2003
;; MSG SIZE  rcvd: 508

% dig @a.gtld-servers.net. loadbalanced.net. any

; <<>> DiG 9.2.2 <<>> @a.gtld-servers.net. loadbalanced.net. any
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 47865
;; flags: qr rd; QUERY: 1, ANSWER: 2, AUTHORITY: 2, ADDITIONAL: 2

;; QUESTION SECTION:
;loadbalanced.net.              IN      ANY

;; ANSWER SECTION:
loadbalanced.net.       172800  IN      NS      ns1.loadbalanced.net.
loadbalanced.net.       172800  IN      NS      ns2.loadbalanced.net.

;; AUTHORITY SECTION:
loadbalanced.net.       172800  IN      NS      ns1.loadbalanced.net.
loadbalanced.net.       172800  IN      NS      ns2.loadbalanced.net.

;; ADDITIONAL SECTION:
ns1.loadbalanced.net.   172800  IN      A       66.119.216.7
ns2.loadbalanced.net.   172800  IN      A       65.39.221.8

;; Query time: 125 msec
;; SERVER: 192.5.6.30#53(a.gtld-servers.net.)
;; WHEN: Wed Jul 23 18:12:46 2003
;; MSG SIZE  rcvd: 130

% dig @ns1.loadbalanced.net. loadbalanced.net. any

; <<>> DiG 9.2.2 <<>> @ns1.loadbalanced.net. loadbalanced.net. any
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 60800
;; flags: qr aa rd; QUERY: 1, ANSWER: 5, AUTHORITY: 0, ADDITIONAL: 2

;; QUESTION SECTION:
;loadbalanced.net.              IN      ANY

;; ANSWER SECTION:
loadbalanced.net.       3600    IN      SOA     ns1.loadbalanced.net. 
postmaster.loadbalanced.net. 2003072200 16384 2048 604800 1800
loadbalanced.net.       86400   IN      NS      ns1.loadbalanced.net.
loadbalanced.net.       86400   IN      NS      ns2.loadbalanced.net.
loadbalanced.net.       3600    IN      MX      10 loadbalanced.net.
loadbalanced.net.       1800    IN      A       65.39.221.17

;; ADDITIONAL SECTION:
ns1.loadbalanced.net.   3600    IN      A       66.119.216.7
ns2.loadbalanced.net.   3600    IN      A       65.39.221.8

;; Query time: 199 msec
;; SERVER: 66.119.216.7#53(ns1.loadbalanced.net.)
;; WHEN: Wed Jul 23 18:15:17 2003
;; MSG SIZE  rcvd: 181

% dig @ns2.loadbalanced.net. loadbalanced.net. any

; <<>> DiG 9.2.2 <<>> @ns2.loadbalanced.net. loadbalanced.net. any
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 43267
;; flags: qr aa rd; QUERY: 1, ANSWER: 5, AUTHORITY: 0, ADDITIONAL: 2

;; QUESTION SECTION:
;loadbalanced.net.              IN      ANY

;; ANSWER SECTION:
loadbalanced.net.       3600    IN      SOA     ns1.loadbalanced.net. 
postmaster.loadbalanced.net. 2003072200 16384 2048 604800 1800
loadbalanced.net.       86400   IN      NS      ns1.loadbalanced.net.
loadbalanced.net.       86400   IN      NS      ns2.loadbalanced.net.
loadbalanced.net.       3600    IN      MX      10 loadbalanced.net.
loadbalanced.net.       1800    IN      A       65.39.221.17

;; ADDITIONAL SECTION:
ns1.loadbalanced.net.   3600    IN      A       66.119.216.7
ns2.loadbalanced.net.   3600    IN      A       65.39.221.8

;; Query time: 197 msec
;; SERVER: 65.39.221.8#53(ns2.loadbalanced.net.)
;; WHEN: Wed Jul 23 18:15:37 2003
;; MSG SIZE  rcvd: 181

% dig -x 66.119.216.7

; <<>> DiG 9.2.2 <<>> -x 66.119.216.7
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 25733
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 2

;; QUESTION SECTION:
;7.216.119.66.in-addr.arpa.     IN      PTR

;; ANSWER SECTION:
7.216.119.66.in-addr.arpa. 3600 IN      PTR     loadbalanced.net.

;; AUTHORITY SECTION:
216.119.66.in-addr.arpa. 3600   IN      NS      ns2.digitaloasys.net.
216.119.66.in-addr.arpa. 3600   IN      NS      ns1.digitaloasys.net.

;; ADDITIONAL SECTION:
ns2.digitaloasys.net.   171699  IN      A       65.39.221.12
ns1.digitaloasys.net.   171699  IN      A       66.119.216.2

;; Query time: 568 msec
;; SERVER: 10.0.1.240#53(10.0.1.240)
;; WHEN: Wed Jul 23 18:15:56 2003
;; MSG SIZE  rcvd: 179

% dig -x 65.39.221.8

; <<>> DiG 9.2.2 <<>> -x 65.39.221.8
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 8200
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 2

;; QUESTION SECTION:
;8.221.39.65.in-addr.arpa.      IN      PTR

;; ANSWER SECTION:
8.221.39.65.in-addr.arpa. 2502  IN      PTR     ns2.loadbalanced.net.

;; AUTHORITY SECTION:
221.39.65.in-addr.arpa. 85302   IN      NS      ns1.loadbalanced.net.
221.39.65.in-addr.arpa. 85302   IN      NS      ns2.loadbalanced.net.

;; ADDITIONAL SECTION:
ns1.loadbalanced.net.   2417    IN      A       66.119.216.7
ns2.loadbalanced.net.   2437    IN      A       65.39.221.8

;; Query time: 32 msec
;; SERVER: 10.0.1.240#53(10.0.1.240)
;; WHEN: Wed Jul 23 18:16:06 2003
;; MSG SIZE  rcvd: 140


	These folks should also clean up their reverse DNS.  The SOA 
values are a bit strange, and I think that the refresh is below the 
minimum allowed by DENIC.  So, they would definitely need to clean 
that up if they were the cause of your problems.  However, I don't 
think that this is the case.

	Unfortunately, these folks refuse all DNS queries via TCP, in 
violation of the protocol spec.  If you were to have a query that 
could not be answered via UDP (or not answered fully, so the protocol 
spec says that query should be re-tried with TCP), then you would 
have a problem.

	From what I can tell, these people appear to be running djbdns, 
and have not configured it to be properly compliant with the DNS 
protocol spec.  Personally, I would make every possible effort to 
avoid using a provider that does not properly implement important 
protocol specifications, especially with regards to the DNS.

>  And besides: Does anyone have a clue why DENIC has these
>  requirements concerning refresh / retry? Nobody bothered when I
>  moved an .org domain to exactly the same nameservers that DENIC
>  doesn't want to let me move my .de domain to...

	The registry owner for each TLD can set whatever rules they want 
for the domains that people want to register.  It happens that the 
DENIC folks want to insist that people more closely follow what is 
generally recommended to be good practice, and will refuse to 
register your domain if you fail their checks.  Contrariwise, the 
registry for .org didn't care so much.


	Anyway, if you want to learn more about these zones and any 
potential problems they may have, I'd suggest running DNS debugging 
tools like "doc" and/or "dnswalk" on them.  The results are likely to 
be pretty surprising.

-- 
Brad Knowles, <brad.knowles@skynet.be>

"They that can give up essential liberty to obtain a little temporary
safety deserve neither liberty nor safety."
     -Benjamin Franklin, Historical Review of Pennsylvania.

GCS/IT d+(-) s:+(++)>: a C++(+++)$ UMBSHI++++$ P+>++ L+ !E-(---) W+++(--) N+
!w--- O- M++ V PS++(+++) PE- Y+(++) PGP>+++ t+(+++) 5++(+++) X++(+++) R+(+++)
tv+(+++) b+(++++) DI+(++++) D+(++) G+(++++) e++>++++ h--- r---(+++)* z(+++)



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?a06001204bb446160c2cb>
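The checks the reply above walks through by hand, as an added example that is not part of the original message and not the doc/dnswalk tools it names: parent-versus-child NS set, reverse DNS of each nameserver, SOA serial agreement across servers, and internal consistency of the SOA timers. The record sets are constructed from the values in the dig output quoted in the thread; DENIC's numeric timer limits are not stated there, so they are not checked.

```python
# Added example: the checks the reply walks through by hand.  Record sets
# are constructed from the thread's dig output: parent delegation, child
# NS set, NS glue, the PTR each glue address resolved to, and the SOA
# seen on each server as (serial, refresh, retry, expire, minimum).
ZONES = {
    "thunderbridge.de.": {
        "parent_ns": {"ns1.modwest.com.", "ns2.modwest.com."},
        "child_ns": {"ns1.modwest.com.", "ns2.modwest.com."},
        "glue": {"ns1.modwest.com.": "216.129.251.13",
                 "ns2.modwest.com.": "66.109.128.213"},
        "ptr": {"216.129.251.13": "outlaw.modwest.com.",
                "66.109.128.213": "ns2.modwest.com."},
        "soa": {"ns1.modwest.com.": (2003051710, 10800, 3600, 604800, 7200),
                "ns2.modwest.com.": (2003051710, 10800, 3600, 604800, 7200)},
    },
    "loadbalanced.net.": {
        "parent_ns": {"ns1.loadbalanced.net.", "ns2.loadbalanced.net."},
        "child_ns": {"ns1.loadbalanced.net.", "ns2.loadbalanced.net."},
        "glue": {"ns1.loadbalanced.net.": "66.119.216.7",
                 "ns2.loadbalanced.net.": "65.39.221.8"},
        "ptr": {"66.119.216.7": "loadbalanced.net.",
                "65.39.221.8": "ns2.loadbalanced.net."},
        "soa": {"ns1.loadbalanced.net.": (2003072200, 16384, 2048, 604800, 1800),
                "ns2.loadbalanced.net.": (2003072200, 16384, 2048, 604800, 1800)},
    },
}


def check_zone(name, z):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    # 1. Parent and child must advertise the same NS set; a mismatch is a
    #    stale or lame delegation, which registry pre-delegation checks reject.
    if z["parent_ns"] != z["child_ns"]:
        findings.append(f"{name}: NS set differs between parent and child")
    # 2. Each nameserver's address should reverse-map to the same name;
    #    this is the "clean up their reverse DNS" point in the reply.
    for ns, addr in z["glue"].items():
        back = z["ptr"].get(addr)
        if back != ns:
            findings.append(f"{name}: {ns} -> {addr} -> {back} (PTR mismatch)")
    # 3. Every listed server should serve the same SOA serial.
    serials = {soa[0] for soa in z["soa"].values()}
    if len(serials) != 1:
        findings.append(f"{name}: SOA serials differ: {sorted(serials)}")
    # 4. SOA timers must be internally consistent: retry shorter than
    #    refresh, expire longer than one refresh + retry cycle.
    for ns, (_, refresh, retry, expire, _) in z["soa"].items():
        if retry >= refresh:
            findings.append(f"{name}: {ns} retry {retry} >= refresh {refresh}")
        if expire <= refresh + retry:
            findings.append(f"{name}: {ns} expire {expire} shorter than a cycle")
    return findings


def check_all(zones=ZONES):
    return {name: check_zone(name, z) for name, z in zones.items()}
```

Run against the thread's values, both zones pass the delegation, serial and timer checks and each fails only on the ns1 reverse mapping, matching the reply's reading of the dig output.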