Date:      Fri, 14 Mar 2003 10:13:13 -0000
From:      Philip Payne <Philip.Payne@uk.uu.net>
To:        "'Janine C.Buorditez'" <johann@broadpark.no>
Cc:        questions@freebsd.org
Subject:   RE: [URGENT] Bad MX record; very bad.
Message-ID:  <36D04A8168B2D41182250008C7E6F8780374F58F@ukcamexch2.cbg.uk.corp.eu.uu.net>

Hi,

I don't know how much you know about DNS, so if I aim too low then ignore me;
otherwise read on for a full explanation. I strongly suspect you're
suffering from the fact that your old address is simply cached on various
resolvers around the internet and you've just got to wait until it times out,
but I'll show how to check.


> >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
> $ORIGIN         terrabionic.com.
> $TTL            86400
> 
> @       IN SOA  ns1.terrabionic.com.    johann.ninja.terrabionic.com. (
>                         2003011901      ; Serial
>                         10800           ; Refresh
>                         3600            ; Retry
>                         604800          ; Expire
>                         86400 )         ; Minimum TTL
> 
>                 IN A            213.187.181.68
>                 IN NS           ns1.terrabionic.com.
>                 IN NS           ns2.terrabionic.com.
> 
> www             IN CNAME        terrabionic.com.
> 
> ninja           IN A            213.187.181.68
> ninja6          IN AAAA         3ffe:4008:1b::1200
> ns1             IN A            213.187.181.68
> ns2             IN A            209.98.239.41
> 
>                 IN MX   10      ninja.terrabionic.com.
> >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>

You should have dig on your FreeBSD machine, right? So you can check this out.


I notice on my own ISP's resolver that 

---
happyclown>dig @158.43.128.1 ninja.terrabionic.com a

; <<>> DiG 8.3 <<>> @158.43.128.1 ninja.terrabionic.com a 
; (1 server found)
;; res options: init recurs defnam dnsrch
;; got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
;; QUERY SECTION:
;;      ninja.terrabionic.com, type = A, class = IN

;; ANSWER SECTION:
ninja.terrabionic.com.  10h44m25s IN A  217.13.29.51

;; Total query time: 1 msec
;; FROM: happyclown.cbg.eng.emea.uu.net to SERVER: 158.43.128.1  158.43.128.1
;; WHEN: Fri Mar 14 09:40:18 2003
;; MSG SIZE  sent: 39  rcvd: 55
---

gives me a result that ninja is 217.13.29.51 (your old address), but the
important thing to note is the 10h44m25s... this is the time left that this
resolver will cache that record for. Until that time has passed, this
resolver simply will not bother even to check whether a new record exists.

The way to check if the correct record will be propagated to this resolver
when the record times out is to query the authoritative nameservers for the
domain. You can tell what the authoritative nameservers are by doing:

---
happyclown>dig @a.gtld-servers.net terrabionic.com ns

; <<>> DiG 8.3 <<>> @a.gtld-servers.net terrabionic.com ns 
; (1 server found)
;; res options: init recurs defnam dnsrch
;; got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4
;; flags: qr rd; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 2
;; QUERY SECTION:
;;      terrabionic.com, type = NS, class = IN

;; ANSWER SECTION:
terrabionic.com.        2D IN NS        ns1.terrabionic.com.
terrabionic.com.        2D IN NS        ns2.terrabionic.com.

;; ADDITIONAL SECTION:
ns1.terrabionic.com.    2D IN A         213.187.181.68
ns2.terrabionic.com.    2D IN A         209.98.239.41

;; Total query time: 87 msec
;; FROM: happyclown.cbg.eng.emea.uu.net to SERVER: a.gtld-servers.net  192.5.6.30
;; WHEN: Fri Mar 14 09:49:26 2003
;; MSG SIZE  sent: 33  rcvd: 101
---

So, ns1 & ns2 should be carrying records for terrabionic.com. If I query
one of those name servers I should get an authoritative answer:

---
happyclown>dig @213.187.181.68 terrabionic.com mx

; <<>> DiG 8.3 <<>> @213.187.181.68 terrabionic.com mx 
; (1 server found)
;; res options: init recurs defnam dnsrch
;; got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 3
;; QUERY SECTION:
;;      terrabionic.com, type = MX, class = IN

;; ANSWER SECTION:
terrabionic.com.        10h39m14s IN MX  10 ninja.terrabionic.com.

;; AUTHORITY SECTION:
terrabionic.com.        10h30m27s IN NS  ns1.terrabionic.com.
terrabionic.com.        10h30m27s IN NS  ns2.terrabionic.com.

;; ADDITIONAL SECTION:
ninja.terrabionic.com.  10h30m27s IN A  217.13.29.51
ns1.terrabionic.com.    10h30m27s IN A  217.13.29.51
ns2.terrabionic.com.    1d10h30m27s IN A  209.98.239.41

;; Total query time: 63 msec
;; FROM: happyclown.cbg.eng.emea.uu.net to SERVER: 213.187.181.68  213.187.181.68
;; WHEN: Fri Mar 14 09:54:17 2003
;; MSG SIZE  sent: 33  rcvd: 139
---

Notice the flags section... if this name server was carrying an actual zone
for this domain you would get an "aa" flag. I don't, so it's probably
secondaried to this machine, and unfortunately ninja.terrabionic.com
still reads as the old address.... so...

Solution:

1) Update the serial number in your zonefile so you ensure the secondary
picks up the new zone and hopefully the new address for ninja, as you seem to
have this specified correctly in the zonefile from the email.
2) Also, the ordering of entries in your zonefile is bad: in its original
order you're specifying an MX record for ns2.terrabionic.com instead of the
whole domain terrabionic.com, so it should read:
---
@       IN SOA  ns1.terrabionic.com.    johann.ninja.terrabionic.com. (
                        2003011901      ; Serial
                        10800           ; Refresh
                        3600            ; Retry
                        604800          ; Expire
                        86400 )         ; Minimum TTL

                IN A            213.187.181.68
                IN NS           ns1.terrabionic.com.
                IN NS           ns2.terrabionic.com.

                IN MX   10      ninja.terrabionic.com.

www             IN CNAME        terrabionic.com.

ninja           IN A            213.187.181.68
ninja6          IN AAAA         3ffe:4008:1b::1200
ns1             IN A            213.187.181.68
ns2             IN A            209.98.239.41
---

To avoid problems like this in future, the day or two before any serious
changes like this, drop your TTL in the SOA record to 15 mins (900 secs).

---
@       IN SOA  ns1.terrabionic.com.    johann.ninja.terrabionic.com. (
                        2003011901      ; Serial
                        10800           ; Refresh
                        3600            ; Retry
                        604800          ; Expire
                        900 )         ; 15 min TTL
---

This TTL controls how long name resolvers cache records for, so this new TTL
time propagates around the net over the next 24 hours and starts the caches
re-checking for records every 15 mins instead of every 24 hours... then, when
you make your important change, like updating your mailserver IP address,
you reset the SOA back to 24 hours. This propagates quickly (due to the 15
mins you set the day or two before) but immediately resets the caches back
to sensible behaviour.

Hope that helps. Anyone else who wants to comment, feel free; I'm more familiar
with DNS from BIND 8 than 9, so point out any changes in behaviour.

Phil.
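A small zone-file walker, added here as an illustration (it is not part of this mail and not BIND's parser): it applies the RFC 1035 blank-owner rule to a constructed zone in the shape of the one quoted above and shows which owner the MX record ends up attached to in each ordering; the MX preference of 10 is taken from the dig output in the mail.

```python
import re
from typing import List, Tuple

RR_TYPES = {"SOA", "A", "AAAA", "NS", "MX", "CNAME"}

def parse_zone(text: str) -> List[Tuple[str, str, str]]:
    """Return (owner, type, rdata) tuples with fully qualified owners.
    Handles $ORIGIN, $TTL, ';' comments, parenthesised multi-line RDATA and the
    RFC 1035 rule that a line starting with whitespace inherits the previous owner."""
    origin, last_owner, records = ".", None, []
    no_comments = "\n".join(re.sub(r";.*", "", ln) for ln in text.splitlines())
    # Collapse "( ... )" groups, which may span lines, onto the line that opened them.
    joined = re.sub(r"\(([^)]*)\)", lambda m: " ".join(m.group(1).split()), no_comments)
    for line in joined.splitlines():
        if not line.strip() or line.startswith("$TTL"):
            continue
        if line.startswith("$ORIGIN"):
            origin = line.split()[1]
            continue
        fields = line.split()
        if line[0].isspace():
            owner = last_owner          # blank owner field: same owner as the record above
        else:
            name = fields.pop(0)
            owner = origin if name == "@" else (name if name.endswith(".") else f"{name}.{origin}")
        while fields and fields[0] not in RR_TYPES:   # skip optional TTL and class fields
            fields.pop(0)
        records.append((owner, fields[0], " ".join(fields[1:])))
        last_owner = owner
    return records

def mx_owners(zone_text: str) -> List[str]:
    """Owner names that end up carrying an MX record; the apex should be among them."""
    return [owner for owner, rtype, _ in parse_zone(zone_text) if rtype == "MX"]

# Constructed zone fragments in the shape of the one quoted in the mail (preference 10
# taken from the dig output above). Indented lines deliberately leave the owner blank.
APEX = ["$ORIGIN terrabionic.com.", "$TTL 86400",
        "@   IN SOA  ns1.terrabionic.com. johann.ninja.terrabionic.com. (",
        "        2003011901 ; Serial",
        "        10800 3600 604800 86400 )",
        "    IN NS   ns1.terrabionic.com."]
HOSTS = ["ns1 IN A    213.187.181.68", "ns2 IN A    209.98.239.41"]
MX = ["    IN MX   10 ninja.terrabionic.com."]
ORIGINAL_ORDER = "\n".join(APEX + HOSTS + MX)   # MX last, so it inherits ns2 as owner
CORRECTED_ORDER = "\n".join(APEX + MX + HOSTS)  # MX directly under the apex records

if __name__ == "__main__":
    print("original order, MX owners:", mx_owners(ORIGINAL_ORDER))   # ['ns2.terrabionic.com.']
    print("corrected order, MX owners:", mx_owners(CORRECTED_ORDER)) # ['terrabionic.com.']
```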

