From owner-freebsd-chat@FreeBSD.ORG Wed Jul 23 09:27:57 2003
Date: Wed, 23 Jul 2003 18:27:22 +0200
From: Brad Knowles
To: "Nils Holland"
Cc: freebsd-chat@freebsd.org
Subject: Re: DNS Question (quite a bit OT)
In-Reply-To: <3F1EC18E.3100.637B8E@localhost>
References: <3F1EC18E.3100.637B8E@localhost>
List-Id: Non technical items related to the community

At 5:10 PM +0200 2003/07/23, Nils Holland wrote:

> the following has pretty little to do with FreeBSD, but I know
> that some really great people who have a clue about almost
> everything hang around here, and so I thought I'd ask.

For DNS questions, I suggest the newsgroup comp.protocols.tcpip.domains.

> Well, I'm in the process of changing the nameservers for my
> domain thunderbridge.de.

Okay.

> However, the German domain registry
> (DeNic) seems to have some strict requirements in that area,

Indeed, they do.

> So, does anybody have a clue who's right here? Is DeNIC giving me
> errors because of the loadbalanced.net zone (as my provider
> believes) or because of the thunderbridge.de zone (as I believe)?

They're giving you errors based on the thunderbridge.de zone.

However, I just checked both of these zones myself, and didn't find
anything remotely like what you found:

% dig de. soa

; <<>> DiG 9.2.2 <<>> de. soa
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 61659
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 11, ADDITIONAL: 11

;; QUESTION SECTION:
;de.                            IN      SOA

;; ANSWER SECTION:
de.                     86400   IN      SOA     dns.denic.de. ops.denic.de. 2003072346 10800 7200 3600000 86400

;; AUTHORITY SECTION:
de.                     172055  IN      NS      SSS-US1.DE.NET.
de.                     172055  IN      NS      SSS-US2.denic.de.
de.                     172055  IN      NS      SSS-SE.denic.de.
de.                     172055  IN      NS      AUTH03.NS.DE.UU.NET.
de.                     172055  IN      NS      dns.denic.de.
de.                     172055  IN      NS      SSS-AT.denic.de.
de.                     172055  IN      NS      SSS-NL.denic.de.
de.                     172055  IN      NS      SSS-DE1.DE.NET.
de.                     172055  IN      NS      SSS-UK.DE.NET.
de.                     172055  IN      NS      DNS2.DE.NET.
de.                     172055  IN      NS      SSS-JP.denic.de.

;; ADDITIONAL SECTION:
SSS-US1.DE.NET.         85848   IN      A       206.65.170.100
SSS-US2.denic.de.       3069    IN      A       167.216.196.131
SSS-SE.denic.de.        3008    IN      A       192.36.144.211
AUTH03.NS.DE.UU.NET.    85665   IN      A       192.76.144.16
dns.denic.de.           2885    IN      A       81.91.161.5
SSS-AT.denic.de.        2926    IN      A       193.171.255.34
SSS-NL.denic.de.        2987    IN      A       193.0.0.237
SSS-DE1.DE.NET.         85746   IN      A       193.159.170.187
SSS-UK.DE.NET.          85828   IN      A       62.53.3.68
DNS2.DE.NET.            85705   IN      A       81.91.162.5
SSS-JP.denic.de.        2966    IN      A       210.81.13.179

;; Query time: 217 msec
;; SERVER: 10.0.1.240#53(10.0.1.240)
;; WHEN: Wed Jul 23 18:02:06 2003
;; MSG SIZE  rcvd: 488

% dig @dns.denic.de. thunderbridge.de. any

; <<>> DiG 9.2.2 <<>> @dns.denic.de. thunderbridge.de. any
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 44125
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 2, ADDITIONAL: 0

;; QUESTION SECTION:
;thunderbridge.de.              IN      ANY

;; AUTHORITY SECTION:
thunderbridge.de.       86400   IN      NS      ns1.modwest.com.
thunderbridge.de.       86400   IN      NS      ns2.modwest.com.

;; Query time: 41 msec
;; SERVER: 81.91.161.5#53(dns.denic.de.)
;; WHEN: Wed Jul 23 18:03:00 2003
;; MSG SIZE  rcvd: 81

% dig @ns1.modwest.com. thunderbridge.de. any

; <<>> DiG 9.2.2 <<>> @ns1.modwest.com. thunderbridge.de. any
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 26592
;; flags: qr aa rd; QUERY: 1, ANSWER: 5, AUTHORITY: 0, ADDITIONAL: 3

;; QUESTION SECTION:
;thunderbridge.de.              IN      ANY

;; ANSWER SECTION:
thunderbridge.de.       7200    IN      SOA     ns1.modwest.com. root.modwest.com. 2003051710 10800 3600 604800 7200
thunderbridge.de.       7200    IN      NS      ns2.modwest.com.
thunderbridge.de.       7200    IN      NS      ns1.modwest.com.
thunderbridge.de.       7200    IN      MX      10 mail.modwest.com.
thunderbridge.de.       7200    IN      A       216.129.251.2

;; ADDITIONAL SECTION:
ns1.modwest.com.        3600    IN      A       216.129.251.13
ns2.modwest.com.        3600    IN      A       66.109.128.213
mail.modwest.com.       3600    IN      A       216.129.251.30

;; Query time: 216 msec
;; SERVER: 216.129.251.13#53(ns1.modwest.com.)
;; WHEN: Wed Jul 23 18:04:08 2003
;; MSG SIZE  rcvd: 207

% dig @ns2.modwest.com. thunderbridge.de. any

; <<>> DiG 9.2.2 <<>> @ns2.modwest.com. thunderbridge.de. any
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 9058
;; flags: qr aa rd; QUERY: 1, ANSWER: 5, AUTHORITY: 0, ADDITIONAL: 3

;; QUESTION SECTION:
;thunderbridge.de.              IN      ANY

;; ANSWER SECTION:
thunderbridge.de.       7200    IN      SOA     ns1.modwest.com. root.modwest.com. 2003051710 10800 3600 604800 7200
thunderbridge.de.       7200    IN      NS      ns1.modwest.com.
thunderbridge.de.       7200    IN      NS      ns2.modwest.com.
thunderbridge.de.       7200    IN      MX      10 mail.modwest.com.
thunderbridge.de.       7200    IN      A       216.129.251.2

;; ADDITIONAL SECTION:
ns1.modwest.com.        3600    IN      A       216.129.251.13
ns2.modwest.com.        3600    IN      A       66.109.128.213
mail.modwest.com.       3600    IN      A       216.129.251.30

;; Query time: 235 msec
;; SERVER: 66.109.128.213#53(ns2.modwest.com.)
;; WHEN: Wed Jul 23 18:04:52 2003
;; MSG SIZE  rcvd: 207

% dig -x 216.129.251.13

; <<>> DiG 9.2.2 <<>> -x 216.129.251.13
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 30331
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;13.251.129.216.in-addr.arpa.   IN      PTR

;; ANSWER SECTION:
13.251.129.216.in-addr.arpa. 85088 IN   PTR     outlaw.modwest.com.

;; AUTHORITY SECTION:
13.251.129.216.in-addr.arpa. 86400 IN   NS      outlaw.modwest.com.

;; Query time: 253 msec
;; SERVER: 195.238.2.21#53(195.238.2.21)
;; WHEN: Wed Jul 23 18:13:44 2003
;; MSG SIZE  rcvd: 118

% dig -x 66.109.128.213

; <<>> DiG 9.2.2 <<>> -x 66.109.128.213
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 12798
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 1

;; QUESTION SECTION:
;213.128.109.66.in-addr.arpa.   IN      PTR

;; ANSWER SECTION:
213.128.109.66.in-addr.arpa. 86400 IN   PTR     ns2.modwest.com.

;; AUTHORITY SECTION:
128.109.66.in-addr.arpa. 80356  IN      NS      paw.montana.com.
128.109.66.in-addr.arpa. 80356  IN      NS      dnsa.montana.com.

;; ADDITIONAL SECTION:
paw.montana.com.        39487   IN      A       66.109.128.3

;; Query time: 221 msec
;; SERVER: 195.238.2.22#53(195.238.2.22)
;; WHEN: Wed Jul 23 18:13:50 2003
;; MSG SIZE  rcvd: 162

So, it would appear that thunderbridge.de is registered to modwest.com,
not loadbalanced.net. Moreover, the SOA values that modwest.com is
providing for this domain appear to be within the limits that DEnic
appears to require.

Unfortunately, it appears that ns1.modwest.com is a public
recursive/caching nameserver, and therefore subject to cache
pollution/poisoning, and this could be used to subvert any domain
hierarchies that they may serve. The folks at modwest.com should also
clean up their reverse DNS.

However, at least they allow TCP connections, although they refuse zone
transfers for this domain, so if there was an issue with UDP (maybe too
much data to be returned in a single 512-byte packet), you could retry
the query with TCP instead. I'm just guessing, but they appear to be
running some version of BIND 8.

Checking loadbalanced.net, we see:

% dig net. soa

; <<>> DiG 9.2.2 <<>> net. soa
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 65398
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 13, ADDITIONAL: 13

;; QUESTION SECTION:
;net.                           IN      SOA

;; ANSWER SECTION:
net.                    172800  IN      SOA     a.gtld-servers.net. nstld.verisign-grs.com. 2003072300 1800 900 604800 86400

;; AUTHORITY SECTION:
net.                    172800  IN      NS      k.gtld-servers.net.
net.                    172800  IN      NS      g.gtld-servers.net.
net.                    172800  IN      NS      j.gtld-servers.net.
net.                    172800  IN      NS      c.gtld-servers.net.
net.                    172800  IN      NS      a.gtld-servers.net.
net.                    172800  IN      NS      e.gtld-servers.net.
net.                    172800  IN      NS      l.gtld-servers.net.
net.                    172800  IN      NS      i.gtld-servers.net.
net.                    172800  IN      NS      f.gtld-servers.net.
net.                    172800  IN      NS      m.gtld-servers.net.
net.                    172800  IN      NS      d.gtld-servers.net.
net.                    172800  IN      NS      b.gtld-servers.net.
net.                    172800  IN      NS      h.gtld-servers.net.

;; ADDITIONAL SECTION:
k.gtld-servers.net.     172800  IN      A       192.52.178.30
g.gtld-servers.net.     172800  IN      A       192.42.93.30
j.gtld-servers.net.     172800  IN      A       192.48.79.30
c.gtld-servers.net.     172800  IN      A       192.26.92.30
a.gtld-servers.net.     172800  IN      A       192.5.6.30
e.gtld-servers.net.     172800  IN      A       192.12.94.30
l.gtld-servers.net.     172800  IN      A       192.41.162.30
i.gtld-servers.net.     172800  IN      A       192.43.172.30
f.gtld-servers.net.     172800  IN      A       192.35.51.30
m.gtld-servers.net.     172800  IN      A       192.55.83.30
d.gtld-servers.net.     172800  IN      A       192.31.80.30
b.gtld-servers.net.     172800  IN      A       192.33.14.30
h.gtld-servers.net.     172800  IN      A       192.54.112.30

;; Query time: 669 msec
;; SERVER: 10.0.1.240#53(10.0.1.240)
;; WHEN: Wed Jul 23 18:11:51 2003
;; MSG SIZE  rcvd: 508

% dig @a.gtld-servers.net. loadbalanced.net. any

; <<>> DiG 9.2.2 <<>> @a.gtld-servers.net. loadbalanced.net. any
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 47865
;; flags: qr rd; QUERY: 1, ANSWER: 2, AUTHORITY: 2, ADDITIONAL: 2

;; QUESTION SECTION:
;loadbalanced.net.              IN      ANY

;; ANSWER SECTION:
loadbalanced.net.       172800  IN      NS      ns1.loadbalanced.net.
loadbalanced.net.       172800  IN      NS      ns2.loadbalanced.net.

;; AUTHORITY SECTION:
loadbalanced.net.       172800  IN      NS      ns1.loadbalanced.net.
loadbalanced.net.       172800  IN      NS      ns2.loadbalanced.net.

;; ADDITIONAL SECTION:
ns1.loadbalanced.net.   172800  IN      A       66.119.216.7
ns2.loadbalanced.net.   172800  IN      A       65.39.221.8

;; Query time: 125 msec
;; SERVER: 192.5.6.30#53(a.gtld-servers.net.)
;; WHEN: Wed Jul 23 18:12:46 2003
;; MSG SIZE  rcvd: 130

% dig @ns1.loadbalanced.net. loadbalanced.net. any

; <<>> DiG 9.2.2 <<>> @ns1.loadbalanced.net. loadbalanced.net. any
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 60800
;; flags: qr aa rd; QUERY: 1, ANSWER: 5, AUTHORITY: 0, ADDITIONAL: 2

;; QUESTION SECTION:
;loadbalanced.net.              IN      ANY

;; ANSWER SECTION:
loadbalanced.net.       3600    IN      SOA     ns1.loadbalanced.net. postmaster.loadbalanced.net. 2003072200 16384 2048 604800 1800
loadbalanced.net.       86400   IN      NS      ns1.loadbalanced.net.
loadbalanced.net.       86400   IN      NS      ns2.loadbalanced.net.
loadbalanced.net.       3600    IN      MX      10 loadbalanced.net.
loadbalanced.net.       1800    IN      A       65.39.221.17

;; ADDITIONAL SECTION:
ns1.loadbalanced.net.   3600    IN      A       66.119.216.7
ns2.loadbalanced.net.   3600    IN      A       65.39.221.8

;; Query time: 199 msec
;; SERVER: 66.119.216.7#53(ns1.loadbalanced.net.)
;; WHEN: Wed Jul 23 18:15:17 2003
;; MSG SIZE  rcvd: 181

% dig @ns2.loadbalanced.net. loadbalanced.net. any

; <<>> DiG 9.2.2 <<>> @ns2.loadbalanced.net. loadbalanced.net. any
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 43267
;; flags: qr aa rd; QUERY: 1, ANSWER: 5, AUTHORITY: 0, ADDITIONAL: 2

;; QUESTION SECTION:
;loadbalanced.net.              IN      ANY

;; ANSWER SECTION:
loadbalanced.net.       3600    IN      SOA     ns1.loadbalanced.net. postmaster.loadbalanced.net. 2003072200 16384 2048 604800 1800
loadbalanced.net.       86400   IN      NS      ns1.loadbalanced.net.
loadbalanced.net.       86400   IN      NS      ns2.loadbalanced.net.
loadbalanced.net.       3600    IN      MX      10 loadbalanced.net.
loadbalanced.net.       1800    IN      A       65.39.221.17

;; ADDITIONAL SECTION:
ns1.loadbalanced.net.   3600    IN      A       66.119.216.7
ns2.loadbalanced.net.   3600    IN      A       65.39.221.8

;; Query time: 197 msec
;; SERVER: 65.39.221.8#53(ns2.loadbalanced.net.)
;; WHEN: Wed Jul 23 18:15:37 2003
;; MSG SIZE  rcvd: 181

% dig -x 66.119.216.7

; <<>> DiG 9.2.2 <<>> -x 66.119.216.7
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 25733
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 2

;; QUESTION SECTION:
;7.216.119.66.in-addr.arpa.     IN      PTR

;; ANSWER SECTION:
7.216.119.66.in-addr.arpa. 3600 IN      PTR     loadbalanced.net.

;; AUTHORITY SECTION:
216.119.66.in-addr.arpa. 3600   IN      NS      ns2.digitaloasys.net.
216.119.66.in-addr.arpa. 3600   IN      NS      ns1.digitaloasys.net.

;; ADDITIONAL SECTION:
ns2.digitaloasys.net.   171699  IN      A       65.39.221.12
ns1.digitaloasys.net.   171699  IN      A       66.119.216.2

;; Query time: 568 msec
;; SERVER: 10.0.1.240#53(10.0.1.240)
;; WHEN: Wed Jul 23 18:15:56 2003
;; MSG SIZE  rcvd: 179

% dig -x 65.39.221.8

; <<>> DiG 9.2.2 <<>> -x 65.39.221.8
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 8200
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 2

;; QUESTION SECTION:
;8.221.39.65.in-addr.arpa.      IN      PTR

;; ANSWER SECTION:
8.221.39.65.in-addr.arpa. 2502  IN      PTR     ns2.loadbalanced.net.

;; AUTHORITY SECTION:
221.39.65.in-addr.arpa. 85302   IN      NS      ns1.loadbalanced.net.
221.39.65.in-addr.arpa. 85302   IN      NS      ns2.loadbalanced.net.

;; ADDITIONAL SECTION:
ns1.loadbalanced.net.   2417    IN      A       66.119.216.7
ns2.loadbalanced.net.   2437    IN      A       65.39.221.8

;; Query time: 32 msec
;; SERVER: 10.0.1.240#53(10.0.1.240)
;; WHEN: Wed Jul 23 18:16:06 2003
;; MSG SIZE  rcvd: 140

These folks should also clean up their reverse DNS. The SOA values are a
bit strange, and I think that the refresh is below the minimum allowed
by DEnic. So, they would definitely need to clean that up if they were
the cause of your problems. However, I don't think that this is the case.

Unfortunately, these folks refuse all DNS queries via TCP, in violation
of the protocol spec. If you were to have a query that could not be
answered via UDP (or not answered fully, so the protocol spec says that
query should be re-tried with TCP), then you would have a problem. From
what I can tell, these people appear to be running djbdns, and have not
configured it to be properly compliant with the DNS protocol spec.

Personally, I would make every possible effort to avoid using a provider
that does not properly implement important protocol specifications,
especially with regards to the DNS.

> And besides: Does anyone have a clue why the DeNIC has these
> requirements concerning refresh / retry? Nobody bothered when I
> moved an .org domain to exactly the same nameservers that DeNIC
> doesn't want to let me move my .de domain to...

The registry owner for each TLD can set whatever rules they want for the
domains that people want to register. It happens that the DEnic folks
want to insist that people more closely follow what is generally
recommended to be good practice, and will refuse to register your domain
if you fail their checks. Contrariwise, the registry for .org didn't
care so much.

Anyway, if you want to learn more about these zones and any potential
problems they may have, I'd suggest running DNS debugging tools like
"doc" and/or "dnswalk" on them. The results are likely to be pretty
surprising.

-- 
Brad Knowles,

"They that can give up essential liberty to obtain a little temporary
safety deserve neither liberty nor safety."
    -Benjamin Franklin, Historical Review of Pennsylvania.

GCS/IT d+(-) s:+(++)>: a C++(+++)$ UMBSHI++++$ P+>++ L+ !E-(---) W+++(--)
N+ !w--- O- M++ V PS++(+++) PE- Y+(++) PGP>+++ t+(+++) 5++(+++) X++(+++)
R+(+++) tv+(+++) b+(++++) DI+(++++) D+(++) G+(++++) e++>++++ h--- r---(+++)*
z(+++)
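The kind of pre-flight check a registry such as the one discussed above runs on a zone's SOA record can be scripted against dig output before submitting a nameserver change. The script below is an added example written for this thread, not code from the poster or from any registry. It parses the ANSWER SECTION that dig prints, pulls out the SOA timers and the NS set, and reports the problems a registry check typically rejects: retry not smaller than refresh, expire too short to survive an outage of the primary, an `@` in the contact mailbox, a primary (MNAME) that is not among the published NS records, and timers outside a policy range. The two answer sections embedded below are transcribed from the dig output quoted in the mail; the bounds in `POLICY` are a constructed illustration loosely modelled on the RFC 1912 suggestions and are not DENIC's actual published limits, so substitute the registry's real numbers before relying on the result.

```python
"""Parse the ANSWER SECTION of a dig(1) query and sanity-check the SOA.

Added example for this thread (not the poster's code).  The timer bounds
in POLICY are a constructed illustration, NOT a real registry's rules.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# One resource record as dig prints it: owner TTL IN TYPE rdata...
RR_RE = re.compile(
    r"^(?P<owner>\S+)\s+(?P<ttl>\d+)\s+IN\s+(?P<type>[A-Z]+)\s+(?P<rdata>.+?)\s*$"
)


@dataclass
class Soa:
    owner: str
    mname: str      # primary master named in the SOA
    rname: str      # contact mailbox, with '.' in place of '@'
    serial: int
    refresh: int
    retry: int
    expire: int
    minimum: int    # negative-caching TTL (RFC 2308 semantics)


@dataclass
class Zone:
    soa: Optional[Soa] = None
    ns: List[str] = field(default_factory=list)


def parse_answer(text: str) -> Zone:
    """Collect the SOA and NS records from dig-style RR lines; skip the rest."""
    zone = Zone()
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue                      # blank lines and dig's ';;' commentary
        m = RR_RE.match(line)
        if not m:
            continue
        rtype, rdata = m.group("type"), m.group("rdata").split()
        if rtype == "SOA":
            mname, rname, *timers = rdata  # serial refresh retry expire minimum
            zone.soa = Soa(m.group("owner"), mname, rname, *map(int, timers))
        elif rtype == "NS":
            zone.ns.append(rdata[0].lower())
    return zone


# Constructed (min, max) bounds in seconds, loosely after RFC 1912 section 2.2.
# NOT DENIC's real limits: replace with the registry's published values.
POLICY = {
    "refresh": (1200, 43200),
    "retry": (120, 7200),
    "expire": (1209600, 2419200),
    "minimum": (300, 86400),
}


def check_zone(zone: Zone, policy=POLICY) -> List[str]:
    """Return a list of human-readable findings; an empty list means the SOA passed."""
    soa = zone.soa
    if soa is None:
        return ["no SOA record in answer"]
    findings = []
    # Relationships between the timers that hold regardless of policy numbers.
    if soa.retry >= soa.refresh:
        findings.append("retry must be smaller than refresh")
    if soa.expire <= soa.refresh + soa.retry:
        findings.append("expire must exceed refresh + retry")
    if "@" in soa.rname:
        findings.append("rname must use '.' not '@' for the mailbox")
    if soa.mname.lower() not in zone.ns:
        findings.append(f"primary {soa.mname} is not among the zone's NS records")
    # Absolute bounds from the (constructed) registry policy.
    for name, (lo, hi) in policy.items():
        val = getattr(soa, name)
        if not lo <= val <= hi:
            findings.append(f"{name}={val} outside policy range {lo}-{hi}")
    return findings


# Transcribed from the dig output quoted in the mail (ANSWER SECTION only).
THUNDERBRIDGE = """\
;; ANSWER SECTION:
thunderbridge.de.  7200  IN  SOA  ns1.modwest.com. root.modwest.com. 2003051710 10800 3600 604800 7200
thunderbridge.de.  7200  IN  NS   ns2.modwest.com.
thunderbridge.de.  7200  IN  NS   ns1.modwest.com.
thunderbridge.de.  7200  IN  MX   10 mail.modwest.com.
thunderbridge.de.  7200  IN  A    216.129.251.2
"""

LOADBALANCED = """\
;; ANSWER SECTION:
loadbalanced.net.  3600   IN  SOA  ns1.loadbalanced.net. postmaster.loadbalanced.net. 2003072200 16384 2048 604800 1800
loadbalanced.net.  86400  IN  NS   ns1.loadbalanced.net.
loadbalanced.net.  86400  IN  NS   ns2.loadbalanced.net.
loadbalanced.net.  3600   IN  MX   10 loadbalanced.net.
loadbalanced.net.  1800   IN  A    65.39.221.17
"""


def report(answer_text: str) -> List[str]:
    """Parse one dig answer and return its findings."""
    return check_zone(parse_answer(answer_text))


if __name__ == "__main__":
    for label, text in (("thunderbridge.de", THUNDERBRIDGE), ("loadbalanced.net", LOADBALANCED)):
        print(f"{label}: {report(text) or ['ok']}")
```

Feed it the answer section of `dig @<nameserver> <zone> any` for each authoritative server the registry will query, since the two servers in the thread returned the same SOA but a registry check fails when any one of them disagrees. With the constructed policy above, both zones in the thread are flagged only for their one-week expire; swapping in the real registry bounds is what turns this into the check that actually matters before filing the change.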