From: Ian Smith
To: Jon Radel
Cc: kline, freebsd-questions@freebsd.org
Date: Fri, 5 Nov 2010 18:28:27 +1100 (EST)
Subject: Re: ATTN GARY KLINE

In freebsd-questions Digest, Vol 335, Issue 8, Message: 29
On Fri, 05 Nov 2010 01:32:11 -0400 Jon Radel wrote:
> On 11/5/10 12:22 AM, kline wrote:
[..]
> > It is time to get this stuff arrow-straight, so hoping that someone
> > on-list can clue me in.
[..]
> > http://www.dnscog.com/report/thought.org/1288928790

> If your parents, the nameservers authoritative for .org, tell the world
> that one of the nameservers for thought.org is ns1.thought.org, they
> also have to tell the world what the IP address for ns1.thought.org is
> using an A record. That A record is glue.
> Otherwise you get a machine
> conversation something like:
>
> Resolving nameserver trying to find a record in the thought.org zone
> (RN): Please Mr. root server, I'd like to know about www.thought.org....
> Root: See the .org folks over there....
> RN: Please Mr. top-level dude, about that www.thought.org....
> Org: Well, see ns1.thought.org....
> RN: Ahem, I'm trying to find out basic stuff about thought.org and I
> don't know the address for ns1.thought.org in order to ask it
> Org: Well, ask ns1.thought.org what the address for ns1.thought.org is...
> RN: But, but, but....followed by petulant stomping off
>
> Glue A records fix that problem.

Lovely description Jon :) But you don't always have any control of what
parent nameservers do; eg we do DNS for a .com but both NS are in .au so
DNS reports always whinge about lack of glue .. nonetheless it works,
though only after a hunt down through the .au servers, until cached.

> BTW, the fact that a glue record isn't returned for ns2.everydns.net in
> response to a query about NS records for thought.org really isn't a
> problem; note the "info" rather than "fail" from DNSCog.
>
> Biggest problem I still see is that ns2.everydns.net refuses to respond
> to queries about thought.org. You sure your account there is still
> active and functional and that you're allowing zone transfers to them?

Confirmed here, no response at all after a good long wait; worse than
returning 'we don't do thought.org'

% dig @ns2.everydns.net. thought.org

; <<>> DiG 9.3.4-P1 <<>> @ns2.everydns.net. thought.org
; (1 server found)
;; global options: printcmd
;; connection timed out; no servers could be reached

where they really should be quickly issuing a REFUSED response.
'dig @ns2.everydns.net. everydns.net' works fine, so I'm reaching it ok.
> I note that you don't allow transfers from arbitrary addresses, and
> http://www.everydns.com/faq/secondary-domain/example-setup does warn
> that the source address for transfer requests was/will/did change.
>
> Some of the problems reported by DNSCog appear to be bogus. They've got
> some bugs related to cases where a nameserver has a name in the domain
> in question. (And also some bugs related to nameservers which are
> reachable by both ipv4 and ipv6, but that doesn't apply to you.)

Bogus indeed. Tested one local domain there and got whinging about not
accepting <> and postmaster@ mail; odd, thought I, but maillog shows:

Nov 4 22:43:43 xxxx sm-mta[81227]: ruleset=check_relay, arg1=[216.146.46.136], arg2=216.146.46.136, relay=[216.146.46.136], reject=550 5.7.1 Fix reverse DNS for 216.146.46.136

% dig -x 216.146.46.136
[..]
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 18278
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;136.46.146.216.in-addr.arpa. IN PTR

;; AUTHORITY SECTION:
46.146.216.in-addr.arpa. 1800 IN SOA ns1.mydyndns.org. zone-admin.dyndns.com. 2008082768 10800 1800 604800 1800

Seems a bit amateurish to me, running a service like that on a dynamic
address without reverse resolution, then expecting mail to work ..

cheers, Ian
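
Added example, not part of the original message or of any project named in it: a toy resolver over constructed delegation data that reproduces the three cases discussed in the thread (in-zone nameserver without glue, the same with glue, and a zone whose nameservers live under another TLD). The 192.0.2.x addresses and the example.com / example.net.au names are assumptions made up for illustration, and one delegations table stands in for all parent zones.

```python
# Added example: toy resolver over constructed data, no network access.
# Addresses (192.0.2.0/24) and the example.* names are made up for illustration.

class Unresolvable(Exception): pass

def enclosing_zone(name, delegations):
    """Closest delegated zone that contains name."""
    labels = name.rstrip(".").split(".")
    for i in range(len(labels)):
        zone = ".".join(labels[i:]) + "."
        if zone in delegations:
            return zone
    raise Unresolvable("no delegation covers " + name)

def resolve(name, delegations, servers, pending=frozenset(), trace=None):
    """Return name's address; trace lists every name that had to be chased."""
    trace = [] if trace is None else trace
    trace.append(name)
    if name in pending:              # this name is needed to find itself
        raise Unresolvable("delegation loop at " + name)
    ns_names, glue = delegations[enclosing_zone(name, delegations)]
    for ns in ns_names:
        addr = glue.get(ns)          # glue: address handed out by the parent
        if addr is None:             # no glue: resolve the NS name first
            try:
                addr = resolve(ns, delegations, servers, pending | {name}, trace)
            except Unresolvable:
                continue
        if name in servers.get(addr, {}):
            return servers[addr][name]
    raise Unresolvable("no reachable nameserver for " + name)

def lookup(name, delegations, servers):
    trace = []
    try:
        return resolve(name, delegations, servers, trace=trace), trace
    except Unresolvable:
        return None, trace

SERVERS = {  # server address -> records it answers with (constructed)
    "192.0.2.53": {"www.thought.org.": "192.0.2.80", "ns1.thought.org.": "192.0.2.53"},
    "192.0.2.54": {"www.example.com.": "192.0.2.81", "ns1.example.net.au.": "192.0.2.54"},
}
# zone -> (NS names the parent returns, glue A records the parent returns)
NO_GLUE = {"thought.org.": (["ns1.thought.org."], {})}
WITH_GLUE = {"thought.org.": (["ns1.thought.org."], {"ns1.thought.org.": "192.0.2.53"})}
OUT_OF_ZONE = {  # a .com zone served from .au names, as in the reply above
    "example.com.": (["ns1.example.net.au."], {}),
    "example.net.au.": (["ns1.example.net.au."], {"ns1.example.net.au.": "192.0.2.54"}),
}
```

lookup() returns the address (or None) together with the list of names the resolver had to chase, so the extra hop in the out-of-zone case is visible in the second element.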