dig printout doesn't appear to match reality
It appears that dig is printing results that it attributes to the wrong server.

While troubleshooting an inconsistent NS issue (upstream from us), a trace (at the end of this message) shows that DNS3.UIOWA.EDU listed two NS records, when in fact, if you query DNS3.UIOWA.EDU for the domain in question it returns three NS records. The results that were returned belong to either DNS-2.IASTATE.EDU or DNS2.ICN.STATE.ia.us.

Why is dig attributing it to one NS server when it belongs to another?

Regards,

Frank

==
nagios:/etc/cron.daily# dig +trace NS sioux-center.k12.ia.us

; <<>> DiG 9.5.1-P1 <<>> +trace NS sioux-center.k12.ia.us
;; global options: printcmd
. 512780 IN NS b.root-servers.net.
. 512780 IN NS e.root-servers.net.
. 512780 IN NS f.root-servers.net.
. 512780 IN NS m.root-servers.net.
. 512780 IN NS g.root-servers.net.
. 512780 IN NS k.root-servers.net.
. 512780 IN NS l.root-servers.net.
. 512780 IN NS a.root-servers.net.
. 512780 IN NS h.root-servers.net.
. 512780 IN NS j.root-servers.net.
. 512780 IN NS d.root-servers.net.
. 512780 IN NS c.root-servers.net.
. 512780 IN NS i.root-servers.net.
;; Received 500 bytes from 127.0.0.1#53(127.0.0.1) in 0 ms

us. 172800 IN NS I.GTLD.BIZ.
us. 172800 IN NS J.GTLD.BIZ.
us. 172800 IN NS K.GTLD.BIZ.
us. 172800 IN NS B.GTLD.BIZ.
us. 172800 IN NS A.GTLD.BIZ.
us. 172800 IN NS C.GTLD.BIZ.
;; Received 308 bytes from 128.8.10.90#53(d.root-servers.net) in 48 ms

k12.ia.us. 7200 IN NS DNS-2.IASTATE.EDU.
k12.ia.us. 7200 IN NS DNS2.ICN.STATE.ia.us.
k12.ia.us. 7200 IN NS DNS3.UIOWA.EDU.
;; Received 141 bytes from 156.154.96.126#53(I.GTLD.BIZ) in 97 ms

sioux-center.k12.ia.us. 28800 IN NS ns1.netins.net.
sioux-center.k12.ia.us. 28800 IN NS dns.mtcnet.net.
;; Received 109 bytes from 128.255.64.5#53(DNS3.UIOWA.EDU) in 18 ms

sioux-center.k12.ia.us. 86400 IN NS ns2.mtcnet.net.
sioux-center.k12.ia.us. 86400 IN NS ns1.mtcnet.net.
sioux-center.k12.ia.us. 86400 IN NS ns1.netins.net.
;; Received 159 bytes from 167.142.225.5#53(ns1.netins.net) in 9 ms

___
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Re: dig printout doesn't appear to match reality
If you send the server a recursive query, you get an answer from its cache. If you sent it an iterative query, you get a referral from its authoritative zone.

$ dig @DNS3.UIOWA.EDU sioux-center.k12.ia.us ns +noall +auth +norec

; <<>> DiG 9.4.3-P1 <<>> @DNS3.UIOWA.EDU sioux-center.k12.ia.us ns +noall +auth +norec
; (2 servers found)
;; global options: printcmd
sioux-center.k12.ia.us. 28800 IN NS dns.mtcnet.net.
sioux-center.k12.ia.us. 28800 IN NS ns1.netins.net.

$ dig @DNS3.UIOWA.EDU sioux-center.k12.ia.us ns +noall +answer

; <<>> DiG 9.4.3-P1 <<>> @DNS3.UIOWA.EDU sioux-center.k12.ia.us ns +noall +answer
; (2 servers found)
;; global options: printcmd
sioux-center.k12.ia.us. 83030 IN NS ns1.netins.net.
sioux-center.k12.ia.us. 83030 IN NS ns2.mtcnet.net.
sioux-center.k12.ia.us. 83030 IN NS ns1.mtcnet.net.

Chris Buxton
Professional Services
Men & Mice

On May 16, 2009, at 8:53 AM, Frank Bulk wrote:

> It appears that dig is printing results that it attributes to the wrong
> server.
>
> While troubleshooting an inconsistent NS issue (upstream from us), a trace
> (at the end of this message) shows that DNS3.UIOWA.EDU listed two NS
> records, when in fact, if you query DNS3.UIOWA.EDU for the domain in
> question it returns three NS records. The results that were returned belong
> to either DNS-2.IASTATE.EDU or DNS2.ICN.STATE.ia.us.
>
> Why is dig attributing it to one NS server when it belongs to another?
>
> Regards,
>
> Frank
>
> ==
> nagios:/etc/cron.daily# dig +trace NS sioux-center.k12.ia.us
>
> ; <<>> DiG 9.5.1-P1 <<>> +trace NS sioux-center.k12.ia.us
> ;; global options: printcmd
> . 512780 IN NS b.root-servers.net.
> . 512780 IN NS e.root-servers.net.
> . 512780 IN NS f.root-servers.net.
> . 512780 IN NS m.root-servers.net.
> . 512780 IN NS g.root-servers.net.
> . 512780 IN NS k.root-servers.net.
> . 512780 IN NS l.root-servers.net.
> . 512780 IN NS a.root-servers.net.
> . 512780 IN NS h.root-servers.net.
> . 512780 IN NS j.root-servers.net.
> . 512780 IN NS d.root-servers.net.
> . 512780 IN NS c.root-servers.net.
> . 512780 IN NS i.root-servers.net.
> ;; Received 500 bytes from 127.0.0.1#53(127.0.0.1) in 0 ms
>
> us. 172800 IN NS I.GTLD.BIZ.
> us. 172800 IN NS J.GTLD.BIZ.
> us. 172800 IN NS K.GTLD.BIZ.
> us. 172800 IN NS B.GTLD.BIZ.
> us. 172800 IN NS A.GTLD.BIZ.
> us. 172800 IN NS C.GTLD.BIZ.
> ;; Received 308 bytes from 128.8.10.90#53(d.root-servers.net) in 48 ms
>
> k12.ia.us. 7200 IN NS DNS-2.IASTATE.EDU.
> k12.ia.us. 7200 IN NS DNS2.ICN.STATE.ia.us.
> k12.ia.us. 7200 IN NS DNS3.UIOWA.EDU.
> ;; Received 141 bytes from 156.154.96.126#53(I.GTLD.BIZ) in 97 ms
>
> sioux-center.k12.ia.us. 28800 IN NS ns1.netins.net.
> sioux-center.k12.ia.us. 28800 IN NS dns.mtcnet.net.
> ;; Received 109 bytes from 128.255.64.5#53(DNS3.UIOWA.EDU) in 18 ms
>
> sioux-center.k12.ia.us. 86400 IN NS ns2.mtcnet.net.
> sioux-center.k12.ia.us. 86400 IN NS ns1.mtcnet.net.
> sioux-center.k12.ia.us. 86400 IN NS ns1.netins.net.
> ;; Received 159 bytes from 167.142.225.5#53(ns1.netins.net) in 9 ms

Re: dig printout doesn't appear to match reality
> It appears that dig is printing results that it attributes to the wrong
> server.

Not really.

> While troubleshooting an inconsistent NS issue (upstream from us), a trace
> (at the end of this message) shows that DNS3.UIOWA.EDU listed two NS
> records, when in fact, if you query DNS3.UIOWA.EDU for the domain in
> question it returns three NS records. The results that were returned belong
> to either DNS-2.IASTATE.EDU or DNS2.ICN.STATE.ia.us.
>
> Why is dig attributing it to one NS server when it belongs to another?

Try with and without +norec and you'll see the difference:

% dig +norec ns sioux-center.k12.ia.us. @128.255.1.8

;; flags: qr ra; QUERY: 1, ANSWER: 0, AUTHORITY: 2, ADDITIONAL: 1

;; AUTHORITY SECTION:
sioux-center.k12.ia.us. 28800 IN NS ns1.netins.net.
sioux-center.k12.ia.us. 28800 IN NS dns.mtcnet.net.

% dig ns sioux-center.k12.ia.us. @128.255.1.8

;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 3

;; ANSWER SECTION:
sioux-center.k12.ia.us. 82485 IN NS ns2.mtcnet.net.
sioux-center.k12.ia.us. 82485 IN NS ns1.mtcnet.net.
sioux-center.k12.ia.us. 82485 IN NS ns1.netins.net.

One could certainly argue that DNS3.UIOWA.EDU should not behave this way.

Steinar Haug, Nethelp consulting, sth...@nethelp.no

RE: dig printout doesn't appear to match reality
Wow, I wasn't aware of that nuance. I have been making incorrect assumptions.

It doesn't make sense to me how DNS3.UIOWA.EDU can return the correct cached result for the NS records of sioux-center.k12.ia.us but an incorrect "norec" result. Doesn't specifying "no recursion" mean that it has to be either authoritative for that domain or have the entry cached in order to return any result at all? But the 'aa' bit is not set, which seems to me that it must have obtained the result from its cache.

Frank

-----Original Message-----
From: Chris Buxton [mailto:cbux...@menandmice.com]
Sent: Saturday, May 16, 2009 11:09 AM
To: Frank Bulk
Cc: bind-users@lists.isc.org
Subject: Re: dig printout doesn't appear to match reality

If you send the server a recursive query, you get an answer from its cache. If you sent it an iterative query, you get a referral from its authoritative zone.

$ dig @DNS3.UIOWA.EDU sioux-center.k12.ia.us ns +noall +auth +norec

; <<>> DiG 9.4.3-P1 <<>> @DNS3.UIOWA.EDU sioux-center.k12.ia.us ns +noall +auth +norec
; (2 servers found)
;; global options: printcmd
sioux-center.k12.ia.us. 28800 IN NS dns.mtcnet.net.
sioux-center.k12.ia.us. 28800 IN NS ns1.netins.net.

$ dig @DNS3.UIOWA.EDU sioux-center.k12.ia.us ns +noall +answer

; <<>> DiG 9.4.3-P1 <<>> @DNS3.UIOWA.EDU sioux-center.k12.ia.us ns +noall +answer
; (2 servers found)
;; global options: printcmd
sioux-center.k12.ia.us. 83030 IN NS ns1.netins.net.
sioux-center.k12.ia.us. 83030 IN NS ns2.mtcnet.net.
sioux-center.k12.ia.us. 83030 IN NS ns1.mtcnet.net.

Chris Buxton
Professional Services
Men & Mice

On May 16, 2009, at 8:53 AM, Frank Bulk wrote:

> It appears that dig is printing results that it attributes to the wrong
> server.
>
> While troubleshooting an inconsistent NS issue (upstream from us), a trace
> (at the end of this message) shows that DNS3.UIOWA.EDU listed two NS
> records, when in fact, if you query DNS3.UIOWA.EDU for the domain in
> question it returns three NS records. The results that were returned belong
> to either DNS-2.IASTATE.EDU or DNS2.ICN.STATE.ia.us.
>
> Why is dig attributing it to one NS server when it belongs to another?
>
> Regards,
>
> Frank
>
> ==
> nagios:/etc/cron.daily# dig +trace NS sioux-center.k12.ia.us
>
> ; <<>> DiG 9.5.1-P1 <<>> +trace NS sioux-center.k12.ia.us
> ;; global options: printcmd
> . 512780 IN NS b.root-servers.net.
> . 512780 IN NS e.root-servers.net.
> . 512780 IN NS f.root-servers.net.
> . 512780 IN NS m.root-servers.net.
> . 512780 IN NS g.root-servers.net.
> . 512780 IN NS k.root-servers.net.
> . 512780 IN NS l.root-servers.net.
> . 512780 IN NS a.root-servers.net.
> . 512780 IN NS h.root-servers.net.
> . 512780 IN NS j.root-servers.net.
> . 512780 IN NS d.root-servers.net.
> . 512780 IN NS c.root-servers.net.
> . 512780 IN NS i.root-servers.net.
> ;; Received 500 bytes from 127.0.0.1#53(127.0.0.1) in 0 ms
>
> us. 172800 IN NS I.GTLD.BIZ.
> us. 172800 IN NS J.GTLD.BIZ.
> us. 172800 IN NS K.GTLD.BIZ.
> us. 172800 IN NS B.GTLD.BIZ.
> us. 172800 IN NS A.GTLD.BIZ.
> us. 172800 IN NS C.GTLD.BIZ.
> ;; Received 308 bytes from 128.8.10.90#53(d.root-servers.net) in 48 ms
>
> k12.ia.us. 7200 IN NS DNS-2.IASTATE.EDU.
> k12.ia.us. 7200 IN NS DNS2.ICN.STATE.ia.us.
> k12.ia.us. 7200 IN NS DNS3.UIOWA.EDU.
> ;; Received 141 bytes from 156.154.96.126#53(I.GTLD.BIZ) in 97 ms
>
> sioux-center.k12.ia.us. 28800 IN NS ns1.netins.net.
> sioux-center.k12.ia.us. 28800 IN NS dns.mtcnet.net.
> ;; Received 109 bytes from 128.255.64.5#53(DNS3.UIOWA.EDU) in 18 ms
>
> sioux-center.k12.ia.us. 86400 IN NS ns2.mtcnet.net.
> sioux-center.k12.ia.us. 86400 IN NS ns1.mtcnet.net.
> sioux-center.k12.ia.us. 86400 IN NS ns1.netins.net.
> ;; Received 159 bytes from 167.142.225.5#53(ns1.netins.net) in 9 ms

RE: dig printout doesn't appear to match reality
Thanks for the response. The wheels are already in motion to get this inconsistency resolved. Unfortunately, the stated response time for this state agency is 2 weeks. =(

Frank

-----Original Message-----
From: sth...@nethelp.no [mailto:sth...@nethelp.no]
Sent: Saturday, May 16, 2009 11:20 AM
To: frnk...@iname.com
Cc: bind-users@lists.isc.org
Subject: Re: dig printout doesn't appear to match reality

One could certainly argue that DNS3.UIOWA.EDU should not behave this way.

Steinar Haug, Nethelp consulting, sth...@nethelp.no

Re: dig printout doesn't appear to match reality
> It doesn't make sense to me how DNS3.UIOWA.EDU can return the correct cached
> result for the NS records of sioux-center.k12.ia.us but an incorrect "norec"
> result. Doesn't specifying "no recursion" mean that it has to be either
> authoritative for that domain or have the entry cached in order to return
> any result at all?

No. If that was the case no delegations would work unless the name server was also authoritative for the subdomain.

Steinar Haug, Nethelp consulting, sth...@nethelp.no

RE: dig printout doesn't appear to match reality
Ok, now I'm following you. I don't live and breathe this like you and Chris do. =)

If the dns3.uiowa.edu's cache was flushed for sioux-center.k12.ia.us, what do you think the query results for

dig @DNS3.UIOWA.EDU sioux-center.k12.ia.us ns +noall +answer

would be?

Frank

-----Original Message-----
From: sth...@nethelp.no [mailto:sth...@nethelp.no]
Sent: Saturday, May 16, 2009 11:35 AM
To: frnk...@iname.com
Cc: cbux...@menandmice.com; bind-users@lists.isc.org
Subject: Re: dig printout doesn't appear to match reality

> It doesn't make sense to me how DNS3.UIOWA.EDU can return the correct cached
> result for the NS records of sioux-center.k12.ia.us but an incorrect "norec"
> result. Doesn't specifying "no recursion" mean that it has to be either
> authoritative for that domain or have the entry cached in order to return
> any result at all?

No. If that was the case no delegations would work unless the name server was also authoritative for the subdomain.

Steinar Haug, Nethelp consulting, sth...@nethelp.no

Re: dig printout doesn't appear to match reality
> If the dns3.uiowa.edu's cache was flushed for sioux-center.k12.ia.us, what
> do you think the query results for
> dig @DNS3.UIOWA.EDU sioux-center.k12.ia.us ns +noall +answer
> would be?

I think you would get what you get right now with +norec, *until* the name server acquired some of the other records in its cache. At which point you'd be back to where you are without +norec now.

The solution, of course, is to fix the inconsistency.

Steinar Haug, Nethelp consulting, sth...@nethelp.no

Re: dig printout doesn't appear to match reality
At 08:53 16-05-2009, Frank Bulk wrote:
>It appears that dig is printing results that it attributes to the wrong
>server.
>
>While troubleshooting an inconsistent NS issue (upstream from us), a trace

[snip]

>sioux-center.k12.ia.us. 28800 IN NS ns1.netins.net.
>sioux-center.k12.ia.us. 28800 IN NS dns.mtcnet.net.

This is unrelated to your original question. dns.mtcnet.net does not resolve.

Regards,
-sm

RE: dig printout doesn't appear to match reality
Yes, dns.mtcnet.net does not resolve because that host name has been deprecated, although the IP address it represented still functions, but only as a caching-only server limited to our customer base. The organization that manages k12.ia.us was informed of the changes over a month ago and almost all of them were fixed up correctly, but two of them aren't 100%.

The issue was discovered because I have a cron job that gives me the top 20 hosts that are generating "cache denied". This cron job has alerted me to more inconsistencies than I care to mention. =)

Frank

-----Original Message-----
From: SM [mailto:s...@resistor.net]
Sent: Saturday, May 16, 2009 12:46 PM
To: Frank Bulk
Cc: bind-users@lists.isc.org
Subject: Re: dig printout doesn't appear to match reality

At 08:53 16-05-2009, Frank Bulk wrote:
>It appears that dig is printing results that it attributes to the wrong
>server.
>
>While troubleshooting an inconsistent NS issue (upstream from us), a trace

[snip]

>sioux-center.k12.ia.us. 28800 IN NS ns1.netins.net.
>sioux-center.k12.ia.us. 28800 IN NS dns.mtcnet.net.

This is unrelated to your original question. dns.mtcnet.net does not resolve.

Regards,
-sm

Re: dig printout doesn't appear to match reality
In message , "Frank Bulk" writes:
> Wow, I wasn't aware of that nuance. I have been making incorrect
> assumptions.
>
> It doesn't make sense to me how DNS3.UIOWA.EDU can return the correct cached
> result for the NS records of sioux-center.k12.ia.us but an incorrect "norec"
> result. Doesn't specifying "no recursion" mean that it has to be either
> authoritative for that domain or have the entry cached in order to return
> any result at all?

No. It is a server for a parent domain so it returns a referral to where the real information is.

> But the 'aa' bit is not set, which seems to me that it
> must have obtained the result from its cache.

Note there is nothing in the answer section to set "aa=1" against.

; <<>> DiG 9.3.6-P1 <<>> +norec sioux-center.k12.ia.us ns @DNS3.UIOWA.EDU
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 8795
;; flags: qr ra; QUERY: 1, ANSWER: 0, AUTHORITY: 2, ADDITIONAL: 1

;; QUESTION SECTION:
;sioux-center.k12.ia.us. IN NS

;; AUTHORITY SECTION:
sioux-center.k12.ia.us. 28800 IN NS dns.mtcnet.net.
sioux-center.k12.ia.us. 28800 IN NS ns1.netins.net.

;; ADDITIONAL SECTION:
ns1.netins.net. 61323 IN A 167.142.225.5

;; Query time: 223 msec
;; SERVER: 128.255.1.8#53(128.255.1.8)
;; WHEN: Sun May 17 07:48:51 2009
;; MSG SIZE rcvd: 109

--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: mark_andr...@isc.org
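
The referral-versus-cached-answer distinction worked out in this thread, as an added example that is not part of any poster's message: a Python parser for dig output that classifies a response by its header flags and sections, then reports where the parent's delegation NS set differs from the NS set in the answer. The two embedded responses are the DNS3.UIOWA.EDU outputs quoted in Steinar Haug's reply; the function names (parse_dig, classify, delegation_diff) are hypothetical.

```python
import re

# Both responses are the ones quoted in the thread for DNS3.UIOWA.EDU.
NOREC = """\
;; flags: qr ra; QUERY: 1, ANSWER: 0, AUTHORITY: 2, ADDITIONAL: 1
;; AUTHORITY SECTION:
sioux-center.k12.ia.us. 28800 IN NS ns1.netins.net.
sioux-center.k12.ia.us. 28800 IN NS dns.mtcnet.net.
"""
RECURSIVE = """\
;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 3
;; ANSWER SECTION:
sioux-center.k12.ia.us. 82485 IN NS ns2.mtcnet.net.
sioux-center.k12.ia.us. 82485 IN NS ns1.mtcnet.net.
sioux-center.k12.ia.us. 82485 IN NS ns1.netins.net.
"""

def parse_dig(text):
    """Return (header flags, {section name: set of NS targets})."""
    flags, sections, current = set(), {}, None
    for line in text.splitlines():
        line = line.strip()
        flag_m = re.match(r";; flags:([^;]*);", line)
        sect_m = re.match(r";; (\w+) SECTION:", line)
        if flag_m:
            flags = set(flag_m.group(1).split())
        elif sect_m:
            current = sect_m.group(1)
        elif current and line and not line.startswith(";"):
            fields = line.split()
            if len(fields) >= 5 and fields[3].upper() == "NS":
                target = fields[4].lower().rstrip(".")
                sections.setdefault(current, set()).add(target)
    return flags, sections

def classify(text):
    """Label a response the way the thread reads it."""
    flags, sections = parse_dig(text)
    if sections.get("ANSWER"):
        return "authoritative answer" if "aa" in flags else "cached answer"
    if sections.get("AUTHORITY") and "aa" not in flags:
        return "referral"  # NS in AUTHORITY, empty ANSWER, no aa bit
    return "other"

def delegation_diff(referral_text, answer_text):
    """Compare the parent's delegation NS set with the NS set in an answer."""
    parent = parse_dig(referral_text)[1].get("AUTHORITY", set())
    child = parse_dig(answer_text)[1].get("ANSWER", set())
    return {"only_in_delegation": sorted(parent - child),
            "only_in_answer": sorted(child - parent)}

if __name__ == "__main__":
    print(classify(NOREC), "/", classify(RECURSIVE))
    print(delegation_diff(NOREC, RECURSIVE))
```

Feeding it the saved output of a +norec query to each parent-zone server alongside the child zone's own NS answer shows which parent servers still carry a stale delegation.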