Help again please Fwd: please fix your broken DNS server
Kevin Miller
kcmiller at duke.edu
Sat Jul 9 05:28:18 CEST 2005
>>Thus we're getting an SOA for 'ci.mil.wi.us' when we asked for a AAAA of
>>gwise.ci.mil.wi.us. I suspect this is what's causing SERVFAIL's of every
>>server trying to track down the AAAAs, including the SERVFAILs from
>>itmddnsYx.milwaukee.gov.
>>
>>
>
>The respones looks correct to me - we asked for AAAA records for
>gwise.ci.mil.wi.us and the server said that there were 0 records
>of that type and points us at ci.mil.wi.us as being authorititive.
>AFAIK, that's a perfectly reasonable thing to do.
>
>
Caching resolvers that query itmddnsYx.milwaukee.gov for A records of
gwise.ci.mil.wi.us will receive NS records pointing at
lpitmd-ispX.mpw.net, and will cache this. On subsequent queries for AAAA
requests for gwise.ci.mil.wi.us, they will query lpitmd-ispX directly,
and receive the SOA record with a label of ci.mil.wi.us. This is
inconsistent, as the NS records would indicate that gwise.ci.mil.wi.us
should be a zone apex (and lpitmd should have the SOA for gwise, not
giving us an SOA for ci.mil). I suspect this is what is causing the
SERVFAILs to be generated (by the resolvers).
$ dig gwise.ci.mil.wi.us a @itmddns1x.milwaukee.gov
; <<>> DiG 9.2.4 <<>> gwise.ci.mil.wi.us a @itmddns1x.milwaukee.gov
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 31628
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 2, ADDITIONAL: 2
;; QUESTION SECTION:
;gwise.ci.mil.wi.us. IN A
;; ANSWER SECTION:
gwise.ci.mil.wi.us. 0 IN A 216.54.131.198
gwise.ci.mil.wi.us. 0 IN A 216.56.88.101
;; AUTHORITY SECTION:
gwise.ci.mil.wi.us. 60 IN NS lpitmd-isp1.mpw.net.
gwise.ci.mil.wi.us. 60 IN NS lpitmd-isp2.mpw.net.
It definitely seems like some sort of DNS load balancing is causing an
inconsistent presentation of the service.
A dig +trace aaaa gwise.ci.mil.wi.us demonstrates this nicely. Note that
+trace will fall back to an 'a' query when it doesn't get an answer for
AAAA, as it does when querying @itmddns1x.milwaukee.gov.
-Kevin
More information about the ipv6-ops
mailing list