Help again please Fwd: please fix your broken DNS server

Kevin Miller kcmiller at duke.edu
Fri Jul 8 22:40:55 CEST 2005


David Malone wrote:
> On Fri, Jul 08, 2005 at 11:32:41AM -0500, Joseph T. Klein wrote:
> 
>>Why does the direct dig work and the indirect resolution not?
> 
> 
> The problem is a little bit subtle, because it is with an upstream
> name server, and so the query never makes it to the name servers
> that he mentions. The real problem queries are:
> 
> 	dig AAAA gwise.milwaukee.gov @itmddns1x.milwaukee.gov
> 	dig AAAA gwise.milwaukee.gov @itmddns2x.milwaukee.gov
> 	dig AAAA gwise.milwaukee.gov @itmddns3x.milwaukee.gov
> 	dig AAAA gwise.milwaukee.gov @itmddns4x.milwaukee.gov

I actually suspect the problem lies with lpitmd-isp1.mpw.net and
lpitmd-isp2.mpw.net, which are in theory authoritative for
gwise.ci.mil.wi.us. Notice:

$ dig a gwise.ci.mil.wi.us @lpitmd-isp1.mpw.net

; <<>> DiG 9.2.4 <<>> a gwise.ci.mil.wi.us @lpitmd-isp1.mpw.net
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 13833
;; flags: qr aa; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;gwise.ci.mil.wi.us.            IN      A

;; ANSWER SECTION:
gwise.ci.mil.wi.us.     0       IN      A       216.54.131.198
gwise.ci.mil.wi.us.     0       IN      A       216.56.88.101

$ dig aaaa gwise.ci.mil.wi.us @lpitmd-isp1.mpw.net

; <<>> DiG 9.2.4 <<>> aaaa gwise.ci.mil.wi.us @lpitmd-isp1.mpw.net
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 5071
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;gwise.ci.mil.wi.us.            IN      AAAA

;; AUTHORITY SECTION:
ci.mil.wi.us.           86400   IN      SOA     ci.mil.wi.us. administrator.ci.mil.wi.us. 998545544 28800 7200 604800 86400

----

Thus we're getting an SOA for 'ci.mil.wi.us' when we asked for a AAAA of
gwise.ci.mil.wi.us. I suspect this is what's causing SERVFAILs of every
server trying to track down the AAAAs, including the SERVFAILs from
itmddnsYx.milwaukee.gov.

Also note that lpitmd-isp*.mpw.net are actually in the (v4) path (at
least from my POV) to their other nameservers:

...
16  core-01-ge-3-1-2-1.chcg.twtelecom.net (66.192.244.32)  28.135 ms  28.394 ms  27.973 ms
17  dist-02-so-0-0-0-0.milw.twtelecom.net (66.192.244.103)  30.387 ms  29.867 ms  30.056 ms
18  hagg-01-ge-1-3-0-508.milw.twtelecom.net (66.192.244.115)  30.397 ms  30.440 ms  30.379 ms
19  207.250.123.18 (207.250.123.18)  30.448 ms  30.430 ms  30.418 ms
20  lp-isp1.mpw.net (216.54.131.251)  30.446 ms  30.621 ms  30.476 ms

(216.54.131.251 == lpitmd-isp1.mpw.net), so I suspect these nameservers
are some sort of router/firewall, and likely not handling AAAAs very well.

-Kevin
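
As an added example (not part of the original message), the Python sketch below parses the header lines of the two dig outputs quoted above and reports how the same server's A and AAAA responses differ. The function names are hypothetical; the header text is copied from the message.

```python
import re

# Header lines copied from the two dig outputs quoted in the message above.
A_OUTPUT = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 13833
;; flags: qr aa; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 0
"""
AAAA_OUTPUT = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 5071
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
"""

STATUS_RE = re.compile(r"status: (\w+), id: (\d+)")
FLAGS_RE = re.compile(
    r"flags: ([a-z ]*); QUERY: (\d+), ANSWER: (\d+), AUTHORITY: (\d+)")

def parse_dig_header(text):
    """Extract rcode, flag set and section counts from dig's text output."""
    status = STATUS_RE.search(text)
    flags = FLAGS_RE.search(text)
    if not status or not flags:
        raise ValueError("no dig header found")
    return {
        "rcode": status.group(1),
        "flags": set(flags.group(1).split()),
        "answer": int(flags.group(3)),
        "authority": int(flags.group(4)),
    }

def compare_a_and_aaaa(a_text, aaaa_text):
    """Return findings on how one server answered A vs AAAA for a name."""
    a, aaaa = parse_dig_header(a_text), parse_dig_header(aaaa_text)
    findings = []
    if aaaa["rcode"] != "NOERROR":
        findings.append("AAAA query returned " + aaaa["rcode"])
    elif aaaa["answer"] == 0 and aaaa["authority"] > 0:
        findings.append("AAAA: empty answer with authority record(s)")
    if "aa" in a["flags"] and "aa" not in aaaa["flags"]:
        findings.append("aa set on A response but missing on AAAA response")
    if "ra" in (aaaa["flags"] - a["flags"]):
        findings.append("ra set only on AAAA response")
    return findings

if __name__ == "__main__":
    for finding in compare_a_and_aaaa(A_OUTPUT, AAAA_OUTPUT):
        print(finding)
```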

