
Re: Nameserver update



Hi Martin,

actually you could just follow the advice on dnsstuff.com to resolve
at least the red issues...

Let's start with the simplest one:
I) TTL of SOA is much too short!
My SOA looks like this:
        origin = dns.substring.ch
        mail addr = noc.substring.ch
        serial = 2007060701
        refresh = 21600
        retry = 3600
        expire = 604800
        minimum = 86400


II) For all the mailing related stuff you should make sure that your MX
names are the same as what the IP resolves to and vice versa.
Another problem is that mx.openforce.com resolves to 62.99.149.109 and
is claiming to be openforce.com (HELO), but openforce.com resolves to
62.99.149.107.
62.99.149.107 resolves to 62-99-149-107.ifo.net. A well configured MTA
doesn't like this...
You should configure your MTA to answer with mx.openforce.com in its
greeting sequence.

III) Then there is some contradiction in your NS' answers.
ns10.openforce.com is claiming there are 3 NS, but the others say there
are only two:
develop@schlunze:~$ nslookup - ns10.openforce.com
> set type=NS
> openforce.com
Server:         ns10.openforce.com
Address:        81.223.107.117#53

openforce.com   nameserver = ns34.ifo.net.
openforce.com   nameserver = ns24.ifo.net.
openforce.com   nameserver = ns10.openforce.com.
> exit

develop@schlunze:~$ nslookup - ns34.ifo.net
> set type=ns
> openforce.com
Server:         ns34.ifo.net
Address:        217.29.159.131#53

openforce.com   nameserver = ns10.openforce.com.
openforce.com   nameserver = ns24.ifo.net.
> exit

develop@schlunze:~$ nslookup - ns24.ifo.net
> set type=ns
> openforce.com
Server:         ns24.ifo.net
Address:        217.29.159.135#53

openforce.com   nameserver = ns10.openforce.com.
openforce.com   nameserver = ns24.ifo.net.
>

IV) ns24.ifo.net is an "Open DNS server". It can be queried for domains
which it's not authoritative for:
develop@schlunze:~$ nslookup - ns24.ifo.net
> substring.ch
Server:         ns24.ifo.net
Address:        217.29.159.135#53

Non-authoritative answer:
Name:   substring.ch
Address: 80.242.134.171

V) "Mismatched glue":
If this is not a caching/TTL issue, it's really a bad thing. The root
server says ns10.openforce.com is at 62.99.149.110, but your NS says
it's at 81.223.107.117.
Your domain's registrar should update the root record:

develop@schlunze:~$ nslookup - i.gtld-servers.net
> set type=ns
> openforce.com
Server:         i.gtld-servers.net
Address:        192.43.172.30#53

Non-authoritative answer:
openforce.com   nameserver = ns10.openforce.com.
openforce.com   nameserver = ns34.ifo.net.

Authoritative answers can be found from:
ns10.openforce.com      internet address = 62.99.149.110
ns34.ifo.net    internet address = 217.29.159.131
> exit
develop@schlunze:~$ nslookup ns10.openforce.com
Server:         192.168.1.1
Address:        192.168.1.1#53

Non-authoritative answer:
Name:   ns10.openforce.com
Address: 81.223.107.117

Bye,
Till

Martin Marcher wrote:
> Note to self: get rid of gmail and its inability to handle mailing
> lists....
>
>> Hi Martin,
>>
>> actually this is not a debian related question...
>
> i do know but here is where the experts live :)
>
> however, i'd post to the appropriate list but i don't know where i
> should go, since it's not directly related to any software nor to any
> OS.
>
> details below, long story short: Is it normal that when I change the
> IP of my nameserver the parent nameservers aren't updated immediately
> (after my zone expires)?
>
>> If you post your zone file and tell us what version, ip etc. your server
>> is using, we could help you a little bit more...
>
> using powerdns with ldap backend here and all is set up fine to my
> knowledge, i'll put out the dig responses.
>
> So here's the story, we had our nameserver at (using bind syntax,
> typing here so forgive me typos but be assured that it _was_ fine)
>
> @ IN NS ns10.openforce.com.
> ns10 IN A 62.99.149.110
>
> i told our provider the IP will change and now it _should_ point to
> the a record below like this
>
> @ IN NS ns10.openforce.com.
> ns10 IN A 81.223.107.117
>
> so all that changes is the IP, the hostname is still the same (could
> that be the problem?)
>
> com servers still report that
>
> ns10.openforce.com.     172800  IN      A       62.99.149.110 ;;
> actual dig output from com. servers
>
> but they should report
>
> ns10.openforce.com.     3600    IN      A       81.223.107.117 ;;
> actual dig output from my nameserver
>
> the update was on 2007-06-27 0900h GMT+1 so the question is: Can I
> relax, sit back and wait until the com. nameservers catch up with the
> changes or did something go horribly wrong?
>
> dig info is below:
>
> My old nameserver (bind9 actually, split views, querying the public
> view of course, fine apart from that I set ns10 to point to the ip of
> the new nameserver, and i reflect the serial number from the new
> nameserver):
> ~ $ dig @62.99.149.110 openforce.com SOA
> openforce.com.          1800    IN      SOA     ns10.openforce.com.
> noc.openforce.com. 1182932271 1800 900 3600 900
> openforce.com.          1800    IN      NS      ns10.openforce.com.
> openforce.com.          1800    IN      NS      ns34.ifo.net.
> ns10.openforce.com.     1800    IN      A       81.223.107.117
> ;; Received 132 bytes from 62.99.149.110#53(62.99.149.110) in 21 ms
>
> My new nameserver (added the ns34 since debugging our provider showed
> that regardless of what they tell me ns24 and ns34 reflect the same
> information, ns34 will probably be removed, but the parent servers say
> ns34 is responsible but I never had it in my zone up to the point
> where I told them that my nameserver's IP changed):
> ~ $ dig @81.223.107.117 openforce.com SOA
> openforce.com.          3600    IN      SOA     ns10.openforce.com.
> noc.openforce.com. 1182950545 1800 900 3600 900
> ;; Received 89 bytes from 81.223.107.117#53(81.223.107.117) in 66 ms
>
> ~ $ dig @81.223.107.117 openforce.com NS
> openforce.com.          3600    IN      NS      ns24.ifo.net.
> openforce.com.          3600    IN      NS      ns10.openforce.com.
> openforce.com.          3600    IN      NS      ns34.ifo.net.
> ns10.openforce.com.     3600    IN      A       81.223.107.117
> ;; Received 111 bytes from 81.223.107.117#53(81.223.107.117) in 27 ms
>
> My DNS provider's nameserver:
> ~ $ dig @ns24.ifo.net openforce.com SOA
> openforce.com.          3600    IN      SOA     ns10.openforce.com.
> noc.openforce.com. 1182932271 1800 900 3600 900
> openforce.com.          3600    IN      NS      ns10.openforce.com.
> openforce.com.          3600    IN      NS      ns24.ifo.net.
> ns10.openforce.com.     3600    IN      A       81.223.107.117
> ns24.ifo.net.           7200    IN      A       217.29.159.135
> ;; Received 148 bytes from 217.29.159.135#53(217.29.159.135) in 58 ms
>
> ~ $ dig @ns34.ifo.net openforce.com SOA
> openforce.com.          3600    IN      SOA     ns10.openforce.com.
> noc.openforce.com. 1182932271 1800 900 3600 900
> openforce.com.          3600    IN      NS      ns10.openforce.com.
> openforce.com.          3600    IN      NS      ns24.ifo.net.
> ns10.openforce.com.     3600    IN      A       81.223.107.117
> ns24.ifo.net.           7200    IN      A       217.29.159.135
> ;; Received 148 bytes from 217.29.159.131#53(217.29.159.131) in 37 ms
>
> The com Nameservers say this:
> providing only the first output here since all report the same
> ~ $ for i in $(dig com NS|egrep '^com\.'|awk '{print $5}');do dig @$i openforce.com NS;done
> openforce.com.          172800  IN      NS      ns10.openforce.com.
> openforce.com.          172800  IN      NS      ns34.ifo.net.
> ns10.openforce.com.     172800  IN      A       62.99.149.110
> ns34.ifo.net.           172800  IN      A       217.29.159.131
> ;; Received 108 bytes from 192.52.178.30#53(192.52.178.30) in 53 ms
>
> thanks
> martin
>
> On 6/27/07, Till Wimmer <t.wimmer@tonarchiv.ch> wrote:
>> Hi Martin,
>>
>> actually this is not a debian related question...
>>
>> If you post your zone file and tell us what version, ip etc. your server
>> is using, we could help you a little bit more...
>>
>> bye
>> Till
>>
>> Martin Marcher wrote:
>> > hello,
>> >
>> > i needed to update our nameserver, now maintaining my own nameserver
>> > is fine but I don't know what procedure to follow if i need to point
>> > our ns a new IP. Having blindly trusted our dns provider to tell me
>> > about eventualities i just told them to update the ip address for the
>> > nameserver and tell me about possible problems. what can i say he told
>> > me everything is fine and now dnsreport.com tells me about mismatched
>> > glue for our nameservers
>> >
>> > http://www.dnsstuff.com/tools/dnsreport.ch?%26domain%3Dopenforce.com
>> >
>> > Do I just have to wait for the parent servers until propagation is
>> > finished or did something go horribly wrong?
>> >
>> > thanks
>> > martin
>> >
>> >
>>
>>
>
>
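
The comparison made by hand in points III and V above, as an added example that is not part of the original mail: it checks each server's NS set and its A record for the nameserver against what the parent zone hands out. The names ZONE, PARENT, IFO, CHILDREN, parse and audit are chosen for this example; the records are the ones from the dig output quoted in the thread.

```python
# Added example: audit delegation data from saved dig answers, no network access.
# Records copied from the dig output quoted in this thread (SOA lines omitted; ns24/ns34 answers were identical).
ZONE = "openforce.com."
PARENT = """
openforce.com.      172800 IN NS ns10.openforce.com.
openforce.com.      172800 IN NS ns34.ifo.net.
ns10.openforce.com. 172800 IN A  62.99.149.110
ns34.ifo.net.       172800 IN A  217.29.159.131
"""
IFO = """
openforce.com.      3600 IN NS ns10.openforce.com.
openforce.com.      3600 IN NS ns24.ifo.net.
ns10.openforce.com. 3600 IN A  81.223.107.117
ns24.ifo.net.       7200 IN A  217.29.159.135
"""
CHILDREN = {"81.223.107.117": """
openforce.com.      3600 IN NS ns24.ifo.net.
openforce.com.      3600 IN NS ns10.openforce.com.
openforce.com.      3600 IN NS ns34.ifo.net.
ns10.openforce.com. 3600 IN A  81.223.107.117
""", "ns24.ifo.net": IFO, "ns34.ifo.net": IFO}

def parse(text):
    """Return (NS names for ZONE, {host: set of A addresses}) from dig-style lines."""
    ns, addrs = set(), {}
    for fields in (line.split() for line in text.splitlines()):
        if len(fields) != 5 or fields[2] != "IN":
            continue  # skip blank lines and anything that is not a simple record
        name, rtype, rdata = fields[0].lower(), fields[3], fields[4].lower()
        if rtype == "NS" and name == ZONE:
            ns.add(rdata)
        elif rtype == "A":
            addrs.setdefault(name, set()).add(rdata)
    return ns, addrs

def audit(parent_text, children):
    """Compare each child server's NS set and A records with the parent's delegation."""
    p_ns, p_glue = parse(parent_text)
    findings = []
    for server in sorted(children):
        c_ns, c_addrs = parse(children[server])
        if c_ns != p_ns:  # report the names present on one side only
            findings.append(("ns-mismatch", server, sorted(c_ns ^ p_ns)))
        for host in sorted(p_glue.keys() & c_addrs.keys()):
            if p_glue[host] != c_addrs[host]:  # parent glue differs from zone data
                findings.append(("glue-mismatch", server, host))
    return findings

if __name__ == "__main__":
    print(*audit(PARENT, CHILDREN), sep="\n")
```

An empty result means the parent's delegation and every authoritative server agree; fresh input can be saved with dig +norec against each server.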


