[TriLUG] Ugh... More DNS questions
Brian Henning via TriLUG
trilug at trilug.org
Thu Aug 20 14:56:34 EDT 2015
Some day I will really understand DNS. That day has not yet arrived.
SO... in the midst of moving my DNS authority from 1and1 to he.net, my domain is currently unresolvable. Nobody except 1and1 ever responds with anything, and 1and1 still says it's a CNAME. But when I do a dig +trace, the delegation appears correct. Here's what I see (with some trimming):
First, if I ask 1and1 directly (aside: I do not know why it still answers with a CNAME; I changed the configuration over 4 hours ago):
$ dig undecidedgames.net @ns52.1and1.com
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 6524
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;undecidedgames.net. IN A
;; ANSWER SECTION:
undecidedgames.net. 3600 IN CNAME cheetah.dynip.com.
If I ask my default resolver (which happens to be dnsmasq on localhost):
$ dig undecidedgames.net
; <<>> DiG 9.3.6-P1-RedHat-9.3.6-20.P1.el5_8.6 <<>> undecidedgames.net
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 36356
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;undecidedgames.net. IN A
The same result happens if I ask any of the other nameservers I happen to know. But then, if I do a +trace, I get this (trimmed for length):
$ dig +trace undecidedgames.net
; <<>> DiG 9.3.6-P1-RedHat-9.3.6-20.P1.el5_8.6 <<>> +trace undecidedgames.net
;; global options: printcmd
. 11167 IN NS b.root-servers.net.
(...)
;; Received 228 bytes from 127.0.0.1#53(127.0.0.1) in 24 ms
net. 172800 IN NS k.gtld-servers.net.
(...)
;; Received 493 bytes from 2001:500:84::b#53(b.root-servers.net) in 82 ms
undecidedgames.net. 172800 IN NS ns1.he.net.
undecidedgames.net. 172800 IN NS ns2.he.net.
undecidedgames.net. 172800 IN NS ns3.he.net.
undecidedgames.net. 172800 IN NS ns4.he.net.
;; Received 259 bytes from 192.52.178.30#53(k.gtld-servers.net) in 113 ms
;; Received 36 bytes from 216.218.130.2#53(ns1.he.net) in 30 ms
HE has explained that their nameserver won't respond until the delegation is complete as a security measure, and I know that a trace is a special kind of DNS operation that doesn't happen for ordinary lookups. But given that the trace does show what looks to be correct delegation, what's the missing piece? Why doesn't HE think delegation is complete? Why doesn't an nslookup -type=ns return anything unless I point it at a gtld-server directly?
$ nslookup -type=ns undecidedgames.net
Server: 127.0.0.1
Address: 127.0.0.1#53
Non-authoritative answer:
*** Can't find undecidedgames.net: No answer
Authoritative answers can be found from:
...versus...
$ nslookup -type=ns undecidedgames.net h.gtld-servers.net
Server: h.gtld-servers.net
Address: 192.54.112.30#53
Non-authoritative answer:
*** Can't find undecidedgames.net: No answer
Authoritative answers can be found from:
undecidedgames.net nameserver = ns1.he.net.
undecidedgames.net nameserver = ns2.he.net.
undecidedgames.net nameserver = ns3.he.net.
undecidedgames.net nameserver = ns4.he.net.
ns1.he.net internet address = 216.218.130.2
ns2.he.net has AAAA address 2001:470:200::2
ns2.he.net internet address = 216.218.131.2
ns3.he.net has AAAA address 2001:470:300::2
ns3.he.net internet address = 216.218.132.2
ns4.he.net has AAAA address 2001:470:400::2
ns4.he.net internet address = 216.66.1.2
Oh, and the ICANN whois database is showing the correct nameserver info too, so that's not it.
So if he.net still thinks undecidedgames.net is a CNAME, why doesn't anyone else? Whom are they asking for that information? Nothing at large still points to 1and1 except 1and1 themselves. If I try to point my browser at undecidedgames.net, I get an unresolvable hostname error.
I'm sure it's something simple, but I sure feel pretty ignorant at the moment.
Thanks,
-Brian
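An added example, not part of the original post: a small Python reader for the header and flags lines of the dig output quoted above, showing how the response from ns52.1and1.com (aa flag set, ANSWER: 1) differs from the local resolver's response (no aa, ANSWER: 0). The function names parse_dig and classify and the category labels are assumptions made for this illustration.

```python
import re

# Header and flags lines in the form dig prints them (as in the post's output).
HEADER_RE = re.compile(r"opcode: (\w+), status: (\w+), id: (\d+)")
FLAGS_RE = re.compile(
    r"flags: ([a-z ]*); QUERY: (\d+), ANSWER: (\d+), "
    r"AUTHORITY: (\d+), ADDITIONAL: (\d+)"
)

def parse_dig(text):
    """Extract status, flags and section counts from one dig response."""
    header = HEADER_RE.search(text)
    flags = FLAGS_RE.search(text)
    if not header or not flags:
        raise ValueError("no dig header found")
    return {
        "status": header.group(2),
        "flags": set(flags.group(1).split()),
        "answer": int(flags.group(3)),
        "authority": int(flags.group(4)),
    }

def classify(text):
    """Name the kind of response using only the header fields (labels are illustrative)."""
    r = parse_dig(text)
    if r["status"] != "NOERROR":
        return r["status"].lower()
    if r["answer"] > 0:
        return "authoritative answer" if "aa" in r["flags"] else "cached or recursive answer"
    if r["authority"] > 0 and "aa" not in r["flags"]:
        return "referral"  # delegation: NS records in AUTHORITY, server not authoritative
    return "empty response (NOERROR, no records)"

# Header lines copied from the two dig runs in the post.
FROM_1AND1 = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 6524
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
"""
FROM_DNSMASQ = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 36356
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
"""

if __name__ == "__main__":
    for name, text in (("ns52.1and1.com", FROM_1AND1), ("local resolver", FROM_DNSMASQ)):
        print(name, "->", classify(text))
```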