Stefan Schmidt wrote:
On Thu, Apr 26, 2007 at 10:06:32AM +0100, Randy Bush wrote:
roam.psg.com:/usr/home/randy> doc -p -w www.cnn.com.
Doc-2.2.3: doc -p -w www.cnn.com.
Doc-2.2.3: Starting test of www.cnn.com. parent is cnn.com.
Doc-2.2.3: Test date - Thu Apr 26 09:04:52 GMT 2007
DIGERR (NOT_AUTHORIZED): dig @dmtns01.turner.com. for SOA of www.cnn.com. failed
DIGERR (NOT_AUTHORIZED): dig @dmtns02.turner.com. for SOA of www.cnn.com. failed
I think your debugging tool is faulty, as a dig ns cnn.com [..]
All of the above answer to me and have the same serial for cnn.com.
Randy is looking at www.cnn.com (note the www portion) and if you would do a 'dig +trace www.cnn.com' you would see:

www.cnn.com. 3600 IN NS dmtns01.turner.com.
www.cnn.com. 3600 IN NS dmtns02.turner.com.
;; Received 112 bytes from 207.200.73.85#53(twdns-03.ns.aol.com) in 176 ms

www.cnn.com. 600 IN A 64.236.16.20
[..9 ip's..]
;; Received 157 bytes from 64.236.22.150#53(dmtns02.turner.com) in 100 ms

And dmtns0{1|2}.turner.com. don't have a SOA for www.cnn.com although they are authoritative. They only respond to queries for "A". Fortunately they do respond for "AAAA" queries, 0 records result, but it doesn't break. They do simply drop queries asking for SOA, MX, TXT and prolly others.

Aka just another peeped up "DNS loadbalancer" for which the implementers didn't read the RFCs or where the configurators decided that they can ignore other stuff for "anti-ddos" or other reasons.

Greets,
Jeroen
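An added example, not part of the original thread: a per-record-type probe that separates a proper empty answer (NODATA) from a query that is silently dropped, which is the distinction the message above draws between AAAA and SOA/MX/TXT. The function names, the fixed transaction ID and the sample replies are constructed for illustration; only the A record address is taken from the trace above.

```python
import socket
import struct

QTYPES = {"A": 1, "SOA": 6, "MX": 15, "TXT": 16, "AAAA": 28}
TXID = 0x1234  # fixed transaction ID, acceptable for a one-off diagnostic

def build_query(name, qtype):
    """Encode a non-recursive DNS query (RFC 1035 section 4.1)."""
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return struct.pack("!6H", TXID, 0, 1, 0, 0, 0) + qname + struct.pack("!2H", QTYPES[qtype], 1)

def probe(server, name, qtype, timeout=3.0):
    """Send one UDP query; None means nothing came back before the timeout."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name, qtype), (server, 53))
        try:
            return s.recvfrom(4096)[0]
        except socket.timeout:
            return None

def classify(reply):
    """Map a raw reply (or None) to ANSWER, NODATA, an RCODE label, or DROPPED."""
    if reply is None:
        return "DROPPED"
    if len(reply) < 12:
        return "MALFORMED"
    rid, flags, _qd, ancount, _ns, _ar = struct.unpack("!6H", reply[:12])
    if rid != TXID or not flags & 0x8000:  # wrong ID or QR bit not set
        return "MALFORMED"
    rcode = flags & 0x000F
    if rcode:
        return {2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}.get(rcode, f"RCODE{rcode}")
    return "ANSWER" if ancount else "NODATA"

def audit(replies):
    """replies: {qtype: bytes or None}. Returns (verdicts, qtypes silently dropped)."""
    verdicts = {q: classify(r) for q, r in replies.items()}
    return verdicts, sorted(q for q, v in verdicts.items() if v == "DROPPED")

def fake_reply(qtype, answers=b"", ancount=0):
    """Constructed reply: echo the question with QR and AA set (flags 0x8400)."""
    q = build_query("www.cnn.com", qtype)
    return q[:2] + struct.pack("!5H", 0x8400, 1, ancount, 0, 0) + q[12:] + answers

# Constructed sample mirroring the behaviour described in the message above.
A_RR = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 600, 4) + bytes([64, 236, 16, 20])
SAMPLE = {"A": fake_reply("A", A_RR, 1), "AAAA": fake_reply("AAAA"),
          "SOA": None, "MX": None, "TXT": None}
```

To run it against a live server, build the input with `{q: probe(server_ip, name, q) for q in QTYPES}` and pass that to `audit`.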