Anyone else noticing an increase in .mil nameserver problems today? Our resolvers aren't able to find NS info for various .mil domains such as pacom.mil and usfj.mil. % dig +trace pacom.mil ; <<>> DiG 9.5.0-P1 <<>> +trace pacom.mil ;; global options: printcmd . 491372 IN NS E.ROOT-SERVERS.NET. . 491372 IN NS F.ROOT-SERVERS.NET. . 491372 IN NS G.ROOT-SERVERS.NET. . 491372 IN NS H.ROOT-SERVERS.NET. . 491372 IN NS I.ROOT-SERVERS.NET. . 491372 IN NS J.ROOT-SERVERS.NET. . 491372 IN NS K.ROOT-SERVERS.NET. . 491372 IN NS L.ROOT-SERVERS.NET. . 491372 IN NS M.ROOT-SERVERS.NET. . 491372 IN NS A.ROOT-SERVERS.NET. . 491372 IN NS B.ROOT-SERVERS.NET. . 491372 IN NS C.ROOT-SERVERS.NET. . 491372 IN NS D.ROOT-SERVERS.NET. ;; Received 500 bytes from 64.65.64.1#53(64.65.64.1) in 4 ms mil. 172800 IN NS con1.nipr.mil. mil. 172800 IN NS con2.nipr.mil. mil. 172800 IN NS eur1.nipr.mil. mil. 172800 IN NS eur2.nipr.mil. mil. 172800 IN NS pac1.nipr.mil. mil. 172800 IN NS pac2.nipr.mil. ;; Received 245 bytes from 199.7.83.42#53(L.ROOT-SERVERS.NET) in 198 ms pacom.mil. 86400 IN NS DNS2.pacom.mil. pacom.mil. 86400 IN NS DNS1.pacom.mil. pacom.mil. 86400 IN NS NS01.USFJ.mil. ;; Received 137 bytes from 199.252.154.234#53(eur1.nipr.mil) in 234 ms dig: couldn't get address for 'NS01.USFJ.mil': not found Antonio Querubin 808-545-5282 x3003 e-mail/xmpp: tony@lava.net
On Tue, Feb 16, 2010 at 6:55 PM, Antonio Querubin <tony@lava.net> wrote:
Anyone else noticing an increase in .mil nameserver problems today? Our resolvers aren't able to find NS info for various .mil domains such as pacom.mil and usfj.mil.
% dig +trace pacom.mil
Actually, a number of the .mil zones are exceptionally broken, and pacom.mil is no exception. :-) The .mil TLD servers seem to have loaded the entire zones and are serving borked zones as a result. For example, ask the TLD about www.pacom.mil: $ dig @PAC1.NIPR.mil. www.pacom.mil ; <<>> DiG 9.4.3-P3 <<>> @PAC1.NIPR.mil. www.pacom.mil ; (1 server found) ;; global options: printcmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 35118 ;; flags: qr rd ra; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 0 ;; QUESTION SECTION: ;www.pacom.mil. IN A ;; ANSWER SECTION: www.pacom.mil. 1722 IN CNAME www.pacom.mil.edgesuite.net. www.pacom.mil.edgesuite.net. 401 IN CNAME a1112.g.akamai.net. a1112.g.akamai.net. 20 IN A 209.107.205.160 a1112.g.akamai.net. 20 IN A 209.107.205.88 ;; Query time: 234 msec ;; SERVER: 199.252.180.234#53(199.252.180.234) ;; WHEN: Tue Feb 16 19:14:13 2010 ;; MSG SIZE rcvd: 133 And if you ask for an NS record for pacom.mil, it'll give you that, but without an additional section despite having the answers, because it thinks it is the authoritative for that zone (I'm guessing that explains the behavior but don't know their software). -David
In message <589775371002161915h513bd247wcc4776856ed4487a@mail.gmail.com>, David Ulevitch writes:
On Tue, Feb 16, 2010 at 6:55 PM, Antonio Querubin <tony@lava.net> wrote:
Anyone else noticing an increase in .mil nameserver problems today? Our resolvers aren't able to find NS info for various .mil domains such as pacom.mil and usfj.mil.
% dig +trace pacom.mil
Actually, a number of the .mil zones are exceptionally broken, and pacom.mil is no exception. :-)
The .mil TLD servers seem to have loaded the entire zones and are serving borked zones as a result. For example, ask the TLD about www.pacom.mil:
No. Just a failure to seperate authoritative and recursive functionality. You can workout how many servers there are by looking at the TTL decays.
$ dig @PAC1.NIPR.mil. www.pacom.mil
; <<>> DiG 9.4.3-P3 <<>> @PAC1.NIPR.mil. www.pacom.mil ; (1 server found) ;; global options: printcmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 35118 ;; flags: qr rd ra; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION: ;www.pacom.mil. IN A
;; ANSWER SECTION: www.pacom.mil. 1722 IN CNAME www.pacom.mil.edgesuite .net. www.pacom.mil.edgesuite.net. 401 IN CNAME a1112.g.akamai.net. a1112.g.akamai.net. 20 IN A 209.107.205.160 a1112.g.akamai.net. 20 IN A 209.107.205.88
;; Query time: 234 msec ;; SERVER: 199.252.180.234#53(199.252.180.234) ;; WHEN: Tue Feb 16 19:14:13 2010 ;; MSG SIZE rcvd: 133
And if you ask for an NS record for pacom.mil, it'll give you that, but without an additional section despite having the answers, because it thinks it is the authoritative for that zone (I'm guessing that explains the behavior but don't know their software).
-David
-- Mark Andrews, ISC 1 Seymour St., Dundas Valley, NSW 2117, Australia PHONE: +61 2 9871 4742 INTERNET: marka@isc.org
participants (3)
-
Antonio Querubin -
David Ulevitch -
Mark Andrews