On Thu, Apr 26, 2007 at 10:06:32AM +0100, Randy Bush wrote:
roam.psg.com:/usr/home/randy> doc -p -w www.cnn.com.
Doc-2.2.3: doc -p -w www.cnn.com.
Doc-2.2.3: Starting test of www.cnn.com. parent is cnn.com.
Doc-2.2.3: Test date - Thu Apr 26 09:04:52 GMT 2007
DIGERR (NOT_AUTHORIZED): dig @dmtns01.turner.com. for SOA of www.cnn.com. failed
DIGERR (NOT_AUTHORIZED): dig @dmtns02.turner.com. for SOA of www.cnn.com. failed
I think your debugging tool is faulty, as a dig ns cnn.com @a.gtld-servers.net gives:

cnn.com. 172800 IN NS twdns-01.ns.aol.com.
cnn.com. 172800 IN NS twdns-02.ns.aol.com.
cnn.com. 172800 IN NS twdns-03.ns.aol.com.
cnn.com. 172800 IN NS twdns-04.ns.aol.com.
twdns-01.ns.aol.com. 172800 IN A 149.174.213.151
twdns-02.ns.aol.com. 172800 IN A 152.163.239.216
twdns-03.ns.aol.com. 172800 IN A 207.200.73.85
twdns-04.ns.aol.com. 172800 IN A 64.12.147.120

All of the above answer to me and have the same serial for cnn.com.

I guess your tool probably asks a faulty caching nameserver for the NS records of cnn.com - there are several misguided implementations that cache for a longer period than the TTL of the record states.

Having said that and being a hostmaster for a large German broadband ISP I am indeed quite thankful for Microsoft ignoring low TTLs in most Windows XP installations, especially as today's drones do not seem to care about asking proper IN MX questions. ;-)

Stefan

--
My software never has bugs. It just develops random features.
well, close but i think not

randy

---

Doc-2.2.3: doc www.cnn.com.
Doc-2.2.3: Starting test of www.cnn.com. parent is cnn.com.
Doc-2.2.3: Test date - Thu Apr 26 10:03:12 WAT 2007
soa @twdns-01.ns.aol.com. for cnn.com. has serial: 2007042001
soa @twdns-02.ns.aol.com. for cnn.com. has serial: 2007042001
soa @twdns-03.ns.aol.com. for cnn.com. has serial: 2007042001
soa @twdns-04.ns.aol.com. for cnn.com. has serial: 2007042001
SOA serial #'s agree for cnn.com. domain
Found 2 NS and 2 glue records for www.cnn.com. @twdns-01.ns.aol.com. (non-AUTH)
Found 2 NS and 2 glue records for www.cnn.com. @twdns-02.ns.aol.com. (non-AUTH)
Found 2 NS and 2 glue records for www.cnn.com. @twdns-03.ns.aol.com. (non-AUTH)
Found 2 NS and 2 glue records for www.cnn.com. @twdns-04.ns.aol.com. (non-AUTH)
DNServers for cnn.com.
  === 0 were also authoritatve for www.cnn.com.
  === 4 were non-authoritative for www.cnn.com.
Servers for cnn.com. (not also authoritative for www.cnn.com.)
  === agree on NS records for www.cnn.com.
NS list summary for www.cnn.com. from parent (cnn.com.) servers
  == dmtns01.turner.com. dmtns02.turner.com.
DIGERR (NOT_AUTHORIZED): dig @dmtns01.turner.com. for SOA of www.cnn.com. failed
DIGERR (NOT_AUTHORIZED): dig @dmtns02.turner.com. for SOA of www.cnn.com. failed
SYSerr: No servers for www.cnn.com. returned SOAs ...
Summary:
  YIKES: doc aborted while testing www.cnn.com. parent cnn.com.
  Incomplete test for www.cnn.com. (3)
Done testing www.cnn.com. Thu Apr 26 10:03:46 WAT 2007

######## Query Log ########

## Nameservers for cnn.com. (dig ns cnn.com.):
twdns-01.ns.aol.com. twdns-02.ns.aol.com. twdns-03.ns.aol.com. twdns-04.ns.aol.com.
===================
## SOA record for cnn.com. domain from nameserver twdns-01.ns.aol.com.
;; got answer:
;; ->>header<<- opcode: query, status: noerror, id: 13871
;; flags: qr aa; query: 1, answer: 1, authority: 4, additional: 0
;; answer section:
cnn.com. 3600 in soa twdns-01.ns.aol.com. hostmaster.tbsnames.turner.com. 2007042001 900 300 604801 900
===================
## Version.bind for nameserver twdns-01.ns.aol.com. (cnn.com.)
;; got answer:
;; ->>header<<- opcode: query, status: noerror, id: 12357
;; flags: qr aa; query: 1, answer: 1, authority: 1, additional: 0
;; answer section:
version.bind. 0 ch txt "contact dns-eng@aol.net for version information."
===================
## SOA record for cnn.com. domain from nameserver twdns-02.ns.aol.com.
;; got answer:
;; ->>header<<- opcode: query, status: noerror, id: 7435
;; flags: qr aa; query: 1, answer: 1, authority: 4, additional: 0
;; answer section:
cnn.com. 3600 in soa twdns-01.ns.aol.com. hostmaster.tbsnames.turner.com. 2007042001 900 300 604801 900
===================
## Version.bind for nameserver twdns-02.ns.aol.com. (cnn.com.)
;; got answer:
;; ->>header<<- opcode: query, status: noerror, id: 5116
;; flags: qr aa; query: 1, answer: 1, authority: 1, additional: 0
;; answer section:
version.bind. 0 ch txt "contact dns-eng@aol.net for version information."
===================
## SOA record for cnn.com. domain from nameserver twdns-03.ns.aol.com.
;; got answer:
;; ->>header<<- opcode: query, status: noerror, id: 32380
;; flags: qr aa; query: 1, answer: 1, authority: 4, additional: 0
;; answer section:
cnn.com. 3600 in soa twdns-01.ns.aol.com. hostmaster.tbsnames.turner.com. 2007042001 900 300 604801 900
===================
## Version.bind for nameserver twdns-03.ns.aol.com. (cnn.com.)
;; got answer:
;; ->>header<<- opcode: query, status: noerror, id: 1759
;; flags: qr aa; query: 1, answer: 1, authority: 1, additional: 0
;; answer section:
version.bind. 0 ch txt "contact dns-eng@aol.net for version information."
===================
## SOA record for cnn.com. domain from nameserver twdns-04.ns.aol.com.
;; got answer:
;; ->>header<<- opcode: query, status: noerror, id: 20690
;; flags: qr aa; query: 1, answer: 1, authority: 4, additional: 0
;; answer section:
cnn.com. 3600 in soa twdns-01.ns.aol.com. hostmaster.tbsnames.turner.com. 2007042001 900 300 604801 900
===================
## Version.bind for nameserver twdns-04.ns.aol.com. (cnn.com.)
;; got answer:
;; ->>header<<- opcode: query, status: noerror, id: 16062
;; flags: qr aa; query: 1, answer: 1, authority: 1, additional: 0
;; answer section:
version.bind. 0 ch txt "contact dns-eng@aol.net for version information."
===================
## NS records for www.cnn.com. domain from nameserver twdns-01.ns.aol.com.
;; got answer:
;; ->>header<<- opcode: query, status: noerror, id: 26769
;; flags: qr; query: 1, answer: 0, authority: 2, additional: 2
;; authority section:
www.cnn.com. 3600 in ns dmtns01.turner.com.
www.cnn.com. 3600 in ns dmtns02.turner.com.
;; additional section:
dmtns01.turner.com. 3608 in a 64.236.29.150
dmtns02.turner.com. 3608 in a 64.236.22.150
===================
## NS records for www.cnn.com. domain from nameserver twdns-02.ns.aol.com.
;; got answer:
;; ->>header<<- opcode: query, status: noerror, id: 60438
;; flags: qr; query: 1, answer: 0, authority: 2, additional: 2
;; authority section:
www.cnn.com. 3600 in ns dmtns02.turner.com.
www.cnn.com. 3600 in ns dmtns01.turner.com.
;; additional section:
dmtns01.turner.com. 3608 in a 64.236.29.150
dmtns02.turner.com. 3608 in a 64.236.22.150
===================
## NS records for www.cnn.com. domain from nameserver twdns-03.ns.aol.com.
;; got answer:
;; ->>header<<- opcode: query, status: noerror, id: 34161
;; flags: qr; query: 1, answer: 0, authority: 2, additional: 2
;; authority section:
www.cnn.com. 3600 in ns dmtns01.turner.com.
www.cnn.com. 3600 in ns dmtns02.turner.com.
;; additional section:
dmtns01.turner.com. 3608 in a 64.236.29.150
dmtns02.turner.com. 3608 in a 64.236.22.150
===================
## NS records for www.cnn.com. domain from nameserver twdns-04.ns.aol.com.
;; got answer:
;; ->>header<<- opcode: query, status: noerror, id: 19402
;; flags: qr; query: 1, answer: 0, authority: 2, additional: 2
;; authority section:
www.cnn.com. 3600 in ns dmtns02.turner.com.
www.cnn.com. 3600 in ns dmtns01.turner.com.
;; additional section:
dmtns01.turner.com. 3608 in a 64.236.29.150
dmtns02.turner.com. 3608 in a 64.236.22.150
===================
On Thursday 26 April 2007 11:32, Stefan Schmidt wrote:
I think your debugging tool is faulty, as a dig ns cnn.com @a.gtld-servers.net gives:
cnn.com is not www.cnn.com ;)

dig @twdns-03.ns.aol.com www.cnn.com ns

Although "doc" is very long in the tooth, at least the last version I was using in anger.

As to what CNN are doing with their DNS, I've no idea, but I don't think it concerns Nanog, unless these nameservers host a lot of important domains ;)
Stefan Schmidt wrote:
On Thu, Apr 26, 2007 at 10:06:32AM +0100, Randy Bush wrote:
roam.psg.com:/usr/home/randy> doc -p -w www.cnn.com.
Doc-2.2.3: doc -p -w www.cnn.com.
Doc-2.2.3: Starting test of www.cnn.com. parent is cnn.com.
Doc-2.2.3: Test date - Thu Apr 26 09:04:52 GMT 2007
DIGERR (NOT_AUTHORIZED): dig @dmtns01.turner.com. for SOA of www.cnn.com. failed
DIGERR (NOT_AUTHORIZED): dig @dmtns02.turner.com. for SOA of www.cnn.com. failed
I think your debugging tool is faulty, as a dig ns cnn.com [..]
All of the above answer to me and have the same serial for cnn.com.
Randy is looking at www.cnn.com (note the www portion) and if you would do a 'dig +trace www.cnn.com' you would see:

www.cnn.com. 3600 IN NS dmtns01.turner.com.
www.cnn.com. 3600 IN NS dmtns02.turner.com.
;; Received 112 bytes from 207.200.73.85#53(twdns-03.ns.aol.com) in 176 ms

www.cnn.com. 600 IN A 64.236.16.20
[..9 ip's..]
;; Received 157 bytes from 64.236.22.150#53(dmtns02.turner.com) in 100 ms

And dmtns0{1|2}.turner.com. don't have a SOA for www.cnn.com although they are authoritative. They only respond to queries for "A". Fortunately they do respond for "AAAA" queries, 0 records result, but it doesn't break. They do simply drop queries asking for SOA,MX,TXT and prolly others.

Aka just another peeped up "DNS loadbalancer" for which the implementers didn't read the RFCs or where the configurators decided that they can ignore other stuff for "anti-ddos" or other reasons.

Greets,
 Jeroen
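Added example, not part of the thread: a probe an operator can run against their own authoritative servers or DNS load balancers to see which query types get an answer, an empty NOERROR, a referral, or silence, which is the distinction the last message draws. The function names, the label strings and the list of probed types are choices made for this example.

```python
import secrets
import socket
import struct
# Query types probed; the thread mentions A, AAAA, SOA, MX and TXT.
QTYPES = {"A": 1, "SOA": 6, "MX": 15, "TXT": 16, "AAAA": 28}

def build_query(name, qtype, qid):
    """Encode a one-question DNS query with RD=0 (we ask the authoritative server itself)."""
    header = struct.pack("!HHHHHH", qid, 0, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)  # class IN

def classify(reply, qid):
    """Map a raw reply (or None on timeout) to a behaviour label from its header only."""
    if reply is None:
        return "DROPPED"
    if len(reply) < 12:
        return "MALFORMED"
    rid, flags, _qd, an, ns, _ar = struct.unpack("!HHHHHH", reply[:12])
    if rid != qid or not flags & 0x8000:      # wrong ID, or QR bit not set
        return "MALFORMED"
    rcode, aa = flags & 0x000F, bool(flags & 0x0400)
    if rcode:
        return "RCODE_%d" % rcode
    if an:
        return "ANSWER" if aa else "ANSWER_NONAUTH"
    if ns:                                    # authority section only
        return "NODATA" if aa else "REFERRAL"
    return "EMPTY_NOERROR"                    # no answer and no SOA for negative caching

def udp_send(server, packet, timeout=3.0):
    """Real transport: one UDP query to port 53, None if nothing comes back."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        try:
            s.sendto(packet, (server, 53))
            return s.recvfrom(4096)[0]
        except socket.timeout:
            return None

def audit(name, server, send=udp_send):
    """Probe every type in QTYPES; return ({type: label}, [types silently dropped])."""
    results = {}
    for label, code in sorted(QTYPES.items()):
        qid = secrets.randbits(16)
        results[label] = classify(send(server, build_query(name, code, qid)), qid)
    dropped = [t for t, r in results.items() if r == "DROPPED"]
    return results, dropped
```

A non-empty `dropped` list for a name the server is delegated for is the condition that made doc abort above; `send` can be replaced with any callable taking `(server, packet)` for offline testing.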
participants (4)
- Jeroen Massar
- Randy Bush
- Simon Waters
- Stefan Schmidt