Wandering Thoughts archives

2008-03-03

How not to set up your DNS (part 18)

We got contacted by a user reporting that he couldn't get mail with an address in kuet.ac.bd; our inbound mail gateway was consistently rejecting the address as temporarily unresolvable. When I started looking into the DNS situation, all sorts of peculiar things started crawling out of the woodwork.

  • in the root zone, the bd country domain has two servers, dns.bd and slave.bttb.net.
  • if you query either of them you get a third server as well, dns.bttb.net.
  • all three nameservers allow recursion.
  • dns.bd returns non-authoritative answers, which is especially fun when it returns a non-authoritative SOA for the bd country domain that lists itself as the primary nameserver.

  • everything except dns.bd knows that the nameserver for the ac.bd subdomain is slave.bttb.net (under a different name).
  • dns.bd returns SERVFAIL when queried for the ac.bd nameservers, much like a slave nameserver without the zone available. It does this even if you make a recursive query for the information.

  • if you directly query any of the three about the nameservers for kuet.ac.bd you'll get the correct answer back. Yes, including from dns.bd.

We're not done yet: once you actually find the two nameservers for kuet.ac.bd, one of them doesn't respond at all. (It's not a simple connectivity failure either, since they have adjacent IP addresses.)

(Going along with the theme so far, the kuet.ac.bd nameserver that answers will also do recursive lookups for you.)

In theory there is a lookup chain that will get you the correct information, but in practice I don't blame our nameservers for throwing up their hands and returning a temporary failure for long enough to time out some email.

sysadmin/HowNotToDoDNSXVIII written at 23:03:56; Add Comment


Page tools: See As Normal.
Search:
Login: Password:
Atom Syndication: Recent Pages, Recent Comments.

This dinky wiki is brought to you by the Insane Hackers Guild, Python sub-branch.