How not to set up your DNS (part 6)

December 10, 2005

Today's illustrative example is about the odd things that can happen if you rename a nameserver without making sure that you tell the people delegating zones to you.

There are four nameservers for ns1, ns2, bay.cs, and (following local practice, I'm dropping the bit a lot). Three of those four (everything except ns1) are also secondaries for all campus subdomains, including the domain

; sdig ns
; sdig a

There is also another machine, mto.jpint. Most of the time, if I asked for its IP address I got Except once or twice, I didn't; I got, ns1.jpint's IP address.

Unfortunately, this nice proper set of NS records was a lie. The lie was exposed by asking for NS information for jpint; it was of the opinion that the right nameserver was mto.jpint, to be found at the IP address

What had happened is that jpint had renamed their primary nameserver; what had been 'mto.jpint' became 'ns1.jpint', and the 'mto.jpint' name was given a new IP address. But no one told the campus nameserver people about this, so the zone carried the old NS data, with the old glue record for mto.jpint with its old IP address.

As secondaries, three out of four of the nameservers then fetched the jpint zone from, and replaced their own idea of the jpint NS records and mto.jpint's IP address with the zone's information. Because it is not a campus secondary, did not, preserving the original info to be handed out when queried.

As you can see, this is really quite hard to notice; the only real sign was the 'blue moon' wrong IP address for mto.jpint. I only really chased this down when I ran the domain through the DNS consistency checker and it picked to pull DNS information from, leading me to wonder just why ns1.jpint was being reported as a 'stealth NS record'.

This isn't a new problem; similar issues (but worse) used to happen in the old InterNIC days. (An explanation of those problems does not fit in the margin of this entry.)

(The jpint situation is in the process of being fixed, so hopefully soon you won't be able to see this for yourself.)

Written on 10 December 2005.
« A surprising hazard of running as root all the time
Weekly spam summary on December 10th, 2005 »

Page tools: View Source, Add Comment.
Login: Password:
Atom Syndication: Recent Comments.

Last modified: Sat Dec 10 01:11:53 2005
This dinky wiki is brought to you by the Insane Hackers Guild, Python sub-branch.