How not to set up your DNS (part 18)

March 3, 2008

We got contacted by a user reporting that he couldn't get mail with an address in; our inbound mail gateway was consistently rejecting the address as temporarily unresolvable. When I started looking into the DNS situation, all sorts of peculiar things started crawling out of the woodwork.

  • in the root zone, the bd country domain has two servers, and
  • if you query either of them you get a third server as well,
  • all three nameservers allow recursion.
  • returns non-authoritative answers, which is especially fun when it returns a non-authoritative SOA for the bd country domain that lists itself as the primary nameserver.

  • everything except knows that the nameserver for the subdomain is (under a different name).
  • returns SERVFAIL when queried for the nameservers, much like a slave nameserver without the zone available. It does this even if you make a recursive query for the information.

  • if you directly query any of the three about the nameservers for you'll get the correct answer back. Yes, including from

We're not done yet: once you actually find the two nameservers for, one of them doesn't respond at all. (It's not a simple connectivity failure either, since they have adjacent IP addresses.)

(Going along with the theme so far, the nameserver that answers will also do recursive lookups for you.)

In theory there is a lookup chain that will get you the correct information, but in practice I don't blame our nameservers for throwing up their hands and returning a temporary failure for long enough to time out some email.
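The symptoms above (recursion offered by authoritative servers, non-authoritative answers for the server's own zone, SERVFAIL from a listed nameserver, and an NS set that differs from the parent's delegation) can all be read off a DNS response header and NS RRset. The following Python is an added example, not the author's code or any tool mentioned here; the server labels `ns-a`/`ns-b`/`ns-c`, the names under `example.`, and the response bytes are all constructed to mimic the post's observations.

```python
import struct

SERVFAIL = 2  # RCODE value for SERVFAIL (RFC 1035)


def parse_header(pkt):
    """Decode the 12-byte DNS header and return the fields the audit needs."""
    if len(pkt) < 12:
        raise ValueError("truncated DNS message")
    ident, flags, qd, an, ns, ar = struct.unpack("!6H", pkt[:12])
    return {
        "id": ident,
        "qr": bool(flags & 0x8000),   # 1 = response
        "aa": bool(flags & 0x0400),   # authoritative answer
        "ra": bool(flags & 0x0080),   # recursion available
        "rcode": flags & 0x000F,
        "ancount": an,
    }


def build_header(ident, aa, ra, rcode=0, ancount=0):
    """Construct a response header (QR=1, RD=1) for the constructed sample below."""
    flags = 0x8000 | 0x0100 | (0x0400 if aa else 0) | (0x0080 if ra else 0) | rcode
    return struct.pack("!6H", ident, flags, 1, ancount, 0, 0)


def audit(delegated_ns, replies):
    """replies: {server: (raw response bytes, frozenset of NS names it returned)}.
    Returns one line per symptom; an empty list means the delegation looks clean."""
    problems = []
    for server, (pkt, ns_names) in sorted(replies.items()):
        h = parse_header(pkt)
        if h["ra"]:
            problems.append(f"{server}: recursion available (RA) on an authoritative server")
        if h["rcode"] == SERVFAIL:
            problems.append(f"{server}: SERVFAIL, like a slave without the zone loaded")
            continue
        if not h["aa"]:
            problems.append(f"{server}: non-authoritative answer (AA clear) for its own zone")
        if ns_names != delegated_ns:
            problems.append(f"{server}: NS set {sorted(ns_names)} != delegation {sorted(delegated_ns)}")
    return problems


def demo():
    """Constructed sample: three hypothetical servers showing the post's symptoms."""
    delegated = frozenset({"ns1.example.", "ns2.example."})
    replies = {
        "ns-a": (build_header(1, aa=True, ra=True, ancount=3), delegated | {"ns3.example."}),
        "ns-b": (build_header(2, aa=False, ra=True, ancount=2), delegated),
        "ns-c": (build_header(3, aa=False, ra=True, rcode=SERVFAIL), frozenset()),
    }
    return audit(delegated, replies)


if __name__ == "__main__":
    print("\n".join(demo()))
```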

Written on 03 March 2008.
Last modified: Mon Mar 3 23:03:56 2008