[Pdns-users] recursor fails on immigration.gov
Ben Beuchler
insyte at gmail.com
Wed Mar 15 01:33:43 UTC 2006
The recursor in pdns-2.9.19 fails to resolve immigration.gov.
Admittedly, immigration.gov is badly hosed:
http://www.dnsreport.com/tools/dnsreport.ch?domain=immigration.gov
tarja:~ ben$ dig immigration.gov @a.gov.zoneedit.com
; <<>> DiG 9.2.2 <<>> immigration.gov @a.gov.zoneedit.com
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 47185
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 3, ADDITIONAL: 2
;; QUESTION SECTION:
;immigration.gov. IN A
;; AUTHORITY SECTION:
immigration.gov. 86400 IN NS AUTH100.NS.UU.NET.
immigration.gov. 86400 IN NS AUTH110.NS.UU.NET.
immigration.gov. 86400 IN NS JUSTICE2.USDOJ.gov.
;; ADDITIONAL SECTION:
JUSTICE2.USDOJ.gov. 86400 IN A 149.101.1.3
JUSTICE2.USDOJ.gov. 86400 IN A 149.101.1.4
;; Query time: 86 msec
;; SERVER: 216.55.155.29#53(a.gov.zoneedit.com)
;; WHEN: Tue Mar 14 19:20:57 2006
;; MSG SIZE rcvd: 147
Two of the listed nameservers for immigration.gov are lame, but
JUSTICE2.USDOJ.gov *does* correctly resolve the domain.
Unfortunately, it has two glue records, the second of which does not
actually exist:
tarja:~ ben$ dig immigration.gov @149.101.1.3
; <<>> DiG 9.2.2 <<>> immigration.gov @149.101.1.3
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 54530
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 2
;; QUESTION SECTION:
;immigration.gov. IN A
;; ANSWER SECTION:
immigration.gov. 600 IN A 149.101.23.15
;; AUTHORITY SECTION:
immigration.gov. 86400 IN NS ns22.usdoj.gov.
immigration.gov. 86400 IN NS justice2.usdoj.gov.
;; ADDITIONAL SECTION:
ns22.usdoj.gov. 3601 IN A 149.101.1.6
justice2.usdoj.gov. 3601 IN A 149.101.1.3
;; Query time: 138 msec
;; SERVER: 149.101.1.3#53(149.101.1.3)
;; WHEN: Tue Mar 14 19:32:23 2006
;; MSG SIZE rcvd: 129
tarja:~ ben$ dig immigration.gov @149.101.1.4
; <<>> DiG 9.2.2 <<>> immigration.gov @149.101.1.4
;; global options: printcmd
;; connection timed out; no servers could be reached
The trace output from pdns-recursor indicates that it accepts both IP
addresses as valid resolvers:
Mar 14 18:55:02 [7] immigration.gov: Resolved 'gov' NS
f.gov.zoneedit.com to 66.197.185.229, asking 'immigration.gov|A'
Mar 14 18:55:02 [7] immigration.gov: Got 5 answers from
f.gov.zoneedit.com (66.197.185.229), rcode=0, in 62ms
Mar 14 18:55:02 [7] immigration.gov: accept answer
'immigration.gov|NS|JUSTICE2.USDOJ.gov.' from 'gov' nameservers? YES!
Mar 14 18:55:02 [7] immigration.gov: accept answer
'immigration.gov|NS|AUTH100.NS.UU.NET.' from 'gov' nameservers? YES!
Mar 14 18:55:02 [7] immigration.gov: accept answer
'immigration.gov|NS|AUTH110.NS.UU.NET.' from 'gov' nameservers? YES!
Mar 14 18:55:02 [7] immigration.gov: accept answer
'JUSTICE2.USDOJ.gov|A|149.101.1.3' from 'gov' nameservers? YES!
Mar 14 18:55:02 [7] immigration.gov: accept answer
'JUSTICE2.USDOJ.gov|A|149.101.1.4' from 'gov' nameservers? YES!
After trying the two lame servers, pdns-recursor gets around to
justice2.usdoj.gov:
Mar 14 18:55:02 [7] immigration.gov: Trying to resolve NS
justice2.usdoj.gov (3/3)
Mar 14 18:55:02 [7] justice2.usdoj.gov: Looking for CNAME cache hit
of 'justice2.usdoj.gov|CNAME'
Mar 14 18:55:02 [7] justice2.usdoj.gov: No CNAME cache hit of
'justice2.usdoj.gov|CNAME' found
Mar 14 18:55:02 [7] justice2.usdoj.gov: Looking for direct cache hit
of 'justice2.usdoj.gov|A', negative cached: 0
Mar 14 18:55:02 [7] justice2.usdoj.gov: Found cache hit for A:
149.101.1.3[ttl=86400] 149.101.1.4[ttl=86400]
Mar 14 18:55:02 [7] immigration.gov: Resolved 'immigration.gov' NS
justice2.usdoj.gov to 149.101.1.4, asking 'immigration.gov|A'
Mar 14 18:55:04 [7] immigration.gov: timeout resolving
Mar 14 18:55:04 [7] immigration.gov: Failed to resolve via any of the
3 offered NS
Mar 14 18:55:04 [7] immigration.gov: failed
From the look of things, pdns-recursor isn't prepared to handle a host
nameserver with 2 A records and just uses the last one it sees. Is
this correct?
Anything I can do as a workaround?
Thanks!
-Ben
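
Added example, not part of the original message and not PowerDNS code: a Python script that reads pdns-recursor trace lines and reports, for each failed lookup, nameserver addresses that were in the cache but never queried. The sample lines are copied from the trace in the post and rejoined to one line each; the function name and the regular expressions are assumptions based on the log format shown there.

```python
import re
from collections import defaultdict

# Trace lines from the post, rejoined to one line each (sample input).
SAMPLE_TRACE = """\
Mar 14 18:55:02 [7] immigration.gov: Resolved 'gov' NS f.gov.zoneedit.com to 66.197.185.229, asking 'immigration.gov|A'
Mar 14 18:55:02 [7] justice2.usdoj.gov: Found cache hit for A: 149.101.1.3[ttl=86400] 149.101.1.4[ttl=86400]
Mar 14 18:55:02 [7] immigration.gov: Resolved 'immigration.gov' NS justice2.usdoj.gov to 149.101.1.4, asking 'immigration.gov|A'
Mar 14 18:55:04 [7] immigration.gov: timeout resolving
Mar 14 18:55:04 [7] immigration.gov: Failed to resolve via any of the 3 offered NS
"""

# Patterns are assumptions derived from the trace format quoted in the post.
CACHE_HIT = re.compile(r"\] (\S+): Found cache hit for A: (.+)$")
ADDR = re.compile(r"(\d+\.\d+\.\d+\.\d+)\[ttl=\d+\]")
RESOLVED = re.compile(r"\] (\S+): Resolved '[^']+' NS (\S+) to (\d+\.\d+\.\d+\.\d+),")
FAILED = re.compile(r"\] (\S+): Failed to resolve via any of the \d+ offered NS")


def untried_addresses(trace):
    """Return {qname: {ns: [cached addresses never queried]}} for failed lookups."""
    cached = {}                                    # NS name -> cached A addresses
    tried = defaultdict(lambda: defaultdict(set))  # qname -> NS name -> addresses queried
    report = {}
    for line in trace.splitlines():
        if m := CACHE_HIT.search(line):
            cached[m.group(1).lower()] = ADDR.findall(m.group(2))
        elif m := RESOLVED.search(line):
            tried[m.group(1)][m.group(2).lower()].add(m.group(3))
        elif m := FAILED.search(line):
            qname = m.group(1)
            missed = {}
            for ns, used in tried[qname].items():
                # Addresses the cache offered for this NS that no query was sent to.
                left = [a for a in cached.get(ns, []) if a not in used]
                if left:
                    missed[ns] = left
            if missed:
                report[qname] = missed
    return report


if __name__ == "__main__":
    for qname, per_ns in untried_addresses(SAMPLE_TRACE).items():
        for ns, addrs in per_ns.items():
            print(f"{qname}: {ns} had untried address(es): {', '.join(addrs)}")
```
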