[bdNOG] .BD DNS Problem
Brian Candler
brian at nsrc.org
Fri Sep 9 14:47:38 BDT 2016
On 09/09/2016 08:50, Kabindra Shrestha wrote:
> The analysis and solution was for .BD. As we know, for sub domains to work there needs to be a proper delegation which is missing in .BD
Yes, you are quite right - my apologies.
What confused me is when I got the correct answer here:
$ dig +norec @dns.bd. com.bd. ns
...
;; ANSWER SECTION:
com.bd. 86400 IN NS dns.bd.
com.bd. 86400 IN NS surma.btcl.net.bd.
com.bd. 86400 IN NS jamuna.btcl.net.bd.
;; ADDITIONAL SECTION:
dns.bd. 86400 IN A 209.58.24.3
dns.bd. 86400 IN AAAA 2407:5000:88:5::3
surma.btcl.net.bd. 2849 IN A 203.112.194.232
surma.btcl.net.bd. 2849 IN AAAA 2407:5000:88:4::232
jamuna.btcl.net.bd. 2849 IN A 203.112.194.231
jamuna.btcl.net.bd. 2849 IN AAAA 2407:5000:88:4::231
In fact, what this shows is the NS records *within* the com.bd zone,
which happens to be stored on the same nameserver; this is not the
delegation from the parent zone.
The same query to PCH doesn't return any such delegation:
$ dig +norec @bd-ns.anycast.pch.net. com.bd. ns
...
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 52571
$ dig +norec @bd-ns.anycast.pch.net. foobar.com.bd. a
...
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 30903
What this means is:
* bd, com.bd and net.bd (etc) are separate zone files
* Inside each zone file it lists the correct set of nameservers for that
zone. So if I query a nameserver which holds the com.bd zone, I get the
NS records for com.bd
* But as you said, inside the bd zone it is missing the NS records (and
glue, where needed) to delegate to the child zones.
So a server which holds bd but not com.bd treats all com.bd names as
non-existent, rather than delegating.
This in turn means that up to 1/4 of name resolutions for .bd are
currently being returned as NXDOMAIN, which is a REALLY REALLY BAD
situation. Customers are being affected.
This needs immediate action. If you can't get the delegation NS records
added to the .bd zone quickly then:
- remove the NS record pointing at PCH server from the .bd zone file
Even this will take some time to propagate, so:
- PCH server should also be configured to stop answering for .bd (a
lame delegation is better than returning wrong NXDOMAIN responses)
Regards,
Brian.
More information about the nog
mailing list