[conspire] penlug DNS seems to be down...

Daniel Gimpelevich daniel at gimpelevich.san-francisco.ca.us
Wed Dec 14 17:16:49 PST 2005

Have you ever, when hearing about somebody doing something stupid and then
facing the consequences, been glad it wasn't you, while at the same time,
doing the exact same stupid thing? My SOA record has ns1.granitecanyon.com
as my primary DNS server. My registrar had that in their records, along
with ns1.zoneedit.com and ns3.zoneedit.com, which I had set up to get the
zonefile from ns1.granitecanyon.com. At some point I added a fourth NS
record to my zonefile for ns2.granitecanyon.com, but neglected to contact
my registrar. That wasn't causing any problems -- or so it seemed. This
week, I attempted to send an e-mail message to a bug number at
bugs.debian.org, and it bounced with a 451 error. I tried to resend the
following day, and this time it was silently discarded without even a
bounce message. When I googled the Debian mailing lists for 451 errors
from bugs.debian.org, I came across an incident where someone who had a
debian.org e-mail address, and also an address at their own domain, had
set up his zonefile in a way that was somehow interfering with the exim
configuration on the master.debian.org server. This left me wondering
"What if master.debian.org is the MX record for bugs.debian.org?" The
first thing I did then was go to http://www.dnsstuff.com in order to see
whether they had some no-fuss MX record lookup tool, but a link on their
front page immediately caught my eye that I never noticed before:
I decided to click it. Then my blissful obliviousness came to an end. I
was shocked and awed by the sight of the "Reverse DNS authenticity" line
telling me that my domain would not resolve. In a panic, I went ahead and
got the full DNS report on myself, and it became clear what had happened:
Some time ago, ns1.granitecanyon.com stopped responding. Eventually, the
SOA EXPIRE value had elapsed, and the ZoneEdit servers tried to get my
zonefile again. After being unable to do so, rather than report stale
data, they started making referrals. This left ns2.granitecanyon.com as
the only authoritative nameserver that would give a valid response, but
nobody was checking that one because it wasn't listed at my registrar,
despite my NS record. The last time I dealt with my registrar, they said I
should e-mail them instead of calling, but this time I was luckily able to
get them on the phone quickly by referencing an e-mail support ticket
number from three and a half years ago. They said they'd add the extra
nameserver within the hour, and if I needed anything else, I could call
back and reference that same ticket number. It took considerably longer
than that for their authoritative parent servers to reflect the change,
but I didn't wait for that. I told the ZoneEdit servers to get their
information from ns2.granitecanyon.com instead of ns1, and shortly
thereafter, ns1.zoneedit.com was making my domain resolve again. As soon
as I saw that, I resent that old e-mail through bugs.debian.org, and it
went through. Unfortunately, I am now getting the feeling that I am
lapsing back into blissful obliviousness to my DNS situation, so expect
more such foolishness from me in the future.

On Mon, 12 Dec 2005 15:10:37 -0800, Rick Moen wrote:

> Quoting Peter Knaggs (peter.knaggs at gmail.com):
>>    Wow, thanks for your explanation.
> No problem.  Since I'm on an "explain DNS" kick, I may do at least one 
> follow-up to my December 2005 "The Basics of DNS" article in _Linux Gazette_, 
> attempting to cover such matters.  In that article, you may have
> noticed, I explained about the four flavours of DNS service, explained
> the first three & showed that they were dead simple, and mostly punted
> on the fourth one, primary authoritative service.  Which is of course
> what we're talking about, now.
>>    So when you hinted about offering to do
>>    secondary DNS, would that mean we'd need
>>    to get the .org nameserver to add an NS entry
>>    for ns1.linuxmafia.org (and a glue record for
>>    ns1.linuxmafia.org pointing it to the real
>>    ns1.linuxmafia.com)? Sounds complicated :)
> There's a simple way, and there's a slightly more complex but better
> way.
> The simple way is just add an "NS" record for ns1.linuxmafia.com.  Boom,
> done.  You would have to add that to both the penlug.org zonefile and
> in the domain records at the registrar.  (The one aspect of primary
> authoritative DNS that people most often get wrong is failing to update
> records at the registrar when they change nameservers' NS or A records
> in their zonefiles.)
> The more-complex way is to first add NS and A records in penlug.org's
> zonefile for new hostname "ns4.penlug.org", with the A record pointing
> to ns1.linuxmafia.com's IP.  Then -- per usual -- do the same in records
> at the registrar.  Again, boom, done.
> In either case, someone would also have to adjust the master
> nameserver's security controls (ACLs) to let my IP pull down the zonefile
> from it.
> But that's really all that's required.  Everything else is automatic, 
> and I would neither have nor want any involvement in the actual contents
> of penlug.org's DNS, that being controlled 100% at the master
> nameserver, which according to the zonefile is "a.ns.joker.com".  The
> only difference is, PenLUG would have greater redundancy.

More information about the conspire mailing list