DNS - also off topic?? :)

Jeff LaCoursiere jeff at jeff.net
Mon Sep 9 13:50:43 BST 2002


Hi all,

I am once again confused by a DNS issue.  Thanks to all who responded to
my query about TTLs when CNAMEs are in use.  Let me see if I can describe
the situation.

A remote site has a number of DNS servers, none of which I have access to
other than queries.  These DNS servers are authoritative (master and
several secondaries) for domain foo.com.  Inside foo.com is a CNAME record
(server.foo.com) pointing to a record in bar.com (server.bar.com), which
is registered with the NIC to be managed by MY name servers.

My name servers are authoritative (master and several secondaries) for
bar.com, and inside is an A record (server.bar.com), pointed at by the
CNAME in foo.com.

All of this is very normal, and for most sites out on the net a lookup of
server.foo.com gives you the IP of server.bar.com.  Happiness.

Now take one of my internal name servers.  It is NOT authoritative for
foo.com OR bar.com, and has forwarders for Internet lookups to external
name servers managed by our ISP.  When I try to look up server.bar.com I
get "NX domain - no such host".  Even worse, when I try to look up
server.foo.com I get the same thing.

Debugging this I discovered that the servers that are authoritative for
bar.com (out of my control) actually have a zone file for foo.com.  I
guess this, actually, as when I dig directly to their name server and
request the SOA record for foo.com I get back an SOA listing their name
servers as authoritative, and a completely different set of SOA options
than what we are managing on our servers.  If I ask this server to resolve
server.foo.com it returns "host unknown".  It goes without saying that
this is wrong, and that they need to delete the zone.  What confuses me is
this error seems to have poisoned my internal name server somehow, and I
don't understand why.

My internal name server, not authoritative for either foo.com or bar.com,
cannot look up any valid records in foo.com.  With tcpdump I can see that
it actually asks the bar.com server instead of my authoritative
servers.  I can understand that asking for server.bar.com would
recursively cause the foo.com lookup in the bar.com server (and fail
because of the extra zone), but why if I ask for foo.com records directly?

How can this happen??

Hope this made some amount of sense :)

Jeff LaCoursiere
Infrastructure Specialist
T-Motion
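As an added illustration, not code from the post or from the list, the Python toy model below reproduces the symptom described above: a resolver that forwards every query to the remote site's server gets NXDOMAIN for server.bar.com, gets NXDOMAIN for server.foo.com too because that server chases the CNAME into its own stale copy of the target zone, and then serves the negative answer from its cache for the SOA minimum TTL (RFC 2308), so the failure outlives the fix on the remote side. A resolver that follows the delegation instead gets the address. Assumptions: the remote foo.com servers hold a stale bar.com zone (the post's description of which server holds the extra zone is ambiguous), and the address 192.0.2.10 and all zone data are constructed.

```python
# Constructed toy model (not from the post): zones as dicts, one server per site.
NXDOMAIN, REFUSED = "NXDOMAIN", "REFUSED"

# server = {zone: {"SOA": minimum_ttl, name: (rtype, rdata), ...}}
REMOTE = {  # remote site: authoritative for foo.com, plus a stale bar.com copy (assumed)
    "foo.com": {"SOA": 3600, "server.foo.com": ("CNAME", "server.bar.com")},
    "bar.com": {"SOA": 3600},  # stale copy with no server.bar.com record
}
OURS = {"bar.com": {"SOA": 3600, "server.bar.com": ("A", "192.0.2.10")}}
DELEGATION = {"foo.com": REMOTE, "bar.com": OURS}  # where the parent zone points

def zone_for(table, name):
    """Longest suffix of name that is a zone key of table, or None."""
    labels = name.split(".")
    for i in range(len(labels)):
        if ".".join(labels[i:]) in table:
            return ".".join(labels[i:])
    return None

def authoritative_answer(server, name):
    """(answer, negative_ttl) from one server; CNAMEs chased only in zones it holds."""
    zone = zone_for(server, name)
    if zone is None:
        return REFUSED, None  # authoritative-only server: not my zone
    rec = server[zone].get(name)
    if rec is None:
        return NXDOMAIN, server[zone]["SOA"]  # SOA minimum bounds negative caching
    rtype, rdata = rec
    return authoritative_answer(server, rdata) if rtype == "CNAME" else (rdata, None)

def resolve_by_delegation(name):
    """Correct recursion: ask the delegated server per zone, chase CNAMEs across zones."""
    zone = zone_for(DELEGATION, name)
    if zone is None:
        return REFUSED
    rec = DELEGATION[zone][zone].get(name)
    if rec is None:
        return NXDOMAIN
    rtype, rdata = rec
    return resolve_by_delegation(rdata) if rtype == "CNAME" else rdata

class ForwardingResolver:
    """Sends every query to one upstream server and keeps a negative cache (RFC 2308)."""
    def __init__(self, upstream):
        self.upstream, self.negcache = upstream, {}
    def lookup(self, name, now):
        if self.negcache.get(name, -1) > now:
            return NXDOMAIN  # served from cache; the upstream is not asked at all
        answer, neg_ttl = authoritative_answer(self.upstream, name)
        if answer == NXDOMAIN:
            self.negcache[name] = now + neg_ttl
        return answer
```

Deleting the stale zone on the upstream does not clear the forwarder's negative cache; the cached NXDOMAIN persists until the SOA minimum TTL runs out, which is what makes the problem look like the internal server has been poisoned.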
