Tim Nicholas
Hi all,
Anyone know why ns1 ns2 ns3 and ns5.dns.net.nz aren't giving out useful information?
That's because they don't have "useful information". They have delegations to name servers that do. Let's look at NS4's actual response to your query:

$ dig dnc.net.nz. NS @ns4.dns.net.nz

; <<>> DiG 8.3 <<>> dnc.net.nz. NS @ns4.dns.net.nz
; (1 server found)
;; res options: init recurs defnam dnsrch
;; got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 20937
;; flags: qr rd; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 2
;; QUERY SECTION:
;;      dnc.net.nz, type = NS, class = IN

;; ANSWER SECTION:
dnc.net.nz.             1D IN NS        ns2.actrix.co.nz.
dnc.net.nz.             1D IN NS        internetnz.net.nz.
dnc.net.nz.             1D IN NS        ns1.actrix.co.nz.

;; ADDITIONAL SECTION:
ns2.actrix.co.nz.       1D IN A         203.96.16.36
ns1.actrix.co.nz.       1D IN A         203.96.16.35

The NS records are placed in the answer section of the response, and 'host' considers these answers, although note that the 'aa' flag (authoritative answer) is not set. That's because delegation information is not considered authoritative; if you want an authoritative answer for the NS records of dns.net.nz, you should ask (according to this answer) one of ns2.actrix.co.nz, internetnz.net.nz or ns1.actrix.co.nz.

This answer is "wrong". This answer should still be delegating responsibility for records in the dnc.net.nz domain to the name servers mentioned in the NS list; the NS records held by ns4.dns.net.nz are really just to help you find something that has the answer, and thus they should really be returned in the authority section, not the answer section, as happens when you look up something else in the delegated zone such as an address query:

$ dig dnc.net.nz. A @ns4.dns.net.nz

; <<>> DiG 8.3 <<>> dnc.net.nz. A @ns4.dns.net.nz
; (1 server found)
;; res options: init recurs defnam dnsrch
;; got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4940
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 3, ADDITIONAL: 2
;; QUERY SECTION:
;;      dnc.net.nz, type = A, class = IN

;; AUTHORITY SECTION:
dnc.net.nz.             1D IN NS        ns1.actrix.co.nz.
dnc.net.nz.             1D IN NS        ns2.actrix.co.nz.
dnc.net.nz.             1D IN NS        internetnz.net.nz.

;; ADDITIONAL SECTION:
ns1.actrix.co.nz.       1D IN A         203.96.16.35
ns2.actrix.co.nz.       1D IN A         203.96.16.36

NS4 and NS7 run BIND 8, whose logic basically goes, "do I have anything, anywhere that matches the query? If yes, put the records in the answer section, otherwise, put any available authority data in the authority section."

This is different from BIND 9's (more correct) logic, which goes, "is this domain delegated? If so, just put authority data in the authority section, and never return data in the answer section." Thus you get the same format answers for an NS query as for an A query; the NS records are in the authority section, not the answer section. For example:

$ dig dnc.net.nz. NS @ns1.dns.net.nz

; <<>> DiG 8.3 <<>> dnc.net.nz. NS @ns1.dns.net.nz
; (1 server found)
;; res options: init recurs defnam dnsrch
;; got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 3432
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 3, ADDITIONAL: 0
;; QUERY SECTION:
;;      dnc.net.nz, type = NS, class = IN

;; AUTHORITY SECTION:
dnc.net.nz.             1D IN NS        ns1.actrix.co.nz.
dnc.net.nz.             1D IN NS        ns2.actrix.co.nz.
dnc.net.nz.             1D IN NS        internetnz.net.nz.

NS1, NS2 & NS3 all run BIND 9. NS5 & NS6 are operated by UltraDNS, which uses their own software but has the same behaviour regarding delegated responses.

Also, note that in the BIND 9 (and UltraDNS) responses, there are no additional "glue" address records, because none of the delegated name servers are within the "dnc.net.nz" domain, and therefore don't actually need glue. (There's a bunch of reasons why putting in glue where it's not needed is not a good idea, mostly relating to stale glue data. BIND 8 is rather generous with additional glue.)

Basically, the BIND 8 servers give "answers" to NS record queries when they don't actually have "answers" to give. All the rest give delegation responses, just as when faced with a non-NS record (which is the usual case).

It's all working fine. You'll see the same behaviour in other name servers.

Hope this helps.

-- don
That's 4 of 7 primary servers for all of .nz and seems to be affecting all of the second level domains.
22:35:04 tim(a)stella ~$ for i in 1 2 3 4 5 6 7; do host -t ns dnc.net.nz ns$i.dns.net.nz;echo; done
dnc.net.nz NS record currently not present at ns1.dns.net.nz

dnc.net.nz NS record currently not present at ns2.dns.net.nz

dnc.net.nz NS record currently not present at ns3.dns.net.nz

dnc.net.nz NS ns2.actrix.co.nz
dnc.net.nz NS internetnz.net.nz
dnc.net.nz NS ns1.actrix.co.nz

dnc.net.nz NS record currently not present at ns5.dns.net.nz

dnc.net.nz NS ns2.actrix.co.nz
dnc.net.nz NS ns1.actrix.co.nz
dnc.net.nz NS internetnz.net.nz

dnc.net.nz NS internetnz.net.nz
dnc.net.nz NS ns1.actrix.co.nz
dnc.net.nz NS ns2.actrix.co.nz

22:37:40 tim(a)stella ~$
Cheers, Tim
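
Added example, not part of the original thread: a small Python classifier that reads a raw DNS response and tells a referral (NS records in the authority section, aa clear) from a non-authoritative answer (NS records in the answer section, aa clear), the two shapes contrasted in the reply above. The helper names and the two sample messages are constructed for illustration; the flags value 0x8100 corresponds to "qr rd" as in the dig output.

```python
import struct

NS, AA = 2, 0x0400  # NS record type code; "authoritative answer" header bit

def skip_name(msg, off):
    """Return the offset just past a (possibly compressed) domain name."""
    while msg[off]:
        if msg[off] & 0xC0 == 0xC0:   # compression pointer ends the name
            return off + 2
        off += 1 + msg[off]
    return off + 1

def classify(msg):
    """Classify a response from its aa flag and the RR types in each section."""
    _id, flags, qd, an, ns, _ar = struct.unpack_from("!6H", msg, 0)
    off = 12
    for _ in range(qd):                        # skip the question entries
        off = skip_name(msg, off) + 4
    types = []
    for _ in range(an + ns):                   # answer RRs, then authority RRs
        off = skip_name(msg, off)
        rtype, _cls, _ttl, rdlen = struct.unpack_from("!HHIH", msg, off)
        types.append(rtype)
        off += 10 + rdlen
    answer, authority = types[:an], types[an:]
    if flags & AA:
        return "authoritative answer"
    if not answer and authority and all(t == NS for t in authority):
        return "referral"
    return "non-authoritative answer" if answer else "other"

# --- constructed sample messages (uncompressed names, built by hand) ---
def name(s):
    parts = s.rstrip(".").split(".")
    return b"".join(bytes([len(p)]) + p.encode() for p in parts) + b"\0"

def rr(owner, rtype, rdata):
    return name(owner) + struct.pack("!HHIH", rtype, 1, 86400, len(rdata)) + rdata

def response(flags, answer, authority):
    hdr = struct.pack("!6H", 0x1234, flags, 1, len(answer), len(authority), 0)
    question = name("dnc.net.nz.") + struct.pack("!HH", NS, 1)
    return hdr + question + b"".join(answer) + b"".join(authority)

HOSTS = ("ns1.actrix.co.nz.", "ns2.actrix.co.nz.", "internetnz.net.nz.")
NS_RRS = [rr("dnc.net.nz.", NS, name(h)) for h in HOSTS]
ANSWER_STYLE = response(0x8100, NS_RRS, [])    # NS set in ANSWER, aa clear
REFERRAL_STYLE = response(0x8100, [], NS_RRS)  # NS set in AUTHORITY, aa clear
```
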