2015-06-16 DNS failures
storage.live.com - users.storage.live.com
RFC2181, page 9, "The existence of a zone cut is indicated in the parent zone by the existence of NS records specifying the origin of the child zone".
dig storage.live.com any @ns2.msft.net ;; ANSWER SECTION: storage.live.com. 3600 IN CNAME storage.skyprod.akadns.net. dig users.storage.live.com ns @ns2.msft.net ;; ANSWER SECTION: users.storage.live.com. 3600 IN NS geodns.storage.skyprod.akadns.net.
So there is a zone cut in the live.com zone where all the names below users.storage.live.com are in the child zone; live.com is the parent zone containing that NS record. So we can query the child zone:
dig users.storage.live.com ns @geodns.storage.skyprod.akadns.net ;; flags: qr; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1 ;; AUTHORITY SECTION: storage.live.com. 0 IN SOA geodns.storage.skyprod.akadns.net. msnhst.microsoft.com. 2007010101 43200 21600 86400 0
Oops, the delegated dns server for the child zone says that the child zone users.storage.live.com does not exist. Instead it returns an authority section claiming there is a zone cut at storage.live.com.
dig storage.live.com ns @geodns.storage.skyprod.akadns.net ;; ANSWER SECTION: storage.live.com. 0 IN NS geodns.storage.skyprod.akadns.net.
secure-us.imrworldwide.com
dig secure-us.imrworldwide.com ns @pdns2.ultradns.net. ;; AUTHORITY SECTION: secure-us.imrworldwide.com. 86400 IN NS collectionsfo-gtm3.nielsen.com. secure-us.imrworldwide.com. 86400 IN NS collectionleb-gtm1.nielsen.com. secure-us.imrworldwide.com. 86400 IN NS collectioncin-gtm2.nielsen.com. dig secure-us.imrworldwide.com ns @collectionsfo-gtm3.nielsen.com. +norecur ;; flags: qr aa; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1 ;; AUTHORITY SECTION: imrworldwide.com. 60 IN SOA SFO-Collection-F5-GTM1.nielsen.com. hostmaster.SFO-Collection-F5-GTM1.nielsen.com. 2015060909 10800 3600 604800 60
Again, the dns server for the child zone does not know about the zone cut.
mcloud.mcafee.com
dig mcloud.mcafee.com ns @ns-a.mcafee.com. +norecur ;; AUTHORITY SECTION: mcloud.mcafee.com. 300 IN NS gtm2.mcafee.com. dig mcloud.mcafee.com ns @gtm2.mcafee.com. +norecur ;; flags: qr aa; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1 ;; AUTHORITY SECTION: mcafee.com. 86400 IN SOA ns0.mcafee.com. hostmaster.ns0.mcafee.com. 2004103684 10800 3600 604800 86400
Again, the dns server for the child zone does not know about the zone cut.
129.143.7.129.in-addr.arpa
RFC1034, page 15, "Domain names in RRs which point at another name should always point at the primary name and not the alias". Modern versions of Bind enforce this restriction with respect to NS records pointing to CNAMEs.
dig 129.143.7.129.in-addr.arpa ns @r.arin.net ;; AUTHORITY SECTION: 7.129.in-addr.arpa. 86400 IN NS ns2.uh.edu. 7.129.in-addr.arpa. 86400 IN NS ns1.uh.edu. 7.129.in-addr.arpa. 86400 IN NS ns3.uh.edu. dig ns1.uh.edu a @a.edu-servers.net. +norecur ;; AUTHORITY SECTION: uh.edu. 172800 IN NS ns2.uh.edu. uh.edu. 172800 IN NS ns1.uh.edu. uh.edu. 172800 IN NS mesquite.cc.uh.edu. dig ns3.uh.edu. any @ns1.uh.edu. +norecur ;; ANSWER SECTION: ns3.uh.edu. 28800 IN CNAME pong.uh.edu.