
2015-06-16 DNS failures

storage.live.com - users.storage.live.com

RFC 2181, page 9: "The existence of a zone cut is indicated in the parent zone by the existence of NS records specifying the origin of the child zone."

dig storage.live.com any @ns2.msft.net
;; ANSWER SECTION:
storage.live.com.   3600    IN  CNAME   storage.skyprod.akadns.net.


dig users.storage.live.com ns @ns2.msft.net
;; ANSWER SECTION:
users.storage.live.com. 3600    IN  NS  geodns.storage.skyprod.akadns.net.

So there is a zone cut in the live.com zone: all the names below users.storage.live.com are in the child zone, and live.com is the parent zone containing that NS record. We can therefore query the server for the child zone:

dig users.storage.live.com ns @geodns.storage.skyprod.akadns.net
;; flags: qr; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

;; AUTHORITY SECTION:
storage.live.com.   0   IN  SOA geodns.storage.skyprod.akadns.net. msnhst.microsoft.com. 2007010101 43200 21600 86400 0

Oops, the delegated DNS server for the child zone says that the child zone users.storage.live.com does not exist. Instead, it returns an authority section claiming there is a zone cut at storage.live.com.

dig storage.live.com ns @geodns.storage.skyprod.akadns.net
;; ANSWER SECTION:
storage.live.com.   0   IN  NS  geodns.storage.skyprod.akadns.net.

secure-us.imrworldwide.com

dig secure-us.imrworldwide.com ns @pdns2.ultradns.net.
;; AUTHORITY SECTION:
secure-us.imrworldwide.com. 86400 IN    NS  collectionsfo-gtm3.nielsen.com.
secure-us.imrworldwide.com. 86400 IN    NS  collectionleb-gtm1.nielsen.com.
secure-us.imrworldwide.com. 86400 IN    NS  collectioncin-gtm2.nielsen.com.


dig secure-us.imrworldwide.com ns @collectionsfo-gtm3.nielsen.com. +norecur
;; flags: qr aa; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
;; AUTHORITY SECTION:
imrworldwide.com.   60  IN  SOA SFO-Collection-F5-GTM1.nielsen.com. hostmaster.SFO-Collection-F5-GTM1.nielsen.com. 2015060909 10800 3600 604800 60

Again, the DNS server for the child zone does not know about the zone cut.

mcloud.mcafee.com

dig mcloud.mcafee.com ns @ns-a.mcafee.com. +norecur
;; AUTHORITY SECTION:
mcloud.mcafee.com.  300 IN  NS  gtm2.mcafee.com.


dig mcloud.mcafee.com ns @gtm2.mcafee.com. +norecur
;; flags: qr aa; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
;; AUTHORITY SECTION:
mcafee.com.     86400   IN  SOA ns0.mcafee.com. hostmaster.ns0.mcafee.com. 2004103684 10800 3600 604800 86400

Again, the DNS server for the child zone does not know about the zone cut.

129.143.7.129.in-addr.arpa

RFC 1034, page 15: "Domain names in RRs which point at another name should always point at the primary name and not the alias." Modern versions of BIND enforce this restriction with respect to NS records pointing to CNAMEs.

dig 129.143.7.129.in-addr.arpa ns @r.arin.net
;; AUTHORITY SECTION:
7.129.in-addr.arpa. 86400   IN  NS  ns2.uh.edu.
7.129.in-addr.arpa. 86400   IN  NS  ns1.uh.edu.
7.129.in-addr.arpa. 86400   IN  NS  ns3.uh.edu.


dig ns1.uh.edu a @a.edu-servers.net. +norecur
;; AUTHORITY SECTION:
uh.edu.         172800  IN  NS  ns2.uh.edu.
uh.edu.         172800  IN  NS  ns1.uh.edu.
uh.edu.         172800  IN  NS  mesquite.cc.uh.edu.


dig ns3.uh.edu. any @ns1.uh.edu. +norecur
;; ANSWER SECTION:
ns3.uh.edu.     28800   IN  CNAME   pong.uh.edu.
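
The two checks made by hand above (does the delegated server agree with the parent's zone cut, and is any NS target a CNAME) can be run over saved dig output. This is an added example, not part of the original page; the function names and the example.com sample are assumptions, and the other sample replies are abbreviated copies of the output shown above.

```python
import re
RR = re.compile(r"^(\S+)\s+\d+\s+IN\s+(\S+)\s+(.+)$")

def parse_dig(text):
    """Map each dig section name to a list of (owner, type, rdata) tuples."""
    sections, current = {}, None
    for line in map(str.strip, text.splitlines()):
        header = re.match(r";; (\w+) SECTION:", line)
        if header:
            current = sections.setdefault(header.group(1), [])
        elif current is not None and (rr := RR.match(line)):
            owner, rtype, rdata = rr.groups()
            current.append((owner.lower(), rtype.upper(), rdata.lower()))
    return sections

def records(parsed, rtype):
    return [r for s in ("ANSWER", "AUTHORITY") for r in parsed.get(s, []) if r[1] == rtype]

def check_zone_cut(parent_out, child_out):
    """Does the delegated server agree with the zone cut the parent publishes?"""
    delegation = records(parse_dig(parent_out), "NS")
    if not delegation:
        return "no delegation in parent reply"
    cut, child = delegation[0][0], parse_dig(child_out)
    if any(o == cut and t == "NS" for o, t, _ in child.get("ANSWER", [])):
        return "ok"
    for owner, rtype, _ in child.get("AUTHORITY", []):
        # An SOA owned by an ancestor of the cut means the server sees no child zone.
        if rtype == "SOA" and cut.endswith("." + owner):
            return "lame: delegated server places the zone apex at " + owner
    return "inconclusive"

def ns_targets_with_cname(ns_out, lookup_out):
    """NS targets that the lookup reply shows to be aliases (RFC 1034)."""
    targets = {rdata for _, _, rdata in records(parse_dig(ns_out), "NS")}
    return sorted(o for o, _, _ in records(parse_dig(lookup_out), "CNAME") if o in targets)

# Replies copied (abbreviated) from the mcloud.mcafee.com and uh.edu sections above.
PARENT = ";; AUTHORITY SECTION:\nmcloud.mcafee.com. 300 IN NS gtm2.mcafee.com."
CHILD = (";; AUTHORITY SECTION:\nmcafee.com. 86400 IN SOA ns0.mcafee.com. "
         "hostmaster.ns0.mcafee.com. 2004103684 10800 3600 604800 86400")
ARPA_NS = ";; AUTHORITY SECTION:\n7.129.in-addr.arpa. 86400 IN NS ns3.uh.edu."
NS3 = ";; ANSWER SECTION:\nns3.uh.edu. 28800 IN CNAME pong.uh.edu."
# Constructed healthy delegation (example.com names are placeholders).
GOOD = ";; ANSWER SECTION:\nchild.example.com. 3600 IN NS ns1.child.example.com."

if __name__ == "__main__":
    for result in (check_zone_cut(PARENT, CHILD), check_zone_cut(GOOD, GOOD),
                   ns_targets_with_cname(ARPA_NS, NS3)):
        print(result)
```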