[dns-operations] Reporting glue as authoritative data -- Bug!

Joe Abley jabley at ca.afilias.info
Fri Jan 25 16:15:09 UTC 2008


On 25-Jan-2008, at 10:47, Joe Abley wrote:

> The NUS practice of exposing glue in the answer section causes
> troubleshooting headaches, especially in the case where a single zone
> is served by an NS set which includes NUS, NSD and BIND9 servers (like
> ORG).

To add a little more flesh to these bones, the problems I have seen ran like this:

  - nameserver was renumbered by end user, but glue record was not updated
  - most resolvers which receive a BIND9/NSD response will follow the delegation
  - most resolvers which receive a NUS response will just cache the glue record
  - different servers in the same NS set appear to give different answers
  - random distribution of old and new A records cached around the place
  - diagnosis is initially "you just have to wait for records to expire"
  - after N*TTL has passed, "caches are broken, call the operator of the cache and ask it to be flushed"
  - after more days have passed, "this is a problem with the ORG zone, contact the registry"
  - ORG registry operator says "our contract doesn't let us handle problems reported by registrants, talk to your registrar"
  - registrar help desk struggles to understand what a glue record is
  - problem is escalated within registrar with much shouting
  - registrar finally opens angry, urgent, panic ticket with registry, insisting that some ORG servers (those running NSD/BIND9) are broken because they are not serving the A record that TLD1.ULTRADNS.NET returns
  - registry operator tries to explain differences in NUS/BIND9/NSD answer in this case, and confirms that this is to be expected and there is no problem to fix
  - registrar shouts
  - registry operator escalates from helpdesk to engineering staff, and the same answer is sent
  - more shouting from the registrar
  - eventually someone mentions that this whole mess started with someone renumbering a server, and then notices that there's a host record with the old address
  - the registry operator recommends changing the address associated with the host record
  - the registrar changes the host record
  - end user is still shouting
  - registrar says "it's ok, just wait N*TTL"
  - end user shouts "NO! WE DID THAT ALREADY! TWO WEEKS AGO! THAT IS NOT THE PROBLEM!"
  - everybody involved runs outside and lies down in front of the first bus they can find, hoping that peace will come swiftly

Oh, how we laughed.


Joe
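As an added illustration (not part of Joe's post, and not code from any of the nameserver implementations named), the script below models the divergence the list describes: each parent-zone server is asked, without recursion, for the A record of a child nameserver whose glue went stale after a renumbering, and the result is compared with what the child zone itself serves. Server names, addresses and the response shapes are constructed; in practice the lists would be filled from the ANSWER and ADDITIONAL sections of real non-recursive queries.

```python
from dataclasses import dataclass, field

@dataclass
class ParentResponse:
    """One parent-zone server's non-recursive reply for a child nameserver's A record."""
    server: str
    answer: list = field(default_factory=list)      # A records in ANSWER section
    additional: list = field(default_factory=list)  # A records in ADDITIONAL section

def classify(resp):
    """A delegation-only server that fills ANSWER is handing out glue as data."""
    return "glue-as-answer" if resp.answer else "referral"

def diagnose(responses, child_answer):
    """Compare each parent server's glue with what the child zone itself serves.

    child_answer: set of A records the child's own authoritative servers return.
    """
    report = {}
    for r in responses:
        kind = classify(r)
        glue = set(r.answer) | set(r.additional)
        # A resolver that gets a referral follows it and caches the child's data;
        # one that gets glue in ANSWER caches the glue instead.
        seen = set(r.answer) if kind == "glue-as-answer" else child_answer
        report[r.server] = {
            "kind": kind,
            "stale_glue": sorted(glue - child_answer),
            "resolver_sees": sorted(seen),
        }
    return report

def inconsistent(report):
    """True when caches fed by different parent servers hold different A records."""
    return len({tuple(v["resolver_sees"]) for v in report.values()}) > 1

# Constructed sample: ns1 was renumbered 192.0.2.10 -> 192.0.2.20, but the
# host (glue) record at the registry still carries the old address.
SAMPLE = [
    ParentResponse("nsd.parent.example", additional=["192.0.2.10"]),
    ParentResponse("bind9.parent.example", additional=["192.0.2.10"]),
    ParentResponse("nus.parent.example", answer=["192.0.2.10"]),
]
CHILD_ANSWER = {"192.0.2.20"}

if __name__ == "__main__":
    for srv, v in diagnose(SAMPLE, CHILD_ANSWER).items():
        print(f"{srv}: {v['kind']}, stale glue {v['stale_glue']}, caches get {v['resolver_sees']}")
    print("divergent answers across NS set:", inconsistent(diagnose(SAMPLE, CHILD_ANSWER)))
```

The stale_glue field is non-empty on every server until the host record is corrected, but only the glue-as-answer server makes resolvers cache the old address, which is why fixing the host record and waiting N*TTL is still the only real remedy.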
