[dns-operations] Reporting glue as authoritative data -- Bug!
jabley at ca.afilias.info
Fri Jan 25 16:15:09 UTC 2008
On 25-Jan-2008, at 10:47, Joe Abley wrote:
> The NUS practice of exposing glue in the answer section causes
> troubleshooting headaches, especially in the case where a single zone
> is served by an NS set which includes NUS, NSD and BIND9 servers (like
To add a little more flesh to these bones, the problems I have seen
ran like this:
- nameserver was renumbered by end user, but glue record was not
- most resolvers which receive a BIND9/NSD response will follow the
- most resolvers which receive a NUS response will just cache the
- different servers in the same NS set appear to give different
- random distribution of old and new A records cached around the place
- diagnosis is initially "you just have to wait for records to expire"
- after N*TTL has passed, "caches are broken, call the operator of the cache and ask it to be flushed"
- after more days have passed, "this is a problem with the ORG zone, contact the registry"
- ORG registry operator says "our contract doesn't let us handle problems reported by registrants, talk to your registrar"
- registrar help desk struggles to understand what a glue record is
- problem is escalated within registrar with much shouting
- registrar finally opens angry, urgent, panic ticket with registry, insisting that some ORG servers (those running NSD/BIND9) are broken because they are not serving the A record that TLD1.ULTRADNS.NET returns
- registry operator tries to explain differences in NUS/BIND9/NSD answer in this case, and confirms that this is to be expected and there is no problem to fix
- registrar shouts
- registry operator escalates from helpdesk to engineering staff, and the same answer is sent
- more shouting from the registrar
- eventually someone mentions that this whole mess started with someone renumbering a server, and then notices that there's a host record with the old address
- the registry operator recommends changing the address associated with the host record
- the registrar changes the host record
- end user is still shouting
- registrar says "it's ok, just wait N*TTL"
- end user shouts "NO! WE DID THAT ALREADY! TWO WEEKS AGO! THAT IS NOT THE PROBLEM!"
- everybody involved runs outside and lies down in front of the first bus they can find, hoping that peace will come swiftly
Oh, how we laughed.
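As an added illustration (not part of Joe Abley's post, and not code from NUS, NSD or BIND9), the following Python models the caching behaviour the list above describes. A minimal resolver ranks incoming data roughly as RFC 2181 section 5.4.1 prescribes and is fed either a plain referral with the glue in the additional section, or an authoritative-looking answer that carries the glue in the answer section. The nameserver name, the two addresses and the server labels are constructed sample values; the numeric ranks are a simplification of the RFC's ordering.

```python
"""Why glue returned in the answer section leaves resolvers holding the
old address of a renumbered nameserver, while a plain referral lets them
learn the new one from the child zone. Added example; simplified ranking
after RFC 2181 5.4.1; all names and addresses are constructed."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

NS_HOST = "ns1.example.org"    # constructed: the renumbered nameserver
OLD_ADDR = "192.0.2.1"         # constructed: stale glue held by the parent zone
NEW_ADDR = "198.51.100.1"      # constructed: authoritative address in the child zone

# Trustworthiness ranks, highest wins (simplified from RFC 2181 5.4.1).
RANK_AA_ANSWER = 4       # answer section of an authoritative (AA=1) reply
RANK_AA_AUTHORITY = 3    # authority section of an authoritative reply
RANK_NONAA_ANSWER = 2    # answer section of a non-authoritative reply
RANK_ADDITIONAL = 1      # additional-section data, i.e. glue in a referral


@dataclass
class RR:
    name: str
    rtype: str
    rdata: str


@dataclass
class Response:
    server: str
    aa: bool
    answer: List[RR] = field(default_factory=list)
    authority: List[RR] = field(default_factory=list)
    additional: List[RR] = field(default_factory=list)

    def is_referral(self) -> bool:
        """Empty answer section plus NS records in the authority section."""
        return not self.answer and any(rr.rtype == "NS" for rr in self.authority)


class Resolver:
    """Cache that keeps only the highest-ranked copy of each (name, type)."""

    def __init__(self) -> None:
        self.cache: Dict[Tuple[str, str], Tuple[str, int]] = {}

    def _store(self, rr: RR, rank: int) -> None:
        key = (rr.name.lower(), rr.rtype)
        current = self.cache.get(key)
        # Lower-ranked data never displaces higher-ranked data; at equal rank
        # the copy already cached is kept (simplifying assumption).
        if current is None or rank > current[1]:
            self.cache[key] = (rr.rdata, rank)

    def ingest(self, resp: Response) -> None:
        ans_rank = RANK_AA_ANSWER if resp.aa else RANK_NONAA_ANSWER
        auth_rank = RANK_AA_AUTHORITY if resp.aa else RANK_ADDITIONAL
        for rr in resp.answer:
            self._store(rr, ans_rank)
        for rr in resp.authority:
            self._store(rr, auth_rank)
        for rr in resp.additional:
            self._store(rr, RANK_ADDITIONAL)

    def lookup(self, name: str, rtype: str) -> Optional[str]:
        entry = self.cache.get((name.lower(), rtype))
        return entry[0] if entry else None

    def expire_all(self) -> None:
        self.cache.clear()   # stand-in for N*TTL passing


def referral_style(server: str) -> Response:
    """Parent-zone server that treats the host record as glue (referral)."""
    return Response(server, aa=False,
                    authority=[RR("example.org", "NS", NS_HOST)],
                    additional=[RR(NS_HOST, "A", OLD_ADDR)])


def glue_in_answer_style(server: str) -> Response:
    """Parent-zone server that hands back the glue as an authoritative answer."""
    return Response(server, aa=True, answer=[RR(NS_HOST, "A", OLD_ADDR)])


CHILD_ZONE = Response("child zone server", aa=True,
                      answer=[RR(NS_HOST, "A", NEW_ADDR)])


def resolve_ns_address(resolver: Resolver, parent: Response) -> Optional[str]:
    """Feed the parent's reply into the cache; chase the child only on a referral."""
    resolver.ingest(parent)
    if parent.is_referral():
        resolver.ingest(CHILD_ZONE)
    return resolver.lookup(NS_HOST, "A")


def address_after_waiting(parent: Response) -> Optional[str]:
    """Resolve, let N*TTL pass, resolve again: does waiting change anything?"""
    r = Resolver()
    resolve_ns_address(r, parent)
    r.expire_all()
    return resolve_ns_address(r, parent)


def compare_ns_set(parents: List[Response]) -> Dict[str, Optional[str]]:
    """Address each parent-zone server leaves in a fresh resolver's cache."""
    return {p.server: resolve_ns_address(Resolver(), p) for p in parents}


if __name__ == "__main__":
    ns_set = [referral_style("referral-server-1"), referral_style("referral-server-2"),
              glue_in_answer_style("answer-glue-server")]
    for server, addr in compare_ns_set(ns_set).items():
        print(f"{server:20s} -> resolver caches {addr}")
    print("after N*TTL behind the answer-glue server:", address_after_waiting(ns_set[2]))
```

Running it shows the split the thread describes: behind a referral-style server the resolver ends up with the child zone's new address, behind the answer-glue server it caches the old one at the highest rank, and because the same reply is fetched again after expiry, waiting N*TTL changes nothing until the parent's host record itself is updated.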