[dns-operations] Google name servers: different serial numbers when NXDOMAIN or not
Stephane Bortzmeyer
bortzmeyer at nic.fr
Mon Feb 13 13:33:07 UTC 2012
David Gavarret discovered a strange thing on Google's name
servers. The serial number in the SOA record is not the same when
queried directly as when returned with an NXDOMAIN.
% dig @ns1.google.com SOA google.fr
; <<>> DiG 9.7.3 <<>> @ns1.google.com SOA google.fr
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 59682
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 4, ADDITIONAL: 4
;; WARNING: recursion requested but not available
;; QUESTION SECTION:
;google.fr. IN SOA
;; ANSWER SECTION:
google.fr. 86400 IN SOA ns1.google.com. dns-admin.google.com. 2012010600 21600 3600 1209600 300
;; AUTHORITY SECTION:
google.fr. 345600 IN NS ns1.google.com.
google.fr. 345600 IN NS ns4.google.com.
google.fr. 345600 IN NS ns3.google.com.
google.fr. 345600 IN NS ns2.google.com.
;; ADDITIONAL SECTION:
ns1.google.com. 345600 IN A 216.239.32.10
ns4.google.com. 345600 IN A 216.239.38.10
ns3.google.com. 345600 IN A 216.239.36.10
ns2.google.com. 345600 IN A 216.239.34.10
;; Query time: 51 msec
;; SERVER: 216.239.32.10#53(216.239.32.10)
;; WHEN: Thu Feb 9 21:25:01 2012
;; MSG SIZE rcvd: 219
% dig @ns1.google.com SOA doesnotexistatall.google.fr
; <<>> DiG 9.7.3 <<>> @ns1.google.com SOA doesnotexistatall.google.fr
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 21855
;; flags: qr aa rd; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
;; WARNING: recursion requested but not available
;; QUESTION SECTION:
;doesnotexistatall.google.fr. IN SOA
;; AUTHORITY SECTION:
google.fr. 60 IN SOA ns1.google.com. dns-admin.google.com. 1476465 21600 3600 1209600 300
;; Query time: 48 msec
;; SERVER: 216.239.32.10#53(216.239.32.10)
;; WHEN: Thu Feb 9 21:25:53 2012
;; MSG SIZE rcvd: 105
As a result, some tools which allow monitoring the rejuvenation of
zones fail. For instance, check google.fr on
<http://www.migrationdns.com/?ndd=google.fr>: the numbers are
different (depending on whether the resolver started with a
non-existent name or not).
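The comparison described in the message above, as an added example that is not part of the original post: it reads dig output, records which section and response code each SOA record came from, and reports whether the direct and negative-response serials agree. The function names are assumptions, and the sample input is trimmed from the two dig outputs quoted in the message.

```python
import re

# Trimmed from the two dig outputs quoted in the message above.
DIRECT = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 59682
;; ANSWER SECTION:
google.fr. 86400 IN SOA ns1.google.com. dns-admin.google.com. 2012010600 21600 3600 1209600 300
;; AUTHORITY SECTION:
google.fr. 345600 IN NS ns1.google.com.
"""
NEGATIVE = """\
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 21855
;; AUTHORITY SECTION:
google.fr. 60 IN SOA ns1.google.com. dns-admin.google.com. 1476465 21600 3600 1209600 300
"""

STATUS = re.compile(r"status: (\w+)")
SECTION = re.compile(r"^;; (\w+) SECTION:")

def soa_records(dig_text):
    """Yield (rcode, section, owner, ttl, serial) for each SOA record in dig output."""
    rcode = section = None
    for line in dig_text.splitlines():
        if line.startswith(";;"):
            if m := STATUS.search(line):
                rcode = m.group(1)
            elif m := SECTION.match(line):
                section = m.group(1)
            continue
        f = line.split()
        # owner ttl class type mname rname serial refresh retry expire minimum
        if len(f) == 11 and f[2] == "IN" and f[3] == "SOA":
            yield rcode, section, f[0], int(f[1]), int(f[6])

def compare_serials(direct_text, negative_text):
    """Compare the serial of a direct SOA answer with the one in a negative response."""
    direct = next(r for r in soa_records(direct_text) if r[1] == "ANSWER")
    negative = next(r for r in soa_records(negative_text) if r[1] == "AUTHORITY")
    return {
        "zone": direct[2],
        "direct_serial": direct[4],
        "negative_serial": negative[4],
        "negative_rcode": negative[0],
        "consistent": direct[2] == negative[2] and direct[4] == negative[4],
    }

if __name__ == "__main__":
    print(compare_serials(DIRECT, NEGATIVE))
```

A zone-freshness monitor that tracks which section each serial came from can report this case as a mismatch instead of silently mixing the two values.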