[dns-operations] The strange case of fox.com

Johannes Erdfelt johannes at erdfelt.com
Wed Mar 2 21:42:16 UTC 2016


On Wed, Mar 02, 2016, Johannes Erdfelt <johannes at erdfelt.com> wrote:
> It's funny you bring up the .is delegation checks because I've had
> a poor experience with them recently.
> 
> I run three of my own nameservers and configured my domains at .is to
> use those nameservers. Everything was fine for a year until the .is
> registry started complaining about timeouts reaching one of the
> servers.

I received a followup email off list and I want to clarify a couple of
things.

I got the messaging from the registry wrong. The error was along the
lines of:

"The IP address xxx.xxx.xxx.xxx of nameserver xxxx.xxx is missing its PTR
record or has an incorrect PTR record."

I misremembered the problem because it looked like a network
connectivity problem that was causing it to report a missing PTR record.

Ironically, the problem in my case is exactly the same problem that
started this thread.

I did a lot of testing at the time, including using various recursive
nameservers (local, Google, etc), manually following delegations up from
the root and finally even using a web tool to query from many
geographically diverse locations.

Everything returned the correct PTR with no problems.

Turns out my ISP has their in-addr.arpa zone misconfigured with the
wrong nameservers. It's exactly the same problem as fox.com.

> There doesn't appear to be any way to contact the NIC about
> troubleshooting this issue. My ISP can't do anything without details
> about what network the problems are coming from. It's a frustrating
> situation to be in as a customer.

In retrospect, I should have tried harder to contact the NIC.

> Since it looks like the .is NIC is the only one having problems
> contacting that nameserver, their policy appears to have had the
> opposite effect. Instead of making DNS faster and more reliable, it's
> forced me to remove a nameserver which works for the vast majority of
> the Internet. Sure, it's just a couple of low-volume domains, but it's
> still frustrating.

My particular problem is likely to be rare, but it's also one that would
have been very difficult for any end-users to have seen.

As a policy, is something that likely wouldn't affect end-users
something worthy of actively breaking a zone? (In this case, .is
changes the nameservers to parking nameservers)

I'm following up with my ISP to get their misconfiguration fixed.

I'm also going to follow up with some better tooling for myself now that
I better understand the underlying problem.

JE
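
Added example, not part of the original message: a sketch of a delegation check that explains how recursive lookups can all succeed while a check of every listed server fails. It assumes "wrong nameservers" means the NS set in the parent's delegation differs from the NS set the reverse zone publishes. All names, addresses and per-server replies are constructed and passed in as data rather than queried.

```python
import ipaddress

def norm(name):
    """Compare DNS names case-insensitively and without the trailing dot."""
    return name.rstrip(".").lower()

def ptr_owner(ip):
    """Owner name of the PTR record for an address."""
    return ipaddress.ip_address(ip).reverse_pointer

def audit(parent_ns, child_ns, answers, expected_ptr):
    """Compare the delegation (parent) NS set with the zone's own (child)
    NS set and check what each listed server said when asked directly.

    answers maps server name -> (authoritative?, PTR target or None)."""
    parent = {norm(n) for n in parent_ns}
    child = {norm(n) for n in child_ns}
    replies = {norm(k): v for k, v in answers.items()}

    def good(server):
        aa, ptr = replies.get(server, (False, None))
        return bool(aa) and ptr is not None and norm(ptr) == norm(expected_ptr)

    listed = parent | child
    return {
        "parent_only": sorted(parent - child),   # delegated, not in the zone
        "child_only": sorted(child - parent),    # in the zone, not delegated
        "bad_servers": sorted(s for s in listed if not good(s)),
        # What a retrying recursive resolver effectively needs:
        "any_server_ok": any(good(s) for s in listed),
        # What a strict per-server delegation check needs:
        "all_delegated_ok": parent == child and all(good(s) for s in parent),
    }

# Constructed sample data (documentation address space and example names).
IP = "192.0.2.53"
EXPECTED = "ns3.customer.example."
PARENT_NS = ["ns1.isp.example.", "ns-old.isp.example."]
CHILD_NS = ["NS1.isp.example.", "ns2.isp.example."]
ANSWERS = {
    "ns1.isp.example.": (True, "ns3.customer.example."),
    "ns2.isp.example.": (True, "ns3.customer.example."),
    "ns-old.isp.example.": (False, None),   # no longer serves the zone
}

if __name__ == "__main__":
    print(ptr_owner(IP))
    for key, value in audit(PARENT_NS, CHILD_NS, ANSWERS, EXPECTED).items():
        print(f"{key}: {value}")
```

With real data, the inputs come from asking the parent zone's servers for the delegation, asking the zone's own servers for its NS set, and sending the PTR query to each listed server without recursion.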


