[dns-operations] The strange case of fox.com

Marius Olafsson marius at isgate.is
Sun Mar 6 23:29:36 UTC 2016


> In message <CABSP1OcRAxWSRNgYAjef9VuCCsE5Jey9YRg7F-3j1aYKPDhrAg at mail.gmail.com

> > Some constructive feedback on this: some (larger) providers make regular
> > updates to their zone files, and therefore the serial numbers are in
> > constant flux.  As changes are deployed, their different NS IPs will
> > occasionally be seen advertising different serials.  And while this all
> > works perfectly well, it's a bit disconcerting to receive occasional
> > threats from ISNIC about removing their delegations.  The false positive
> > originates because ISNIC is detecting that the serials differ for a while
> > (a week?), not that one is actually failing to receive updates.  A simple
> > improvement (that doesn't require recording all serial numbers) would be to
> > remember what the two (different) serials were when the discrepancy was
> > first detected, then only flagging it as a problem if they continue to
> > differ a week later, *and* one of them is still stuck at the old value.  If
> > they differ, but have both changed, then it's likely working as intended,
> > and you're just getting unlucky by probing them during a routine update.
> > Damian

Thank you Damian ... excellent suggestion, allowing us to continue
to still flag the 99% of the real zone-inconsistency errors we observe
(server failing to receive updates) but not send out "disconcerting" 
warnings where the serial numbers are in flux for other reasons.

On 07. March 2016, Mark Andrews wrote:

> What is missing is:
> 
> All the nameservers listed must resolve to an A or AAAA record and
> should resolve to both A and AAAA records.  The A and AAAA records
> must be consistent with those registered with ISNIC.  The A record
> must not be an RFC 1918 address.  The AAAA records must not be link
> local addresses, site local addresses, ULA addresses or mapped IPv4
> addresses.  The must not list is not exhaustive.  The A or AAAA
> lookup must not resolve to NXDOMAIN, be REFUSED or return NOTIMP.
> The resolution of the A and AAAA must not involve a CNAME or a
> DNAME.
> Mark

As we actually contact all the nameservers listed in the authoritative
NS record set and test if the zone exists on them .. the above is
kind of implied. If any of the above conditions were not true for
any of the listed nameservers the domain would fail our tests.

--
Marius Olafsson
ISNIC ltd.                             http://www.isnic.is
Katrinartun 2
Reykjavik ICELAND                          marius at isgate.is
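
The check Damian suggests in the quoted text above, sketched as an added example (it is not ISNIC's code and not part of the original message). The function names, nameserver names and serial values are constructed, and using RFC 1982 serial comparison to decide which server is behind is an assumption beyond what the message states.

```python
SERIAL_MOD = 2 ** 32  # SOA serials are 32-bit and wrap (RFC 1982)


def serial_newer(a, b):
    """True if serial a is newer than b under RFC 1982 arithmetic."""
    return a != b and (a - b) % SERIAL_MOD < SERIAL_MOD // 2


def first_detection(serials):
    """Return a snapshot to store if the servers disagree, else None."""
    return dict(serials) if len(set(serials.values())) > 1 else None


def recheck(snapshot, current):
    """A week later: return the nameservers that look stuck.

    Flag only when the serials still differ AND a server still reports
    the value recorded at first detection while another server is ahead.
    """
    if len(set(current.values())) <= 1:
        return []  # servers converged, nothing to report
    newest = next(iter(current.values()))
    for serial in current.values():
        if serial_newer(serial, newest):
            newest = serial
    return sorted(
        ns for ns, serial in current.items()
        if snapshot.get(ns) == serial and serial_newer(newest, serial)
    )


# Constructed sample data (hypothetical nameserver names and serials).
SNAPSHOT = first_detection({"ns1.example.net": 2016030601,
                            "ns2.example.net": 2016030501})
STUCK = {"ns1.example.net": 2016031301, "ns2.example.net": 2016030501}
IN_FLUX = {"ns1.example.net": 2016031302, "ns2.example.net": 2016031301}

if __name__ == "__main__":
    print("stuck secondary:", recheck(SNAPSHOT, STUCK))
    print("routine updates:", recheck(SNAPSHOT, IN_FLUX))
```

Only the two serials seen at first detection are stored per zone, so no serial history has to be kept between probes.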


