[H-SASIG] Move of Excalibur

James Iseppi james at iseppi.org
Fri Jan 1 10:15:28 EST 2010


Hi Russell,

On 01/01/2010, at 6:57 PM, Russell Stuart wrote:

> On Fri, 2010-01-01 at 03:02 -0500, Robert Brockway wrote:
>> The glue record is really just an A record in the parent zone file,
>> so the TTL of the parent zone applies.
>
> There is no doubt clients who read the glue record get the glue record's
> TTL.  But the question is when, if ever, is the glue record itself
> updated in the parent zone.  My guess is the glue record is treated as
> authoritative, and thus never times out.

If you query the name server for the parent zone, the TTL of the glue  
record will always be the same [1]. The glue records should only ever  
be delivered as part of the additional section, not as part of the  
answer section within the response. Therefore, no client [2] will ever  
receive the glue records as an answer to a query as the data in the  
additional section of a response is not considered authoritative [3].

> Think of it this way.  Let's say all DNS servers for xyz.com are hosted
> on xyz.com servers.  E.g., they are ns1.xyz.com, ns2.xyz.com, and
> ns3.xyz.com.  If the parent zone invalidated all of those zones because
> of TTL expiry, how is it going to look them up again?  It can't.  Ergo
> they don't ever expire.

The caching I was referring to was within a caching name server only,
and this is only relevant to the caching server knowing the IP address
to query for more information about that particular zone. It would
never leave the internal caches of that server and would definitely
never be sent as an answer to a client [2] computer. It does get used
by the caching server to determine when it needs to ask the parent
zone's servers again for the domain's delegation details.

> You might hope they would be a bit smarter about it.  For example, in
> our case assume the servers for humbug.org.au were just
> cartman.pipegrep.com.au and excalibur.humbug.org.au.  If you enter
> excalibur.humbug.org.au after entering cartman.pipegrep.com.au, you
> might hope they would ask cartman.pipegrep.com.au for excalibur's IP
> address.  They don't though.  As far as I can tell, the glue records are
> only ever updated manually.

Correct, the glue records can only ever be updated in the registry for  
the parent zone. However, there is a complicating factor to all this.  
The authoritative answer to any query comes from the name servers  
themselves, not the parent zone. This essentially means the glue  
records are not used except to initially query the servers responsible  
for a domain.

Below is an example of a DNS query for excalibur.humbug.org.au. The
final answer that would be returned to a client is in the very last
answer section received from cartman.pipegrep.com.au. Notice how,
although it was received from cartman, excalibur is listed as one of
the authoritative servers. This means that excalibur may receive
further queries from the server that performed this query, although it
will never receive initial queries from a caching name server that has
never asked about humbug.org.au before, or whose TTL has expired for its
previously cached results. Additionally, the opposite is also true:
cartman will receive initial queries about humbug.org.au but will
never receive follow-up queries about the domain from the same caching
name server, as it is no longer listed in its own response. It is
likely that this will eventually cause a problem, particularly if the
zoneedit.com servers were to fail and cartman were to become out of
sync with excalibur (like it did during the migration). This would
lead to a situation where the first query will return one answer from
server A (which is listed at the registrar), but when that answer
expires from the cache, a different answer will be returned by server
B (which isn't listed at the registrar but is listed at server A).

$ dig excalibur.humbug.org.au A +trace +additional

; <<>> DiG 9.4.3-P3 <<>> excalibur.humbug.org.au A +trace +additional
;; global options:  printcmd
.			48474	IN	NS	b.root-servers.net.
.			48474	IN	NS	l.root-servers.net.
.			48474	IN	NS	h.root-servers.net.
.			48474	IN	NS	g.root-servers.net.
.			48474	IN	NS	i.root-servers.net.
.			48474	IN	NS	f.root-servers.net.
.			48474	IN	NS	a.root-servers.net.
.			48474	IN	NS	j.root-servers.net.
.			48474	IN	NS	m.root-servers.net.
.			48474	IN	NS	e.root-servers.net.
.			48474	IN	NS	k.root-servers.net.
.			48474	IN	NS	c.root-servers.net.
.			48474	IN	NS	d.root-servers.net.
d.root-servers.net.	604647	IN	A	128.8.10.90
e.root-servers.net.	604626	IN	A	192.203.230.10
f.root-servers.net.	604634	IN	A	192.5.5.241
g.root-servers.net.	602629	IN	A	192.112.36.4
h.root-servers.net.	604406	IN	A	128.63.2.53
i.root-servers.net.	604645	IN	A	192.36.148.17
j.root-servers.net.	48474	IN	A	192.58.128.30
j.root-servers.net.	48474	IN	AAAA	2001:503:c27::2:30
l.root-servers.net.	139787	IN	A	199.7.83.42
m.root-servers.net.	603156	IN	A	202.12.27.33
;; Received 400 bytes from 192.168.7.1#53(192.168.7.1) in 2 ms

au.			172800	IN	NS	a1.audns.net.au.
au.			172800	IN	NS	b1.audns.net.au.
au.			172800	IN	NS	ns1.audns.net.au.
au.			172800	IN	NS	ns2.audns.net.au.
au.			172800	IN	NS	udns1.ausregistry.net.au.
au.			172800	IN	NS	udns2.ausregistry.net.au.
au.			172800	IN	NS	udns3.ausregistry.net.au.
au.			172800	IN	NS	udns4.ausregistry.net.au.
au.			172800	IN	NS	udns5.ausregistry.net.au.
a1.audns.net.au.	172800	IN	A	202.12.29.59
b1.audns.net.au.	172800	IN	A	128.32.136.3
ns1.audns.net.au.	172800	IN	A	58.65.255.73
ns2.audns.net.au.	172800	IN	A	58.65.249.73
udns1.ausregistry.net.au. 172800 IN	A	156.154.100.18
udns2.ausregistry.net.au. 172800 IN	A	156.154.101.18
udns3.ausregistry.net.au. 172800 IN	A	156.154.102.18
udns4.ausregistry.net.au. 172800 IN	A	156.154.103.18
udns5.ausregistry.net.au. 172800 IN	A	156.154.104.18
a1.audns.net.au.	172800	IN	AAAA	2001:dc0:2001:a:4608::59
b1.audns.net.au.	172800	IN	AAAA	2607:f140:ffff:fffe::3
;; Received 435 bytes from 128.63.2.53#53(h.root-servers.net) in 276 ms

humbug.org.au.		14400	IN	NS	ns2.zoneedit.com.
humbug.org.au.		14400	IN	NS	ns16.zoneedit.com.
humbug.org.au.		14400	IN	NS	cartman.pipegrep.com.au.
;; Received 155 bytes from 58.65.249.73#53(ns2.audns.net.au) in 377 ms

excalibur.humbug.org.au. 600	IN	A	74.207.240.123
humbug.org.au.		600	IN	NS	ns16.zoneedit.com.
humbug.org.au.		600	IN	NS	excalibur.humbug.org.au.
humbug.org.au.		600	IN	NS	ns2.zoneedit.com.
;; Received 120 bytes from 66.135.54.100#53(cartman.pipegrep.com.au) in 254 ms

Therefore it is very important to ensure that all records at the
registry accurately reflect the entries in the zone file. I've logged
into the registrar and made the necessary changes [4] so that
excalibur has the correct glue entries for its new IP address, and
these appear to have been correctly reflected in the whois database
and DNS almost instantly. I've also added excalibur back in as a name
server for the domain at the registrar. This means the only anomaly
left is that cartman is not listed in the zone that it is responsible
for according to the registrar. The two ways to solve this are to
update the DNS zone (which I wasn't sure how to do on excalibur), or
to remove cartman as a name server from the registry and stop it
slaving the zone from excalibur. I'm happy with either of these
options, so if the sysadmins could make a decision and implement
it, that would be appreciated.

Below is the same query as above after the mentioned changes. Note  
that although the query was for the A record for  
excalibur.humbug.org.au it did not stop at ns2.audns.net.au even  
though it had received details for the A record. This is because those  
details of the A record were only sent as part of the additional  
section of the response and therefore could not be considered  
authoritative.

Thanks
James

[1] 14400 for .au zones
[2] I use the term client to refer to a resolver on a workstation that
would usually expect all of its answers from a local caching name
server.
[3] The one exception to this would be if the same server has complete
copies of both zones, and therefore can be considered authoritative
for the final answer.
[4] If you'd like more details on what I changed and where, or the
details to log in to the registrar, let me know and I'll pass the
information on.

$ dig excalibur.humbug.org.au A +trace +additional

; <<>> DiG 9.4.3-P3 <<>> excalibur.humbug.org.au A +trace +additional
;; global options:  printcmd
.			48474	IN	NS	b.root-servers.net.
.			48474	IN	NS	l.root-servers.net.
.			48474	IN	NS	h.root-servers.net.
.			48474	IN	NS	g.root-servers.net.
.			48474	IN	NS	i.root-servers.net.
.			48474	IN	NS	f.root-servers.net.
.			48474	IN	NS	a.root-servers.net.
.			48474	IN	NS	j.root-servers.net.
.			48474	IN	NS	m.root-servers.net.
.			48474	IN	NS	e.root-servers.net.
.			48474	IN	NS	k.root-servers.net.
.			48474	IN	NS	c.root-servers.net.
.			48474	IN	NS	d.root-servers.net.
d.root-servers.net.	604647	IN	A	128.8.10.90
e.root-servers.net.	604626	IN	A	192.203.230.10
f.root-servers.net.	604634	IN	A	192.5.5.241
g.root-servers.net.	602629	IN	A	192.112.36.4
h.root-servers.net.	604406	IN	A	128.63.2.53
i.root-servers.net.	604645	IN	A	192.36.148.17
j.root-servers.net.	48474	IN	A	192.58.128.30
j.root-servers.net.	48474	IN	AAAA	2001:503:c27::2:30
l.root-servers.net.	139787	IN	A	199.7.83.42
m.root-servers.net.	603156	IN	A	202.12.27.33
;; Received 400 bytes from 192.168.7.1#53(192.168.7.1) in 2 ms

au.			172800	IN	NS	a1.audns.net.au.
au.			172800	IN	NS	b1.audns.net.au.
au.			172800	IN	NS	ns1.audns.net.au.
au.			172800	IN	NS	ns2.audns.net.au.
au.			172800	IN	NS	udns1.ausregistry.net.au.
au.			172800	IN	NS	udns2.ausregistry.net.au.
au.			172800	IN	NS	udns3.ausregistry.net.au.
au.			172800	IN	NS	udns4.ausregistry.net.au.
au.			172800	IN	NS	udns5.ausregistry.net.au.
a1.audns.net.au.	172800	IN	A	202.12.29.59
b1.audns.net.au.	172800	IN	A	128.32.136.3
ns1.audns.net.au.	172800	IN	A	58.65.255.73
ns2.audns.net.au.	172800	IN	A	58.65.249.73
udns1.ausregistry.net.au. 172800 IN	A	156.154.100.18
udns2.ausregistry.net.au. 172800 IN	A	156.154.101.18
udns3.ausregistry.net.au. 172800 IN	A	156.154.102.18
udns4.ausregistry.net.au. 172800 IN	A	156.154.103.18
udns5.ausregistry.net.au. 172800 IN	A	156.154.104.18
a1.audns.net.au.	172800	IN	AAAA	2001:dc0:2001:a:4608::59
b1.audns.net.au.	172800	IN	AAAA	2607:f140:ffff:fffe::3
;; Received 435 bytes from 128.63.2.53#53(h.root-servers.net) in 276 ms

humbug.org.au.		14400	IN	NS	excalibur.humbug.org.au.
humbug.org.au.		14400	IN	NS	ns2.zoneedit.com.
humbug.org.au.		14400	IN	NS	ns16.zoneedit.com.
humbug.org.au.		14400	IN	NS	cartman.pipegrep.com.au.
excalibur.humbug.org.au. 14400	IN	A	74.207.240.123
;; Received 155 bytes from 58.65.249.73#53(ns2.audns.net.au) in 377 ms

excalibur.humbug.org.au. 600	IN	A	74.207.240.123
humbug.org.au.		600	IN	NS	ns16.zoneedit.com.
humbug.org.au.		600	IN	NS	excalibur.humbug.org.au.
humbug.org.au.		600	IN	NS	ns2.zoneedit.com.
;; Received 120 bytes from 74.207.240.123#53(excalibur.humbug.org.au) in 210 ms
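Added example (my own code, not from the thread): a small Python checker that parses the last two responses of a `dig +trace +additional` transcript in the format above and reports the parent/child NS mismatch James describes, plus any glue A record that the child's own answer does not confirm. The embedded sample is the pre-fix trace above, trimmed to the .au delegation and cartman's answer.

```python
import re

# Constructed sample: the pre-fix trace from the thread, trimmed to its
# last two responses (the .au delegation and cartman's answer).
SAMPLE_TRACE = """\
humbug.org.au.\t\t14400\tIN\tNS\tns2.zoneedit.com.
humbug.org.au.\t\t14400\tIN\tNS\tns16.zoneedit.com.
humbug.org.au.\t\t14400\tIN\tNS\tcartman.pipegrep.com.au.
;; Received 155 bytes from 58.65.249.73#53(ns2.audns.net.au) in 377 ms

excalibur.humbug.org.au. 600\tIN\tA\t74.207.240.123
humbug.org.au.\t\t600\tIN\tNS\tns16.zoneedit.com.
humbug.org.au.\t\t600\tIN\tNS\texcalibur.humbug.org.au.
humbug.org.au.\t\t600\tIN\tNS\tns2.zoneedit.com.
;; Received 120 bytes from 66.135.54.100#53(cartman.pipegrep.com.au) in 254 ms
"""

# One resource record as dig prints it: owner TTL IN TYPE rdata
RR = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+(\S+)\s+(\S+)$")

def parse_trace(text):
    """Split a +trace transcript into per-server responses, each a list of
    (owner, ttl, type, rdata) tuples; a ';; Received' line ends a response."""
    responses, current = [], []
    for line in text.splitlines():
        if line.startswith(";; Received"):
            responses.append(current)
            current = []
            continue
        m = RR.match(line.strip())
        if m:
            owner, ttl, rtype, rdata = m.groups()
            current.append((owner.lower(), int(ttl), rtype, rdata.lower()))
    return responses

def delegation_check(zone, parent_resp, child_resp):
    """Compare the parent's NS set for `zone` with the child's apex NS set,
    and flag any glue A record that the child's own answer does not confirm."""
    zone = zone.lower()
    def ns_set(resp):
        return {rd for o, _, t, rd in resp if o == zone and t == "NS"}
    parent_ns, child_ns = ns_set(parent_resp), ns_set(child_resp)
    child_a = {(o, rd) for o, _, t, rd in child_resp if t == "A"}
    stale_glue = sorted((o, rd) for o, _, t, rd in parent_resp
                        if t == "A" and o.endswith("." + zone)
                        and (o, rd) not in child_a)
    return {"parent_only": sorted(parent_ns - child_ns),
            "child_only": sorted(child_ns - parent_ns),
            "stale_glue": stale_glue}
```

Running `delegation_check("humbug.org.au.", *parse_trace(SAMPLE_TRACE)[-2:])` on the sample reports cartman as parent-only and excalibur as child-only, which is exactly the split James describes; feeding it the post-fix trace leaves only cartman as parent-only.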
