IJAH400@INDYVAX.IUPUI.EDU ("James A. Harvey") (03/22/91)
Hello. Lately I've been having to reload my nameservers occasionally to get rid of bogus NS RRs for the domains "*" and "EDU". It seems that the NIC now lists NIC.NORDU.NET as authoritative for the EDU domain, and the nameserver on NIC.NORDU.NET has a bogus NS RR for "*" pointing to RA.MSSTATE.EDU, as shown by the nslookup output included below after my signature.

Our BIND pre-4.8.3 nameserver (hummer.iupui.edu) ends up with a bogus NS RR for "*". On the one machine we have running a nameserver derived from the Tahoe distribution of BIND, version 4.8.3 (on indyvax.iupui.edu), it seems to convert the bogon to one for "EDU" only (is this a feature of BIND 4.8.3 to limit the damage bogons can do?). This makes me suspect that the bogon's source is NIC.NORDU.NET.

I've also seen bogus NS RRs at C.NYSER.NET for "*" and "EDU", pointing to ADMIN.JSUMS.EDU. At the time I made the log these bogons had been removed from C.NYSER.NET.

I've seen this problem before. The fatal mix seems to require (1) root or top-level domain servers running old versions of BIND (C.NYSER.NET and NIC.NORDU.NET?) and (2) someone putting entries for "*" or top-level domains (EDU) in the cache preload file of a host that is (or recently was) an authoritative nameserver for a domain.

James Harvey
IUPUI Computing Services
IJAH400@IUPUI.EDU or HARVEY@INDIANA.EDU

[PHOTO: Recording initiated 21-MAR-1991 14:25]

system@indyvax> nslookup
Default Server:  indyvax.iupui.edu
Address:  0.0.0.0

> lserver ns.nic.ddn.mil.
Default Server:  ns.nic.ddn.mil
Address:  192.67.67.53

> set q=ns
> edu.
Server:  ns.nic.ddn.mil
Address:  192.67.67.53

edu     nameserver = NS.NIC.DDN.MIL
edu     nameserver = A.ISI.EDU
edu     nameserver = C.NYSER.NET
edu     nameserver = TERP.UMD.EDU
edu     nameserver = NS.NASA.GOV
edu     nameserver = AOS.BRL.MIL
edu     nameserver = GUNTER-ADAM.AF.MIL
edu     nameserver = NIC.NORDU.NET
NS.NIC.DDN.MIL  internet address = 192.67.67.53
A.ISI.EDU       internet address = 26.3.0.103
A.ISI.EDU       internet address = 128.9.0.107
C.NYSER.NET     internet address = 192.33.4.12
TERP.UMD.EDU    internet address = 128.8.10.90
NS.NASA.GOV     internet address = 128.102.16.10
NS.NASA.GOV     internet address = 192.52.195.10
AOS.BRL.MIL     internet address = 192.5.25.82
GUNTER-ADAM.AF.MIL      internet address = 26.1.0.13
NIC.NORDU.NET   internet address = 192.36.148.17

> lserver nic.nordu.net
Default Server:  nic.nordu.net
Address:  192.36.148.17

> set d2
> *.
Server:  nic.nordu.net
Address:  192.36.148.17

res_mkquery(0, *, 1, 2)
------------
SendRequest(), len 19
    HEADER:
        opcode = QUERY, id = 5, rcode = NOERROR
        header flags:  query, want recursion
        questions = 1,  answers = 0,  authority records = 0,  additional = 0

    QUESTIONS:
        *, type = NS, class = IN

------------
------------
Got answer (77 bytes):
    HEADER:
        opcode = QUERY, id = 5, rcode = NOERROR
        header flags:  response, want recursion, recursion avail.
        questions = 1,  answers = 1,  authority records = 1,  additional = 1

    QUESTIONS:
        *, type = NS, class = IN
    ANSWERS:
    ->  *
        type = NS, class = IN, dlen = 16
        nameserver = RA.MSSTATE.EDU
        ttl = 589486 (6 days 19 hours 44 mins 46 secs)
    AUTHORITY RECORDS:
    ->  *
        type = NS, class = IN, dlen = 2
        nameserver = RA.MSSTATE.EDU
        ttl = 589486 (6 days 19 hours 44 mins 46 secs)
    ADDITIONAL RECORDS:
    ->  RA.MSSTATE.EDU
        type = A, class = IN, dlen = 4
        internet address = 130.18.80.10
        ttl = 172800 (2 days)

------------
Non-authoritative answer:
*
        type = NS, class = IN, dlen = 16
        nameserver = RA.MSSTATE.EDU
        ttl = 589486 (6 days 19 hours 44 mins 46 secs)

Authoritative answers can be found from:
*
        type = NS, class = IN, dlen = 2
        nameserver = RA.MSSTATE.EDU
        ttl = 589486 (6 days 19 hours 44 mins 46 secs)
RA.MSSTATE.EDU
        type = A, class = IN, dlen = 4
        internet address = 130.18.80.10
        ttl = 172800 (2 days)

> exit
system@indyvax> logout
Process PHOTO_000146AC logged out at 21-MAR-1991 14:26:06.67

[PHOTO: Recording terminated 21-MAR-1991 14:26 TWG$SPECIFIC:BOGON.LOG;1]
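
Added example (not part of the original posts): a Python check that parses nslookup output in both the plain and `set d2` layouts of the log above and flags the kind of bogus NS RRs the post describes, meaning any NS RR owned by "*" and any EDU NS RR whose target is outside the set returned by ns.nic.ddn.mil. Treating that set as the trusted baseline, the function names, and the two one-line `edu` sample records are assumptions of this example.

```python
import re

# NS set for EDU as returned by ns.nic.ddn.mil in the session above;
# using it as the trusted baseline is an assumption of this example.
TRUSTED_NS = {"edu": {"NS.NIC.DDN.MIL", "A.ISI.EDU", "C.NYSER.NET", "TERP.UMD.EDU",
                      "NS.NASA.GOV", "AOS.BRL.MIL", "GUNTER-ADAM.AF.MIL",
                      "NIC.NORDU.NET"}}
# Constructed sample: one debug-format record as in the session, plus two
# one-line records modelled on the ADMIN.JSUMS.EDU case described in the post.
SAMPLE = """\
ANSWERS:
->  *
    type = NS, class = IN, dlen = 16
    nameserver = RA.MSSTATE.EDU
    ttl = 589486 (6 days 19 hours 44 mins 46 secs)
edu     nameserver = A.ISI.EDU
edu     nameserver = ADMIN.JSUMS.EDU
"""

ONE_LINE = re.compile(r"^(\S+)\s+nameserver = (\S+)$")  # plain "set q=ns" layout
OWNER = re.compile(r"^->\s+(\S+)$")                     # debug layout: owner line
NS_FIELD = re.compile(r"^nameserver = (\S+)$")          # debug layout: NS target

def parse_ns_records(text):
    """Return (owner, nameserver) pairs from plain or debug nslookup output."""
    records, owner = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if m := OWNER.match(line):
            owner = m.group(1)
        elif (m := NS_FIELD.match(line)) and owner:
            records.append((owner, m.group(1)))
        elif m := ONE_LINE.match(line):
            records.append((m.group(1), m.group(2)))
    return records

def find_bogus_ns(text, trusted=TRUSTED_NS):
    """Flag NS RRs owned by "*" or by a known zone but outside its trusted set."""
    bogus = []
    for owner, ns in parse_ns_records(text):
        zone = owner.rstrip(".").lower()
        if zone == "*":
            bogus.append((owner, ns, "NS RR for wildcard owner"))
        elif zone in trusted and ns.rstrip(".").upper() not in trusted[zone]:
            bogus.append((owner, ns, "nameserver not in trusted set"))
    return bogus

if __name__ == "__main__":
    print(*find_bogus_ns(SAMPLE), sep="\n")
```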
ber@SUNIC.SUNET.SE (03/22/91)
>It seems that the NIC
>now lists NIC.NORDU.NET as authoritative for the EDU domain, and the
>nameserver on NIC.NORDU.NET has a bogus NS RR for "*" pointing to
>RA.MSSTATE.EDU,

James,

This seems to have been a temporary problem; at least I'm not currently able to reproduce that bogus RR for "*" on nic.nordu.net. Moreover, nic.nordu.net is running the 4.8.3 version of Bind.

The ADMIN.JSUMS.EDU problem has also been seen by others and, as far as I know, also reported to NIC.

--------
Bjorn Eriksen
NORDUnet Operation Center, Royal Institute of Technology, KTH, phone +46 8 7906513
Internet: ber@sunet.se
UUCP: {uunet,mcsun}!sunic!ber
BITNET: BER@SEARN