[134095] in North American Network Operators' Group
.gov registrar problem
daemon@ATHENA.MIT.EDU (Andy Harrison)
Thu Dec 23 18:12:21 2010
Date: Thu, 23 Dec 2010 18:12:17 -0500
From: Andy Harrison <aharrison@gmail.com>
To: nanog@nanog.org
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org
In case anyone else notices spotty problems resolving .gov names, I
just sent the following message to registrar@dotgov.gov:
----
I started investigating a dns issue after we received a few customer
complaints regarding intermittent problems resolving hostnames under
noaa.gov.  After some in-depth investigation, I believe I've
identified the issue.
First, the query to see the list of authoritative name servers for .gov:
# dig NS gov @c.root-servers.net
; <<>> DiG 9.6.1-P3 <<>> NS gov @c.root-servers.net
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 53495
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 7, ADDITIONAL: 7
;; WARNING: recursion requested but not available
;; QUESTION SECTION:
;gov.                           IN      NS
;; AUTHORITY SECTION:
gov.                    172800  IN      NS      f.usadotgov.net.
gov.                    172800  IN      NS      a.usadotgov.net.
gov.                    172800  IN      NS      g.usadotgov.net.
gov.                    172800  IN      NS      b.usadotgov.net.
gov.                    172800  IN      NS      d.usadotgov.net.
gov.                    172800  IN      NS      e.usadotgov.net.
gov.                    172800  IN      NS      c.usadotgov.net.
;; ADDITIONAL SECTION:
a.usadotgov.net.        172800  IN      A       74.208.172.129
b.usadotgov.net.        172800  IN      A       206.204.217.151
c.usadotgov.net.        172800  IN      A       69.72.142.35
d.usadotgov.net.        172800  IN      A       204.168.112.71
e.usadotgov.net.        172800  IN      A       213.165.80.240
f.usadotgov.net.        172800  IN      A       66.207.175.172
g.usadotgov.net.        172800  IN      A       64.62.200.134
;; Query time: 9 msec
;; SERVER: 192.33.4.12#53(192.33.4.12)
;; WHEN: Thu Dec 23 17:37:59 2010
;; MSG SIZE  rcvd: 258
The glue records show a.usadotgov.net with an ip of 74.208.172.129.
Next, using one of the authoritative name servers for usadotgov.net,
we resolve the a.usadotgov.net name:
# dig a.usadotgov.net @DNSSEC7.DATAMTN.COM
; <<>> DiG 9.6.1-P3 <<>> a.usadotgov.net @DNSSEC7.DATAMTN.COM
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 61276
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 6, ADDITIONAL: 10
;; WARNING: recursion requested but not available
;; QUESTION SECTION:
;a.usadotgov.net.               IN      A
;; ANSWER SECTION:
a.usadotgov.net.        86400   IN      A       76.73.18.236
You can see that the ip address is incorrect for that hostname.  This
is going to cause an issue where some responses for .gov addresses
will come from a non-authoritative source and should be taken care of
as soon as possible as this could potentially affect all .gov domains.
--
Andy Harrison
Lead Systems Engineer
Metrocast Cablevision
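
Added example, not part of the original message: the glue-versus-authoritative comparison done by hand above, as a script that parses saved dig output. The sample text is trimmed from the output quoted in the message; the function names and the "unchecked" handling for names with no authoritative answer on hand are assumptions of this sketch.

```python
import re

# Trimmed from the referral quoted in the message (two of the seven servers).
PARENT_REFERRAL = """\
;; AUTHORITY SECTION:
gov.                    172800  IN      NS      a.usadotgov.net.
gov.                    172800  IN      NS      b.usadotgov.net.
;; ADDITIONAL SECTION:
a.usadotgov.net.        172800  IN      A       74.208.172.129
b.usadotgov.net.        172800  IN      A       206.204.217.151
;; Query time: 9 msec
"""
# Trimmed from the authoritative answer quoted in the message.
CHILD_ANSWER = """\
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 6, ADDITIONAL: 10
;; ANSWER SECTION:
a.usadotgov.net.        86400   IN      A       76.73.18.236
"""

RR = re.compile(r"^(\S+)\s+\d+\s+IN\s+(A|AAAA)\s+(\S+)\s*$")

def records(dig_text, section):
    """Return {owner: set(addresses)} for A/AAAA records in one dig section."""
    found, active = {}, False
    for line in dig_text.splitlines():
        if line.startswith(";;"):  # section headers and trailer lines
            active = line.strip() == f";; {section} SECTION:"
            continue
        m = RR.match(line) if active else None
        if m:
            found.setdefault(m.group(1).lower().rstrip("."), set()).add(m.group(3))
    return found

def is_authoritative(dig_text):
    """True if the dig header flags line carries the aa bit."""
    m = re.search(r"^;; flags:([^;]*);", dig_text, re.M)
    return bool(m) and "aa" in m.group(1).split()

def compare_glue(parent_text, child_text):
    """Compare glue in the parent referral with the child's authoritative answers."""
    if not is_authoritative(child_text):
        raise ValueError("child response lacks the aa flag; not a valid reference")
    glue = records(parent_text, "ADDITIONAL")
    auth = records(child_text, "ANSWER")
    mismatched = {n: (glue[n], auth[n]) for n in glue if n in auth and glue[n] != auth[n]}
    unchecked = sorted(n for n in glue if n not in auth)  # no authoritative data on hand
    return mismatched, unchecked

if __name__ == "__main__":
    bad, skipped = compare_glue(PARENT_REFERRAL, CHILD_ANSWER)
    for name, (g, a) in bad.items():
        print(f"MISMATCH {name}: glue={sorted(g)} authoritative={sorted(a)}")
    print("not checked:", skipped)
```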