[96275] in North American Network Operators' Group
Re: www.cnn.com
daemon@ATHENA.MIT.EDU (Jeroen Massar)
Thu Apr 26 07:01:18 2007
Date: Thu, 26 Apr 2007 11:56:16 +0100
From: Jeroen Massar <jeroen@unfix.org>
To: Stefan Schmidt <s.schmidt--nanog@mcbone.net>,
Randy Bush <randy@psg.com>,
North American Network Operators Group <nanog@merit.edu>
In-Reply-To: <20070426103232.GN17505@giscard.mcbone.net>
Errors-To: owner-nanog@merit.edu
This is an OpenPGP/MIME signed message (RFC 2440 and 3156)
--------------enigF6BC17AEE4815D5F89AEC4A1
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: quoted-printable
Stefan Schmidt wrote:
> On Thu, Apr 26, 2007 at 10:06:32AM +0100, Randy Bush wrote:
>> roam.psg.com:/usr/home/randy> doc -p -w www.cnn.com.
>> Doc-2.2.3: doc -p -w www.cnn.com.
>> Doc-2.2.3: Starting test of www.cnn.com. parent is cnn.com.
>> Doc-2.2.3: Test date - Thu Apr 26 09:04:52 GMT 2007
>> DIGERR (NOT_AUTHORIZED): dig @dmtns01.turner.com. for SOA of www.cnn.c=
om. failed
>> DIGERR (NOT_AUTHORIZED): dig @dmtns02.turner.com. for SOA of www.cnn.c=
om. failed
>=20
> I think your debugging tool is faulty, as a dig ns cnn.com
[..]
> All of the above answer to me and have the same serial for cnn.com.
Randy is looking at www.cnn.com (note the www portion) and if you would
do a 'dig +trace www.cnn.com' you would see:
www.cnn.com. 3600 IN NS dmtns01.turner.com.
www.cnn.com. 3600 IN NS dmtns02.turner.com.
;; Received 112 bytes from 207.200.73.85#53(twdns-03.ns.aol.com) in 176 m=
s
www.cnn.com. 600 IN A 64.236.16.20
[..9 ip's..]
;; Received 157 bytes from 64.236.22.150#53(dmtns02.turner.com) in 100 ms=
And dmtns0{1|2}.turner.com. don't have a SOA for www.cnn.com although
they are authoritive. They only respond to queries for "A". Fortunatily
they do respond for "AAAA" queries, 0 records result, but it doesn't
break. They do simply drop queries asking for SOA,MX,TXT and prolly other=
s.
Aka just another peeped up "DNS loadbalancer" for which the implementers
didn't read the RFCs or where the configurators decided that they can
ignore other stuff for "anti-ddos" or other reasons.
Greets,
Jeroen
--------------enigF6BC17AEE4815D5F89AEC4A1
Content-Type: application/pgp-signature; name="signature.asc"
Content-Description: OpenPGP digital signature
Content-Disposition: attachment; filename="signature.asc"
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (MingW32)
Comment: Jeroen Massar / http://unfix.org/~jeroen/
iHUEARECADUFAkYwhVUuFIAAAAAAFQAQcGthLWFkZHJlc3NAZ251cGcub3JnamVy
b2VuQHVuZml4Lm9yZwAKCRApqihSMz58I6SXAJ9Mzkj48rJwjeA1iIlDOtE1EwEO
XwCggFQNO7owQnlzRoCckbRa/jY/N7c=
=wP4X
-----END PGP SIGNATURE-----
--------------enigF6BC17AEE4815D5F89AEC4A1--
