Robert Schetterer wrote the following on 3/4/2013 1:08 PM:
Am 04.03.2013 19:46, schrieb Blake Hudson:
Robert Schetterer wrote the following on 3/4/2013 12:37 PM:
Am 04.03.2013 19:31, schrieb Blake Hudson:
OK, so we ask for a PTR on 212.0.171.63.in-addr.arpa and instead receive
a CNAME (with additional). Did anyone notice that the CNAME does not
resolve?
yeah, my dns cache didn't resolve it
had to be reloaded


Best Regards
MfG Robert Schetterer

Robert, you show the same problem as me (different version of bind
9.8.x). Seems to be a bind 9.8 specific behavior to return SERVFAIL on
this lookup. FWIW, Bind 9.2.x uses the additional info in the first
query results without performing any lookup/validation on the CNAME
(63.171.0.212.cust.lkq.sprintlink.net).

Flushing the cache or restarting bind does not resolve the issue. Unless you
can show me otherwise...
it's by dnssec-validation auto in BIND 9.8.1-P1

/usr/sbin/named -v
BIND 9.8.1-P1

dig @localhost -x 63.171.0.212

; <<>> DiG 9.8.1-P1 <<>> @localhost -x 63.171.0.212
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 38497
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;212.0.171.63.in-addr.arpa.     IN      PTR

;; Query time: 3462 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Mon Mar  4 20:01:51 2013
;; MSG SIZE  rcvd: 43


deconfigure or comment out

dnssec-validation auto


etc/init.d/bind9 restart
  * Stopping domain name service... bind9
    waiting for pid 28122 to die
                              [ OK ]
  * Starting domain name service... bind9
                              [ OK ]
root@newlinux:~# dig @localhost -x 63.171.0.212

; <<>> DiG 9.8.1-P1 <<>> @localhost -x 63.171.0.212
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 47133
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 3, ADDITIONAL: 6

;; QUESTION SECTION:
;212.0.171.63.in-addr.arpa.     IN      PTR

;; ANSWER SECTION:
212.0.171.63.in-addr.arpa. 86400 IN     CNAME   63.171.0.212.cust.lkq.sprintlink.net.
63.171.0.212.cust.lkq.sprintlink.net. 86400 IN PTR mail1.lkqcorp.com.

;; AUTHORITY SECTION:
cust.lkq.sprintlink.net. 86400  IN      NS      ns1-auth.sprintlink.net.
cust.lkq.sprintlink.net. 86400  IN      NS      ns3-auth.sprintlink.net.
cust.lkq.sprintlink.net. 86400  IN      NS      ns2-auth.sprintlink.net.

;; ADDITIONAL SECTION:
ns1-auth.sprintlink.net. 86399  IN      A       206.228.179.10
ns1-auth.sprintlink.net. 86399  IN      AAAA    2600::a1
ns2-auth.sprintlink.net. 86399  IN      A       144.228.254.10
ns2-auth.sprintlink.net. 86399  IN      AAAA    2600::a2
ns3-auth.sprintlink.net. 86399  IN      A       144.228.255.10
ns3-auth.sprintlink.net. 86399  IN      AAAA    2600::a3


compared

/usr/sbin/named -v
BIND 9.7.6-P4

dig @localhost -x 63.171.0.212

; <<>> DiG 9.7.6-P4 <<>> @localhost -x 63.171.0.212
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 26972
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 3, ADDITIONAL: 6

;; QUESTION SECTION:
;212.0.171.63.in-addr.arpa.     IN      PTR

;; ANSWER SECTION:
212.0.171.63.in-addr.arpa. 85099 IN     CNAME   63.171.0.212.cust.lkq.sprintlink.net.
63.171.0.212.cust.lkq.sprintlink.net. 85099 IN PTR mail1.lkqcorp.com.


try posting to the bind list for details


Best Regards
MfG Robert Schetterer

# dig @8.8.8.8 PTR 63.171.0.212.cust.lkq.sprintlink.net +dnssec

; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.10.rc1.el6_3.6 <<>> @8.8.8.8 PTR 63.171.0.212.cust.lkq.sprintlink.net +dnssec
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 27767
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 512
;; QUESTION SECTION:
;63.171.0.212.cust.lkq.sprintlink.net. IN PTR

;; Query time: 441 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Mon Mar  4 13:44:03 2013
;; MSG SIZE  rcvd: 65



# dig @8.8.8.8 PTR 63.171.0.212.cust.lkq.sprintlink.net +nodnssec

; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.10.rc1.el6_3.6 <<>> @8.8.8.8 PTR 63.171.0.212.cust.lkq.sprintlink.net +nodnssec
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 14054
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;63.171.0.212.cust.lkq.sprintlink.net. IN PTR

;; ANSWER SECTION:
63.171.0.212.cust.lkq.sprintlink.net. 390 IN PTR mail1.lkqcorp.com.

;; Query time: 19 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Mon Mar  4 13:44:09 2013
;; MSG SIZE  rcvd: 85


If Sprint has set up DNSSEC on their zones incorrectly, I would rather they resolve the issue they've created rather than turning off DNSSEC validation on my server (which I've intentionally enabled). I don't think posting to the bind list or any other action on my part is necessary at this point. Thanks for the recommendations and the pointer, as well as another set of eyes; it was helpful to have a point of reference from multiple people running different software in different configurations.
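As an added example (not part of the thread, and not code from either poster), the script below automates the comparison Robert made by hand: parse two dig transcripts of the same PTR lookup, one from a validating resolver and one from a non-validating one, follow the CNAME chain in the answer, and classify the outcome. The two sample transcripts are constructed from the outputs quoted above (abridged to the relevant sections); `parse_dig`, `follow_chain` and `diagnose` are names chosen here. On a running BIND the non-validating view can be obtained for a single query with `dig +cd`, which sets the CD bit and asks the resolver to skip validation, so no named.conf edit or restart is needed to get the second transcript.

```python
"""Parse dig output and compare a validating vs. a non-validating lookup."""
import re
from dataclasses import dataclass, field
from typing import List, Tuple

# Constructed sample (abridged): the SERVFAIL the thread saw from a
# validating BIND 9.8.1-P1 resolver.
VALIDATING = """\
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 38497
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;212.0.171.63.in-addr.arpa.     IN      PTR

;; Query time: 3462 msec
"""

# Constructed sample (abridged): the same lookup with validation disabled.
NON_VALIDATING = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 47133
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 3, ADDITIONAL: 6

;; QUESTION SECTION:
;212.0.171.63.in-addr.arpa.     IN      PTR

;; ANSWER SECTION:
212.0.171.63.in-addr.arpa. 86400 IN CNAME 63.171.0.212.cust.lkq.sprintlink.net.
63.171.0.212.cust.lkq.sprintlink.net. 86400 IN PTR mail1.lkqcorp.com.

;; AUTHORITY SECTION:
cust.lkq.sprintlink.net. 86400  IN      NS      ns1-auth.sprintlink.net.
"""

RR = Tuple[str, int, str, str, str]  # owner, ttl, class, type, rdata


@dataclass
class DigResult:
    status: str
    flags: List[str]
    qname: str
    qtype: str
    answers: List[RR] = field(default_factory=list)


STATUS_RE = re.compile(r"status:\s*(\w+)")
FLAGS_RE = re.compile(r"^;; flags:\s*([^;]*);")
QUESTION_RE = re.compile(r"^;(\S+)\s+IN\s+(\S+)")


def parse_dig(text: str) -> DigResult:
    """Extract status, header flags, the question and the ANSWER section RRs."""
    status, flags, qname, qtype = "", [], "", ""
    answers: List[RR] = []
    section = None
    for line in text.splitlines():
        if line.startswith(";; ->>HEADER<<-"):
            m = STATUS_RE.search(line)
            status = m.group(1) if m else ""
        elif line.startswith(";; flags:"):
            m = FLAGS_RE.match(line)
            flags = m.group(1).split() if m else []
        elif line.startswith(";; ") and line.endswith("SECTION:"):
            section = line[3:-len(" SECTION:")]  # QUESTION, ANSWER, ...
        elif not line.strip():
            section = None  # a blank line ends the current section
        elif section == "QUESTION":
            m = QUESTION_RE.match(line)
            if m:
                qname, qtype = m.groups()
        elif section == "ANSWER":
            parts = line.split(None, 4)  # owner ttl class type rdata
            if len(parts) == 5:
                owner, ttl, klass, rtype, rdata = parts
                answers.append((owner, int(ttl), klass, rtype, rdata.strip()))
    return DigResult(status, flags, qname, qtype, answers)


def follow_chain(result: DigResult, max_hops: int = 8) -> List[str]:
    """Follow CNAMEs from the question name; return the rdata of the queried
    type at the end of the chain, or [] if the chain does not complete."""
    name = result.qname
    for _ in range(max_hops):
        wanted = [r[4] for r in result.answers if r[0] == name and r[3] == result.qtype]
        if wanted:
            return wanted
        cnames = [r[4] for r in result.answers if r[0] == name and r[3] == "CNAME"]
        if not cnames:
            return []
        name = cnames[0]
    return []


def diagnose(validating: DigResult, non_validating: DigResult) -> str:
    """SERVFAIL only while validating points at the zone's DNSSEC data or
    chain of trust rather than at the resolver or the network."""
    if validating.status == "SERVFAIL" and non_validating.status == "NOERROR":
        return "dnssec-validation-failure"
    if validating.status == non_validating.status:
        return "ok" if validating.status == "NOERROR" else "resolution-failure"
    return "inconsistent"


if __name__ == "__main__":
    v, n = parse_dig(VALIDATING), parse_dig(NON_VALIDATING)
    print(diagnose(v, n), follow_chain(n))
```

The CNAME-following step matters for this thread: the PTR for 212.0.171.63.in-addr.arpa only exists at the end of a CNAME into cust.lkq.sprintlink.net, so a validating resolver has to validate that second zone as well, which is where the SERVFAIL comes from.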

