[Smaug] scruz.org domain records and DNS: fixed

Rick Moen rick at linuxmafia.com
Wed Nov 30 13:39:33 PST 2005

With the kind help of Crawford Rainwater, our friend in Colorado who 
has personally underwritten Smaug's domain registration (for SCRUZ.ORG)
since December 2003, I've banged our DNS fully into shape:  Updates at
our registrar went through yesterday.  I thought y'all might be
interested in details:

After removing a few nameservers that had, somewhat disappointingly, 
stopped doing secondary for us without notice[1], we were down to these

NS1.LINUXMAFIA.COM at (Rick Moen's box)
NS1.PHOSPHOR.NET at (Eric Cain's box)
NS.INFINITELOOPFILMS.COM at (David A. Gatwood's box)

After a little work at Crawford's end with domain registrar
DomainDiscover, all our records were functional and consistent _both_ at
the primary scruz.org zonefile (on NS1.LINUXMAFIA.COM) and in our
parent .ORG domain's records, which Crawford adjusts at DomainDiscover.

As an aside:  The _biggest_ area of DNS errors by far, generally, is
forgetting to adjust the parent-zone (i.e., registrar) nameserver
records when you change those in your zonefile.

There remained one problem:  No glue records at the parent .ORG zone.
"What are glue records, and why should I care?", I hear you ask.  I'll

Consider the situation of someone out on the Net attempting to browse 
our Web site.  The user's Web browser wants to look up "www.scruz.org".
To do so, it must first find out where scruz.org's nameservers are.
so it hands off the request to the machine's DNS resolver library.
(In Linux, this is code borrowed from BIND8 that's been bundled into
glibc.)  The resolver library looks up (i.e., via /etc/resolv.conf
on Linux) a nearby caching nameserver, and passes the "Where are
scruz.org's nameserver, i.e., its NS records?" query to there.

Let's say the caching nameserver doesn't know, yet.  So, it has to ask
.ORG's (our parent zone's) nameservers.  If necessary, it looks _those_
nameservers up via the root nameservers, but probably already has them 
in cache, and let's say it decides to ask TLD6.ULTRADNS.CO.UK.[2]

It asks TLD6.ULTRADNS.CO.UK for the "NS" records of domain scruz.org, 
and hears back some return values that equate to 


...but _not_ their IP addresses (which it needs, to actual talk to
them).  So, the caching nameserver is obliged to come right back and
say, "OK, TLD6.ULTRADNS.CO.UK, what are the "A" records (IP addresses)
for those three names?"

The designers of DNS decided that routinely making such follow-up
queries was silly:  Since the querying nameserver is going to _need_ 
the matching "A" information every time it asks for an NS record, that
extra information might as well get sent along, the first time.

That's what glue records are.  It's the "A" (IP address) information 
that corresponds to NS names, sent back along with the latter
automatically:  Glue records make DNS faster, by averting the need for 
those follow-up "A" queries.  (In the special case of a nameserver whose
own name is in-zone, they also are necessary to avert a chicken-and-egg
problem where you cannot find ns1.foo.com in order to resolve foo.com
names because need to be able resolve foo.com names generically before
you can resolve ns1.foo.com.)

And we didn't have glue records.  Upon reflection, I realised that this
was because .ORG's nameservers _could not_ store glue records for .COM
and .NET hostnames, because .ORG's nameservers _lack authority_ over
those other namespaces.  This is called the "out-of-bailiwick" problem:
Glue names from outside a nameserver's authority are invalid and cannot
be permitted, because they could be used by malign nameservers (or
intruders who've compromised nameservers) to do "cache poisoning" on 
other nameservers.  (Cache poisoning is very bad, letting bad guys
effectively redirect entire domains' traffic to elsewhere.)

Many people ignore glue problems.  Either their glue records got created
automatically in their domains' parent zones (e.g., because all
nameservers are in .NET/.COM and so is the domain itself), or this gets
flubbed entirely and they never notice.  In the former case, many if not
most people _completely fail_ to realise that it needs fixing whenever
namservers' NS or A records change -- because they aren't even aware of
those records in the parent zone, in the first place.

If you _do_ notice a glue problem (as I did), and cannot fix it the
direct way because of bailiwick issues, you have to do an end-run, by
defining new, in-bailiwick names for affected nameservers and using
those, instead.  And that's what we did.  For each of the three, we
invented names _within scruz.org_, pointed to the same IP as before.
Here's our current zonefile at the master nameserver:

$TTL 86400
$ORIGIN scruz.ORG.
@       IN      SOA     ns1.scruz.ORG.     rick.deirdre.NET. (
                        2005112304              ; serial
                        10800                   ; refresh 3 hours
                        3600                    ; retry 1 hour
                        2419200                 ; expire 672 hours
                        86400                   ; minimum 24 hours
		IN	TXT	"v=spf1 a mx ~all"
		IN      A
                IN      MX      10      linuxmafia.COM.
		IN	NS	ns1.scruz.org.
		IN	NS	ns2.scruz.org.
		IN	NS	ns3.scruz.org.
; ns1 is aka ns1.linuxmafia.com, Rick Moen's box
ns1             IN      A
; ns2 is aka ns1.phosphor.net, Eric Cain's box.
ns2		IN	A
; ns3 is aka ns.infiniteloopfilms.com, David A. Gatwood's box.
ns3		IN	A
www		IN	CNAME	smaug.got.net.
ftp             IN	CNAME	smaug.got.net.
cvs		IN	CNAME	cvs.sourceforge.net.

Notice the three replacement "NS" lines.  Notice that each one also has
a corresponding "A" (forward-lookup) record, to go with it.  (As an
additional detail, notice that the name of the master nameserver in the
SOA record also had to change.)

The last detail, the one that Crawford recently took care of for us, was 
changing the NS records for our domain at DomainDiscover (and thus
editing our records in the parent .ORG zonefile), to use the new names
and in doing so, finally, create the desired glue records.

Getting back to our example of the caching nameserver, it would send
this "Where are scruz.org's nameservers?" to .ORG's TLD6.ULTRADNS.CO.UK

[rick at linuxmafia]
~ $ dig -t ns scruz.org @TLD6.ULTRADNS.CO.UK

; <<>> DiG 9.3.1 <<>> -t ns scruz.org @TLD6.ULTRADNS.CO.UK
; (1 server found)
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 46077
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 3, ADDITIONAL: 3

;scruz.org.                     IN      NS

scruz.org.              86400   IN      NS      ns3.scruz.org.
scruz.org.              86400   IN      NS      ns2.scruz.org.
scruz.org.              86400   IN      NS      ns1.scruz.org.

ns3.scruz.org.          86400   IN      A
ns2.scruz.org.          86400   IN      A
ns1.scruz.org.          86400   IN      A

;; Query time: 62 msec
;; WHEN: Wed Nov 30 13:16:56 2005
;; MSG SIZE  rcvd: 129

[rick at linuxmafia]
~ $ 

This confirms the results of my and Crawford's fixes.  Notice the
"AUTHORITY SECTION" bit, which has the (authoritative) answer, _and_ the
"ADDITIONAL SECTION" bit, which consists of matching glue records -- the
answer to two questions for the price of one.

Armed with this information, the caching nameserver can now ask any of
scruz.org's authoritative nameservers (now that it knows how to reach
them) what IP address "www.scruz.org" is at.

My thanks again to Crawford Rainwater, for his help.

If people have any interest, I can point out how badly other local 
Linux groups' DNS / domain records are screwed up, in comparison.  ;->

[1] These were David A. Gatwood's NS.GATWOOD.NET and NS.SONGCUE.COM, and 
Graham Freeman's NS1.CALTEG.ORG.  I now notice that NS.SONGCUE.COM is 
back online, but the other two _still_ don't even respond to ping, any
more.  I'm just now sending notes to their owners, thanking them for
past nameservice from those hosts, advising them of the changes, etc.

[2] http://www.iana.org/root-whois/org.htm

Rick Moen                 "Anger makes dull men witty, but it keeps them poor."
rick at linuxmafia.com                                   -- Elizabeth Tudor

More information about the Smaug mailing list