[volunteers] Nameserver

Rick Moen rick at linuxmafia.com
Wed May 18 17:12:54 PDT 2016


Quoting Daniel Gimpelevich (daniel at gimpelevich.san-francisco.ca.us):

> I wasn't referring to svlug.net in this instance, but svlug.ORG, because
> that's the domain for which there might be no glue records after a
> protracted outage since there are no out-of-band nameservers in the same
> TLD.

This is incorrect.

You still don't understand how glue records work.  Illustration:

Litte-Datamaskin:~ rick$ dig -t ns org.

; <<>> DiG 9.8.3-P1 <<>> -t ns org.
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4660
;; flags: qr rd ra; QUERY: 1, ANSWER: 6, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;org.				IN	NS

;; ANSWER SECTION:
org.			15817	IN	NS	b2.org.afilias-nst.org.
org.			15817	IN	NS	d0.org.afilias-nst.org.
org.			15817	IN	NS	a2.org.afilias-nst.info.
org.			15817	IN	NS	c0.org.afilias-nst.info.
org.			15817	IN	NS	b0.org.afilias-nst.org.
org.			15817	IN	NS	a0.org.afilias-nst.info.

;; Query time: 100 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Wed May 18 16:57:16 2016
;; MSG SIZE  rcvd: 159

Litte-Datamaskin:~ rick$ dig -t ns svlug.org. @b2.org.afilias-nst.org.

; <<>> DiG 9.8.3-P1 <<>> -t ns svlug.org. @b2.org.afilias-nst.org.
;; global options: +cmd
;; connection timed out; no servers could be reached
Litte-Datamaskin:~ rick$ dig -t ns svlug.org. @d0.org.afilias-nst.org.

; <<>> DiG 9.8.3-P1 <<>> -t ns svlug.org. @d0.org.afilias-nst.org.
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 36600
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 3, ADDITIONAL: 3
;; WARNING: recursion requested but not available

;; QUESTION SECTION:
;svlug.org.			IN	NS

;; AUTHORITY SECTION:
svlug.org.		86400	IN	NS	ns3.svlug.org.
svlug.org.		86400	IN	NS	ns1.svlug.org.
svlug.org.		86400	IN	NS	ns2.svlug.org.

;; ADDITIONAL SECTION:
ns1.svlug.org.		86400	IN	A	64.62.190.98
ns2.svlug.org.		86400	IN	A	198.144.194.12
ns3.svlug.org.		86400	IN	A	198.144.195.186

;; Query time: 65 msec
;; SERVER: 199.19.57.1#53(199.19.57.1)
;; WHEN: Wed May 18 16:58:30 2016
;; MSG SIZE  rcvd: 129

Litte-Datamaskin:~ rick$ 


See the 'Additional Section' IP data?  This is served up automatically
by the parent org. zone's nameservers on any request for NS information 
about svlug.org., _irrespective_ of whether any of the three authoritative
nameservers for svlug.org. are online.  That is what I meant when I said
that you were making incorrect claims because you didn't know who glue
records work.

_Please_ do not continue to make claims about DNS nameservice until you
actually understand glue records. 

You owe me the last five minutes back.

I'm not kidding, Daniel.  You have been wasting your time and mine, and
I really do not like that.

I do not have time to teach you DNS.  (But on reflection I'm going to
piss away a few more minutes anyway in a brief tutorial below about how
to add an additional nameserver.  Please do not make it necessary for me
to go on a broader teaching regimen or clean up after you.)

Please do not screw around with DNS without understanding what you are
doing.

Briefly, this is the order of operations for bringing online an
additional slave nameserver.

1.  On master, add AXFR/IXFR ACL to the nameserver in question.  (You say 
you've done this.)

2.  Get admin of slave nameserver to agree to do nameservice, and get 
his/her confirmation of successful AXFR.

3.  Use 'dig' to query both master and slave for the SOA record, and
ensure that the S/Ns match.

4.  Add 'NS' line for the new slave nameserver to the zone.  Use 'dig'
to query both master and slave for the SOA record, and ensure that the 
S/Ns match and reflect the incremented S/N.

5.  Use domain login credentials to add the new slave namserver to the
authoritative list within the parent zone.

6.  Use dig (optionally and whois) to verify that both the zone's
authoritative namservers and the parent zone's authoritative nameservers
still show a matching set of authoritative nameservers for the domain, 
now with one additional entry.


Please do not proceed with this operation if you are unsure of any part
of it.

The removal of an authoritative nameserver is approximately an inverse
of that operation, first removing authority at the parent zone, then 
removing NS line served up in-zone, then using dig against both the
zone's authoritative nameservers and against the parent zone's
nameservers to verify that the sets once again match.




 After I posted to the list, I went ahead and asked for
> ns1.balug.org being secondary. The answer was, in part:
> 
> On Wed, 2016-05-18 at 13:08 -0700, Michael Paoli wrote:
> > If you want, sure, but be advised it's not exactly high-availability,
> > high bandwidth, nor low latency host ... though I certainly do keep
> > it up to the extent reasonably feasible, and most of the time the
> > latency isn't too bad.
> 
> I preliminarily added the ACL allowing AXFR/IXFR to it, but it won't be
> live unless he gets word to go ahead despite the above concerns.
> 
> 
> 
> _______________________________________________
> volunteers mailing list
> volunteers at lists.svlug.org
> http://lists.svlug.org/lists/listinfo/volunteers



More information about the volunteers mailing list