Ian Smith smithi at
Fri Nov 5 07:28:32 UTC 2010

In freebsd-questions Digest, Vol 335, Issue 8, Message: 29
On Fri, 05 Nov 2010 01:32:11 -0400 Jon Radel <jon at> wrote:
 > On 11/5/10 12:22 AM, kline wrote:
 > > It is time to  get this stuff arrow-straight, so hoping that someone
 > > on-list can clue me in.
 > >

 > If your parents, the nameservers authoritative for .org, tell the world 
 > that one of the nameservers for is, they 
 > also have to tell the world what the IP address for is 
 > using an A record.  That A record is glue.  Otherwise you get a machine 
 > conversation something like:
 > Resolving nameserver trying to find a record in the zone 
 > (RN):  Please Mr. root server, I'd like to know about
 > Root:  See the .org folks over there....
 > RN:  Please Mr. top-level dude, about that
 > Org: Well, see
 > RN:  Ahem, I'm trying to find out basic stuff about and I 
 > don't know the address for in order to ask it
 > Org:  Well, ask what the address for is...
 > RN:  But, but, but....followed by petulant stomping off
 > Glue A records fix that problem.

Lovely description Jon :)  But you don't always have any control of what 
parent nameservers do; eg we do DNS for a .com but both NS are in .au so 
DNS reports always whinge about lack of glue .. nonetheless it works, 
though only after a hunt down through the .au servers, until cached.

 > BTW, the fact that a glue record isn't returned for in 
 > response to a query about NS records for really isn't a 
 > problem; note the "info" rather than "fail" from DNSCog.
 > Biggest problem I still see is that refuses to respond 
 > to queries about  You sure your account there is still 
 > active and functional and that you're allowing zone transfers to them?  

Confirmed here, no response at all after a good long wait; worse than 
returning 'we don't do'

% dig
; <<>> DiG 9.3.4-P1 <<>>
; (1 server found)
;; global options:  printcmd
;; connection timed out; no servers could be reached

where they really should be quickly issuing a REFUSED response. 'dig' works fine, so I'm reaching it ok.

 > I note that you don't allow transfers from arbitrary addresses, and 
 > does warn 
 > that the source address for transfer requests was/will/did change.
 > Some of the problems reported by DNSCog appear to be bogus.  They've got 
 > some bugs related to cases where a nameserver has a name in the domain 
 > in question.  (And also some bugs related to nameservers which are 
 > reachable by both ipv4 and ipv6, but that doesn't apply to you.)

Bogus indeed.  Tested one local domain there and got whinging about not 
accepting <> and postmaster@ mail; odd, thought I, but maillog shows:

Nov  4 22:43:43 xxxx sm-mta[81227]: ruleset=check_relay, 
  arg1=[], arg2=, relay=[], 
  reject=550 5.7.1 Fix reverse DNS for

% dig -x
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 18278
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0

;   IN      PTR

;; AUTHORITY SECTION:
1800   IN      SOA 2008082768 10800 1800 604800 1800

Seems a bit amateurish to me, running a service like that on a dynamic 
address without reverse resolution, then expecting mail to work ..

cheers, Ian
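
The glue rule discussed in this thread, as an added example that is not part of the original messages: a nameserver named inside the zone it serves needs a glue address from the parent, while one named in another zone (the .com domain with both NS in .au) does not. The zone names, nameserver names and addresses below are constructed placeholders.

```python
def _labels(name):
    # DNS names compare case-insensitively; drop the trailing root dot.
    return [p for p in name.lower().split(".") if p]

def is_subdomain(name, zone):
    """True if name equals zone or sits below it, compared label by label."""
    n, z = _labels(name), _labels(zone)
    return len(n) >= len(z) and n[len(n) - len(z):] == z

def check_delegation(zone, ns_names, glue):
    """Classify each NS of a delegation.

    glue maps a nameserver name to the addresses the parent hands out for it.
    """
    glue_by_name = {".".join(_labels(k)): v for k, v in glue.items()}
    report = {}
    for ns in ns_names:
        key = ".".join(_labels(ns))
        if not is_subdomain(ns, zone):
            # Address is found by walking the nameserver's own zone, so the
            # parent of `zone` has nothing it must add.
            report[key] = "out-of-zone, no glue needed"
        elif glue_by_name.get(key):
            report[key] = "in-zone, glue present"
        else:
            # Resolver would have to ask this server for its own address.
            report[key] = "in-zone, GLUE MISSING"
    return report

# Constructed sample delegations (reserved example names, documentation address).
SAMPLES = [
    ("example.org", ["ns1.example.org", "ns2.example.org."],
     {"NS1.Example.Org.": ["192.0.2.53"]}),
    ("example.com", ["ns1.example.net.au", "ns2.example.net.au"], {}),
    # A plain string suffix test would wrongly treat this NS as in-zone.
    ("ample.org", ["ns.example.org"], {}),
]

if __name__ == "__main__":
    for zone, ns_names, glue in SAMPLES:
        for ns, verdict in check_delegation(zone, ns_names, glue).items():
            print(f"{zone:12} {ns:20} {verdict}")
```
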
