
Can anyone verify that MX records for va.gov are broken?


Mail Man

Nov 5, 2013, 9:18:26 AM
I'm getting different results from different servers while trying to do
an mx lookup for va.gov (veterans affairs / veterans administration).

OpenDNS - works - 208.67.222.222, 208.67.220.220
Norton DNS - time outs - 198.153.192.1, 198.153.194.1
Google DNS - SERVFAIL - 8.8.8.8, 8.8.4.4.


Try resolving other records types besides MX and other name servers, I
see a problem even with Google's 8.8.8.8 and 8.8.4.4 as well as other
public DNS servers for va.gov.

The MX works but set q=any fails.

==================
[root@apps ~]# nslookup - 8.8.8.8
> set q=mx
> va.gov
Server: 8.8.8.8
Address: 8.8.8.8#53

Non-authoritative answer:
va.gov mail exchanger = 10 mx20.va.gov.

Authoritative answers can be found from:
> set q=any
> va.gov
Server: 8.8.8.8
Address: 8.8.8.8#53

** server can't find va.gov: SERVFAIL
=====================

See also:

http://www.intodns.com/va.gov

VanguardLH

Nov 5, 2013, 1:14:55 PM
From http://mxtoolbox.com/DNSLookup.aspx, and selecting "MX Lookup" from
the "DNS" drop-down list, I get for "va.gov":

mx20.va.gov 152.131.26.44

It doesn't query ALL record types from the nameserver, just the type you
specify. The "DNS Lookup" choice returns the A record. The above log
doesn't say on which record type the query failed. When I specified a
CNAME lookup at mxtoolbox, that lookup failed. Well, there may not be a
redirection in their nameserver. They don't have to use one if they
don't want to. Your own NNTP provider (aioe.org) doesn't have any CNAME
records, either.

http://en.wikipedia.org/wiki/CNAME_record

I don't get the SERVFAIL error that you do; however, I might not be
running the same nslookup program. I'm using Windows 7. You didn't say
what you use so you might be under some *NIX variant using its flavor of
nslookup. When I use "server 8.8.8.8" (or 8.8.4.4) I get timeouts on
the "set q=any" for the va.gov request; however, when I use my own ISP's
DNS server then I get:

server 8.8.8.8
> set q=any
> va.gov
Server: UnKnown
Address: 192.168.1.1

Non-authoritative answer:
va.gov nameserver = ns1x.va.gov
va.gov nameserver = ns4x.va.gov
va.gov nameserver = ns3x.va.gov
va.gov nameserver = ns2x.va.gov
va.gov ??? unknown type 46 ???

ns3x.va.gov internet address = 152.132.16.7

From http://en.wikipedia.org/wiki/List_of_DNS_record_types, record type
46 is RRSIG (DNSSEC signature). Here's something I happened to find on
my ISP's DNS site about .gov domains and DNSSEC:

http://dns.comcast.net/

With the US gov't in financial sequester mode, yeah, I can see this
still not getting addressed after 3 months. DNSSEC is an old spec but
not adopted until a couple years ago and still not yet overwhelmingly
implemented (maybe all of 4% to 7% of DNS servers employ DNSSEC; see
https://labs.ripe.net/Members/gih/counting-dnssec).

So it looks like Google's DNS doesn't like requests on ANY record type.
My ISP's DNS and OpenDNS (208.67.222.222) work okay. I'm assuming you
are just using OpenDNS without an account (which could change results
depending on filters you define in an account). I stopped using OpenDNS
because they are spammers. Instead of returning a 404 error for a typo
on a URL or for non-existent domains, they redirect you to their
"helper" search page so they can generate some revenue from there. Yes,
if you have an account (which means installing their DNS updater client
so they can associate your account with your current IP address) at
OpenDNS then you can disable this redirection except that also means
losing several other features which was why you created an account so
you would have them. They punish you for disabling their redirection.
'Tis also why I don't use Norton DNS or Ultra DNS. My own ISP tried this
revenue-generating trick but gave their customers an option to disable
it (which I did). When Verisign tried this trick of redirecting to the
revenue-generating search page whenever a .com lookup failed, they got so
heavily blasted that they ceased. Yet OpenDNS, Norton, some ISPs, and
other DNS providers still use this trick to "help" you find where they
think you meant to go. I use my ISP's DNS server (with "helper"
redirection disabled) and Google's DNS because those are more properly
behaved servers.

Google DNS does not work (for now). You didn't say WHICH of the Norton
DNS servers you used. They all start with 198.153.[192/194] and end
with: .40 for Security, .50 for Security and Pornography, and .60 for
Security, Pornography, and Non-Family Friendly (I'm assuming
"Pornography" is really "Anti-Pornography"). Whichever I use (.40, .50,
or .60), they all result in timeouts for "set q=any" on va.gov, so
Norton DNS is behaving like Google DNS on "set q=any" in that respect.

So it looks like DNS servers are not created equal. In fact, the ones
that I use (ISP and Google) are both non-authoritative servers. When I
use Google DNS (8.8.8.8) on a dig, I get:

Dig va....@8.8.8.8 ...
Non-authoritative answer
Recursive queries supported by this server
Nameserver has a problem and can't talk right now

When I use my ISP's DNS server, I get:

Dig va....@75.75.76.76 ...
Non-authoritative answer
Recursive queries supported by this server
Query for va.gov type=255 class=1
va.gov NS (Nameserver) ns2x.va.gov
va.gov NS (Nameserver) ns3x.va.gov
va.gov NS (Nameserver) ns4x.va.gov
va.gov NS (Nameserver) ns1x.va.gov
va.gov Unrecognised resource record (46)

Although I tried to use the "set q=soa" directive to get at the
authoritative DNS server for my ISP (comcast.net) which is
69.252.250.103, trying to get the record returns "Query refused.
Nameserver won't talk to me for policy reasons". Oh well, I don't know
an authoritative DNS server for my use to see how the dig results might
vary. So results vary depending on the DNS server I use (and can use).

Oh, and back to your query "MX records for va.gov are broken", well,
they aren't. Your own "set q=mx" returned the MX record so it does
work.


*Oops, I see I'm responding to our voluminous nymshifter changing his nym*
*in every newsgroup: (Spam|Virus|...) (Guy|Man). Should've checked*
*that first. Bye bye*
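The posts above turn on three things that nslookup reports only indirectly: the RCODE behind "SERVFAIL", the MX answer itself, and record type 46, which the Windows nslookup in the previous post prints as "unknown type 46" and the Wikipedia table identifies as RRSIG. The following is an added example, not code from anyone in this thread: a small DNS wire-format builder and parser in Python that decodes those fields by name. The three responses it feeds itself are constructed by hand to mirror what the thread describes (an MX answer, an ANY answer carrying an RRSIG, and an empty SERVFAIL); they are not captures from va.gov's name servers, and the RRSIG's signature bytes are zero-filled placeholders.

```python
"""DNS wire-format helpers (added example): build a query, decode a response.

Type and RCODE numbers are from RFC 1035 / RFC 4034; everything else here,
including the sample responses, is constructed for offline use.
"""
import struct

QTYPE = {1: "A", 2: "NS", 5: "CNAME", 6: "SOA", 15: "MX", 16: "TXT",
         28: "AAAA", 46: "RRSIG", 48: "DNSKEY", 255: "ANY"}
RCODE = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN",
         4: "NOTIMP", 5: "REFUSED"}


def encode_name(name):
    """Encode a dotted name as length-prefixed labels (no compression)."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(name, qtype, txid=0x1234):
    """Standard recursive query (RD=1), one question, IN class."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)


def decode_name(msg, offset):
    """Decode a possibly compressed name; return (name, offset after it)."""
    labels, jumped, end = [], False, None
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:                      # compression pointer
            pointer = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            if not jumped:
                end = offset + 2                       # resume after the pointer
            jumped, offset = True, pointer
            continue
        offset += 1
        if length == 0:
            break
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels) + ".", (end if jumped else offset)


def decode_rdata(msg, rtype, rdata, start):
    """Render rdata for the types seen in the thread; hex for anything else."""
    if rtype == 1 and len(rdata) == 4:
        return ".".join(str(b) for b in rdata)
    if rtype in (2, 5):                                # NS / CNAME: a name
        return decode_name(msg, start)[0]
    if rtype == 15:                                    # MX: preference + name
        pref = struct.unpack("!H", rdata[:2])[0]
        return f"{pref} {decode_name(msg, start + 2)[0]}"
    if rtype == 46:                                    # RRSIG: first field is the covered type
        covered = struct.unpack("!H", rdata[:2])[0]
        return f"covers {QTYPE.get(covered, covered)}"
    return rdata.hex()


def parse_response(msg):
    """Return the transaction id, RCODE name and all RRs in the message."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    offset = 12
    for _ in range(qd):                                # skip the question section
        _, offset = decode_name(msg, offset)
        offset += 4                                    # QTYPE + QCLASS
    records = []
    for _ in range(an + ns + ar):
        name, offset = decode_name(msg, offset)
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[offset:offset + 10])
        offset += 10
        records.append((name, QTYPE.get(rtype, f"TYPE{rtype}"),
                        decode_rdata(msg, rtype, msg[offset:offset + rdlen], offset)))
        offset += rdlen
    return {"id": txid, "rcode": RCODE.get(flags & 0xF, str(flags & 0xF)),
            "records": records}


def build_response(query, rcode, records):
    """Answer `query` with (name, rtype, ttl, rdata) records; QR=RD=RA=1."""
    txid = struct.unpack("!H", query[:2])[0]
    qname, _ = decode_name(query, 12)
    header = struct.pack("!HHHHHH", txid, 0x8180 | rcode, 1, len(records), 0, 0)
    body = b""
    for name, rtype, ttl, rdata in records:
        owner = b"\xC0\x0C" if name == qname else encode_name(name)   # point at question name
        body += owner + struct.pack("!HHIH", rtype, 1, ttl, len(rdata)) + rdata
    return header + query[12:] + body


# Constructed samples mirroring the thread (not real captures).
QUERY_MX = build_query("va.gov", 15)
MX_RESPONSE = build_response(QUERY_MX, 0, [
    ("va.gov.", 15, 600, struct.pack("!H", 10) + encode_name("mx20.va.gov"))])
QUERY_ANY = build_query("va.gov", 255)
ANY_RESPONSE = build_response(QUERY_ANY, 0, [
    ("va.gov.", 2, 1800, encode_name("ns1x.va.gov")),
    # RRSIG: covered type NS, alg 8, 2 labels, TTL, expiry, inception, key tag,
    # signer name, then placeholder signature bytes.
    ("va.gov.", 46, 1800, struct.pack("!HBBIIIH", 2, 8, 2, 1800, 0, 0, 0)
     + encode_name("va.gov") + b"\x00" * 8)])
SERVFAIL_RESPONSE = build_response(QUERY_ANY, 2, [])

if __name__ == "__main__":
    for label, resp in (("MX", MX_RESPONSE), ("ANY", ANY_RESPONSE), ("ANY via Google", SERVFAIL_RESPONSE)):
        print(label, parse_response(resp))
```

Run it as a script and the three decoded responses line up with the thread: the MX query yields "10 mx20.va.gov." with NOERROR, the ANY query yields the NS record plus a record labelled RRSIG (not "unknown type 46"), and the third carries no records with RCODE SERVFAIL, which is the resolver saying it could not complete the lookup rather than that the name has no MX.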

Thor Kottelin

Nov 5, 2013, 4:38:50 PM
"Mail Man" <Ma...@Man.com> wrote in message
news:5278FE32...@Man.com...
> I'm getting different results from different servers while trying to do
> an mx lookup for va.gov (veterans affairs / veterans administration).

$ dig va.gov mx +trace

; <<>> DiG 9.3.6-P1-RedHat-9.3.6-20.P1.el5_8.6 <<>> va.gov mx +trace
;; global options: printcmd
. 83942 IN NS f.root-servers.net.
. 83942 IN NS m.root-servers.net.
. 83942 IN NS c.root-servers.net.
. 83942 IN NS a.root-servers.net.
. 83942 IN NS g.root-servers.net.
. 83942 IN NS k.root-servers.net.
. 83942 IN NS d.root-servers.net.
. 83942 IN NS j.root-servers.net.
. 83942 IN NS e.root-servers.net.
. 83942 IN NS h.root-servers.net.
. 83942 IN NS b.root-servers.net.
. 83942 IN NS l.root-servers.net.
. 83942 IN NS i.root-servers.net.
;; Received 449 bytes from 217.30.180.230#53(217.30.180.230) in 2 ms

gov. 172800 IN NS a.gov-servers.net.
gov. 172800 IN NS b.gov-servers.net.
;; Received 131 bytes from 192.5.5.241#53(f.root-servers.net) in 30 ms

va.gov. 86400 IN NS ns1x.va.gov.
va.gov. 86400 IN NS ns2x.va.gov.
va.gov. 86400 IN NS ns3x.va.gov.
va.gov. 86400 IN NS ns4x.va.gov.
;; Received 276 bytes from 69.36.157.30#53(a.gov-servers.net) in 117 ms

va.gov. 600 IN MX 10 mx20.va.gov.
va.gov. 1800 IN NS ns3x.va.gov.
va.gov. 1800 IN NS ns2x.va.gov.
va.gov. 1800 IN NS ns4x.va.gov.
va.gov. 1800 IN NS ns1x.va.gov.
;; Received 253 bytes from 152.130.16.7#53(ns1x.va.gov) in 114 ms

$ dig mx20.va.gov +trace

; <<>> DiG 9.3.6-P1-RedHat-9.3.6-20.P1.el5_8.6 <<>> mx20.va.gov +trace
;; global options: printcmd
. 83712 IN NS j.root-servers.net.
. 83712 IN NS c.root-servers.net.
. 83712 IN NS i.root-servers.net.
. 83712 IN NS b.root-servers.net.
. 83712 IN NS g.root-servers.net.
. 83712 IN NS k.root-servers.net.
. 83712 IN NS f.root-servers.net.
. 83712 IN NS m.root-servers.net.
. 83712 IN NS h.root-servers.net.
. 83712 IN NS e.root-servers.net.
. 83712 IN NS l.root-servers.net.
. 83712 IN NS a.root-servers.net.
. 83712 IN NS d.root-servers.net.
;; Received 449 bytes from 217.30.180.230#53(217.30.180.230) in 1 ms

gov. 172800 IN NS b.gov-servers.net.
gov. 172800 IN NS a.gov-servers.net.
;; Received 136 bytes from 192.58.128.30#53(j.root-servers.net) in 191 ms

va.gov. 86400 IN NS ns1x.va.gov.
va.gov. 86400 IN NS ns2x.va.gov.
va.gov. 86400 IN NS ns3x.va.gov.
va.gov. 86400 IN NS ns4x.va.gov.
;; Received 281 bytes from 209.112.123.30#53(b.gov-servers.net) in 138 ms

mx20.va.gov. 30 IN A 152.131.26.44
;; Received 45 bytes from 152.130.16.7#53(ns1x.va.gov) in 117 ms


Follow-ups narrowed.

--
Thor Kottelin
http://www.anta.net/

mungerjoe

Nov 5, 2013, 11:57:39 PM
On Tue, 05 Nov 2013 09:18:26 -0500, Mail Man <Ma...@Man.com> wrote:

>I'm getting different results from different servers while trying to do
>an mx lookup for va.gov (veterans affairs / veterans administration).

The several DNS servers for the domain have different A records for
the MX record. If all the designated servers accept email for the
domain nothing is broken.

>OpenDNS - works - 208.67.222.222, 208.67.220.220
>Norton DNS - time outs - 198.153.192.1, 198.153.194.1
>Google DNS - SERVFAIL - 8.8.8.8, 8.8.4.4.
>
>
>Try resolving other records types besides MX and other name servers, I
>see a problem even with Google's 8.8.8.8 and 8.8.4.4 as well as other
>public DNS servers for va.gov.
>
>The MX works but set q=any fails.

The "any" type means different things to different servers. The
authoritative servers for the domain don't respond to me when the
query type is "any". They might respond to Google with a bugger-offish
type of answer, though.

--
Joe