This may not be bind related but I am seeing some strange things with
this site:
web.da-us.citibank.com.
When going to http://www.citibankonline.com in the US, this is the URL
it forwards to.
The strange thing is, every time I try to go to the site from work,
after a couple of minutes, the DNS servers at my work place stop
resolving the host web.da-us.citibank.com. And if immediately I logon
to my private isp machine offsite, and do a dig or nslookup, it won't
resolve either. I would get a SERVFAIL error from nslookup thereafter.
If I let it sit for 10 minutes or so, nslookup will start working
fine. I never have any problem getting to the site from home.
I find from running dig/nslookup that this host has a TTL of 0. Is
that a false result or, if not, could it be causing a problem like this?
I've talked to the network people briefly and they are not blocking
access to the site. But since it's really not a work-related site, I
haven't really pushed them to debug their DNS server setup. But if I get
more understanding of the plausible cause, then I can talk to them.
Thanks!
They fail to respond to AAAA queries.
% dig www.citibank.com @wlbnj01.nsroot2.com +norec aaaa
; <<>> DiG 9.3.2 <<>> www.citibank.com @wlbnj01.nsroot2.com +norec aaaa
; (1 server found)
;; global options: printcmd
;; connection timed out; no servers could be reached
%
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: Mark_A...@isc.org
Thanks!
...
ling
It is not necessary to have an AAAA record, but the server does need to
respond to such a query with a no such record response. Otherwise
you will have to wait until your machine times out and stops waiting
for a response.
--
Tom Schulz
sch...@adi.com
No. But consistently responding to queries other than A queries
is. RFC 1034 / RFC 1035 describe how to respond to queries for
types you don't know about or don't have. RFC 1034 / RFC 1035
are the base DNS specifications. There is no justifiable reason
for any DNS server to get this wrong.
The nameserver for web.da-us.citibank.com is not RFC 1034 / RFC 1035
compliant.
> How does it cause a problem like I described?
This will cause the server to be marked as lame.
dig aaaa web.da-us.citibank.com @3dns-c.citibankonline.com +norec
; <<>> DiG 9.3.2 <<>> aaaa web.da-us.citibank.com @3dns-c.citibankonline.com +norec
; (1 server found)
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 4624
;; flags: qr ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;web.da-us.citibank.com. IN AAAA
;; Query time: 245 msec
;; SERVER: 192.193.183.40#53(192.193.183.40)
;; WHEN: Wed Mar 29 10:24:29 2006
;; MSG SIZE rcvd: 40
As will this.
; <<>> DiG 9.3.2 <<>> txt web.da-us.citibank.com @3dns-c.citibankonline.com +norec
; (1 server found)
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 60858
;; flags: qr ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;web.da-us.citibank.com. IN TXT
;; Query time: 249 msec
;; SERVER: 192.193.183.40#53(192.193.183.40)
;; WHEN: Wed Mar 29 10:27:08 2006
;; MSG SIZE rcvd: 40
; <<>> DiG 9.3.2 <<>> a web.da-us.citibank.com @3dns-c.citibankonline.com +norec
; (1 server found)
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 49960
;; flags: qr aa; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;web.da-us.citibank.com. IN A
;; ANSWER SECTION:
web.da-us.citibank.com. 0 IN A 192.193.187.60
;; Query time: 241 msec
;; SERVER: 192.193.183.40#53(192.193.183.40)
;; WHEN: Wed Mar 29 10:36:01 2006
;; MSG SIZE rcvd: 56
> No. But consistently responding to queries other than A queries
> is. RFC 1034 / RFC 1035 describe how to respond to queries for
> types you don't know about or don't have. RFC 1034 / RFC 1035
> are the base DNS specifications. There is no justifiable reason
> for any DNS server to get this wrong.
>
> The nameserver for web.da-us.citibank.com is not RFC 1034 / RFC 1035
> compliant.
>> How does it cause a problem like I described?
> This will cause the server to be marked as lame.
>
>dig aaaa web.da-us.citibank.com @3dns-c.citibankonline.com +norec
<<I have omitted the rest of the reply.>>
When I query the nameserver
for a version, the answer is
VERSION.BIND. 0S CHAOS TXT "8.3.7-REL"
I cannot tell if that nameserver is authoritative for the zone
The domain in question is
citibank.com
not
citibankonline.com.
But the WHOIS record for
lists these nameservers:
NS1.NSROOT1.COM 192.193.214.1
NS2.NSROOT2.COM 199.67.172.1
and those servers respond:
NS1: version.bind. 0S CHAOS TXT "nusnj19-edns01.nsroot2.com"
NS2: version.bind. 0S CHAOS TXT "9.2.4"
Of course, I have no idea if those CHAOS TXT records reflect reality.
----------------------------------------------------------------------
Barry S. Finkel
Computing and Information Systems Division
Argonne National Laboratory Phone: +1 (630) 252-7277
9700 South Cass Avenue Facsimile:+1 (630) 252-4601
Building 222, Room D209 Internet: BSFi...@anl.gov
Argonne, IL 60439-4828 IBMMAIL: I1004994
I heard back from citibank. It is a load balancer in front of
named. The load balancer handles the A queries the rest fall
through to named which is not correctly configured.
Mark
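The checks Tom and Mark describe, turned into a small offline classifier (an added example, not code from the thread): it parses dig output for the status, answer count and answer TTL, then flags the pattern where A resolves but AAAA/TXT get SERVFAIL or time out, and separately flags TTL 0 answers. The sample outputs are constructed from the dig runs quoted above; the function and code names are mine.

```python
import re
QTYPES = {"A", "AAAA", "TXT", "MX", "NS", "CNAME", "SOA", "PTR", "SRV"}  # dig defaults to A

def parse_dig(text):
    """Return (qtype, status, answer_count, min_ttl) for one dig run."""
    cmd = next((l for l in text.splitlines() if "<<>> DiG" in l), "")
    qtype = next((t.upper() for t in cmd.split() if t.upper() in QTYPES), "A")
    m = re.search(r"status: (\w+)", text)
    status = m.group(1) if m else "TIMEOUT"  # no header at all: no reply came back
    m = re.search(r"ANSWER: (\d+)", text)
    answers = int(m.group(1)) if m else 0
    ttls, in_answer = [], False
    for line in text.splitlines():
        if line.startswith(";; ANSWER SECTION"):
            in_answer = True
        elif line.startswith(";;"):
            in_answer = False
        elif in_answer and line.strip():
            ttls.append(int(line.split()[1]))  # "name TTL IN TYPE rdata"
    return qtype, status, answers, (min(ttls) if ttls else None)

def diagnose(results):
    """Turn parsed results into finding codes; the thread explains why each matters."""
    a = next((r for r in results if r[0] == "A"), None)
    codes = set()
    for qtype, status, answers, ttl in results:
        if qtype != "A" and a and a[1] == "NOERROR" and status in ("SERVFAIL", "TIMEOUT"):
            # RFC 1034/1035: a type the name lacks gets NOERROR with an empty
            # answer (NODATA). SERVFAIL or silence gets the server marked lame.
            codes.add("SERVFAIL_ON_NON_A")
        if qtype != "A" and status == "NOERROR" and answers == 0:
            codes.add("NODATA_OK")
        if ttl == 0:
            codes.add("ZERO_TTL")  # never cached: every lookup goes upstream
    return sorted(codes)

# Constructed samples, abridged from the dig output quoted in the thread.
SAMPLE_AAAA = """; <<>> DiG 9.3.2 <<>> aaaa web.da-us.citibank.com @3dns-c.citibankonline.com +norec
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 4624
;; flags: qr ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0"""
SAMPLE_A = """; <<>> DiG 9.3.2 <<>> a web.da-us.citibank.com @3dns-c.citibankonline.com +norec
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 49960
;; flags: qr aa; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
;; ANSWER SECTION:
web.da-us.citibank.com. 0 IN A 192.193.187.60"""
SAMPLE_TIMEOUT = """; <<>> DiG 9.3.2 <<>> www.citibank.com @wlbnj01.nsroot2.com +norec aaaa
;; connection timed out; no servers could be reached"""
print(diagnose([parse_dig(s) for s in (SAMPLE_A, SAMPLE_AAAA, SAMPLE_TIMEOUT)]))
```

On real servers, feed it the output of `dig <type> <name> @<server> +norec` for each type you care about; a healthy server yields only NODATA_OK for types the name lacks.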