Wpbeginner.com

Hi list,

any idea why wpbeginner.com can't be resolved
using unbound 1.3.1?

Thanks for any input.

Best regards,

  Sven Juergensen

dig any wpbeginner.com @89.27.130.35

; <<>> DiG 9.4.3-P1 <<>> any wpbeginner.com @89.27.130.35
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 20992
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;wpbeginner.com. IN ANY

;; Query time: 2877 msec
;; SERVER: 89.27.130.35#53(89.27.130.35)
;; WHEN: Mon Jul 20 12:42:47 2009
;; MSG SIZE rcvd: 32

Kind regards,

  i. A. Sven Juergensen

--
Networks and Data Centers Department

KielNET GmbH
Gesellschaft fuer Kommunikation
Preusserstr. 1-9, 24105 Kiel

Phone   : 0431 2219-053
Mobile  : 0170 403 5600
Fax     : 0431 2219-005
E-mail  : s.juergensen@kielnet.de
Internet: http://www.kielnet.de

Managing Director: Eberhard Schmidt
HRB 4499 (Kiel District Court)

PGP details at
http://pgp.kielnet.de/sjuergensen/

Hi,

Neither in unbound-1.3.2.

Sven Juergensen wrote:

$ dig IN ANY wpbeginner.com. @ns1.uzzz.net. @ns2.uzzz.net.

; <<>> DiG 9.6.1 <<>> IN ANY wpbeginner.com. @ns1.uzzz.net. @ns2.uzzz.net.
;; global options: +cmd
;; connection timed out; no servers could be reached

Sven Juergensen wrote:

any idea why wpbeginner.com can't be resolved
using unbound 1.3.1?

It appears not to be a problem with unbound. The IP addresses of the
authoritative nameservers for wpbeginner.com are inconsistent.

dig +trace wpbeginner.com
[...]
wpbeginner.com. 172800 IN NS ns1.uzzz.net.
wpbeginner.com. 172800 IN NS ns2.uzzz.net.
;; Received 108 bytes from 192.43.172.30#53(I.GTLD-SERVERS.NET) in 27 ms

;; connection timed out; no servers could be reached

The parent zone says:
ns1.uzzz.net. 172800 IN A 74.52.155.18

While 74.52.155.18 answers requests for wpbeginner.com, it resolves
ns1.uzzz.net to:

ns1.uzzz.net. 14400 IN A 72.249.16.25

72.249.16.25 doesn't answer DNS requests. Similar results for
ns2.uzzz.net. SNAFU.

Hauke.

Hi Sven,

Because it is misconfigured and unbound's security policy.

If you ask .com servers for wpbeginner.com
it gives a delegation to:
wpbeginner.com. 172800 IN NS ns1.uzzz.net.
wpbeginner.com. 172800 IN NS ns2.uzzz.net.
ns1.uzzz.net. 172800 IN A 74.52.155.18
ns2.uzzz.net. 172800 IN A 74.52.155.19

Unbound, however, does not believe the ns1.uzzz.net addresses
from here because of security policy. (Otherwise cache
poisoning is going to happen). It decides to check up
on things.

It asks the .net servers for ns1.uzzz.net, and they give
this delegation:
uzzz.net. 172800 IN NS ns1.uzzz.net.
uzzz.net. 172800 IN NS ns2.uzzz.net.
ns1.uzzz.net. 172800 IN A 74.52.155.18
ns2.uzzz.net. 172800 IN A 74.52.155.19

This time, having asked the .net servers, unbound believes
the addresses, but the security policy is to check even further.
Unbound asks uzzz.net nameservers for ns1.uzzz.net.

As you can see in the dig sample below, it gets a reply
with a different address for ns1.uzzz.net.

$ dig @74.52.155.18 ns1.uzzz.net.
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 28863
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 1
;; QUESTION SECTION:
;ns1.uzzz.net. IN A
;; ANSWER SECTION:
ns1.uzzz.net. 14400 IN A 72.249.16.25
;; AUTHORITY SECTION:
uzzz.net. 86400 IN NS ns712.websitewelcome.com.
uzzz.net. 86400 IN NS ns711.websitewelcome.com.
;; ADDITIONAL SECTION:
ns712.websitewelcome.com. 130930 IN A 74.52.155.19

So, it finds out that the real address of ns1.uzzz.net is 72.249.16.25!
Because the uzzz.net server says so and is authoritative for the data.

Unbound then asks 72.249.16.25 for wpbeginner.com.

$ dig @72.249.16.25 wpbeginner.com
;; connection timed out; no servers could be reached

The same story for ns2.uzzz.net, the server does not respond to queries.

So, I would like to be able to provide the correct answer to
users who want to connect to wpbeginner.com; unbound
tries to fetch the most authoritative response for it, but that
address will not answer.

All that said, if you really want to resolve this, the
option harden-glue: no does that. (And allows cache
poisoning!).

The best solution is to have wpbeginner.com publish correct
information to the verisign servers, and/or run a nameserver
on the address 72.249.16.25.

Thank you for reporting the non-working address.

Best regards,
   Wouter
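
Added example (not part of the original thread, and not unbound's code): a small Python model of the check Wouter describes, comparing the parent's glue with the child's authoritative A record and showing which address gets queried with harden-glue on or off. The records are the ones quoted in the thread; the function names, the RESPONSIVE set and the reduction of harden-glue to a single branch are assumptions of this sketch.

```python
# Added example; the records are copied from the dig output quoted in the thread.
PARENT_GLUE = """
;; glue returned by the .com/.net servers
ns1.uzzz.net. 172800 IN A 74.52.155.18
ns2.uzzz.net. 172800 IN A 74.52.155.19
"""
CHILD_ANSWER = """
;; authoritative (aa) answer from 74.52.155.18
ns1.uzzz.net. 14400 IN A 72.249.16.25
uzzz.net. 86400 IN NS ns712.websitewelcome.com.
"""
# Reachability as reported in the thread (treated as fixed input here).
RESPONSIVE = {"74.52.155.18"}


def parse_a_records(text):
    """Map owner name -> set of IPv4 addresses from dig-style RR lines."""
    records = {}
    for line in text.splitlines():
        fields = line.split()
        # Skip blanks, dig comments and anything that is not 'name ttl IN A addr'.
        if len(fields) != 5 or line.startswith(";") or fields[2:4] != ["IN", "A"]:
            continue
        records.setdefault(fields[0].lower(), set()).add(fields[4])
    return records


def audit_glue(parent, child):
    """Classify each nameserver: consistent, mismatch, or unverified glue."""
    report = {}
    for name, glue in parent.items():
        auth = child.get(name)
        if auth is None:
            report[name] = "unverified"
        else:
            report[name] = "consistent" if auth == glue else "mismatch"
    return report


def addresses_queried(name, parent, child, harden_glue=True):
    """Simplified model: with harden_glue the authoritative data replaces glue."""
    if harden_glue and name in child:
        return child[name]
    return parent.get(name, set())


def reachable(name, parent, child, harden_glue=True):
    """True if at least one address the resolver would query answers."""
    return bool(addresses_queried(name, parent, child, harden_glue) & RESPONSIVE)
```

A "mismatch" entry from audit_glue is the condition to report to the zone owner; "unverified" means the child's own A record for that nameserver was not supplied.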

Hi Wouter,

many thanks for the insights into unbound's
inner workings. Let's see if the person
responsible for the domain feels like fixing
things.

Best regards,

Kind regards,

  i. A. Sven Juergensen


* W. C. A. Wijngaards:

The best solution is to have wpbeginner.com publish correct
information to the verisign servers, and/or run a nameserver
on the address 72.249.16.25.

Note that resolution of wpbeginner.com will fail with most resolvers
if you resolve the following names, in this order: uzzz.net,
ns1.uzzz.net, ns2.uzzz.net, wpbeginner.com. So the zone is really
misconfigured.