
[public-dns-discuss] Re: Our domain not able to receive mails from gmail



You need to remove whatever is generating these bogus records from the mcit.gov.eg zone:

ns1.mcit.gov.eg.        0       IN      NS      jQfNYnMQfYRa.mcit.gov.eg.

$ dig +norec +nostats NS ns.mcit.gov.eg @81.21.99.150

; <<>> DiG 9.10.2 <<>> +norec +nostats NS ns.mcit.gov.eg @81.21.99.150
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 32746
;; flags: qr ad; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;ns.mcit.gov.eg.                        IN      NS

;; AUTHORITY SECTION:
ns.mcit.gov.eg.         0       IN      NS      ghNVgOkKkYZg.mcit.gov.eg.

It creates a delegation to a separate zone for any of the name server names listed in the delegation from gov.eg to mcit.gov.eg:

$ checkdelegation mcit.gov.eg
parent zone gov.eg:
mcit.gov.eg. 86400 NS ns1.mcit.gov.eg.
mcit.gov.eg. 86400 NS ns2.mcit.gov.eg.
mcit.gov.eg. 86400 NS ns.mcit.gov.eg.
ns.mcit.gov.eg. 86400 A 81.21.97.150
ns1.mcit.gov.eg. 86400 A 81.21.99.150
ns2.mcit.gov.eg. 86400 A 81.21.109.150

The glue record in the delegation is used, but when re-querying for the A record after the one-day TTL expires, the response from the name servers is a glueless delegation:

$ dig +norec +nostats NS ns1.mcit.gov.eg @81.21.99.150

; <<>> DiG 9.10.2 <<>> +norec +nostats NS ns1.mcit.gov.eg @81.21.99.150
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 51736
;; flags: qr ad cd; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;ns1.mcit.gov.eg.               IN      NS

;; AUTHORITY SECTION:
ns1.mcit.gov.eg.        0       IN      NS      OVLQgkMUmXOf.mcit.gov.eg.

The random prefix changes every time, and as a result, none of the name server addresses can be looked up once the one-day TTL in the glue expires.

As a short-term fix you could make the glue TTL two weeks or something longer. At least for Google Public DNS, we would likely be updating the resolvers and restarting them before the TTL expired, although we might start expiring delegation glue TTLs more aggressively in the future, so that is only a short-term fix.

$ dig +trace ns.mcit.gov.eg

; <<>> DiG 9.10.2 <<>> +trace ns.mcit.gov.eg
;; global options: +cmd
.                       194942  IN      NS      a.root-servers.net.
.                       194942  IN      NS      b.root-servers.net.
.                       194942  IN      NS      c.root-servers.net.
.                       194942  IN      NS      d.root-servers.net.
.                       194942  IN      NS      e.root-servers.net.
.                       194942  IN      NS      f.root-servers.net.
.                       194942  IN      NS      g.root-servers.net.
.                       194942  IN      NS      h.root-servers.net.
.                       194942  IN      NS      i.root-servers.net.
.                       194942  IN      NS      j.root-servers.net.
.                       194942  IN      NS      k.root-servers.net.
.                       194942  IN      NS      l.root-servers.net.
.                       194942  IN      NS      m.root-servers.net.
.                       194942  IN      RRSIG   NS 8 0 518400 20180305050000 20180220040000 41824 . LmVoL6aGnQ0e9abTWCIvA8UEwqGUT13SNRhiXq++IVB0WyqG7fDkvkDz Kcj0rhfIylcIkCrhlWenIKHR96CzmjAFviq50l/wqgB/gwDZXSuKTGCo irRrzejGu5LzHMVrQ9GHb9xzsBXmZ4VoYFCHuTQ9bmAkFoWs98ye7sXg JQ5nWVUlEerFDt1K+GZ2+Y803GM+8ebH0Y9nLpwCD+LiPU33P3SCrCbM YgIEY+QtLr+3lxvkR/5Pb0ls6oRKhebGLF+RKtN6rYq5lX6m1BLWGodv uyV1Fdrnaz5PhfvsC4hL27j1aQuPkU4nBE9aeDW7zQrjC1b+ZPycLExl v00ykA==
;; Received 525 bytes from 127.0.1.1#53(127.0.1.1) in 2 ms

eg.                     172800  IN      NS      rip.psg.com.
eg.                     172800  IN      NS      ns5.univie.ac.at.
eg.                     172800  IN      NS      frcu.eun.eg.
eg.                     86400   IN      NSEC    email. NS RRSIG NSEC
eg.                     86400   IN      RRSIG   NSEC 8 1 86400 20180306050000 20180221040000 41824 . MShzihg+wj/i3G9FHLLsCLdBKI9IRE3BUYpfU8umuM7t/VzjkdivGJRj LDu3gbhCMeDN812Np99WhouZEV0cyGXDKhZpV85gDsbbFU5ssMQa5/uB sVSbblHBeVXbXtKKl94bSu5Dhbz0IYHATIA9G2pcHiDQs14QGg9OrdL/ DxyFbGILNiriWRgVqOJmbc6bpD3tiu2eBqKubnimNT7cC8A07c3jS+6Y p8vcItyQuWgBDhNaM8qmWrtaR/ZwJRZVyIwTtTCm34PkwbYylr9Fp8YZ HjwsSzRSvVipMqcynCRi4UxwPgIwTfefmege6oTTVGZmof/aOncPfQds eHbxsg==
;; Received 539 bytes from 192.33.4.12#53(c.root-servers.net) in 16 ms

GOV.eg.                 86400   IN      NS      NS.IDSC.GOV.EG.
GOV.eg.                 86400   IN      NS      FRCU.EUN.EG.
GOV.eg.                 86400   IN      NS      RIP.PSG.COM.
;; Received 172 bytes from 193.171.255.77#53(ns5.univie.ac.at) in 116 ms

MCIT.gov.eg.            86400   IN      NS      NS2.MCIT.gov.eg.
MCIT.gov.eg.            86400   IN      NS      NS1.MCIT.gov.eg.
MCIT.gov.eg.            86400   IN      NS      NS.MCIT.gov.eg.
;; Received 149 bytes from 147.28.0.39#53(RIP.PSG.COM) in 57 ms

ns.mcit.gov.eg.         0       IN      NS      jWRKdkkRhTde.mcit.gov.eg.
couldn't get address for 'jWRKdkkRhTde.mcit.gov.eg': not found
dig: couldn't get address for 'jWRKdkkRhTde.mcit.gov.eg': no more

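An added example, not part of the original message: a small Python check that takes the parent delegation and the authority-section records quoted in the message and reports which name server host names the zone's own servers delegate away. The function names `parse_rrs` and `find_self_delegations` are hypothetical; the record data is copied from the dig and checkdelegation output above.

```python
import re
from collections import defaultdict
# Parent-zone delegation, copied from the checkdelegation output above.
PARENT = """\
mcit.gov.eg. 86400 NS ns1.mcit.gov.eg.
mcit.gov.eg. 86400 NS ns2.mcit.gov.eg.
mcit.gov.eg. 86400 NS ns.mcit.gov.eg.
ns.mcit.gov.eg. 86400 A 81.21.97.150
ns1.mcit.gov.eg. 86400 A 81.21.99.150
ns2.mcit.gov.eg. 86400 A 81.21.109.150
"""

# Authority-section records from the four dig responses quoted above.
OBSERVED = """\
ns1.mcit.gov.eg.        0       IN      NS      jQfNYnMQfYRa.mcit.gov.eg.
ns.mcit.gov.eg.         0       IN      NS      ghNVgOkKkYZg.mcit.gov.eg.
ns1.mcit.gov.eg.        0       IN      NS      OVLQgkMUmXOf.mcit.gov.eg.
ns.mcit.gov.eg.         0       IN      NS      jWRKdkkRhTde.mcit.gov.eg.
"""

RR = re.compile(r"^(\S+)\s+(\d+)\s+(?:IN\s+)?(NS|A)\s+(\S+)$", re.I)

def parse_rrs(text):
    """Yield (owner, ttl, rtype, rdata) for NS and A lines; skip everything else."""
    for line in text.splitlines():
        m = RR.match(line.strip())
        if m:
            yield m[1].lower(), int(m[2]), m[3].upper(), m[4].lower()

def find_self_delegations(parent_text, observed_text):
    """Report NS host names (from the parent delegation) that own an NS record.

    target_changes: every response named a different target, so nothing resolves.
    glue_ttl: seconds until resolvers lose the parent glue, the only usable address.
    """
    ns_hosts = {r for _, _, t, r in parse_rrs(parent_text) if t == "NS"}
    glue_ttl = {o: ttl for o, ttl, t, _ in parse_rrs(parent_text) if t == "A"}
    seen = defaultdict(list)
    for owner, ttl, rtype, rdata in parse_rrs(observed_text):
        if rtype == "NS" and owner in ns_hosts:
            seen[owner].append((ttl, rdata))
    report = {}
    for host, answers in seen.items():
        targets = {rdata for _, rdata in answers}
        report[host] = {
            "targets": sorted(targets),
            "target_changes": len(answers) > 1 and len(targets) == len(answers),
            "ttl_zero": all(ttl == 0 for ttl, _ in answers),
            "glue_ttl": glue_ttl.get(host),
        }
    return report

REPORT = find_self_delegations(PARENT, OBSERVED)
```

Pasting full dig output into `OBSERVED` also works, since comment, header and RRSIG lines do not match the record pattern and are skipped.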