www.cnn.com

excuse posting to such an august north american list from humble nigeria,
but we think you have a problem over there and it's not very easy to deal
with from here.

roam.psg.com:/usr/home/randy> doc -p -w www.cnn.com.
Doc-2.2.3: doc -p -w www.cnn.com.
Doc-2.2.3: Starting test of www.cnn.com. parent is cnn.com.
Doc-2.2.3: Test date - Thu Apr 26 09:04:52 GMT 2007
DIGERR (NOT_AUTHORIZED): dig @dmtns01.turner.com. for SOA of www.cnn.com. failed
DIGERR (NOT_AUTHORIZED): dig @dmtns02.turner.com. for SOA of www.cnn.com. failed
SYSerr: No servers for www.cnn.com. returned SOAs ...
Summary:
   YIKES: doc aborted while testing www.cnn.com. parent cnn.com.
   Incomplete test for www.cnn.com. (3)
Done testing www.cnn.com. Thu Apr 26 09:05:13 GMT 2007

randy

I think your debugging tool is faulty, as a dig ns cnn.com
@a.gtld-servers.net gives:
cnn.com. 172800 IN NS twdns-01.ns.aol.com.
cnn.com. 172800 IN NS twdns-02.ns.aol.com.
cnn.com. 172800 IN NS twdns-03.ns.aol.com.
cnn.com. 172800 IN NS twdns-04.ns.aol.com.
twdns-01.ns.aol.com. 172800 IN A 149.174.213.151
twdns-02.ns.aol.com. 172800 IN A 152.163.239.216
twdns-03.ns.aol.com. 172800 IN A 207.200.73.85
twdns-04.ns.aol.com. 172800 IN A 64.12.147.120
All of the above answer to me and have the same serial for cnn.com.
I guess your tool probably asks a faulty caching nameserver for the NS
records of cnn.com - there are several misguided implementations that
cache for a longer period than the TTL of the record states.

Having said that and being a hostmaster for a large German broadband
ISP I am indeed quite thankful for Microsoft ignoring low TTLs in most
Windows XP installations especially as today's drones do not seem to care
about asking proper IN MX questions. ;)

  Stefan

well, close but i think not

randy

cnn.com is not www.cnn.com ;)

dig @twdns-03.ns.aol.com www.cnn.com ns

Although "doc" is very long in the tooth, at least the last version I was
using in anger.

As to what CNN are doing with their DNS, I've no idea, but I don't think it
concerns Nanog, unless these nameservers host a lot of important domains ;)

Stefan Schmidt wrote:

>> roam.psg.com:/usr/home/randy> doc -p -w www.cnn.com.
>> Doc-2.2.3: doc -p -w www.cnn.com.
>> Doc-2.2.3: Starting test of www.cnn.com. parent is cnn.com.
>> Doc-2.2.3: Test date - Thu Apr 26 09:04:52 GMT 2007
>> DIGERR (NOT_AUTHORIZED): dig @dmtns01.turner.com. for SOA of www.cnn.com. failed
>> DIGERR (NOT_AUTHORIZED): dig @dmtns02.turner.com. for SOA of www.cnn.com. failed

> I think your debugging tool is faulty, as a dig ns cnn.com

[..]

> All of the above answer to me and have the same serial for cnn.com.

Randy is looking at www.cnn.com (note the www portion) and if you would
do a 'dig +trace www.cnn.com' you would see:

www.cnn.com. 3600 IN NS dmtns01.turner.com.
www.cnn.com. 3600 IN NS dmtns02.turner.com.
;; Received 112 bytes from 207.200.73.85#53(twdns-03.ns.aol.com) in 176 ms

www.cnn.com. 600 IN A 64.236.16.20
[..9 ip's..]
;; Received 157 bytes from 64.236.22.150#53(dmtns02.turner.com) in 100 ms

And dmtns0{1|2}.turner.com. don't have a SOA for www.cnn.com although
they are authoritative. They only respond to queries for "A". Fortunately
they do respond for "AAAA" queries, 0 records result, but it doesn't
break. They do simply drop queries asking for SOA, MX, TXT and prolly others.

Aka just another peeped up "DNS loadbalancer" for which the implementers
didn't read the RFCs or where the configurators decided that they can
ignore other stuff for "anti-ddos" or other reasons.

Greets,
Jeroen
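
Added example, not part of the original thread or of any poster's tooling: the per-query-type behaviour described above (A answered, AAAA answered with zero records, SOA/MX/TXT silently dropped) can be checked by classifying each reply from a delegated server. The name www.example.test, the helper names and the reply bytes are constructed for illustration; None stands for a query that timed out.

```python
import struct

QTYPES = {"A": 1, "SOA": 6, "MX": 15, "TXT": 16, "AAAA": 28}  # RFC 1035 / RFC 3596

def build_query(name, qtype, qid=0x1234):
    """Wire-format query with RD clear, as sent to an authoritative server."""
    header = struct.pack("!HHHHHH", qid, 0x0000, 1, 0, 0, 0)
    labels = b"".join(bytes([len(l)]) + l.encode("ascii")
                      for l in name.rstrip(".").split("."))
    return header + labels + b"\x00" + struct.pack("!HH", QTYPES[qtype], 1)

def classify(reply):
    """Classify one reply from its header; None means the query timed out."""
    if reply is None:
        return "dropped"
    if len(reply) < 12:
        return "malformed"
    _, flags, _, ancount, _, _ = struct.unpack("!HHHHHH", reply[:12])
    rcode = flags & 0x000F
    if rcode:
        return "rcode=%d" % rcode
    return "answer" if ancount else "nodata"

def audit(replies):
    """replies maps qtype -> bytes or None. Returns (results, selectively dropped types)."""
    results = {qt: classify(raw) for qt, raw in replies.items()}
    # If every query timed out the server is simply unreachable, not filtering.
    alive = any(r != "dropped" for r in results.values())
    dropped = sorted(qt for qt, r in results.items() if r == "dropped") if alive else []
    return results, dropped

def fake_reply(qtype, ancount, rcode=0, qid=0x1234):
    """Constructed reply: header (QR+AA set) plus echoed question, no record data."""
    question = build_query("www.example.test", qtype, qid)[12:]
    return struct.pack("!HHHHHH", qid, 0x8400 | rcode, 1, ancount, 0, 0) + question

# Constructed sample mirroring the behaviour reported in the thread.
SAMPLE = {"A": fake_reply("A", 1), "AAAA": fake_reply("AAAA", 0),
          "SOA": None, "MX": None, "TXT": None}

if __name__ == "__main__":
    results, dropped = audit(SAMPLE)
    for qt in sorted(results):
        print("%-5s %s" % (qt, results[qt]))
    print("selectively dropped:", ", ".join(dropped) or "none")
```

A server that answers some types and times out on others is reported in the second return value; a server that times out on everything is treated as unreachable and yields an empty list.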

> Aka just another peeped up "DNS loadbalancer" for which the implementers
> didn't read the RFCs or where the configurators decided that they can
> ignore other stuff for "anti-ddos" or other reasons.

any clues as to the vendor so we know what to avoid?

randy