DNS configuration errors/issues with `pool.ntp.org`


Digging a bit deeper here on the DNS authoritative servers setup for pool.ntp.org.

It turns out that there are several issues with it ATM, ranging from unresponsive servers to reuse of the same IP address for different NSes.

You can get full reports from two great online DNS tools. I’m including here links to the experiments I ran already:

  1. Using DNSVIZ
  2. Using Zonemaster


ps: thanks @marco.davids for the help too


Thanks @giovane & @marco.davids. @gfk and I did talk recently about some of these. Not getting them removed from the NS records was an oversight.


Indeed three delegation errors seem fixed now. Thank you!

For the record: these were the errors that now seem fixed:

IP in parent refers to multiple nameservers (d.ntpns.org; g.ntpns.org).
IP in child refers to multiple nameservers (d.ntpns.org; g.ntpns.org).
IP refers to multiple nameservers (d.ntpns.org; g.ntpns.org).

These are the remaining errors:

Follow up:

A quick review[1] seems to indicate that some IP-addresses in the NS-set for pool.ntp.org are still unresponsive:

2a05:91c0:1505:5::c924 (c.ntpns.org)
2620:7:6000::ffff:c759:df35 (d.ntpns.org) (f.ntpns.org)

It is also confusing that the SOA record of pool.ntp.org has a rather variable content[2] in the MNAME field and I wonder why this is? Why not put a.ntpns.org in it everywhere?

[1]

```bash
# For every NS of pool.ntp.org, ask each of its IPv4 addresses for the zone's SOA.
for a in $(dig +short ns pool.ntp.org | sort); do
  echo -e "\033[1mServer\033[0m $a ------"
  for b in $(dig +short A "$a"); do
    echo " IP: $b ---"
    dig +short SOA pool.ntp.org "@$b"
  done
done
```

[2] dig +nssearch pool.ntp.org
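The three findings discussed in this thread (one address listed for several NS names, addresses that never answer, and an MNAME that differs between servers) can be checked offline over captured `dig` output. The script below is an added example, not code from any post here; the function names are hypothetical, all names and addresses are constructed (`example.net`, documentation ranges), and it assumes an address with no SOA line in the `dig +nssearch` output did not answer.

```shell
#!/usr/bin/env bash
# Added example; every name and address below is constructed sample data.
# "nameserver address" pairs, as collect_addrs() would print them.
SAMPLE_ADDRS='ns-a.example.net. 192.0.2.1
ns-a.example.net. 2001:db8::1
ns-b.example.net. 192.0.2.2
ns-d.example.net. 192.0.2.4
ns-g.example.net. 192.0.2.4'

# Constructed `dig +nssearch` output: one SOA line per address that answered.
SAMPLE_NSSEARCH='SOA ns-a.example.net. hostmaster.example.net. 2021080100 5400 5400 1209600 3600 from server 192.0.2.1 in 11 ms.
SOA ns-b.example.net. hostmaster.example.net. 2021080100 5400 5400 1209600 3600 from server 192.0.2.2 in 24 ms.
SOA ns-a.example.net. hostmaster.example.net. 2021080100 5400 5400 1209600 3600 from server 192.0.2.4 in 30 ms.'

# Live collection (not run here): resolve every NS name of zone $1 for A and AAAA.
collect_addrs() {
  for ns in $(dig +short NS "$1" | sort); do
    for ip in $(dig +short A "$ns"; dig +short AAAA "$ns"); do echo "$ns $ip"; done
  done
}

# stdin: "name address" pairs. Prints each address listed for more than one NS name.
shared_ips() {
  awk '{ if (!seen[$2, $1]++) { n[$2]++; names[$2] = names[$2] " " $1 } }
       END { for (ip in n) if (n[ip] > 1) print ip ":" names[ip] }' | sort
}

# $1: "name address" pairs, $2: nssearch output. Prints addresses with no SOA answer.
unresponsive() {
  printf '%s\n' "$2" | PAIRS="$1" awk '
    $1 == "SOA" { for (i = 1; i < NF; i++) if ($i == "server") ok[$(i + 1)] = 1 }
    END { m = split(ENVIRON["PAIRS"], line, "\n")
          for (j = 1; j <= m; j++) { split(line[j], f, " ")
            if (f[2] != "" && !(f[2] in ok) && !dup[f[2]]++) print f[2] } }'
}

# stdin: nssearch output. Prints "count mname"; more than one line means MNAME varies.
mname_summary() {
  awk '$1 == "SOA" { c[$2]++ } END { for (m in c) print c[m], m }' | sort -k2
}

printf '%s\n' "$SAMPLE_ADDRS" | shared_ips
unresponsive "$SAMPLE_ADDRS" "$SAMPLE_NSSEARCH"
printf '%s\n' "$SAMPLE_NSSEARCH" | mname_summary
```

In the sample the only silent address is the IPv6 one, which a loop that resolves A records alone would never test.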

Hello Marco and thanks for the analyses. Here’s what’s going on:

  • 2a05:91c0:1505:5::c924 is fixed (actually changed to 2a05:91c0:1505:5:: )
  • has been removed permanently from DNS
  • had crashed, operator has been notified, should be back in a few hours.

Confirmed! Thank you!


UPDATE 20210801:

That was two days ago. Apparently we have to be a little more patient? :wink: