Hi, 2018-10-30 there seem to be some issues resolving north-america.pool.ntp.org: local DNS server:

    # nslookup -type=any 3.north-america.pool.ntp.org.
    Server:  192.168.99.70
    Address: 192.168.99.70#53

    Non-authoritative answer:
    Name:    3.north-america.pool.ntp.org
    Address: 22.214.171.124
    Name:    3.north-america.pool.ntp.org
    Address: 126.96.36.199
    Name:    3.north-america.pool.ntp.org
    Address: 188.8.131.52
    Name:    3.north-america.pool.ntp.org
    Address: 184.108.40.206

    Authoritative answers can be found from:
    org nameserver = a0.org.afilias-nst.info.
    org nameserver = b2.org.afilias-nst.org.
    org nameserver = a2.org.afilias-nst.info.
    org nameserver = b0.org.afilias-nst.org.
    org nameserver = d0.org.afilias-nst.org.
    org nameserver = c0.org.afilias-nst.info.
    a0.org.afilias-nst.info internet address = 220.127.116.11
    a0.org.afilias-nst.info has AAAA address 2001:500:e::1
    a2.org.afilias-nst.info internet address = 18.104.22.168
    a2.org.afilias-nst.info has AAAA address 2001:500:40::1
    b0.org.afilias-nst.org internet address = 22.214.171.124
    b0.org.afilias-nst.org has AAAA address 2001:500:c::1
    b2.org.afilias-nst.org internet address = 126.96.36.199
    b2.org.afilias-nst.org has AAAA address 2001:500:48::1
    c0.org.afilias-nst.info internet address = 188.8.131.52
    c0.org.afilias-nst.info has AAAA address 2001:500:b::1
    d0.org.afilias-nst.org internet address = 184.108.40.206
    d0.org.afilias-nst.org has AAAA address 2001:500:f::1

OK, but ntpd apparently doesn't use non-authoritative results, so I'll try the first IP address which is supposed to be authoritative:

    # nslookup -type=any 3.north-america.pool.ntp.org. 220.127.116.11
    Server:  18.104.22.168
    Address: 22.214.171.124#53

    Non-authoritative answer:
    *** Can't find 3.north-america.pool.ntp.org.: No answer

    Authoritative answers can be found from:
    ntp.org nameserver = ns2.p20.dynect.net.
    ntp.org nameserver = anyns.pch.net.
    ntp.org nameserver = ns3.p20.dynect.net.
    ntp.org nameserver = dns2.udel.edu.
    ntp.org nameserver = ns1.p20.dynect.net.
    ntp.org nameserver = ns4.p20.dynect.net.
    ntp.org nameserver = ns1.everett.org.
    ntp.org nameserver = dns1.udel.edu.
    ns1.everett.org internet address = 126.96.36.199

That's odd: the authoritative server isn't authoritative! I think ntpd gives up at this point. Continuing to the newly specified IP address:

    # nslookup -type=any 3.north-america.pool.ntp.org. 188.8.131.52
    Server:  184.108.40.206
    Address: 220.127.116.11#53

    Non-authoritative answer:
    *** Can't find 3.north-america.pool.ntp.org.: No answer

    Authoritative answers can be found from:
    pool.ntp.org nameserver = c.ntpns.org.
    pool.ntp.org nameserver = f.ntpns.org.
    pool.ntp.org nameserver = d.ntpns.org.
    pool.ntp.org nameserver = e.ntpns.org.
    pool.ntp.org nameserver = i.ntpns.org.
    pool.ntp.org nameserver = a.ntpns.org.
    pool.ntp.org nameserver = b.ntpns.org.
    pool.ntp.org nameserver = h.ntpns.org.
    pool.ntp.org nameserver = g.ntpns.org.

Still no joy. Finally trying one of the ntpns.org nameservers:

    # nslookup -type=any 3.north-america.pool.ntp.org. g.ntpns.org.
    Server:  g.ntpns.org.
    Address: 18.104.22.168#53

    Name:    3.north-america.pool.ntp.org
    Address: 22.214.171.124
    Name:    3.north-america.pool.ntp.org
    Address: 126.96.36.199
    Name:    3.north-america.pool.ntp.org
    Address: 188.8.131.52
    Name:    3.north-america.pool.ntp.org
    Address: 184.108.40.206

Finally, some authoritative responses. But ntpd (4.2.8p11) apparently isn't that persistent.
Those DNS responses look fine.
The response was “non-authoritative” because the query was sent to a resolver. It answered the question, and marked the response as non-authoritative because it’s a resolver and not one of the zone’s authoritative servers. That’s normal and correct behavior.
ntpd should have no problem with it.
What’s actually going wrong? What’s ntpd doing? What do its logs say? Is it failing to resolve NTP Pool addresses? Is it successfully resolving other servers? What is its configuration?
If you are running a semi-recent version of NTP you can also use the ‘pool’ directive instead of ‘server’.
That might help if you are having DNS issues or servers that keep dropping out.
I’m using pool directives; ntpd running on a Linux host gives log lines:
1 Nov 02:02:28 ntpd: error resolving pool 3.north-america.pool.ntp.org: No address associated with hostname (-5)
If I put a server line in the configuration for frigg.fancube.com (one of the pool servers) and restart ntpd, I get:
1 Nov 02:10:33 ntpd: DNS frigg.fancube.com (A) -> 220.127.116.11
So normal server domain names are resolved correctly.
The problem with the DNS responses is that the initial (non-authoritative) response indicates
servers which are supposed to be authoritative (a0.org.afilias-nst.info etc.), but those servers
claim not to have authoritative information, referring to yet another set of servers, etc., until finally
the ntpns.org servers return useful responses.
A side-effect of adding the server line to the configuration is that now the pool addresses are
resolving. This may be a problem related to the deferred lookups in the chroot ntpd code (which
has had a number of issues).
nslookup output doesn’t show anything wrong. There might be something wrong, but everything
nslookup showed was things operating normally and correctly.
What happens if you put “pool frigg.fancube.com” or “server 3.north-america.pool.ntp.org” or “server 2.north-america.pool.ntp.org” or “pool 2.north-america.pool.ntp.org” in the configuration?
Does DNS resolution always malfunction? Was it at boot, when the clock might be wildly wrong, and networking might not be working right yet? Could you have been using a different DNS resolver at the time?
Normally, I'd expect that a query to a server which is supposed to be authoritative should return a proper answer; that's what has traditionally happened and still happens for many queries, e.g.:

    # nslookup -type=any c.mewe.com
    Server:  192.168.99.70
    Address: 192.168.99.70#53

    Non-authoritative answer:
    Name:    c.mewe.com
    Address: 18.104.22.168
    Name:    c.mewe.com
    Address: 22.214.171.124
    Name:    c.mewe.com
    Address: 126.96.36.199

    Authoritative answers can be found from:
    mewe.com nameserver = ns-2046.awsdns-63.co.uk.
    mewe.com nameserver = ns-1093.awsdns-08.org.
    mewe.com nameserver = ns-196.awsdns-24.com.
    mewe.com nameserver = ns-879.awsdns-45.net.
    ns-196.awsdns-24.com internet address = 188.8.131.52
    ns-879.awsdns-45.net has AAAA address 2600:9000:5303:6f00::1
    ns-1093.awsdns-08.org internet address = 184.108.40.206
    ns-1093.awsdns-08.org has AAAA address 2600:9000:5304:4500::1
    ns-2046.awsdns-63.co.uk internet address = 220.127.116.11
    ns-2046.awsdns-63.co.uk has AAAA address 2600:9000:5307:fe00::1

    # nslookup -type=any c.mewe.com ns-1093.awsdns-08.org
    Server:  ns-1093.awsdns-08.org
    Address: 18.104.22.168#53

    Name:    c.mewe.com
    Address: 22.214.171.124
    Name:    c.mewe.com
    Address: 126.96.36.199
    Name:    c.mewe.com
    Address: 188.8.131.52

I'd call that normal; a server initially reported as being authoritative returns an authoritative result rather than no result.

I'm not sure that a pool directive for a regular server name makes sense, but with that as the only server/pool directive I get failure:

    1 Nov 08:45:48 ntpd: error resolving pool frigg.fancube.com: No address associated with hostname (-5)

server 3.north-america.pool.ntp.org resolves to a single IP address:

    1 Nov 08:43:37 ntpd: DNS 3.north-america.pool.ntp.org (A) -> 184.108.40.206

This happens consistently. The local DNS resolver handles LAN host names plus a few exceptional names and forwards everything else to 220.127.116.11.
Other machines running ntpd under NetBSD don't show any problems; this is beginning to look like a chroot/Linux-specific issue with ntpd [rebuilding with the undocumented options mentioned in ntp bug 2680 comment 26 fixes that]. But the DNS response auxiliary information pointing to supposedly authoritative servers that aren't in fact authoritative looks odd to me. Anyway, thanks for your help.
Your DNS server sometimes returns a misleading authority section showing information from a parent zone.
(I think this is a ‘feature’ of BIND when it doesn’t have complete authority information cached. Newer versions don’t include unnecessary authority sections by default, so you won’t see it anymore.)
(I don’t know if any other recursive DNS servers do the same thing. None of the ones I use do.)
A client like ntpd ignores the authority section entirely, so it doesn’t matter what it says or how bizarre it is. The answer section was correct.
It’s not a typical setup – though it’s useful if a server’s IP address changes – but it’s a good test.
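To make the point about answer versus authority sections concrete, here is an added example (not code from this thread or from ntpd) that parses a DNS response at the wire level. It builds a constructed resolver reply for 3.north-america.pool.ntp.org whose authority section carries parent-zone (org) NS records, much like the nslookup output earlier in the thread, and shows that a stub client consuming only the answer section gets the addresses regardless of what the authority section says, and regardless of whether the AA flag is set. The names, the RFC 5737 documentation addresses and the query ID are all constructed; the wire layout follows RFC 1035.

```python
"""Separate the answer section of a DNS response from its authority section.

Added example, not part of the original thread or of ntpd. The response is
constructed inline (RFC 5737 documentation addresses, made-up query ID) to
mirror the shape of the nslookup output above: a correct answer section plus
an authority section listing the parent zone's nameservers.
"""
import struct

A_TYPE, NS_TYPE, IN_CLASS = 1, 2, 1


def encode_name(name):
    """Encode a dotted name in RFC 1035 label format (no compression)."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_response(qname, answers, authority_ns, aa=False):
    """Build a response with A answers and NS authority records (constructed)."""
    flags = 0x8180 | (0x0400 if aa else 0)          # QR, RD, RA, optionally AA
    msg = struct.pack("!HHHHHH", 0x1234, flags, 1, len(answers), len(authority_ns), 0)
    msg += encode_name(qname) + struct.pack("!HH", A_TYPE, IN_CLASS)
    for ip in answers:
        rdata = bytes(int(octet) for octet in ip.split("."))
        # 0xC00C is a compression pointer to the question name at offset 12
        msg += b"\xc0\x0c" + struct.pack("!HHIH", A_TYPE, IN_CLASS, 300, 4) + rdata
    for zone, ns in authority_ns:
        rdata = encode_name(ns)
        msg += encode_name(zone) + struct.pack("!HHIH", NS_TYPE, IN_CLASS, 3600, len(rdata)) + rdata
    return msg


def read_name(msg, off):
    """Decode a possibly compressed name; return (name, offset after the field)."""
    labels, end = [], None
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                    # compression pointer
            if end is None:
                end = off + 2
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels) + ".", (end if end is not None else off)


def parse_response(msg):
    """Return flags of interest plus the answer and authority sections."""
    _ident, flags, qd, an, ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):                              # skip the question section
        _, off = read_name(msg, off)
        off += 4
    sections = {"answer": [], "authority": []}
    for section, count in (("answer", an), ("authority", ns)):
        for _ in range(count):
            name, off = read_name(msg, off)
            rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
            off += 10
            if rtype == A_TYPE:
                value = ".".join(str(b) for b in msg[off:off + 4])
            elif rtype == NS_TYPE:
                value, _ = read_name(msg, off)
            else:
                value = msg[off:off + rdlen].hex()
            off += rdlen
            sections[section].append((name, rtype, value))
    return {"aa": bool(flags & 0x0400), "rcode": flags & 0xF, **sections}


def addresses_for(msg, qname):
    """What a stub client such as ntpd consumes: A records in the answer section only."""
    parsed = parse_response(msg)
    return [v for name, rtype, v in parsed["answer"] if rtype == A_TYPE and name == qname]


QNAME = "3.north-america.pool.ntp.org."
# Constructed resolver reply: good answers, parent-zone NS records in authority.
RESOLVER_REPLY = build_response(
    QNAME,
    answers=["192.0.2.10", "192.0.2.11"],
    authority_ns=[("org.", "a0.org.afilias-nst.info."), ("org.", "b0.org.afilias-nst.org.")],
)
# Constructed reply as an authoritative server would send it: AA set, no authority section.
AUTHORITATIVE_REPLY = build_response(QNAME, answers=["192.0.2.10"], authority_ns=[], aa=True)

if __name__ == "__main__":
    for label, reply in (("resolver", RESOLVER_REPLY), ("authoritative", AUTHORITATIVE_REPLY)):
        parsed = parse_response(reply)
        print(label, "AA =", parsed["aa"], "authority =", parsed["authority"])
        print("  addresses a client would use:", addresses_for(reply, QNAME))
```

Both replies yield the same usable addresses; the authority section and the AA flag only differ in how the answer was obtained, which is why an odd-looking "Authoritative answers can be found from:" list in nslookup output is not by itself evidence of a resolution failure.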
As @mnordhoff said, it all looks normal (and the important part would be if your DNS server reports errors or the client / stub-resolver can’t get answers).
ISC have recommended using dig (or more recently drill) for DNS debugging for almost 20 years (or more?). nslookup isn’t a good tool for diagnosing DNS (or really for anything).
I’m in love with ‘kdig’; it’s from the folks that develop the knot-resolver.