DNS resolving problems for ch.pool.ntp.org


#1

Since a few weeks we often have troubles with resolving IP adresses for different pools in pool.ntp.org, for us important is ch.pool.ntp.org, but other pools also fale

The problems seem to stay at some servers on the level of the servers ns1.ntp.org aswell as ns2.ntp.org and ns2.everett.org.

This can be seen when checking ch.pool.ntp.org via http://dns.squish.net/

Anybody aware of this ? Encountering similar issues ?

Cheers
Patrik


#2

The problem with ntp.org is known. I don’t control the ntp.org domain, but I have been trying to make the relevant people aware since the summer. It’s improved a little lately that we got some better DNS servers added to the NS-set in the ntp.org zone, but the .org servers are still serving the broken NS-set.

Can you run ‘dig +trace ch.pool.ntp.org’ from your system? I’m surprised you see widespread problems and that it changed a few weeks ago, so I wonder if it’s something else than the ntp.org NS issue.

(Sorry your post got caught in the spam filtering; the mobile web UI wouldn’t let me approve it - thank you for posting. I’ll mark your account so it shouldn’t happen again).


#3

Ask,
thanks for answering.

It might be that the problem exists already longer as we had earlier instances where monitoring said: NTP problem. But I never tracked it down to the issue as it was very intermittent. Around Christmas time I had enough time to track it down finally when it happened again.
In my feeling the frequency of incidents increased, but this is only a feeling, could also be wrong and caused in the fact that I now know why it happens.

Regarding trace: lots of affected machines have DNS forwarding to provider DNS and there a trace doesn’t help too much, this is why I used the http://dns.squish.net/ site for checking the complete walkthrough/trace… but below the trace from one Swiss machine and one Bulgarian machine being hooked up directly to the root servers.

Dig trace from a machine in Switzerland:
; <<>> DiG 9.4.2-P2 <<>> +trace ch.pool.ntp.org
;; global options: printcmd
. 3600 IN NS a.root-servers.net.
. 3600 IN NS b.root-servers.net.
. 3600 IN NS c.root-servers.net.
. 3600 IN NS d.root-servers.net.
. 3600 IN NS e.root-servers.net.
. 3600 IN NS f.root-servers.net.
. 3600 IN NS g.root-servers.net.
. 3600 IN NS h.root-servers.net.
. 3600 IN NS i.root-servers.net.
. 3600 IN NS j.root-servers.net.
. 3600 IN NS k.root-servers.net.
. 3600 IN NS l.root-servers.net.
. 3600 IN NS m.root-servers.net.
;; Received 449 bytes from 192.168.1.11#53(192.168.1.11) in 7 ms
org. 172800 IN NS a0.org.afilias-nst.info.
org. 172800 IN NS d0.org.afilias-nst.org.
org. 172800 IN NS a2.org.afilias-nst.info.
org. 172800 IN NS c0.org.afilias-nst.info.
org. 172800 IN NS b0.org.afilias-nst.org.
org. 172800 IN NS b2.org.afilias-nst.org.
;; Received 435 bytes from 199.7.91.13#53(d.root-servers.net) in 13 ms
ntp.org. 86400 IN NS ns1.ntp.org.
ntp.org. 86400 IN NS ns1.everett.org.
ntp.org. 86400 IN NS ns2.ntp.org.
ntp.org. 86400 IN NS ns2.everett.org.
;; Received 177 bytes from 199.19.57.1#53(d0.org.afilias-nst.org) in 184 ms
pool.ntp.org. 3600 IN NS b.ntpns.org.
pool.ntp.org. 3600 IN NS f.ntpns.org.
pool.ntp.org. 3600 IN NS i.ntpns.org.
pool.ntp.org. 3600 IN NS e.ntpns.org.
pool.ntp.org. 3600 IN NS h.ntpns.org.
pool.ntp.org. 3600 IN NS a.ntpns.org.
pool.ntp.org. 3600 IN NS d.ntpns.org.
pool.ntp.org. 3600 IN NS g.ntpns.org.
pool.ntp.org. 3600 IN NS c.ntpns.org.
;; Received 183 bytes from 66.220.13.229#53(ns1.everett.org) in 154 ms
ch.pool.ntp.org. 150 IN A 82.197.164.46
ch.pool.ntp.org. 150 IN A 195.186.1.101
ch.pool.ntp.org. 150 IN A 213.251.52.217
ch.pool.ntp.org. 150 IN A 5.148.175.134
;; Received 157 bytes from 37.123.115.71#53(g.ntpns.org) in 23 ms

Dig Trace from a Bulgarian machine (Sofia):
; <<>> DiG 9.4.2-P2 <<>> +trace ch.pool.ntp.org
;; global options: printcmd
. 3600 IN NS a.root-servers.net.
. 3600 IN NS b.root-servers.net.
. 3600 IN NS c.root-servers.net.
. 3600 IN NS d.root-servers.net.
. 3600 IN NS e.root-servers.net.
. 3600 IN NS f.root-servers.net.
. 3600 IN NS g.root-servers.net.
. 3600 IN NS h.root-servers.net.
. 3600 IN NS i.root-servers.net.
. 3600 IN NS j.root-servers.net.
. 3600 IN NS k.root-servers.net.
. 3600 IN NS l.root-servers.net.
. 3600 IN NS m.root-servers.net.
;; Received 449 bytes from 192.168.5.31#53(192.168.5.31) in 6 ms
org. 172800 IN NS d0.org.afilias-nst.org.
org. 172800 IN NS a0.org.afilias-nst.info.
org. 172800 IN NS c0.org.afilias-nst.info.
org. 172800 IN NS a2.org.afilias-nst.info.
org. 172800 IN NS b0.org.afilias-nst.org.
org. 172800 IN NS b2.org.afilias-nst.org.
;; Received 435 bytes from 198.41.0.4#53(a.root-servers.net) in 30 ms
ntp.org. 86400 IN NS ns1.ntp.org.
ntp.org. 86400 IN NS ns1.everett.org.
ntp.org. 86400 IN NS ns2.ntp.org.
ntp.org. 86400 IN NS ns2.everett.org.
;; Received 177 bytes from 199.249.120.1#53(b2.org.afilias-nst.org) in 35 ms
pool.ntp.org. 3600 IN NS c.ntpns.org.
pool.ntp.org. 3600 IN NS b.ntpns.org.
pool.ntp.org. 3600 IN NS a.ntpns.org.
pool.ntp.org. 3600 IN NS f.ntpns.org.
pool.ntp.org. 3600 IN NS d.ntpns.org.
pool.ntp.org. 3600 IN NS i.ntpns.org.
pool.ntp.org. 3600 IN NS h.ntpns.org.
pool.ntp.org. 3600 IN NS g.ntpns.org.
pool.ntp.org. 3600 IN NS e.ntpns.org.
;; Received 183 bytes from 66.220.13.229#53(ns1.everett.org) in 172 ms
ch.pool.ntp.org. 150 IN A 81.94.123.17
ch.pool.ntp.org. 150 IN A 5.148.175.134
ch.pool.ntp.org. 150 IN A 195.186.1.101
ch.pool.ntp.org. 150 IN A 82.197.164.46
;; Received 157 bytes from 89.36.18.22#53(c.ntpns.org) in 10 ms

Regarding Spamfilter: thank and no problem…

Patrik


#4

Hi,

my servers started reporting issues resolving subdomains of pool.ntp.org. Looked into it, there are no DNS records for ntp.org, and the record for www.ntp.org has just disappeared.

I suspect you are doing something about the dns issues you have been suffering lately and I applaud you for that.

Would you please happen to know how long it is going to take? Do you have a twitter handle I could follow?


#5

One of my caches had 19 hours left on the old NS records:

;; ANSWER SECTION:
ntp.org.                69807   IN      NS      ns1.ntp.org.
ntp.org.                69807   IN      NS      ns1.everett.org.
ntp.org.                69807   IN      NS      ns2.ntp.org.
ntp.org.                69807   IN      NS      ns2.everett.org.

And 8.8.8.8 was responding with SERVFAIL:

$ dig @8.8.8.8 ntp.org ns
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 7664
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0

I flushed Google’s cache of the NS records, and now 8.8.8.8 has the updated ones:

$ dig @8.8.8.8 ntp.org ns
;; ANSWER SECTION:
ntp.org.		3259	IN	NS	ns1.p20.dynect.net.
ntp.org.		3259	IN	NS	ns1.everett.org.
ntp.org.		3259	IN	NS	ns3.p20.dynect.net.
ntp.org.		3259	IN	NS	ns4.p20.dynect.net.
ntp.org.		3259	IN	NS	ns2.p20.dynect.net.
ntp.org.		3259	IN	NS	anyns.pch.net.
ntp.org.		3259	IN	NS	dns2.udel.edu.
ntp.org.		3259	IN	NS	ns2.everett.org.
ntp.org.		3259	IN	NS	dns1.udel.edu.

Other DNS caches should catch up on their own within the next ~24 hours. If you run a DNS resolver (the non forwarding kind), you can flush its cache to pick it up sooner.


#6

Do you know more specifically what’s going wrong? The current setup looks pretty good to me, but the old NS records may be cached for hours yet, and they’re barely functional.

If your recursive server is still relying only on the old NS records (ns1 and ns2 of ntp.org and everett.org) it’s worth flushing the cache to get the new NS records immediately.


#7

Thank you,

we are catching up know. All is well again :smiley:


#8

Stéphane Bortzmeyer tracked it down. The delegation was updated today, but the last remaining server that worked in the old NS-set had a hiccup for a while, so if you had cached those servers for ntp.org you couldn’t reach the zone for a bit.


#9

Good news from my side also:
http://dns.squish.net shows again proper resolving too, without any problems.

I had one issue today with one of my boxes, but probably it was due to old cached stuff or something completely different, I had no chance to check today, busy with bigger problems… :wink:

Thanks for having a look at it and moving the thing forward, towards a solution.
Cheers
Patrik