Originally Posted by Tom
This should be fixed now, there may be a requirement for this to propagate through the internet (24 hrs)
Problem will still exist because of this new behavior from Verisign. The glue records for blackberryserver.com are busted. Actually, now that I look closer, the problem is about to get much much worse from the way it was fixed.
The authoritative servers for blackberryforums.com:
# whois blackberryforums.com | grep -A2 'Name Servers:'
The NS records for blackberryforums.com, querying their authoritative servers directly so there are no ttl issues:
# dig NS blackberryforums.com @ns1.blackberrycenter.com
; <<>> DiG 9.5.0-P2 <<>> NS blackberryforums.com @ns1.blackberrycenter.com
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 6758
;; flags: qr aa rd; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 2
;; WARNING: recursion requested but not available
;; QUESTION SECTION:
;blackberryforums.com. IN NS
;; ANSWER SECTION:
blackberryforums.com. 86400 IN NS dns1.blackberryserver.com.
blackberryforums.com. 86400 IN NS dns2.blackberryserver.com.
;; ADDITIONAL SECTION:
dns1.blackberryserver.com. 14400 IN A 184.108.40.206
dns2.blackberryserver.com. 14400 IN A 220.127.116.11
;; Query time: 55 msec
;; SERVER: 18.104.22.168#53(22.214.171.124)
;; WHEN: Mon Mar 8 10:49:35 2010
;; MSG SIZE rcvd: 125
The record looks good on the surface. They kept the dns.blackberryserver.com NS records and ditched the rest. But dig a little deeper.
Find the authoritative servers for blackberryserver
.com because the names dns.blackberryserver.com need to be resolved to complete the original query of looking up names for blackberryforums
# whois blackberryserver.com | grep -A2 'Name Servers:'
So, ns.blackberryserver.com are authoritative for blackberryserver.com Query the NS records for blackberryserver.com, again, directly from the authoritative server so there are no ttl issues:
# dig NS blackberryserver.com @ns1.blackberryserver.com
dig: couldn't get address for 'ns1.blackberryserver.com': not found
(insert sound of screeching halt here)
This is the new behavior described by the verisign change doc. While the name servers dns.blackberrycenter
.com are configured to provide A records for dns.blackberryserver
.com, they are now irrelevant because the blackberrycenter.com servers are not authoritative for blackberryserver.com. So, where Verisign's root name servers for all of the .com namespace used to be helpful and just grab those glue records, it will not now promote those records to be authoritative.
Because the records for blackberryforums.com on dns.blackberrycenter.com now only contain NS records pointing to dns.blackberryserver.com, this problem is about to get much worse as soon as the TTL for all the glue records expire for blackberryforums.com.
So, the glue records for blackberryserver.com need to get fixed very soon, or the blackberryserver.com name servers need to be taken completely out of the mix.