Well, if you're an AOL mail server and you're trying to figure out if our mail server is legit or not, it can mean everything. You see, I broke something six days ago. Only, I didn't know that I broke it until almost three o'clock this afternoon.
Last Wednesday I was poking around in the records on our primary DNS server – setting up a new domain, adding some addresses to our reverse-lookup zone, and doing some general housekeeping. During the housekeeping part I spotted a couple of aliases in the hartfordschools.org domain records: routerguy and shadowrun. These were a pair of Mac boxes that
majikshop had setup back in '99 to do firewall/DNS work. We took them out of service in '02 and replaced them with a pair of much more mundane UNIX DNS servers (with much more mundane names: ns1.hartfordschools.org and ns2.hartfordschools.org). At the time we replaced them, I flipped their name entries in the DNS records from being "A" records (hosts) to being "CNAME" records – aliases that pointed to the new DNS servers. Wednesday night I nuked those aliases.
To understand why this was a bad thing, you have to understand a little bit about how DNS works. DNS is a hierarchy – at the top are the "root" servers. They know about the servers that handle the Top Level Domains (TLDs). The TLDs are .com, .org, .edu, and all of those ISO country codes – .uk, .ru and the like. The DNS servers responsible for each TLD know about the DNS servers for the domains within that TLD. EG, when you key in www.coke.com into your web browser, your PC asks your ISP's DNS server to resolve www.coke.com to a numeric IP address so that it can send an HTTP request. The DNS server seeks a root DNS server, which points it to a DNS server for the .com TLD, which in turn points it to a DNS server for coke.com, which at last, knows about www.coke.com and serves up the IP address.
DNS supports a feature called reverse lookup – you can ask a DNS server about an IP address, and if a record exists for it, the server will return the host name associated with that address. ISPs like AOL use reverse lookups to validate that mail servers sending email to AOL are who they say they are. Kind of a trust but verify thing to keep out the most unsophisticated of the riff-raff.
So what did I break? Back in '98 whenmajikshop set up those two boxes we registered their names with our ISP (AT&T), and they stuck those two names into their DNS database. Then they delegated responsibility for reverse DNS lookups for our block of AT&T-assigned IP address to shadowrun and routerguy. As long as the aliases were there, servers out on the 'net could trace the DNS breadcrumbs to AT&T and then to us. Once I took the aliases out, I broke the chain. *Shazam* no one on the 'net could find out what host belonged to any of our addresses. ISPs like AOL stopped accepting mail from us, and a couple of days later the help desk started getting calls.
It took a couple of hours of sleuthing this afternoon to dope this all out. AOL (perhaps unbelievably) gets kudos for having very responsive and knowledgeable support people. AT&T did pretty well too. For the short-term fix I put the aliases back in our DNS records. For a long-term fix I have a request in to AT&T's DNS group to change the records to the correct server names.
So,majikshop, how's that for a lasting legacy?
Last Wednesday I was poking around in the records on our primary DNS server – setting up a new domain, adding some addresses to our reverse-lookup zone, and doing some general housekeeping. During the housekeeping part I spotted a couple of aliases in the hartfordschools.org domain records: routerguy and shadowrun. These were a pair of Mac boxes that
majikshop had setup back in '99 to do firewall/DNS work. We took them out of service in '02 and replaced them with a pair of much more mundane UNIX DNS servers (with much more mundane names: ns1.hartfordschools.org and ns2.hartfordschools.org). At the time we replaced them, I flipped their name entries in the DNS records from being "A" records (hosts) to being "CNAME" records – aliases that pointed to the new DNS servers. Wednesday night I nuked those aliases. To understand why this was a bad thing, you have to understand a little bit about how DNS works. DNS is a hierarchy – at the top are the "root" servers. They know about the servers that handle the Top Level Domains (TLDs). The TLDs are .com, .org, .edu, and all of those ISO country codes – .uk, .ru and the like. The DNS servers responsible for each TLD know about the DNS servers for the domains within that TLD. EG, when you key in www.coke.com into your web browser, your PC asks your ISP's DNS server to resolve www.coke.com to a numeric IP address so that it can send an HTTP request. The DNS server seeks a root DNS server, which points it to a DNS server for the .com TLD, which in turn points it to a DNS server for coke.com, which at last, knows about www.coke.com and serves up the IP address.
DNS supports a feature called reverse lookup – you can ask a DNS server about an IP address, and if a record exists for it, the server will return the host name associated with that address. ISPs like AOL use reverse lookups to validate that mail servers sending email to AOL are who they say they are. Kind of a trust but verify thing to keep out the most unsophisticated of the riff-raff.
So what did I break? Back in '98 when
majikshop set up those two boxes we registered their names with our ISP (AT&T), and they stuck those two names into their DNS database. Then they delegated responsibility for reverse DNS lookups for our block of AT&T-assigned IP address to shadowrun and routerguy. As long as the aliases were there, servers out on the 'net could trace the DNS breadcrumbs to AT&T and then to us. Once I took the aliases out, I broke the chain. *Shazam* no one on the 'net could find out what host belonged to any of our addresses. ISPs like AOL stopped accepting mail from us, and a couple of days later the help desk started getting calls.It took a couple of hours of sleuthing this afternoon to dope this all out. AOL (perhaps unbelievably) gets kudos for having very responsive and knowledgeable support people. AT&T did pretty well too. For the short-term fix I put the aliases back in our DNS records. For a long-term fix I have a request in to AT&T's DNS group to change the records to the correct server names.
So,
majikshop, how's that for a lasting legacy?- Current Mood:
bemused
- Current Music:Jethro Tull - Rocks on the Road
Profile
- netcurmudgeon
- netcurmudgeon
- House of Hum
Comments
Not unbelievably. The chances are pretty good that you talked to someone I know, and it's not outside the realm of possibilities that you talked to someone I've slept with.
That aside, AOL has one of the smoothest mail operations going, these days.
Huey, that's teetering on the line of TMI. :-)
We cohort who talked with "the AOL dude" was really pleasantly surprised by his professionalism. I was also pleased with the go-the-extra-mile information in the SMTP error messages they were kicking back (the extended text included a URL to a DOC on how to un-screw your DNS).
Did you actually speak with someone whose first language WAS English? If so, I find that amazing. Sorry to sound too jaded, but when I had AOL, I always got someone in India. That is part of the reason I dropped 'em. Well, that, and the price. And the.....
;-)
, when those names came up in some notes of mine...
Sort of brings new meaning to "blast from the past"... more like crash from the past.