@bortzmeyer
Created January 18, 2017 19:55
Long list of name servers for pool.ntp.org
% check-soa -i pool.ntp.org
a.ntpns.org.
	2620:101:d007::42: OK: 1484769062 (3 ms)
	207.171.17.42: OK: 1484769062 (2 ms)
b.ntpns.org.
	2001:8e0:ffff:1::282: OK: 1484769062 (15 ms)
	212.25.19.23: OK: 1484769062 (17 ms)
	193.243.171.138: OK: 1484769062 (30 ms)
	174.127.124.192: OK: 1484769062 (100 ms)
c.ntpns.org.
	85.214.25.217: OK: 1484769062 (22 ms)
	2a01:238:426b:900:4535:f84f:5043:4854: OK: 1484769062 (24 ms)
	2a00:14b0:4200:32e0::1e5: OK: 1484769062 (31 ms)
	89.36.18.22: OK: 1484769062 (48 ms)
d.ntpns.org.
	2a01:4f8:121:43cd::3:1: OK: 1484769062 (14 ms)
	178.63.120.205: OK: 1484769062 (15 ms)
	199.188.48.59: OK: 1484769062 (100 ms)
	199.249.223.53: OK: 1484769062 (210 ms)
e.ntpns.org.
	94.242.223.210: OK: 1484769062 (0 ms)
	2001:4b20:0:ca01:5054:ff:fe6f:c4fb: OK: 1484769062 (16 ms)
	46.234.32.107: OK: 1484769062 (15 ms)
	173.255.139.202: OK: 1484769062 (141 ms)
f.ntpns.org.
	2a02:2290:2:48::73: OK: 1484769062 (2 ms)
	46.29.176.73: OK: 1484769062 (2 ms)
	31.3.105.98: OK: 1484769062 (13 ms)
	2001:4b20:0:ca01:5054:ff:fe69:9149: OK: 1484769062 (15 ms)
	46.234.32.105: OK: 1484769062 (15 ms)
	2a03:7900:104:1::2: OK: 1484769062 (22 ms)
g.ntpns.org.
	37.123.115.71: OK: 1484769062 (9 ms)
h.ntpns.org.
	2a01:238:426b:900:4535:f84f:5043:4854: OK: 1484769062 (21 ms)
	45.127.112.23: OK: 1484769062 (53 ms)
i.ntpns.org.
	2a02:2290:2:48::73: OK: 1484769062 (9 ms)
	45.127.113.23: OK: 1484769062 (10 ms)
@bortzmeyer

And the parent domain:

% check-soa -i ntp.org
anyns.pch.net.
	204.61.216.4: OK: 2017011701 (9 ms)
	2001:500:14:6004:ad::1: OK: 2017011701 (9 ms)
dns1.udel.edu.
	128.175.13.16: OK: 2017011701 (87 ms)
dns2.udel.edu.
	128.175.13.17: OK: 2017011701 (89 ms)
ns1.everett.org.
	Cannot get the IPv6 address: read udp [::1]:50471->[::1]:53: i/o timeout
ns1.p20.dynect.net.
	208.78.70.20: OK: 2017011701 (7 ms)
	2001:500:90:1::20: OK: 2017011701 (10 ms)
ns2.everett.org.
	66.220.13.230: ERROR: read udp 185.26.126.156:49918->66.220.13.230:53: i/o timeout
	2001:470:1:205::230: ERROR: read udp [2001:4b98:dc2:43:216:3eff:fea9:41a]:35373->[2001:470:1:205::230]:53: i/o timeout
ns2.p20.dynect.net.
	204.13.250.20: OK: 2017011701 (12 ms)
ns3.p20.dynect.net.
	208.78.71.20: OK: 2017011701 (5 ms)
	2001:500:94:1::20: OK: 2017011701 (6 ms)
ns4.p20.dynect.net.
	204.13.251.20: OK: 2017011701 (5 ms)

@bortzmeyer

Google Public DNS cannot resolve:

% dig @8.8.8.8 A pool.ntp.org



; <<>> DiG 9.11.0-P1 <<>> @8.8.8.8 A pool.ntp.org
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 34557
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 512
;; QUESTION SECTION:
;pool.ntp.org.		IN A

;; Query time: 21 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Wed Jan 18 20:13:39 UTC 2017
;; MSG SIZE  rcvd: 41

@bortzmeyer

DNSviz sees errors but they do not seem too serious (at least, it is not a DNSSEC issue, the domain is not signed):

http://dnsviz.net/d/pool.ntp.org/WH_KRQ/dnssec/

@bortzmeyer

Works with Verisign Public DNS 👍

% dig @64.6.64.6 A pool.ntp.org

; <<>> DiG 9.11.0-P1 <<>> @64.6.64.6 A pool.ntp.org
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 53894
;; flags: qr rd ra; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;pool.ntp.org.		IN A

;; ANSWER SECTION:
pool.ntp.org.		99 IN A	136.243.177.133
pool.ntp.org.		99 IN A	5.79.108.34
pool.ntp.org.		99 IN A	178.172.163.254
pool.ntp.org.		99 IN A	78.192.65.63

;; Query time: 25 msec
;; SERVER: 64.6.64.6#53(64.6.64.6)
;; WHEN: Wed Jan 18 20:21:52 UTC 2017
;; MSG SIZE  rcvd: 105

@bortzmeyer

Or with my local Unbound 👍

 % dig A pool.ntp.org

; <<>> DiG 9.11.0-P1 <<>> A pool.ntp.org
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 10054
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;pool.ntp.org.		IN A

;; ANSWER SECTION:
pool.ntp.org.		150 IN A 80.92.86.19
pool.ntp.org.		150 IN A 80.92.86.18

;; Query time: 15 msec
;; SERVER: ::1#53(::1)
;; WHEN: Wed Jan 18 20:24:03 UTC 2017
;; MSG SIZE  rcvd: 73

@bortzmeyer

Yandex DNS is also OK 👍

 % dig @77.88.8.8 A pool.ntp.org

; <<>> DiG 9.11.0-P1 <<>> @77.88.8.8 A pool.ntp.org
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 59835
;; flags: qr rd ra; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;pool.ntp.org.		IN A

;; ANSWER SECTION:
pool.ntp.org.		132 IN A 185.22.60.71
pool.ntp.org.		132 IN A 83.143.51.50
pool.ntp.org.		132 IN A 46.8.40.31
pool.ntp.org.		132 IN A 94.100.192.29

;; Query time: 38 msec
;; SERVER: 77.88.8.8#53(77.88.8.8)
;; WHEN: Wed Jan 18 20:25:51 UTC 2017
;; MSG SIZE  rcvd: 94

@bortzmeyer

Reason found by Gert Doering. The NS set changed recently (some resolvers still have the old set in the cache) and the old nameservers were decommissioned before the end of the TTL :-(

Old set:

ns2.everett.org.
ns2.ntp.org.
ns1.everett.org.
ns1.ntp.org.

New set:
ns1.everett.org.
dns1.udel.edu.
dns2.udel.edu.
anyns.pch.net.
ns3.p20.dynect.net.
ns1.p20.dynect.net.
ns2.p20.dynect.net.
ns4.p20.dynect.net.

So, it is just a botched change in configuration.

@bortzmeyer

The passive DNS service DNSDB supports Gert Doering's explanation:

;;  bailiwick: org.
;;      count: 2408845
;; first seen: 2016-07-04 00:33:28 -0000
;;  last seen: 2017-01-18 18:05:47 -0000
ntp.org. IN NS ns1.ntp.org.
ntp.org. IN NS ns2.ntp.org.
ntp.org. IN NS ns1.everett.org.
ntp.org. IN NS ns2.everett.org.


;;  bailiwick: org.
;;      count: 1
;; first seen: 2017-01-18 18:59:35 -0000
;;  last seen: 2017-01-18 18:59:35 -0000
ntp.org. IN NS dns1.udel.edu.
ntp.org. IN NS dns2.udel.edu.
ntp.org. IN NS anyns.pch.net.
ntp.org. IN NS ns1.everett.org.
ntp.org. IN NS ns1.p20.dynect.net.
ntp.org. IN NS ns2.p20.dynect.net.
ntp.org. IN NS ns3.p20.dynect.net.
ntp.org. IN NS ns4.p20.dynect.net.
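
The cutover that Gert Doering's explanation and the DNSDB records describe, worked through as an added example (not part of the original thread): it parses the two rrsets quoted above, lists which old name servers resolvers may still have cached, and computes how long those servers would need to keep answering. The 86400-second delegation TTL and the function names are assumptions; the page does not state the TTL.

```python
import re
from datetime import datetime, timedelta
# NS rrsets from the DNSDB output quoted above (bailiwick/count lines omitted).
DNSDB = """\
;; first seen: 2016-07-04 00:33:28 -0000
;;  last seen: 2017-01-18 18:05:47 -0000
ntp.org. IN NS ns1.ntp.org.
ntp.org. IN NS ns2.ntp.org.
ntp.org. IN NS ns1.everett.org.
ntp.org. IN NS ns2.everett.org.

;; first seen: 2017-01-18 18:59:35 -0000
;;  last seen: 2017-01-18 18:59:35 -0000
ntp.org. IN NS dns1.udel.edu.
ntp.org. IN NS dns2.udel.edu.
ntp.org. IN NS anyns.pch.net.
ntp.org. IN NS ns1.everett.org.
ntp.org. IN NS ns1.p20.dynect.net.
ntp.org. IN NS ns2.p20.dynect.net.
ntp.org. IN NS ns3.p20.dynect.net.
ntp.org. IN NS ns4.p20.dynect.net.
"""
# Assumption, not stated on the page: TTL of the delegation NS records in the parent zone.
ASSUMED_NS_TTL = timedelta(seconds=86400)

def parse_rrsets(text):
    """Return the rrsets, oldest first, as dicts with 'first', 'last' (naive UTC) and 'ns'."""
    rrsets = []
    for block in re.split(r"\n\s*\n", text.strip()):
        rr = {"ns": set()}
        for line in block.splitlines():
            seen = re.match(r";;\s*(first|last) seen: (\S+ \S+)", line)
            fields = line.split()
            if seen:
                rr[seen.group(1)] = datetime.strptime(seen.group(2), "%Y-%m-%d %H:%M:%S")
            elif len(fields) == 4 and fields[2] == "NS":
                rr["ns"].add(fields[3].lower())
        rrsets.append(rr)
    return sorted(rrsets, key=lambda rr: rr["first"])

def cutover_report(text, ttl=ASSUMED_NS_TTL):
    """Compare the two most recent NS sets. A resolver may have cached the old set
    until just before the new one appeared, so old servers are needed for one more TTL."""
    old, new = parse_rrsets(text)[-2:]
    return {
        "dropped": sorted(old["ns"] - new["ns"]),  # caches may still query these
        "kept": sorted(old["ns"] & new["ns"]),
        "added": sorted(new["ns"] - old["ns"]),
        "keep_old_servers_until": new["first"] + ttl,
    }
```

The DNSDB timestamps are observation times, so the bound is conservative only to the extent that the new set was first seen close to the actual change; a longer NS TTL published in the child zone would push the date further out.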

@phonedph1

Ours was botched for a few hours too. Flushed the ntp.org. entry to refresh the NS set and we're back now.

@packetbiral

Used the Flush Cache function on the GPD site to flush NS records for ntp.org and pool.ntp.org.

My local Google instance is responding correctly after that:

sadiq@lasciel:~/dev/ > dig pool.ntp.org @8.8.8.8

; <<>> DiG 9.10.3-P4-Ubuntu <<>> pool.ntp.org @8.8.8.8
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 57924
;; flags: qr rd ra; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;pool.ntp.org. IN A

;; ANSWER SECTION:
pool.ntp.org. 137 IN A 206.108.0.132
pool.ntp.org. 137 IN A 192.95.25.79
pool.ntp.org. 137 IN A 167.114.204.238
pool.ntp.org. 137 IN A 199.19.167.36

;; Query time: 26 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Wed Jan 18 20:52:14 UTC 2017
;; MSG SIZE rcvd: 105

@jungle-boogie

Or with my local Unbound

That's a mighty impressive response time. Any input on how I can make it that good? I resolve to root DNS zones, not ISP DNS/public DNS.

@abh

abh commented Jan 18, 2017

@bortzmeyer Three of the four old servers have been down for months; I've been nagging the folks in charge of the ntp.org domain to get it updated and we recently got the in-zone NS-set updated to include PCH and Dyn. The delegation was updated today, but as you saw it looks like the one working server of the old four had a hiccup. :-(
