% check-soa -i pool.ntp.org
a.ntpns.org.
    2620:101:d007::42: OK: 1484769062 (3 ms)
    207.171.17.42: OK: 1484769062 (2 ms)
b.ntpns.org.
    2001:8e0:ffff:1::282: OK: 1484769062 (15 ms)
    212.25.19.23: OK: 1484769062 (17 ms)
    193.243.171.138: OK: 1484769062 (30 ms)
    174.127.124.192: OK: 1484769062 (100 ms)
c.ntpns.org.
    85.214.25.217: OK: 1484769062 (22 ms)
    2a01:238:426b:900:4535:f84f:5043:4854: OK: 1484769062 (24 ms)
    2a00:14b0:4200:32e0::1e5: OK: 1484769062 (31 ms)
    89.36.18.22: OK: 1484769062 (48 ms)
d.ntpns.org.
    2a01:4f8:121:43cd::3:1: OK: 1484769062 (14 ms)
    178.63.120.205: OK: 1484769062 (15 ms)
    199.188.48.59: OK: 1484769062 (100 ms)
    199.249.223.53: OK: 1484769062 (210 ms)
e.ntpns.org.
    94.242.223.210: OK: 1484769062 (0 ms)
    2001:4b20:0:ca01:5054:ff:fe6f:c4fb: OK: 1484769062 (16 ms)
    46.234.32.107: OK: 1484769062 (15 ms)
    173.255.139.202: OK: 1484769062 (141 ms)
f.ntpns.org.
    2a02:2290:2:48::73: OK: 1484769062 (2 ms)
    46.29.176.73: OK: 1484769062 (2 ms)
    31.3.105.98: OK: 1484769062 (13 ms)
    2001:4b20:0:ca01:5054:ff:fe69:9149: OK: 1484769062 (15 ms)
    46.234.32.105: OK: 1484769062 (15 ms)
    2a03:7900:104:1::2: OK: 1484769062 (22 ms)
g.ntpns.org.
    37.123.115.71: OK: 1484769062 (9 ms)
h.ntpns.org.
    2a01:238:426b:900:4535:f84f:5043:4854: OK: 1484769062 (21 ms)
    45.127.112.23: OK: 1484769062 (53 ms)
i.ntpns.org.
    2a02:2290:2:48::73: OK: 1484769062 (9 ms)
    45.127.113.23: OK: 1484769062 (10 ms)
Google Public DNS cannot resolve:
% dig @8.8.8.8 A pool.ntp.org
; <<>> DiG 9.11.0-P1 <<>> @8.8.8.8 A pool.ntp.org
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 34557
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 512
;; QUESTION SECTION:
;pool.ntp.org. IN A
;; Query time: 21 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Wed Jan 18 20:13:39 UTC 2017
;; MSG SIZE rcvd: 41
DNSviz sees errors but they do not seem too serious (at least, it is not a DNSSEC issue, the domain is not signed):
Works with Verisign Public DNS 👍
% dig @64.6.64.6 A pool.ntp.org
; <<>> DiG 9.11.0-P1 <<>> @64.6.64.6 A pool.ntp.org
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 53894
;; flags: qr rd ra; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;pool.ntp.org. IN A
;; ANSWER SECTION:
pool.ntp.org. 99 IN A 136.243.177.133
pool.ntp.org. 99 IN A 5.79.108.34
pool.ntp.org. 99 IN A 178.172.163.254
pool.ntp.org. 99 IN A 78.192.65.63
;; Query time: 25 msec
;; SERVER: 64.6.64.6#53(64.6.64.6)
;; WHEN: Wed Jan 18 20:21:52 UTC 2017
;; MSG SIZE rcvd: 105
Or with my local Unbound 👍
% dig A pool.ntp.org
; <<>> DiG 9.11.0-P1 <<>> A pool.ntp.org
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 10054
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;pool.ntp.org. IN A
;; ANSWER SECTION:
pool.ntp.org. 150 IN A 80.92.86.19
pool.ntp.org. 150 IN A 80.92.86.18
;; Query time: 15 msec
;; SERVER: ::1#53(::1)
;; WHEN: Wed Jan 18 20:24:03 UTC 2017
;; MSG SIZE rcvd: 73
Yandex DNS is also OK 👍
% dig @77.88.8.8 A pool.ntp.org
; <<>> DiG 9.11.0-P1 <<>> @77.88.8.8 A pool.ntp.org
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 59835
;; flags: qr rd ra; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;pool.ntp.org. IN A
;; ANSWER SECTION:
pool.ntp.org. 132 IN A 185.22.60.71
pool.ntp.org. 132 IN A 83.143.51.50
pool.ntp.org. 132 IN A 46.8.40.31
pool.ntp.org. 132 IN A 94.100.192.29
;; Query time: 38 msec
;; SERVER: 77.88.8.8#53(77.88.8.8)
;; WHEN: Wed Jan 18 20:25:51 UTC 2017
;; MSG SIZE rcvd: 94
Reason found by Gert Doering. The NS set changed recently (some resolvers still have the old set in the cache) and the old nameservers were decommissioned before the end of the TTL :-(
Old set :
ns2.everett.org.
ns2.ntp.org.
ns1.everett.org.
ns1.ntp.org.
New set :
ns1.everett.org.
dns1.udel.edu.
dns2.udel.edu.
anyns.pch.net.
ns3.p20.dynect.net.
ns1.p20.dynect.net.
ns2.p20.dynect.net.
ns4.p20.dynect.net.
So, it is just a botched change in configuration.
The passive DNS service DNSDB supports Gert Doering's explanation:
;; bailiwick: org.
;; count: 2408845
;; first seen: 2016-07-04 00:33:28 -0000
;; last seen: 2017-01-18 18:05:47 -0000
ntp.org. IN NS ns1.ntp.org.
ntp.org. IN NS ns2.ntp.org.
ntp.org. IN NS ns1.everett.org.
ntp.org. IN NS ns2.everett.org.
;; bailiwick: org.
;; count: 1
;; first seen: 2017-01-18 18:59:35 -0000
;; last seen: 2017-01-18 18:59:35 -0000
ntp.org. IN NS dns1.udel.edu.
ntp.org. IN NS dns2.udel.edu.
ntp.org. IN NS anyns.pch.net.
ntp.org. IN NS ns1.everett.org.
ntp.org. IN NS ns1.p20.dynect.net.
ntp.org. IN NS ns2.p20.dynect.net.
ntp.org. IN NS ns3.p20.dynect.net.
ntp.org. IN NS ns4.p20.dynect.net.
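An added example, not code from the gist or its commenters: a simplified model of the failure described above, in which a resolver keeps using a cached NS set until its TTL runs out. The NS sets and timestamps are the ones on this page; the 86400-second delegation TTL, the set of answering servers and all function names are assumptions.

```python
from datetime import datetime, timedelta, timezone

# NS sets as listed on this page.
OLD_NS = {"ns1.ntp.org.", "ns2.ntp.org.", "ns1.everett.org.", "ns2.everett.org."}
NEW_NS = {"dns1.udel.edu.", "dns2.udel.edu.", "anyns.pch.net.", "ns1.everett.org.",
          "ns1.p20.dynect.net.", "ns2.p20.dynect.net.",
          "ns3.p20.dynect.net.", "ns4.p20.dynect.net."}

DELEGATION_TTL = 86400  # assumption: TTL of the NS records, not given on the page


def utc(text):
    """Parse 'YYYY-MM-DD HH:MM:SS' as a UTC timestamp."""
    return datetime.strptime(text, "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)


# DNSDB "first seen" of the new set, used as the time of the delegation change.
CHANGED_AT = utc("2017-01-18 18:59:35")
# Constructed scenario: only servers that are new in the set answer queries.
ANSWERING = NEW_NS - OLD_NS


def must_stay_up():
    """Old servers dropped from the delegation; caches may still query them."""
    return sorted(OLD_NS - NEW_NS)


def safe_to_retire_after(changed_at=CHANGED_AT, ttl=DELEGATION_TTL):
    """Earliest time at which no cache can still hold the old NS set."""
    return changed_at + timedelta(seconds=ttl)


def resolve(now, cached_at, answering=ANSWERING, ttl=DELEGATION_TTL):
    """Status seen by a resolver that cached the delegation at cached_at.

    cached_at=None models a cold cache. Simplified: the cached NS set is used
    unchanged until its TTL expires, then fetched again from the parent.
    """
    current = NEW_NS if now >= CHANGED_AT else OLD_NS
    if cached_at is None or now >= cached_at + timedelta(seconds=ttl):
        ns_set = current                      # fetched from the parent now
    else:                                     # cache entry still valid
        ns_set = OLD_NS if cached_at < CHANGED_AT else NEW_NS
    return "NOERROR" if ns_set & answering else "SERVFAIL"


if __name__ == "__main__":
    print(must_stay_up(), safe_to_retire_after())
    print(resolve(utc("2017-01-18 20:13:39"), utc("2017-01-18 18:05:47")))  # warm cache
    print(resolve(utc("2017-01-18 20:24:03"), None))                        # cold cache
```

Flushing the cached entry, as the later comments describe, corresponds to the cold-cache case here.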
Ours was botched for a few hours too. Flushed the ntp.org. entry to refresh the NS set and we're back now.
Used the Flush Cache function on the GPD site to flush NS records for ntp.org and pool.ntp.org.
My local Google instance is responding correctly after that:
sadiq@lasciel:~/dev/ > dig pool.ntp.org @8.8.8.8
; <<>> DiG 9.10.3-P4-Ubuntu <<>> pool.ntp.org @8.8.8.8
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 57924
;; flags: qr rd ra; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;pool.ntp.org. IN A
;; ANSWER SECTION:
pool.ntp.org. 137 IN A 206.108.0.132
pool.ntp.org. 137 IN A 192.95.25.79
pool.ntp.org. 137 IN A 167.114.204.238
pool.ntp.org. 137 IN A 199.19.167.36
;; Query time: 26 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Wed Jan 18 20:52:14 UTC 2017
;; MSG SIZE rcvd: 105
Or with my local Unbound
That's a mighty impressive response time. Any input on how I can make it that good? I resolve to root DNS zones, not ISP DNS/public DNS.
@bortzmeyer Three of the four old servers have been down for months; I've been nagging the folks in charge of the ntp.org domain to get it updated and we recently got the in-zone NS-set updated to include PCH and Dyn. The delegation was updated today, but as you saw it looks like the one working server of the old four had a hiccup. :-(
And the parent domain: