Skip to content

Instantly share code, notes, and snippets.

Embed
What would you like to do?
Long list of name servers for pool.ntp.org
% check-soa -i pool.ntp.org
a.ntpns.org.
	2620:101:d007::42: OK: 1484769062 (3 ms)
	207.171.17.42: OK: 1484769062 (2 ms)
b.ntpns.org.
	2001:8e0:ffff:1::282: OK: 1484769062 (15 ms)
	212.25.19.23: OK: 1484769062 (17 ms)
	193.243.171.138: OK: 1484769062 (30 ms)
	174.127.124.192: OK: 1484769062 (100 ms)
c.ntpns.org.
	85.214.25.217: OK: 1484769062 (22 ms)
	2a01:238:426b:900:4535:f84f:5043:4854: OK: 1484769062 (24 ms)
	2a00:14b0:4200:32e0::1e5: OK: 1484769062 (31 ms)
	89.36.18.22: OK: 1484769062 (48 ms)
d.ntpns.org.
	2a01:4f8:121:43cd::3:1: OK: 1484769062 (14 ms)
	178.63.120.205: OK: 1484769062 (15 ms)
	199.188.48.59: OK: 1484769062 (100 ms)
	199.249.223.53: OK: 1484769062 (210 ms)
e.ntpns.org.
	94.242.223.210: OK: 1484769062 (0 ms)
	2001:4b20:0:ca01:5054:ff:fe6f:c4fb: OK: 1484769062 (16 ms)
	46.234.32.107: OK: 1484769062 (15 ms)
	173.255.139.202: OK: 1484769062 (141 ms)
f.ntpns.org.
	2a02:2290:2:48::73: OK: 1484769062 (2 ms)
	46.29.176.73: OK: 1484769062 (2 ms)
	31.3.105.98: OK: 1484769062 (13 ms)
	2001:4b20:0:ca01:5054:ff:fe69:9149: OK: 1484769062 (15 ms)
	46.234.32.105: OK: 1484769062 (15 ms)
	2a03:7900:104:1::2: OK: 1484769062 (22 ms)
g.ntpns.org.
	37.123.115.71: OK: 1484769062 (9 ms)
h.ntpns.org.
	2a01:238:426b:900:4535:f84f:5043:4854: OK: 1484769062 (21 ms)
	45.127.112.23: OK: 1484769062 (53 ms)
i.ntpns.org.
	2a02:2290:2:48::73: OK: 1484769062 (9 ms)
	45.127.113.23: OK: 1484769062 (10 ms)
@bortzmeyer

This comment has been minimized.

Copy link
Owner Author

bortzmeyer commented Jan 18, 2017

And the parent domain:

% check-soa -i ntp.org
anyns.pch.net.
	204.61.216.4: OK: 2017011701 (9 ms)
	2001:500:14:6004:ad::1: OK: 2017011701 (9 ms)
dns1.udel.edu.
	128.175.13.16: OK: 2017011701 (87 ms)
dns2.udel.edu.
	128.175.13.17: OK: 2017011701 (89 ms)
ns1.everett.org.
	Cannot get the IPv6 address: read udp [::1]:50471->[::1]:53: i/o timeout
ns1.p20.dynect.net.
	208.78.70.20: OK: 2017011701 (7 ms)
	2001:500:90:1::20: OK: 2017011701 (10 ms)
ns2.everett.org.
	66.220.13.230: ERROR: read udp 185.26.126.156:49918->66.220.13.230:53: i/o timeout
	2001:470:1:205::230: ERROR: read udp [2001:4b98:dc2:43:216:3eff:fea9:41a]:35373->[2001:470:1:205::230]:53: i/o timeout
ns2.p20.dynect.net.
	204.13.250.20: OK: 2017011701 (12 ms)
ns3.p20.dynect.net.
	208.78.71.20: OK: 2017011701 (5 ms)
	2001:500:94:1::20: OK: 2017011701 (6 ms)
ns4.p20.dynect.net.
	204.13.251.20: OK: 2017011701 (5 ms)
@bortzmeyer

This comment has been minimized.

Copy link
Owner Author

bortzmeyer commented Jan 18, 2017

Google Public DNS cannot resolve:

% dig @8.8.8.8 A pool.ntp.org



; <<>> DiG 9.11.0-P1 <<>> @8.8.8.8 A pool.ntp.org
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 34557
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 512
;; QUESTION SECTION:
;pool.ntp.org.		IN A

;; Query time: 21 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Wed Jan 18 20:13:39 UTC 2017
;; MSG SIZE  rcvd: 41

@bortzmeyer

This comment has been minimized.

Copy link
Owner Author

bortzmeyer commented Jan 18, 2017

DNSviz sees errors but they do not seem too serious (at least, it is not a DNSSEC issue, the domain is not signed):

http://dnsviz.net/d/pool.ntp.org/WH_KRQ/dnssec/

@bortzmeyer

This comment has been minimized.

Copy link
Owner Author

bortzmeyer commented Jan 18, 2017

Works with Verisign Public DNS 👍

% dig @64.6.64.6 A pool.ntp.org

; <<>> DiG 9.11.0-P1 <<>> @64.6.64.6 A pool.ntp.org
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 53894
;; flags: qr rd ra; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;pool.ntp.org.		IN A

;; ANSWER SECTION:
pool.ntp.org.		99 IN A	136.243.177.133
pool.ntp.org.		99 IN A	5.79.108.34
pool.ntp.org.		99 IN A	178.172.163.254
pool.ntp.org.		99 IN A	78.192.65.63

;; Query time: 25 msec
;; SERVER: 64.6.64.6#53(64.6.64.6)
;; WHEN: Wed Jan 18 20:21:52 UTC 2017
;; MSG SIZE  rcvd: 105
@bortzmeyer

This comment has been minimized.

Copy link
Owner Author

bortzmeyer commented Jan 18, 2017

Or with my local Unbound 👍

 % dig A pool.ntp.org

; <<>> DiG 9.11.0-P1 <<>> A pool.ntp.org
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 10054
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;pool.ntp.org.		IN A

;; ANSWER SECTION:
pool.ntp.org.		150 IN A 80.92.86.19
pool.ntp.org.		150 IN A 80.92.86.18

;; Query time: 15 msec
;; SERVER: ::1#53(::1)
;; WHEN: Wed Jan 18 20:24:03 UTC 2017
;; MSG SIZE  rcvd: 73

@bortzmeyer

This comment has been minimized.

Copy link
Owner Author

bortzmeyer commented Jan 18, 2017

Yandex DNS is also OK 👍

 % dig @77.88.8.8 A pool.ntp.org

; <<>> DiG 9.11.0-P1 <<>> @77.88.8.8 A pool.ntp.org
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 59835
;; flags: qr rd ra; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;pool.ntp.org.		IN A

;; ANSWER SECTION:
pool.ntp.org.		132 IN A 185.22.60.71
pool.ntp.org.		132 IN A 83.143.51.50
pool.ntp.org.		132 IN A 46.8.40.31
pool.ntp.org.		132 IN A 94.100.192.29

;; Query time: 38 msec
;; SERVER: 77.88.8.8#53(77.88.8.8)
;; WHEN: Wed Jan 18 20:25:51 UTC 2017
;; MSG SIZE  rcvd: 94

@bortzmeyer

This comment has been minimized.

Copy link
Owner Author

bortzmeyer commented Jan 18, 2017

Reason found by Gert Doering. The NS set changed recently (some resolvers still have the old set in the cache) and the old nameservers were decommissioned before the end of the TTL :-(

Old set :

ns2.everett.org.
ns2.ntp.org.
ns1.everett.org.
ns1.ntp.org.

New set :
ns1.everett.org.
dns1.udel.edu.
dns2.udel.edu.
anyns.pch.net.
ns3.p20.dynect.net.
ns1.p20.dynect.net.
ns2.p20.dynect.net.
ns4.p20.dynect.net.

So, it is just a botched changed in configuration.

@bortzmeyer

This comment has been minimized.

Copy link
Owner Author

bortzmeyer commented Jan 18, 2017

The passive DNS service DNSDB supports Gert Doering's explanation:

;;  bailiwick: org.
;;      count: 2408845
;; first seen: 2016-07-04 00:33:28 -0000
;;  last seen: 2017-01-18 18:05:47 -0000
ntp.org. IN NS ns1.ntp.org.
ntp.org. IN NS ns2.ntp.org.
ntp.org. IN NS ns1.everett.org.
ntp.org. IN NS ns2.everett.org.


;;  bailiwick: org.
;;      count: 1
;; first seen: 2017-01-18 18:59:35 -0000
;;  last seen: 2017-01-18 18:59:35 -0000
ntp.org. IN NS dns1.udel.edu.
ntp.org. IN NS dns2.udel.edu.
ntp.org. IN NS anyns.pch.net.
ntp.org. IN NS ns1.everett.org.
ntp.org. IN NS ns1.p20.dynect.net.
ntp.org. IN NS ns2.p20.dynect.net.
ntp.org. IN NS ns3.p20.dynect.net.
ntp.org. IN NS ns4.p20.dynect.net.

@phonedph1

This comment has been minimized.

Copy link

phonedph1 commented Jan 18, 2017

Ours was botched for a few hours too. Flushed the ntp.org. entry to refresh the NS set and we're back now.

@staticsafe

This comment has been minimized.

Copy link

staticsafe commented Jan 18, 2017

Used the Flush Cache function on the GPD site to flush NS records for ntp.org and pool.ntp.org.

My local Google instance is responding correctly after that:

sadiq@lasciel:~/dev/ > dig pool.ntp.org @8.8.8.8

; <<>> DiG 9.10.3-P4-Ubuntu <<>> pool.ntp.org @8.8.8.8
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 57924
;; flags: qr rd ra; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;pool.ntp.org. IN A

;; ANSWER SECTION:
pool.ntp.org. 137 IN A 206.108.0.132
pool.ntp.org. 137 IN A 192.95.25.79
pool.ntp.org. 137 IN A 167.114.204.238
pool.ntp.org. 137 IN A 199.19.167.36

;; Query time: 26 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Wed Jan 18 20:52:14 UTC 2017
;; MSG SIZE rcvd: 105

@jungle-boogie

This comment has been minimized.

Copy link

jungle-boogie commented Jan 18, 2017

Or with my local Unbound

That's a mighty impressive response time. Any input on how I can make it that good? I resolve to root DNS zones, not ISP DNS/public DNS.

@abh

This comment has been minimized.

Copy link

abh commented Jan 18, 2017

@bortzmeyer Three of the four old servers have been down for months; I've been nagging the folks in charge of the ntp.org domain to get it updated and we recently got the in-zone NS-set updated to include PCH and Dyn. The delegation was updated today, but as you saw it looks like the one working server of the old four had a hiccup. :-(

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
You can’t perform that action at this time.