Wednesday, August 5, 2009

When the internet doesn't see an update to your zonefile

SkyHi @ Wednesday, August 05, 2009

Every once in a while we see a situation where somebody changes the IP address that one of their hostnames (an A record) points at, and the rest of the world still sees the old address.

Common causes of this include:

  • You forgot to increment the zone's serial in the SOA record (*thwap*). Secondary nameservers only transfer a zone whose serial has gone up, so increment the serial and reload the zone again.
  • The nameserver you are using to check your hostname is a resolver / recursor that already has this record in its DNS cache and is answering with its cached data. If this is the case, either query one of the zone's authoritative nameservers directly or wait for the record's time-to-live to elapse so that the resolver refreshes its data. The TTL that matters is the one on the record itself (or the zone's default from the $TTL directive); the "minimum" field of the SOA record only controls how long negative answers (NXDOMAIN / no data) are cached, per RFC 2308.
  • There is an error in the new zone data. If this is the case the primary nameserver will not even load the new file and keeps serving the previous copy. If you have local access to the primary nameserver you can tell this is the case when the serial in the SOA record in your zonefile isn't the serial the nameserver answers with for SOA queries.
    Grep your nameserver logs and you'll probably see what the problem is (running named-checkzone on the file before reloading will report the same error).
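As an added example (not code from the original post), here is a small shell check for the first and third causes above: it reads the serial out of a zonefile, compares it with the serial a nameserver is actually answering with, and says whether the new data has been loaded. The zone name, server and serials in the constructed sample are assumptions, as is the `check_live` usage.

```shell
#!/bin/sh
# Added example, not from the original post: does the serial in the zonefile
# match the serial the nameserver is serving? Zone names, servers and serials
# below are constructed for illustration.

# Print the serial from the SOA record of the zonefile read on stdin.
# ";" comments are stripped and "( ... )" is flattened so the usual
# multi-line SOA layout works; the serial is the third field after "SOA"
# (MNAME RNAME SERIAL ...).
zonefile_serial() {
    sed 's/;.*//; s/[()]/ /g' | tr '\n' ' ' |
    awk '{ for (i = 1; i <= NF; i++) if ($i == "SOA") { print $(i + 3); exit } }'
}

# Print the serial from "dig +short SOA <zone>" output read on stdin
# (MNAME RNAME SERIAL REFRESH RETRY EXPIRE MINIMUM).
served_serial() {
    awk 'NF >= 3 { print $3; exit }'
}

# Compare the two serials. A zonefile serial above the served one means the
# reload did not happen or the file failed to load; equal means all is well.
serial_status() {
    file=$1; served=$2
    if [ -z "$file" ] || [ -z "$served" ]; then
        echo "could not read a serial (zonefile: '$file', served: '$served')"
        return 1
    fi
    if [ "$file" = "$served" ]; then
        echo "loaded: serial $served"
    elif [ "$file" -gt "$served" ]; then
        echo "not loaded: zonefile has $file, server still serves $served (check the logs)"
    else
        echo "zonefile serial $file is behind the served serial $served"
    fi
}

# Live check against a real server (needs dig and network), e.g.:
#   sh serial-check.sh /etc/bind/db.example.com example.com 127.0.0.1
check_live() {
    zonefile=$1; zone=$2; server=$3
    serial_status "$(zonefile_serial < "$zonefile")" \
                  "$(dig +short SOA "$zone" @"$server" | served_serial)"
}

# Constructed sample: zonefile bumped to ...02, server still answering ...01.
SAMPLE_ZONE='$TTL 3600
example.com.   IN SOA ns1.example.com. hostmaster.example.com. (
                   2009080502 ; serial
                   3600       ; refresh
                   900        ; retry
                   1209600    ; expire
                   300 )      ; negative caching TTL
               IN NS  ns1.example.com.
ns1            IN A   198.51.100.25'
SAMPLE_DIG_SOA='ns1.example.com. hostmaster.example.com. 2009080501 3600 900 1209600 300'

if [ $# -eq 3 ]; then
    check_live "$1" "$2" "$3"
else
    serial_status "$(printf '%s\n' "$SAMPLE_ZONE" | zonefile_serial)" \
                  "$(printf '%s\n' "$SAMPLE_DIG_SOA" | served_serial)"
fi
```

Run it with no arguments to see the constructed mismatch reported, or with a zonefile, zone name and server address to compare a real zone against what the server answers.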

Which is all fine for common oversights when making DNS edits. Sometimes however, you've incremented the serial, there are no errors in the zonefile, in fact all the authoritative nameservers have the new IP address but nobody else can see it. What then?

This is far more obscure, but it still happens. What has probably happened is that at some point the host record being changed was used as a nameserver, that is, its name appeared in an NS record delegating a domain name.

When that happens with a generic top level domain (like .com or .net), the registry that runs the TLD keeps its own copy of the nameserver's address, a glue record, in the TLD zone alongside the delegation. Glue exists so that the TLD's servers can hand out the addresses of a domain's nameservers in the same referral, without resolvers having to make extra lookups for each nameserver name; when the nameserver's name lies inside the very domain being delegated, resolution could not even start without it. Note that it is the TLD's nameservers (the gTLD servers for .com and .net) that carry this glue, not the root servers: the root zone only delegates to the TLDs.

What all this means is that if you once used "" as a nameserver (never a good idea, use a distinct hostname like ), and then you go and change the IP address for "" in your zonefile, the rest of the internet will not see the new IP address until you also update the glue record the registry holds for that host with the same address. Resolvers follow the parent's glue to reach your nameservers and cache what they are handed, so the old address keeps being used.

You can see if this is the case using dig (query the TLD's own servers rather than a recursive resolver, since a resolver may answer from its cache):

$ dig +short

If you get an IP address back (the old one), then there's your problem: the registry still holds glue for that host. Contact the registrar for the domain name in question and have this nameserver (host) record edited to the new address, or, if no domains are actually delegated to this hostname, deleted.
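As an added example (not code from the original post), this shell script makes the glue check concrete: it asks a TLD server for the nameserver host with recursion turned off, picks the glue out of the ADDITIONAL section of the referral, and compares it with what the zone's own nameserver answers. The choice of a.gtld-servers.net (a .com/.net server), the hostnames and the addresses in the constructed sample are all assumptions.

```shell
#!/bin/sh
# Added example, not from the original post: does the parent (TLD) zone still
# hand out stale glue for a nameserver host? The gTLD server, hostnames and
# addresses below are assumptions / constructed samples.

# Print the IPv4 addresses of the A records in dig output read on stdin,
# i.e. lines like:  ns1.example.com.  172800  IN  A  192.0.2.10
a_records() {
    awk '$1 !~ /^;/ && $3 == "IN" && $4 == "A" { print $5 }'
}

# Given the parent's glue addresses and the addresses the zone's own
# nameservers answer with (both newline separated), print each glue address
# the authoritative servers no longer return. Prints nothing when they agree.
stale_glue() {
    glue=$1; auth=$2
    for ip in $glue; do
        case " $(printf '%s ' $auth)" in
            *" $ip "*) ;;
            *) echo "stale glue: $ip" ;;
        esac
    done
}

# Live check (needs dig and network). Ask a .com/.net registry server for the
# host with recursion off: a referral comes back, and any glue the registry
# holds for the host sits in the ADDITIONAL section. Then ask the zone's own
# nameserver for the same name and compare. Usage:
#   sh glue-check.sh ns1.example.com ns1.example.com
check_live() {
    host=$1; auth_ns=$2
    glue=$(dig +norecurse +noall +additional @a.gtld-servers.net "$host" A | a_records)
    auth=$(dig +noall +answer @"$auth_ns" "$host" A | a_records)
    if [ -z "$glue" ]; then
        echo "no glue for $host at the parent; the problem is elsewhere"
    else
        stale_glue "$glue" "$auth"
    fi
}

# Constructed sample: the registry still has the old address, the zone the new one.
SAMPLE_PARENT='ns1.example.com.  172800  IN  A  192.0.2.10'
SAMPLE_AUTH='ns1.example.com.  3600  IN  A  198.51.100.25'

if [ $# -eq 2 ]; then
    check_live "$1" "$2"
else
    stale_glue "$(printf '%s\n' "$SAMPLE_PARENT" | a_records)" \
               "$(printf '%s\n' "$SAMPLE_AUTH" | a_records)"
fi
```

With no arguments it reports the constructed stale glue; with a nameserver hostname and the address of one of the zone's authoritative servers it does the live comparison. Any address it prints is what you need the registrar to change (or remove) in the registry's host record.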