In June 2008, Chris Yeardley and I set up a new web server with RootBSD. Things went surprisingly smoothly—at least at the moment, I can recommend them. The only problem we had was with Chris' DNS, which is hosted by Ausweb. DNS registrars are bad at the best of times; this was not the best of times.
Ausweb technical support must be the worst I have ever come across. They are ignorant, arrogant and rude. In the next section I include more details from my online diary; here the relevant parts.
Saturday, 28 June 2008
The real issue, though, is the DNS hosting. Chris is with Ausweb, who live up to the normal standard of DNS registrars. After logging in, she found a link to “Modify DNS”, which looked promising—until we discovered that Ausweb thinks that “DNS” stands for “Domain Name Server” and not “Domain Name Service”. And that's all they offer: how to add or remove a name server. No option to maintain the zone, which is currently served only by Ausweb.
It seems that DNS has been renamed to “Domain Name System”, a renaming with which I'm not the only one to disagree, as the Wikipedia talk page shows.
So we tried to add w3.lemis.com as a name server. That failed with a message I haven't seen before:
com.primus.tld.nameserver.NSChangeException: completed: NO { com.primus.tld.registry.RTYException: completed: NO: 2201 Authorization error }
What's that? It happened for all lemis.com addresses, but not for others, so possibly it's something to do with GANDI. Possibly the intention is to require my authorization before declaring one of my systems as a name server for another domain, but I can't find anything relevant on GANDI's broken web site, and as long as I can add any A record I want, it doesn't help much anyway.
In the end gave up and declared ozlabs.org as a name server and went home and entered a ticket with Ausweb. By the time I had entered that, the new name server was visible, so set up DNS to make it a slave to the Ausweb name servers. That didn't work either:
Jun 28 17:44:38 ozlabs named[2373]: zone narrawin.com/IN: Transfer started.
Jun 28 17:44:38 ozlabs named[2373]: transfer of 'narrawin.com/IN' from 122.252.5.25#53: connected using 203.10.76.45#58742
Jun 28 17:44:38 ozlabs named[2373]: transfer of 'narrawin.com/IN' from 122.252.5.25#53: failed while receiving responses: REFUSED
Jun 28 17:44:38 ozlabs named[2373]: transfer of 'narrawin.com/IN' from 122.252.5.25#53: end of transfer
Jun 28 17:44:38 ozlabs named[2373]: zone narrawin.com/IN: Transfer started.
Jun 28 17:44:39 ozlabs named[2373]: transfer of 'narrawin.com/IN' from 122.252.5.26#53: connected using 203.10.76.45#37431
Jun 28 17:44:39 ozlabs named[2373]: transfer of 'narrawin.com/IN' from 122.252.5.26#53: failed while receiving responses: REFUSED
Jun 28 17:44:39 ozlabs named[2373]: transfer of 'narrawin.com/IN' from 122.252.5.26#53: end of transfer
Entered a ticket for that one, too, and got mail confirmation with some suggestions to use the “knowledgebase”:
Following those links brought a surprisingly empty suggestion:
This is the only relevant part of the complete display. As I suspected, the message was sent as multipart/alternative, and presumably intended to be read as HTML, so took a look at that. To my surprise, that was even worse. The links had no text:
Looking at the (marvellously indented) HTML shows that that's what they specified:
<tr>
<td><font size="2" face="Verdana, Arial, Helvetica, sans-serif"><a href="http://ausweb.com.au/helpdesk/index.php?_a=knowledgebase&_j=questiondetails&_i=&ticketid2=UWO-20351&ticketkey2=a0 d57a2c&doclose=1">.</a> <a href="http://ausweb.com.au/helpdesk/index.php?_a=knowledgebase&_j=questiondetails&_i=&ticketid2=UWO-20351&ticketkey2=a0 d57a2c&doclose=1"></a></font></td>
</tr>
<tr>
<td><font size="2" face="Verdana, Arial, Helvetica, sans-serif"><a href="http://ausweb.com.au/helpdesk/index.php?_a=knowledgebase&_j=questiondetails&_i=&ticketid2=UWO-20351&ticketkey2=a0 d57a2c&doclose=1">.</a> <a href="http://ausweb.com.au/helpdesk/index.php?_a=knowledgebase&_j=questiondetails&_i=&ticketid2=UWO-20351&ticketkey2=a0 d57a2c&doclose=1"></a></font></td>
</tr>
I suppose the messing around with font sizes (making them smaller) is par for the course. But there was only a single dot to represent the link, so it didn't make much difference. And, of course, I got the same empty document. No wonder it was rated 0.
Sunday, 29 June 2008
Mail from Stephen Rothwell today, reporting the zone transfer errors for narrawin.com. Nothing from Ausweb, of course. Seems they sleep at weekends.
By the evening we still didn't have a reply from Ausweb, so did a bit of guessing what the zone might look like. Chris told me that she also had ftp access (apparently that's how they expect their customers to upload their web pages!), so I went and tried ftp.narrawin.com. It timed out. On further investigation, it proved that ftp.narrawin.com is really their primary name server:
=== grog@dereel (/dev/ttypi) ~ 101 -> nslookup -q=any ftp.narrawin.com ns1.ausweb.net.au
Server: ns1.ausweb.net.au
Address: 122.252.5.25#53
Name: ftp.narrawin.com
Address: 202.155.174.209
=== grog@dereel (/dev/ttypi) ~ 102 -> nslookup 202.155.174.209
Server: 192.109.197.135
Address: 192.109.197.135#53
Non-authoritative answer:
209.174.155.202.in-addr.arpa name = ns1.ausweb.net.au.
As her signup letter told her, the real ftp server is at a different name. Given the insecure nature of the matter, I'm not going to reveal it in public. But what are Ausweb thinking by specifying their primary name server as ftp.narrawin.com, especially since (correctly, for once), they don't have the FTP port open?
Monday, 30 June 2008
Mail from Ausweb this morning, answering one of my tickets. Here the statement and the reply:
We've been trying to add name servers to the zone narrawin.com, which you host. For some reason, all attempts to add *.lemis.com fail with the message;
com.primus.tld.nameserver.NSChangeException: completed: NO { com.primus.tld.registry.RTYException: completed: NO: 2201 Authorization error }
I don't see anything at our end which is causing this. Please resolve ASAP.
Reply:
Your nameservers are set correctly to point to the server you are on however there is also a rogue entry pointing www.ozlabs.org. Can you please clarify why exactly you are wanting to change/add name servers to your existing domain.
So I replied and pointed to the other ticket, but it never got there because their web interface stripped off the information. Checked the ticket and found it had been closed, apparently because I looked at the empty “knowledgebase” article on Saturday. Left a comment in the ticket and received a call from Matt, who acknowledged that their knowledgebase was being updated. He also didn't understand why we wanted to add name servers; how would hosts know which one to access?
He then told me that we can't access the zone files, because this was a shared (web) server. I was unable to make it clear to him that web servers and DNS have nothing to do with each other. He told me that it was too dangerous to let users update their DNS, because they could mess it up, and that I should get a DNS manager. On my asking, he explained that this is somebody else who can manage the DNS for us. I asked about ftp.narrawin.com and pointed out the obvious issues (you don't put ftp on a name server, but that's where it was pointing, and ftp service was available on a different server which isn't called ftp), but he insisted that this was correct.
When I continued asking, he put me on hold and then passed me to Peter, who didn't announce his name. This was clearly the same Peter who had also sent me a couple of messages:
Please do not double post for the same issue.
www.ozlabs.org is not a name server and as such is corrupting the zone file, please delete your incorrect input!
I don't know how he decided that these were both the same issues, since it's clear that he hadn't read the messages. And of course ozlabs.org isn't a name server—it's a host. But my subsequent discussion with Peter showed that he doesn't really understand DNS. When I told him that the name of the host was unimportant, he got up on his high horse and told me I shouldn't argue with people who had been doing this for years. When I pointed out that I had written a book chapter on this over 10 years ago, he said “OK, then read your book if you don't believe me” and hung up. Somehow it's typical that he didn't even understand what I said.
Just to be 100% sure, but also because it's the right thing to do, we changed the name of the server from www.ozlabs.org to ns.ozlabs.org (same machine), and of course we had the same problem. So, at the end of all of that: I still can't add a lemis.com name server, and we still can't transfer the zone from Ausweb. But since we don't have access to update the zone files anyway, the second issue doesn't seem to make much difference: we have to use our own zone files anyway.
About the only thing that I can get out of this is that there are even more stupid people out there than I thought. To make matters worse, Peter (the arrogant know-it-all) is the manager. As Stephen wrote yesterday:
It's amazing how many hosting services/ISPs are so ignorant about something so basic to the success of their business.
That's enough to warrant this page. It's just a pity that Chris has paid them for another year of disservice.
Wednesday, 2 July 2008
Got a reply to my last ticket with Ausweb. The text (not included in the reply, to help you lose track) was:
We're trying to add name servers to narrawin.com to have access to the zone files, which you have confirmed you cannot make available for update. When trying to add ns1.lemis.com, we got the following error message:
com.primus.tld.nameserver.NSChangeException: completed: NO { com.primus.tld.registry.RTYException: completed: NO: 2201 Authorization error }
This doesn't make any sense to me. Please tell me how to resolve this problem.
The response was:
The system only accepts proper name servers, please make sure the name servers you are adding are correct and alive and have a reverse DNS!
And he closed the ticket again. I wonder what he means by “proper name servers” this time—ones with a name starting with ns, like he claimed last time? I've done some changes since the last attempt, so I need to confirm with Chris that this problem really still exists. Maybe Peter means that the reverse DNS must show the name server name, which isn't typical.
Tuesday, 8 July 2008
Got a reply to my latest ticket with Ausweb:
Please see below regarding your DNS issues, which realy has nothing to do with us! Please contact your host regarding your DNS
http://www.intodns.com/narrawin.com
I have difficulty understanding the terminology these people use. How do I contact my host? There are tools to get DNS services from my host, but clearly that's not what they mean.
On the other hand, indirectly this was the most useful reply yet, pointing to the DNS report service at intoDNS, which is very useful. It showed the problem I have been reporting, of course—only one name server, and not the ones I had been trying to add—but also a couple of other minor problems that I'll attend to when I get the main problem fixed.
So what was Peter on about? I can't make up my mind whether they're just trying to annoy me, or whether they don't know what they're doing. I suspect both, with a tendency to the latter.
Wednesday, 9 July 2008
Ausweb are amazing. My latest ticket was closed with the comment (punctuation is original):
It does not look like that you even tried to register the IPs for your name servers!
Log into your domain admin , go to child name servers and add the IPs for the name servers (ns1 + ns2.ns1.narrawin.com) .
And then , only then can you actually start using those name servers!
Never mind that you register IP addresses with an A record, that A records for the name servers have been there all the time, nor that I can add any other name server, even if it's not authoritative. But what does “log into your domain admin” mean? Did a bit of investigation and discovered:
=== grog@dereel (/dev/ttypt) ~ 81 -> host ns1.narrawin.com
ns1.narrawin.com has address 203.10.76.45
=== grog@dereel (/dev/ttypt) ~ 82 -> host ns2.narrawin.com
ns2.narrawin.com has address 208.86.224.149
=== grog@dereel (/dev/ttypt) ~ 84 -> host ns1.narrawin.com ozlabs.org
Using domain server:
Name: ozlabs.org
Address: 203.10.76.45#53
Aliases:
ns1.narrawin.com has address 203.10.76.45
=== grog@dereel (/dev/ttypt) ~ 85 -> host ns1.narrawin.com ns1.ausweb.net.au
Using domain server:
Name: ns1.ausweb.net.au
Address: 122.252.5.25#53
Aliases:
Host ns1.narrawin.com not found: 3(NXDOMAIN)
=== grog@dereel (/dev/ttypt) ~ 88 -> nslookup -q=soa narrawin.com ns1.ausweb.net.au
Server: ns1.ausweb.net.au
Address: 122.252.5.25#53
narrawin.com
origin = ns1.ausweb.net.au
mail addr = system.ausweb.net.au
serial = 2008012302
refresh = 14400
retry = 7200
expire = 3600000
minimum = 86400
In other words, the Ausweb name servers are still pretending to be authoritative with an out-of-date zone file, which doesn't include A records for ns1 and ns2. This is probably the reason that the web interface can't find them. Replied accordingly and got another reply, completely ignoring the issue, and stating:
Again, as mentioned previously, log into your domain administration area and register the ip addresses for your nameservers in the "Domain Child NameServer Details" section.
So that's what he meant by “log into your domain admin”: “access the web interface to our DNS admin”. The only problem is that we haven't been able to find any such link; it's clearly not at the URL he gave us. That would work, I suppose, if we could find it.
Thursday, 10 July 2008
Ausweb must really be some of the most incompetent, arrogant and annoying people I have ever had the misfortune to come into contact with. They closed the latest problem report (“Please drop zone narrawin.com from your name servers”) without any action, along with a second one, where I was still trying to find the “Domain Child NameServer Details” section on their web site. Reason specified? None. Just the text:
As you seem to think you know everything and always would like to blame us for your short comings , it will be a much better idea to move your domain to another registrar!
At no point did they even acknowledge that they had understood the report; on the contrary, they thought it was the same as the other one. It's certainly a good idea to change registrar, but how well will that work?
Reopened the report with an explanation that even the most stupid should understand, but they just shut it again. Repeated a couple of times, and then they blocked access to their site—including name servers—from my IP. I'm sure that they're not allowed to do that.
Called up the TIO, where I was told that auDA handles complaints about domain registrars. Was amused that the person had difficulty finding the phone number. It sounds like a typical case of the dichotomy between the Web and the Real World, but in this case the number was relatively easy to find. Reading it was another matter:
Why are web sites so often such a mess? Strangely, Ausweb's are relatively well laid-out, but that's a notable exception.
Ausweb are a reseller for Planetdomain, so called them up and was told that there would be no problem to update the details from their web site—with the appropriate user name and password, which I didn't have. Over to Chris to discover that their web site just redirected us to Ausweb, so got them to do it for me.
They also spoke about this term “Child Name Server”, and that they needed the IP addresses. OK, it's clear that you need a glue record for ns1.narrawin.com when looking up the domain narrawin.com, but the addresses are available from the existing name servers, which are known to the web application. They went back and entered the addresses manually, presumably in the “Domain Child NameServer Details” section that was mentioned (along with incorrect URL) in a partial answer to one of the problem reports. But where was it? They didn't answer my question about that.
Chris put in another entry to the “Please drop zone narrawin.com from your name servers” ticket, and I went home to put in a complaint with auDA.
Contacting auDA was fun in itself. At 16:30, their phone line was not occupied, so I had to go to the web form. Clearly auDA doesn't want to hear details: the complaint form has a “details” field a total of 72 characters long, in three lines:
Filled that in anyway. I wonder if anything will come of it. I find my belief confirmed that domain registrars are latter-day cowboys.
So what's a child name server, anyway? I had never heard of that before this confrontation (thus doubtless proving Peter's claim “Unfortunately your tech person does not seem to understand the basics of DNS .”, at least to him). There's no mention of such a concept in any of the relevant RFCs.
A bit of googling shows few results and a surprising amount of confusion, none of it coming from authoritative sources. There is a PDF document from ARIN, but it's a false positive: it's using the term in a different context.
It seems that the term is used to refer to a name server whose name is in the zone which it represents, thus requiring a glue record. That makes sense under the circumstances, and I suppose indirectly it suggests that dropping the zone from the Ausweb name servers might not have solved the problem: maybe the software that Ausweb uses is not capable of looking up the A records. But why not? It's exactly the same lookup as for other name servers, and I can't imagine that the software deliberately makes things more difficult by refusing to look up A records for addresses within the zone. I think that it's more likely that the web jockeys don't understand the issue, that they've found that this one works, and that the real problem is that they're still maintaining the old zone on their name servers.
Friday, 11 July 2008
This damn Ausweb thing should be over and done with now, but we still have issues: it occurs to me that, by maintaining an incorrect zone which claims to be authoritative for narrawin.com, Ausweb are guilty of something akin to forgery. Anybody using their name servers will be taken to the wrong address for www.narrawin.com:
=== grog@www (/dev/ttyp0) ~ 2 -> hostname
www.auug.org.au
=== grog@www (/dev/ttyp0) ~ 3 -> host www.narrawin.com
www.narrawin.com has address 208.86.224.149
=== grog@www (/dev/ttyp0) ~ 4 -> host www.narrawin.com ns1.ausweb.net.au
Using domain server:
Name: ns1.ausweb.net.au
Addresses: 122.252.5.25
www.narrawin.com is a nickname for narrawin.com
narrawin.com has address 122.252.5.20
I deliberately did this example from a system which has no connection with the issue, since I think Peter is of the mistaken impression that his name servers are only serving this zone because of mistakes in our name server configuration. That's not the case, as IntoDNS shows. On the contrary, they're still claiming to be authoritative:
=== grog@www (/dev/ttyp0) ~ 5 -> dig @ns1.ausweb.net.au narrawin.com
; <<>> DiG 8.3 <<>> @ns1.ausweb.net.au narrawin.com
; (1 server found)
;; res options: init recurs defnam dnsrch
;; got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 2
;; QUERY SECTION:
;; narrawin.com, type = A, class = IN
;; ANSWER SECTION:
narrawin.com. 4H IN A 122.252.5.20
;; AUTHORITY SECTION:
narrawin.com. 1D IN NS ns2.ausweb.net.au.
narrawin.com. 1D IN NS ns1.ausweb.net.au.
;; ADDITIONAL SECTION:
ns1.ausweb.net.au. 4H IN A 122.252.5.25
ns2.ausweb.net.au. 4H IN A 122.252.5.26
;; Total query time: 30 msec
;; FROM: www.auug.org.au to SERVER: ns1.ausweb.net.au 122.252.5.25
;; WHEN: Sat Jul 12 11:58:51 2008
;; MSG SIZE sent: 30 rcvd: 127
The Authority Section makes it clear: this name server thinks that it is authoritative. By contrast, www.auug.org.au returns:
;; AUTHORITY SECTION:
narrawin.com. 6h15m59s IN NS ns1.narrawin.com.
narrawin.com. 6h15m59s IN NS ns2.narrawin.com.
So should every other name server in the Internet.
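The comparison made by eye in the two dig outputs above can be automated. The following Python is an added example, not code from the original diary: it parses dig text output (the older layout shown above as well as the modern one) and flags a server that sets the aa flag for a zone while listing none of the delegated name servers. The function names are hypothetical, and the second and third samples are constructed.

```python
import re

# Excerpt of the dig output shown above for ns1.ausweb.net.au (from the page).
OLD_PROVIDER = """\
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 2
;; ANSWER SECTION:
narrawin.com.       4H IN A     122.252.5.20
;; AUTHORITY SECTION:
narrawin.com.       1D IN NS    ns2.ausweb.net.au.
narrawin.com.       1D IN NS    ns1.ausweb.net.au.
"""

# Constructed sample: an authoritative server that agrees with the delegation
# (modern dig layout: blank lines between sections, numeric TTLs).
NEW_PRIMARY = """\
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 0

;; ANSWER SECTION:
www.narrawin.com.   3600 IN A   208.86.224.149

;; AUTHORITY SECTION:
narrawin.com.       86400 IN NS ns1.narrawin.com.
narrawin.com.       86400 IN NS ns2.narrawin.com.
"""

# Constructed header plus the authority section the page shows for a resolver
# following the real delegation (no aa flag: a cached, recursive answer).
RESOLVER = """\
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 0
;; AUTHORITY SECTION:
narrawin.com.       6h15m59s IN NS  ns1.narrawin.com.
narrawin.com.       6h15m59s IN NS  ns2.narrawin.com.
"""

DELEGATED = ["ns1.narrawin.com", "ns2.narrawin.com"]  # delegation reported on the page


def norm(name):
    """Compare DNS names case-insensitively and without the trailing dot."""
    return name.rstrip(".").lower()


def parse_dig(text):
    """Return (header flags, {section name: [(owner, type, rdata), ...]})."""
    flags, sections, current = set(), {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r";; flags:\s*([a-z ]*);", line)
        if m:
            flags = set(m.group(1).split())
        m = re.match(r";; (\w+) SECTION:", line)
        if m:
            current = sections.setdefault(m.group(1).lower(), [])
        if not line or line.startswith(";") or current is None:
            continue
        fields = line.split()
        if "IN" in fields[1:-2]:  # owner [ttl] IN type rdata...
            i = fields.index("IN", 1)
            current.append((norm(fields[0]), fields[i + 1], " ".join(fields[i + 2:])))
    return flags, sections


def check_server(dig_text, zone, delegated_ns):
    """Classify one server's answer against the NS set the parent delegates to."""
    flags, sections = parse_dig(dig_text)
    records = sections.get("answer", []) + sections.get("authority", [])
    claimed = {norm(rdata) for owner, rtype, rdata in records
               if rtype == "NS" and owner == norm(zone)}
    delegated = {norm(n) for n in delegated_ns}
    if "aa" not in flags:
        verdict = "not-authoritative"    # cached answer, makes no claim on the zone
    elif not claimed:
        verdict = "authoritative-no-ns"  # aa set, but no NS records to compare
    elif claimed == delegated:
        verdict = "consistent"
    elif claimed.isdisjoint(delegated):
        verdict = "stale-zone"           # claims authority from outside the delegation
    else:
        verdict = "ns-mismatch"          # partial overlap: zone copies out of sync
    return verdict, sorted(claimed)


if __name__ == "__main__":
    for label, text in [("old provider", OLD_PROVIDER), ("new primary", NEW_PRIMARY),
                        ("resolver", RESOLVER)]:
        print(label, check_server(text, "narrawin.com", DELEGATED))
```
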
I'm not a lawyer (I don't even use the acronym), but this looks to me like it should be a criminal act. They're certainly in breach of contract towards Chris, since they're denying access to her information on two levels, this one and the fact that I can't access the site at all from my address. Hopefully auDA will do something about the complaint soon.
Monday, 14 July 2008
My hope of help from auDA was in vain. Got a message today stating that they're only responsible for .au names. Our issue is with narrawin.com.
Thursday, 17 July 2008
One thing that Ausweb was right about—after the event—was that I was not the technical contact for narrawin.com, so they should not have dealt with me in the first place without first getting authorization from Chris. We've changed that now, but they're still blocking me. Chris entered a ticket and got the reply:
Department: AUSWEB Domain Names
Created On: 17 Jul 2008 10:57 AM
Last Update: 17 Jul 2008 10:57 AM
Tracking URL: (long but valid link)
Tech Contact for narrawin.com - pls reinstate access
Hi Christiane
We have thousands of clients who have no issues with the instructions we give in relation to setting nameservers in our domain management area. However your tech seemed unable to understand these same instructions and took a very arrogant stance with our attempts to clarify them. This arrogance and refusal to listen to what we were trying to instruct him to do concluded in him being banned.
As you are the account holder you must submit all support tickets as our standard policy is one contact per account. We were very lenient with these rules when first contacted by your tech, however they must now stand.
Also, the DNS report below shows that your website is not actually hosted on our servers any longer.
http://www.intodns.com/narrawin.com
If you would like to cancel your hosting with us please let us know and we will show you the steps.
Probably everybody except me can follow the link), along with the original ticket (copy here); it shows that they have at no time given any relevant advice.
Other issues are:
They're a domain registrar (well, reseller). They need to stick to the rules, and they state that there are three contacts. I'm sure they have no such published policy. They certainly have no reason to ban people, and certainly without pointing to a specific incident.
They show a DNS report, suggesting that they don't understand that this isn't the issue—I mentioned this in the ticket. I genuinely believe that they don't understand the difference. Their name servers are still showing the old information. Here an excerpt:
=== root@w3 (/dev/ttyp1) /etc/namedb 8 -> dig @ns1.ausweb.net.au narrawin.com soa
It would, of course, be an option to change the registrar, and we'll certainly do this when the time expires. But it annoys me greatly to see people getting away with this kind of treatment. I'm sure they really do manage to confuse most of their customers to a point where their own ignorance doesn't show. Unfortunately, auDA is not responsible for this issue, since it's a com domain, and icann.org only handles registrar stuff (i.e. whois). What we have here is really a hosting issue. Their hostmaster is Karim Bauer, so I sent him a message asking him to take down the zone. I'll wait a day before taking further steps.
Friday, 18 July 2008
No reply from Karim Bauer of Ausweb, of course. I'm really beginning to think that they're all as stupid as each other, though possibly they're just blocking mail from me.