[tz] Blocked USNO sites was: Updated Public Domain leapseconds.list

Chris Woodbury tzocd at yahoo.com
Mon Jul 8 22:56:39 UTC 2019


>On Mon Jul 8 11:16:42 UTC 2019, Tony Finch dot at dotat.at wrote:
>
>The main problem that I can see is 3 out of the 7 navy.mil DNS servers say
>that usno.navy.mil does not exist, so it's a matter of luck whether you'll
>be able to contact it or not.
>
>Tony.

Great detective work, Tony!

After a little "digging" of my own, I discovered it's even worse than that.  There
are no public facing "authoritative" DNS servers for Navy.MIL (or USNO.Navy.MIL
as all of them are unreachable).  The Navy.MIL DNS servers have *no authoritative
data* for USNO; they all appear to be caching secondary servers.  The giveaway
is that the TTLs decrement between "dig" runs.  (Possibly "split horizon" DNS
servers that are internally referencing their other half.  There's no way to tell from this
side.)  This also means that the primary server listed in the SOA is not the real
primary.  There must be hidden primary and secondary DNS servers somewhere
as the servers we can actually see have cached RRs (resource records).
Someone hasn't thought out all of the implications of what they're doing.

When I was looking, only two of seven Navy.MIL DNS servers were returning
NXDOMAIN for USNO.Navy.MIL.  These were ns1.csd.disa.mil, the
purported Navy.MIL primary DNS server (with no authoritative SOA RR) and
updciftr01.csd.disa.mil.  I could not reach *any* of the USNO.Navy.MIL DNS
servers, period.  (The Naval Oceanographic Portal (NoP) is up as I was able
to FTP to Tycho and MAIA.  I'm going to have to add Psyche.USNO.Navy.MIL
to my /etc/hosts it seems (when I can figure out its IP address).)

I must agree that a guaranteed 28% failure rate for USNO.Navy.MIL DNS
lookups is unacceptable.  The USNO SOA points to hostmaster at usno.navy.mil
and none of the hosts in that MX RR are reachable.  Does anyone have the
'phone number of a responsible person at USNO proper?  The Petty Officer
who answered the 'phone at the main number was less than helpful... (I hesitate
to call Jeff Prillaman about this issue.)
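
Added example (not part of the original message): the TTL-decrement and NXDOMAIN checks described above, applied to constructed dig-style output for seven hypothetical servers. The server names, zone.example and all TTL values are made up for illustration; real input would be two saved "dig SOA" runs per listed name server.

```python
import re

def sample(status, flags, ttl=None):
    """Build constructed, abbreviated `dig SOA` output (not a real capture)."""
    out = (f";; ->>HEADER<<- opcode: QUERY, status: {status}, id: 4242\n"
           f";; flags: {flags}; QUERY: 1, ANSWER: {0 if ttl is None else 1}\n")
    if ttl is not None:
        out += (f"zone.example.\t{ttl}\tIN\tSOA\t"
                "ns.zone.example. hostmaster.zone.example. 1 2 3 4 5\n")
    return out

def parse(text):
    """Return (status, aa_flag_set, soa_ttl_or_None) from dig output."""
    status = re.search(r"status: (\w+)", text).group(1)
    flags = re.search(r"^;; flags: ([a-z ]*);", text, re.M).group(1).split()
    soa = re.search(r"^\S+\s+(\d+)\s+IN\s+SOA\s", text, re.M)
    return status, "aa" in flags, int(soa.group(1)) if soa else None

def classify(run1, run2):
    """Compare two runs against the same server, taken some seconds apart."""
    (s1, aa1, t1), (s2, aa2, t2) = parse(run1), parse(run2)
    if "NXDOMAIN" in (s1, s2):
        return "nxdomain"
    if t1 is None or t2 is None:
        return "no-answer"
    if aa1 and aa2 and t1 == t2:
        return "authoritative"  # AA set and TTL constant: served from zone data
    if t2 < t1:
        return "cached"         # TTL counting down: answer comes from a cache
    return "inconclusive"

def nxdomain_rate(verdicts):
    """Fraction of listed servers that deny the zone exists."""
    return sum(v == "nxdomain" for v in verdicts.values()) / len(verdicts)

# Constructed survey of seven hypothetical servers: five caches, two NXDOMAIN.
RUNS = {f"ns{i}.example": (sample("NOERROR", "qr rd ra", 2912),
                           sample("NOERROR", "qr rd ra", 2897)) for i in range(1, 6)}
RUNS.update({f"ns{i}.example": (sample("NXDOMAIN", "qr rd ra"),) * 2 for i in (6, 7)})
VERDICTS = {ns: classify(*runs) for ns, runs in RUNS.items()}

if __name__ == "__main__":
    for ns, verdict in VERDICTS.items():
        print(f"{ns:14} {verdict}")
    print(f"NXDOMAIN rate: {nxdomain_rate(VERDICTS):.1%}")
```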

