Orphan Records

Instructional Document on Removal of Orphan A Records

The current zone generation process publishes A (address) records (also called "glue" records) regardless of whether or not the name server is referenced by any NS (name server) records. In other words, an A record is published even if no zone delegations reference it. These A records are called orphans, and their presence in the .edu zone is undesirable for a number of reasons, both administrative and technical.

The presence of these orphan A records can cause problems for administrators of lower-level name servers. Even if the lower-level servers are configured properly, orphan A records in the .edu zone can interfere with normal resolution of lower-level zones and make maintenance (especially changes) difficult and confusing. If the lower-level name servers are configured improperly, the presence of orphan A records may be the only reason that resolution is currently working correctly. Therefore, it is important that all administrators of .edu domains have the correct information in their zones prior to the removal of orphan A records from the .edu zone.

Steps to ensure orphan A record removal will not affect resolution

Ideally, an orphan A record merely occludes the same information in an .edu subzone. That is, the same A record should be present in the zone served by the delegated name servers for a second-level .edu zone. However, this is not always the case. There are four other possibilities:

Case 1: No delegation exists, and thus the orphan A record does not exist in the subzone.
Case 2: Delegation exists, but the orphan A record does not exist in the subzone.
Case 3: Delegation exists, and the orphan A record exists in the subzone but specifies a different IP address or alias.
Case 4: Delegation exists but all of the delegated name servers are misconfigured and not authoritative for the delegated zone. The status (existence, match/mismatch) of the orphan A record in the subzone cannot be determined.

Below are examples showing how to determine each of these status possibilities.

The general procedure for determining status is:

  1. Ask one of the .edu name servers (e.g., a.root-servers.net) for the orphan A record and remember the IP address returned.

  2. Determine the name servers for the delegated zone where the orphan A record should exist.

  3. Query these name servers to see if an A record exists with the same IP address as the orphan A record, or if an alias (CNAME) is present for the same domain name as the orphan A record.

  4. If the domain is not delegated, or if the delegated zone does not have an A record with the same address as the orphan, or if the status of the orphan A record in the delegated zone cannot be determined, take action.

Case 1: No delegation exists, and thus the orphan A record does not exist in the subzone.

For this example, we'll use the orphan A record ns2.myspecialagent.net.

  1. Resolve the orphan A record and remember the IP address.

$ dig +norecurse @g.gtld-servers.net "ns2.myspecialagent.net"

;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 7884
;; flags: qr aa; QUERY: 1, ANSWER: 1, AUTHORITY: 13, ADDITIONAL: 13

;; QUESTION SECTION:
;ns2.myspecialagent.net.               IN      A

;; ANSWER SECTION:
ns2.myspecialagent.net. 172800  IN      A      38.168.228.21

  2. Determine the name servers for the delegated zone where the orphan A record should exist.

$ dig +norecurse @g.gtld-servers.net NS myspecialagent.net

;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 29956
;; flags: qr aa; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;myspecialagent.net.           IN      NS

;; AUTHORITY SECTION:
net.                   86400   IN      SOA    A.GTLD-SERVERS.net. nstld.verisign-grs.com. 2002021300 1800 900 604800 86400

;; Query time: 91 msec
;; SERVER: 192.42.93.30#53(g.gtld-servers.net)

Result: The response code is NOERROR, the flags section contains "aa" (Authoritative Answer), and there are no records in the Answer section. The domain is not delegated.

Solution: The customer needs to register the second-level domain name and add the A record to the corresponding zone to continue using the name listed in the orphan A record.

Case 2: Delegation exists, but the orphan A record does not exist in the subzone.

For this example, we'll use the orphan A record "dns1.industrialwhoswho.com".

  1. Resolve the orphan A record and remember the IP address.

$ dig +norecurse @g.gtld-servers.net dns1.industrialwhoswho.com

;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 42312
;; flags: qr; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 2

;; QUESTION SECTION:
;dns1.industrialwhoswho.com.    IN      A

;; ANSWER SECTION:
dns1.industrialwhoswho.com. 172800 IN   A      206.47.138.245

  2. Determine the name servers for the delegated zone where the orphan A record should exist.

$ dig +norecurse @g.gtld-servers.net NS industrialwhoswho.com

;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 59899
;; flags: qr; QUERY: 1, ANSWER: 0, AUTHORITY: 2, ADDITIONAL: 2

;; QUESTION SECTION:
;dns1.industrialwhoswho.com.    IN      NS

;; AUTHORITY SECTION:
industrialwhoswho.com.  172800  IN     NS      NS1.INTERNET-DNS.NET.
industrialwhoswho.com.  172800  IN     NS      NS2.INTERNET-DNS.NET.

;; ADDITIONAL SECTION:
NS1.INTERNET-DNS.NET.   172800  IN      A       208.238.102.2
NS2.INTERNET-DNS.NET.   172800  IN      A       216.87.0.197

  3. Query these name servers to see if an A record exists with the same IP address as the orphan A record, or if an alias (CNAME) is present for the same domain name as the orphan A record.

$ dig +norecurse @208.238.102.2 dns1.industrialwhoswho.com

;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 55813
;; flags: qr aa ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;dns1.industrialwhoswho.com.    IN     A

;; AUTHORITY SECTION:
industrialwhoswho.com. 86400 IN SOA  ns1.internet-dns.net. hostmaster.internet-dns.net.  20011130 28800 7200 1209600 86400

Result: The flags section contains "aa", and the response code is either NXDOMAIN or NOERROR with nothing in the ANSWER section. In that case the orphan A record does not exist in the subzone.

Solution: Add the A record to the subzone.

Case 3: Delegation exists, and the orphan A record exists in the subzone but specifies a different IP address or alias.

For this example, we'll use the orphan A record "www.angry.org".

  1. Resolve the orphan A record and remember the IP address.

$ dig +norecurse @g.gtld-servers.net www.angry.org

;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 45079
;; flags: qr; QUERY: 1, ANSWER: 1, AUTHORITY: 3, ADDITIONAL: 3

;; QUESTION SECTION:
;www.angry.org.                IN      A

;; ANSWER SECTION:
www.angry.org.         172800  IN      A        204.182.40.66

  2. Determine the name servers for the delegated zone where the orphan A record should exist.

$ dig +norecurse @g.gtld-servers.net NS angry.org

;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 2667
;; flags: qr; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 3

;; QUESTION SECTION:
;angry.org.                    IN      NS

;; ANSWER SECTION:
angry.org.               172800  IN      NS       NS3.HE.NET.
angry.org.               172800  IN      NS       NS1.HE.NET.
angry.org.               172800  IN      NS       NS2.HE.NET.

;; ADDITIONAL SECTION:
NS3.HE.NET.              172800  IN      A        216.218.132.2
NS1.HE.NET.              172800  IN      A        216.218.130.2
NS2.HE.NET.              172800  IN      A        216.218.131.2

  3. Query these name servers to see if an A record exists with the same IP address as the orphan A record, or if an alias (CNAME) is present for the same domain name as the orphan A record.

$ dig +norecurse @216.218.132.2 www.angry.org

;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 32558
;; flags: qr aa ra; QUERY: 1, ANSWER: 2, AUTHORITY: 3,  ADDITIONAL: 3

;; QUESTION SECTION:
;www.angry.org.                  IN       A

;; ANSWER SECTION:
www.angry.org.         86400   IN     CNAME      angry.org.
angry.org.             86400   IN     A          216.218.240.18

Result: There is a mismatch. The flags section contains "aa", and we get an answer, but the IP address does not match. (If a bare CNAME is returned, look up the name on the right-hand side to find the final IP address. If it cannot be resolved, then this is really Case 2 with a dangling CNAME.)

Solution: The customer needs to confirm the correct IP address and, if needed, update the A (or CNAME) record in their zone.

Case 4: Delegation exists but all of the delegated name servers are misconfigured and not authoritative for the delegated zone. The status (existence, match/mismatch) of the orphan A record in the subzone cannot be determined.

For this example, we'll use "www.rsa.net".

  1. Resolve the orphan A record and remember the IP address.

$ dig +norecurse @g.gtld-servers.net www.rsa.net

;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 60898
;; flags: qr; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 2

;; QUESTION SECTION:
;www.rsa.net.                    IN      A

;; ANSWER SECTION:
www.rsa.net.             172800  IN      A        216.37.27.62

  2. Determine the name servers for the delegated zone where the orphan A record should exist.

$ dig +norecurse @g.gtld-servers.net NS rsa.net

;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 701
;; flags: qr; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 2

;; QUESTION SECTION:
;rsa.net.                      IN     NS

;; ANSWER SECTION:
rsa.net.               172800 IN     NS     DNSAUTH1.SYS.GTEI.net.
rsa.net.               172800 IN     NS     DNSAUTH3.SYS.GTEI.net.

;; ADDITIONAL SECTION:
DNSAUTH1.SYS.GTEI.net.  172800  IN     A       4.2.49.2
DNSAUTH3.SYS.GTEI.net.  172800  IN     A       4.2.49.4

  3. Query these name servers to see if an A record exists with the same IP address as the orphan A record, or if an alias (CNAME) is present for the same domain name as the orphan A record.

$ dig +norecurse @4.2.49.2 www.rsa.net

;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1621
;; flags: qr; QUERY: 1, ANSWER: 0, AUTHORITY: 13, ADDITIONAL: 13

;; QUESTION SECTION:
;www.rsa.net.                  IN      A

;; AUTHORITY SECTION:
net.                   150704 IN     NS     A.GTLD-SERVERS.net.
net.                   150704 IN     NS     G.GTLD-SERVERS.net.
net.                   150704 IN     NS     H.GTLD-SERVERS.net.
net.                   150704 IN     NS     C.GTLD-SERVERS.net.
net.                   150704 IN     NS     I.GTLD-SERVERS.net.
net.                   150704 IN     NS     B.GTLD-SERVERS.net.
net.                   150704 IN     NS     D.GTLD-SERVERS.net.
net.                   150704 IN     NS     L.GTLD-SERVERS.net.
net.                   150704 IN     NS     F.GTLD-SERVERS.net.
net.                   150704 IN     NS     J.GTLD-SERVERS.net.
net.                   150704 IN     NS     K.GTLD-SERVERS.net.
net.                   150704 IN     NS     E.GTLD-SERVERS.net.
net.                   150704 IN     NS     M.GTLD-SERVERS.net.

;; ADDITIONAL SECTION:
A.GTLD-SERVERS.net.    486951 IN     A      192.5.6.30
G.GTLD-SERVERS.net.    83776  IN     A      192.42.93.30
H.GTLD-SERVERS.net.    83276  IN     A      192.54.112.30
C.GTLD-SERVERS.net.    83776  IN     A      192.26.92.30
I.GTLD-SERVERS.net.    83776  IN     A      192.43.172.30
B.GTLD-SERVERS.net.    83776  IN     A      192.33.14.30
D.GTLD-SERVERS.net.    83092  IN     A      192.31.80.30
L.GTLD-SERVERS.net.    83776  IN     A      192.41.162.30
F.GTLD-SERVERS.net.    83776  IN     A      192.35.51.30
J.GTLD-SERVERS.net.    83092  IN     A      210.132.100.101
K.GTLD-SERVERS.net.    83092  IN     A      213.177.194.5
E.GTLD-SERVERS.net.    260072 IN     A      192.12.94.30
M.GTLD-SERVERS.net.    83092  IN     A      202.153.114.101

There is no "aa" flag. The first name server chosen is not authoritative for rsa.net. This server is "lame" and cannot be used to reliably determine the existence/match of the orphan A record. Try the other server.

$ dig +norecurse @4.2.49.4 www.rsa.net

;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 59139
;; flags: qr; QUERY: 1, ANSWER: 0, AUTHORITY: 13, ADDITIONAL: 13

;; QUESTION SECTION:
;www.rsa.net.                  IN     A

;; AUTHORITY SECTION:
net.                   3166   IN     NS     A.GTLD-SERVERS.net.
net.                   3166   IN     NS     G.GTLD-SERVERS.net.
net.                   3166   IN     NS     H.GTLD-SERVERS.net.
net.                   3166   IN     NS     C.GTLD-SERVERS.net.
net.                   3166   IN     NS     I.GTLD-SERVERS.net.
net.                   3166   IN     NS     B.GTLD-SERVERS.net.
net.                   3166   IN     NS     D.GTLD-SERVERS.net.
net.                   3166   IN     NS     L.GTLD-SERVERS.net.
net.                   3166   IN     NS     F.GTLD-SERVERS.net.
net.                   3166   IN     NS     J.GTLD-SERVERS.net.
net.                   3166   IN     NS     K.GTLD-SERVERS.net.
net.                   3166   IN     NS     E.GTLD-SERVERS.net.
net.                   3166   IN     NS     M.GTLD-SERVERS.net.

;; ADDITIONAL SECTION:
A.GTLD-SERVERS.net.    237826 IN     A      192.5.6.30
G.GTLD-SERVERS.net.    237826 IN     A      192.42.93.30
H.GTLD-SERVERS.net.    237826 IN     A      192.54.112.30
C.GTLD-SERVERS.net.    237826 IN     A      192.26.92.30
I.GTLD-SERVERS.net.    450217 IN     A      192.43.172.30
B.GTLD-SERVERS.net.    237826 IN     A      192.33.14.30
D.GTLD-SERVERS.net.    237826 IN     A      192.31.80.30
L.GTLD-SERVERS.net.    237826 IN     A      192.41.162.30
F.GTLD-SERVERS.net.    237826 IN     A      192.35.51.30
J.GTLD-SERVERS.net.    237826 IN     A      210.132.100.101
K.GTLD-SERVERS.net.    237826 IN     A      213.177.194.5
E.GTLD-SERVERS.net.    237826 IN     A      192.12.94.30
M.GTLD-SERVERS.net.    237826 IN     A      202.153.114.101

This server does not have the "aa" flag set in its response either. It is also not authoritative for the rsa.net zone and thus is also "lame" (i.e., cannot be used to reliably determine status). Try another.

Unfortunately, this is the last server available.

Result: NONE of the name servers returns an answer with the "aa" flag set. Status cannot be reliably determined.

Solution: Correct the domain registration by updating the name servers for the domain, or reconfigure the existing name servers to be authoritative for the zone, then try this procedure again.
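The four cases above are decided by the same few checks on each dig reply: whether the TLD server's NS answer shows a delegation, whether a delegated server sets "aa", and whether the authoritative answer carries an A record (possibly behind a CNAME) with the orphan's address. The following script is an added example, not part of the original document, that applies those checks to captured dig text output so it can be run offline; the sample replies are constructed here, condensed from the responses shown in the cases above, and the function and constant names are this example's own. It goes slightly beyond the cases on the page by following a CNAME chain within the answer and by reporting "OK" when the subzone already holds the same A record.

```python
"""Classify one orphan A record against its delegated subzone (added example, not
from the original document; parses captured `dig` text so it runs offline)."""
import re
from dataclasses import dataclass, field


@dataclass
class DigResponse:
    status: str                                   # NOERROR, NXDOMAIN, ...
    flags: set                                    # e.g. {"qr", "aa"}
    answer: list = field(default_factory=list)    # (owner, type, first rdata token)
    authority: list = field(default_factory=list)


def parse_dig(text):
    """Extract status, flags and the ANSWER/AUTHORITY records from dig's text output."""
    status = re.search(r"status: (\w+)", text).group(1)
    flags = set(re.search(r";; flags: ([^;]*);", text).group(1).split())
    resp, section = DigResponse(status, flags), None
    for line in text.splitlines():
        line = line.strip()
        if line.endswith("SECTION:"):             # ";; ANSWER SECTION:" etc.
            section = {"ANSWER": resp.answer, "AUTHORITY": resp.authority}.get(line.split()[1])
            continue
        parts = line.split(None, 4)
        if not line or line.startswith(";") or section is None or len(parts) < 5:
            continue
        owner, _ttl, _cls, rtype, rdata = parts
        section.append((owner.lower().rstrip("."), rtype, rdata.split()[0].lower().rstrip(".")))
    return resp


def classify(orphan_name, orphan_ip, delegation, subzone_replies):
    """Return "OK" (same A record present in the subzone) or "CASE1".."CASE4".
    delegation      : reply to `dig NS <zone>` at the TLD server (step 2)
    subzone_replies : replies to `dig <orphan_name>` at each delegated server (step 3)"""
    name = orphan_name.lower().rstrip(".")
    has_ns = any(t == "NS" for _, t, _ in delegation.answer + delegation.authority)
    if not has_ns:
        if "aa" in delegation.flags:
            return "CASE1"                        # authoritative reply with no delegation
        raise ValueError("TLD server gave neither a delegation nor an authoritative answer")
    for reply in subzone_replies:
        if "aa" not in reply.flags:
            continue                              # lame server: cannot determine status
        if reply.status == "NXDOMAIN" or not reply.answer:
            return "CASE2"
        target, seen = name, set()                # follow any CNAME chain inside the answer
        while target not in seen:
            seen.add(target)
            rrs = [(t, r) for o, t, r in reply.answer if o == target]
            addrs = {r for t, r in rrs if t == "A"}
            if addrs:
                return "OK" if orphan_ip in addrs else "CASE3"
            cnames = [r for t, r in rrs if t == "CNAME"]
            if not cnames:
                break
            target = cnames[0]
        return "CASE2"                            # dangling CNAME: treated as Case 2
    return "CASE4"                                # every delegated server was lame


# Constructed samples, condensed from the dig responses shown in the document.
TLD_NOT_DELEGATED = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 29956
;; flags: qr aa; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
;; AUTHORITY SECTION:
net.  86400  IN  SOA  A.GTLD-SERVERS.net. nstld.verisign-grs.com. 2002021300 1800 900 604800 86400
"""
TLD_DELEGATED = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 59899
;; flags: qr; QUERY: 1, ANSWER: 0, AUTHORITY: 2, ADDITIONAL: 2
;; AUTHORITY SECTION:
industrialwhoswho.com.  172800  IN  NS  NS1.INTERNET-DNS.NET.
industrialwhoswho.com.  172800  IN  NS  NS2.INTERNET-DNS.NET.
"""
SUB_NXDOMAIN = """\
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 55813
;; flags: qr aa ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
"""
SUB_CNAME_MISMATCH = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 32558
;; flags: qr aa ra; QUERY: 1, ANSWER: 2, AUTHORITY: 3, ADDITIONAL: 3
;; ANSWER SECTION:
www.angry.org.  86400  IN  CNAME  angry.org.
angry.org.      86400  IN  A      216.218.240.18
"""
SUB_LAME = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1621
;; flags: qr; QUERY: 1, ANSWER: 0, AUTHORITY: 13, ADDITIONAL: 13
"""

if __name__ == "__main__":
    print(classify("ns2.myspecialagent.net", "38.168.228.21", parse_dig(TLD_NOT_DELEGATED), []))
    print(classify("dns1.industrialwhoswho.com", "206.47.138.245", parse_dig(TLD_DELEGATED),
                   [parse_dig(SUB_NXDOMAIN)]))
    print(classify("www.angry.org", "204.182.40.66", parse_dig(TLD_DELEGATED),
                   [parse_dig(SUB_CNAME_MISMATCH)]))
    print(classify("www.rsa.net", "216.37.27.62", parse_dig(TLD_DELEGATED),
                   [parse_dig(SUB_LAME), parse_dig(SUB_LAME)]))
```

The delegation check accepts NS records in either the ANSWER or the AUTHORITY section because the TLD server replies shown above use both forms. Lame servers are skipped rather than treated as "record missing", which is the point of Case 4: a non-authoritative reply says nothing about the zone's contents, and a run in which every delegated server is lame must end in "status undetermined" rather than in a removal decision.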


Please send further questions to edu@educause.edu