Following on from “On DNS and IPv6” I happened to check up on cisco.com's setup again.

$ dig @$( dig +short ns com. | head -n1 ) aaaa cisco.com.
; <<>> DiG 9.8.3-P1 <<>> @k.gtld-servers.net. aaaa cisco.com.
;; AUTHORITY SECTION:
cisco.com. 172800 IN NS ns1.cisco.com.
cisco.com. 172800 IN NS ns2.cisco.com.
cisco.com. 172800 IN NS ns3.cisco.com.

;; ADDITIONAL SECTION:
ns1.cisco.com. 172800 IN A 72.163.5.201
ns2.cisco.com. 172800 IN A 64.102.255.44
ns3.cisco.com. 172800 IN A 173.37.146.41
ns3.cisco.com. 172800 IN AAAA 2001:420:1101:6::a
ns3.cisco.com. 172800 IN AAAA 2001:420:1201:7::a
ns3.cisco.com. 172800 IN AAAA 2001:420:2041:5000::a

Since last time, Cisco have added a third nameserver, “ns3.cisco.com”, and this server has three IPv6 addresses (and an IPv4 address). So cisco.com is now resolvable to IPv6-only clients, via this nameserver. Hooray!

But hang on. Those IPv6 addresses look familiar. Two of them are the same addresses as we saw back in January, in the earlier article.

Identity ambiguity

For the IPv4 setup, everything matches as you'd expect: the glue records name the three nameservers, and each nameserver has an IPv4 address, and if you do a reverse lookup on those addresses (PTR), you get the names again:

$ dig +short -x 72.163.5.201
ns1.cisco.com.
$ dig +short -x 64.102.255.44
ns2.cisco.com.
$ dig +short -x 173.37.146.41
ns3.cisco.com.

However, for the IPv6 setup, ns1 and ns2 don't have an IPv6 address (according to the glue records), but according to the nameservers they do, and six nameservers (three IPv4, three IPv6) all agree that ns1 is 2001:420:1101:6::a, ns2 is 2001:420:2041:5000::a, and ns3 is 2001:420:1201:7::a.

Reverse lookups of the three IPv6 addresses also return ns1, ns2, and ns3:

$ for a in $( dig @$( dig +short ns com. | head -n1 ) ns cisco.com. | egrep -w 'A|AAAA' | awk '{print $5}' ) ; do echo $( dig +short -x $a ) $a ; done
ns1.cisco.com. 72.163.5.201
ns2.cisco.com. 64.102.255.44
ns3.cisco.com. 173.37.146.41
ns1.cisco.com. 2001:420:1101:6::a
ns3.cisco.com. 2001:420:1201:7::a
ns2.cisco.com. 2001:420:2041:5000::a

So, basically, Cisco have accidentally labelled all three IPv6 addresses in the glue records as ns3, when they belong to ns1, ns2 and ns3.
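The comparison above can be scripted. This is an added example, not part of the original post: the function name glue_diff and the three-column layout of AUTH are assumptions, while the records themselves are the ones quoted on this page.

```shell
#!/bin/sh
# Added example: compare registry glue with the zone's own answers.

# Glue: ADDITIONAL section returned by the com. server, as shown on the page.
GLUE='ns1.cisco.com. 172800 IN A 72.163.5.201
ns2.cisco.com. 172800 IN A 64.102.255.44
ns3.cisco.com. 172800 IN A 173.37.146.41
ns3.cisco.com. 172800 IN AAAA 2001:420:1101:6::a
ns3.cisco.com. 172800 IN AAAA 2001:420:1201:7::a
ns3.cisco.com. 172800 IN AAAA 2001:420:2041:5000::a'

# Authoritative view: what the cisco.com nameservers answer, per the page.
# Layout "name type address" is an assumption made for this example.
AUTH='ns1.cisco.com. A 72.163.5.201
ns2.cisco.com. A 64.102.255.44
ns3.cisco.com. A 173.37.146.41
ns1.cisco.com. AAAA 2001:420:1101:6::a
ns2.cisco.com. AAAA 2001:420:2041:5000::a
ns3.cisco.com. AAAA 2001:420:1201:7::a'

# glue_diff GLUE AUTH
# Keys both views by address (last field) and compares the owner name
# (first field). Prints one line per disagreement, nothing if they agree.
glue_diff() {
    printf '%s\n---\n%s\n' "$1" "$2" | awk '
        $0 == "---" { auth = 1; next }      # separator between the two views
        NF == 0     { next }
        !auth       { glue[$NF] = $1; next } # address -> name according to glue
        {
            addr = $NF; name = $1; seen[addr] = 1
            if (!(addr in glue))
                print "MISSING-GLUE " name " " addr
            else if (glue[addr] != name)
                print "MISMATCH " addr " glue=" glue[addr] " auth=" name
        }
        END {
            # Glue addresses the zone itself no longer publishes.
            for (a in glue) if (!(a in seen)) print "STALE-GLUE " glue[a] " " a
        }
    ' | sort
}

glue_diff "$GLUE" "$AUTH"
```

With the page's records it reports two mismatches, the ns1 and ns2 IPv6 addresses that the glue attributes to ns3.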

So what?

Is that a problem? Well, a tiny one. It does mean there are differing opinions out there on the net as to what the addresses of the three servers are, which could cause confusion, especially when debugging problems. In theory, ns1 and ns2 could appear to have an IPv6 address one moment, and not the next; and ns3 could sometimes have three addresses, and sometimes only one.

The worst case is that Cisco might find that most DNS lookups (over IPv6) for cisco.com end up going to 2001:420:1201:7::a (ns3).

(A resolver might find that the only nameserver is “ns3”, find “all three” IPv6 addresses of ns3, then ask the Cisco nameservers the same question (“what is the IPv6 address of ns3?”) and then get only one result; thus, there's only one nameserver, and it has only one IPv6 address.)

It'll probably work. It might compromise resiliency.

Of course, the fix is easy: just fix the glue records to read “ns1, ns2, ns3” instead of “ns3” three times.

Lesson: remember to take care when changing DNS settings, everyone :-)