In my test yesterday I found that you have just made some big configuration changes to your DNS. Here is what I got yesterday.
1) SOA as of yesterday:
What's listed at the roots?
# whois getnby.com
NS1.GETNBY.COM 199.104.118.66
NS2.GETNBY.COM 199.104.118.67
Let's check your getnby.com by querying ns1.getnby.com:
# dnsq soa getnby.com ns1.getnby.com
6 getnby.com:
133 bytes, 1+1+2+2 records, response, authoritative, weird ra, noerror
query: 6 getnby.com
answer: getnby.com 172800 SOA getnby.com root.getnby.com 2002011101 86400 30 604800 172800
authority: getnby.com 172800 NS getnby.com
authority: getnby.com 172800 NS ns1.getnby.com
additional: getnby.com 172800 A 192.168.0.1
additional: ns1.getnby.com 172800 A 199.104.118.66
In your SOA you have set the MNAME to getnby.com, but the root servers don't know anything about it because the zone has been delegated to ns1.getnby.com. So you need to change it to ns1.getnby.com so it can be traced to the roots and the chain of delegation is followed properly.
Don't use root.getnby.com as your RNAME; set up a hostmaster alias instead.
Your Retry is 30 seconds, which wastes a lot of bandwidth if your ns2.getnby.com is ever down. A proper Retry should be around 30 minutes (1800) to 1 hour (3600).
You need to change your TTL from 172800 (2 days) to 86400 (1 day). Note that the TTL is the minimum, not the actual.
SOA as of today:
# dnsq soa getnby.com ns1.getnby.com
6 getnby.com:
142 bytes, 1+1+2+2 records, response, weird ra, noerror
query: 6 getnby.com
answer: getnby.com 167164 SOA ns1.getnby.com webmaster.getnby.com 2002020404 86400 30 604800 172800
authority: getnby.com 86400 NS ns1.getnby.com
authority: getnby.com 86400 NS ns2.getnby.com
additional: ns1.getnby.com 80585 A 199.104.118.66
additional: ns2.getnby.com 86400 A 199.104.118.67
- Your MNAME has been fixed.
- However, your ns1.getnby.com is no longer giving an authoritative answer for getnby.com; this is a so-called lame server.
Now let's try to ask ns2.getnby.com:
# dnsq soa getnby.com ns2.getnby.com
6 getnby.com:
142 bytes, 1+1+2+2 records, response, authoritative, weird ra, noerror
query: 6 getnby.com
answer: getnby.com 86400 SOA ns1.getnby.com webmaster.getnby.com 2002020404 86400 30 604800 172800
authority: getnby.com 86400 NS ns1.getnby.com
authority: getnby.com 86400 NS ns2.getnby.com
additional: ns1.getnby.com 86400 A 199.104.118.66
additional: ns2.getnby.com 86400 A 199.104.118.67
2) NS as of today has been fixed.
3) A record as of yesterday:
Why use 192.168.0.1? You need to add another A record for ns2.getnby.com so it's glued.
What is glueness?
When you delegate your getnby.com to ns1.getnby.com and ns2.getnby.com with NS records, you MUST add the associated A records of ns1.getnby.com and ns2.getnby.com within the same zone. It's required.
I've heard of gluelessness, what is it?
When you delegate your getnby.com to ns1.anotherdomain.com, you CAN'T add:
ns1.anotherdomain.com. IN A 12.34.56.78
Then a further DNS lookup is required, since you can't get the address of getnby.com within the same zone. BIND will ignore such an A record by default.
How about delegating subdomain.getnby.com to ns.subdomain.getnby.com?
It's the same parent zone, same parent domain, therefore glue is needed.
subdomain.getnby.com. IN NS ns.subdomain.getnby.com.
ns.subdomain.getnby.com. IN A 11.22.33.44
NS + A makes it glue. In this example, you don't need to define an A record for subdomain.getnby.com because it's delegated to ns.subdomain.getnby.com. BTW, gluelessness is bad, according to djb (qmail author). It's fine to be glueless at one level, that usually happens when you host someone's domain.
4) MX:
What's your MX?
Normally you can do:
# dnsmx getnby.com
But I trust no one; I want to see what you have set, so I will ask ns1.getnby.com for the answer (yesterday):
# dnsq mx getnby.com ns1.getnby.com
15 getnby.com:
129 bytes, 1+1+2+3 records, response, authoritative, weird ra, noerror
query: 15 getnby.com
answer: getnby.com 172800 MX 10 mail.getnby.com
authority: getnby.com 172800 NS getnby.com
authority: getnby.com 172800 NS ns1.getnby.com
additional: mail.getnby.com 172800 A 199.104.118.67
additional: getnby.com 172800 A 192.168.0.1
additional: ns1.getnby.com 172800 A 199.104.118.66
Because your ns1.getnby.com is currently a lame server, I am going to ask ns2.getnby.com for the answer (today):
# dnsq mx getnby.com ns2.getnby.com
15 getnby.com:
78 bytes, 1+0+1+0 records, response, authoritative, weird ra, noerror
query: 15 getnby.com
authority: getnby.com 172800 SOA ns1.getnby.com webmaster.getnby.com 2002020404 86400 30 604800 172800
It's not even giving an answer. Why?
Let's try this:
# dnsmx getnby.com
10 mail.getnby.com
So mail.getnby.com appears to be your MX. But wait, it doesn't have an A record as of today; that's why ns2 is not answering.
Your MX has got a serious problem.
# dnsip ns2.getnby.com
199.104.118.67
Oh no, as of yesterday it's the same IP as mail.getnby.com. Remember the whois lookup: ns1.getnby.com and ns2.getnby.com are listed at the root servers.
If you want more reliability, you MUST set your MX to ns2.getnby.com to avoid unnecessary DNS traffic. It makes a 30% difference.
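The checks made by hand above (SOA MNAME against the parent's delegation, the Retry and minimum TTL values, a lame answer, in-zone NS names without glue, and an MX target with no address record) can be run mechanically over dnsq output. The script below is an added example, not part of the original post and not a djbdns tool. It parses the three dnsq answers shown above (copied inline as constructed sample data) and reports the same problems; the delegated name server set is taken from the whois output, and the 1800-3600 second Retry window and 86400 second minimum are the thresholds recommended above.

```python
"""Lint dnsq-style answers for the delegation problems discussed in the post.

Added example (not djbdns code): checks SOA MNAME against the parent's
delegation, SOA retry/minimum values, lame (non-authoritative) answers,
in-zone NS targets without glue, and MX targets with no A record.
"""
import ipaddress

ZONE = "getnby.com"
# Name servers the parent delegates to, per the whois output in the post.
DELEGATED_NS = {"ns1.getnby.com", "ns2.getnby.com"}
QTYPES = {"1": "A", "2": "NS", "6": "SOA", "15": "MX"}

# Sample inputs: copies of the dnsq output shown in the post (constructed for this example).
SOA_YESTERDAY = """\
6 getnby.com:
133 bytes, 1+1+2+2 records, response, authoritative, weird ra, noerror
query: 6 getnby.com
answer: getnby.com 172800 SOA getnby.com root.getnby.com 2002011101 86400 30 604800 172800
authority: getnby.com 172800 NS getnby.com
authority: getnby.com 172800 NS ns1.getnby.com
additional: getnby.com 172800 A 192.168.0.1
additional: ns1.getnby.com 172800 A 199.104.118.66
"""
SOA_TODAY_NS1 = """\
6 getnby.com:
142 bytes, 1+1+2+2 records, response, weird ra, noerror
query: 6 getnby.com
answer: getnby.com 167164 SOA ns1.getnby.com webmaster.getnby.com 2002020404 86400 30 604800 172800
authority: getnby.com 86400 NS ns1.getnby.com
authority: getnby.com 86400 NS ns2.getnby.com
additional: ns1.getnby.com 80585 A 199.104.118.66
additional: ns2.getnby.com 86400 A 199.104.118.67
"""
MX_TODAY_NS2 = """\
15 getnby.com:
78 bytes, 1+0+1+0 records, response, authoritative, weird ra, noerror
query: 15 getnby.com
authority: getnby.com 172800 SOA ns1.getnby.com webmaster.getnby.com 2002020404 86400 30 604800 172800
"""


def parse_dnsq(text):
    """Return (query type, authoritative flag, records) from dnsq's text output.
    Each record is (section, owner, ttl, rtype, rdata fields)."""
    lines = [ln for ln in text.strip().splitlines() if ln.strip()]
    qnum = lines[0].split()[0]                      # "6 getnby.com:" -> "6"
    flags = {f.strip() for f in lines[1].split(",")}  # the "... response, authoritative, ..." line
    records = []
    for line in lines[2:]:
        section, _, rest = line.partition(":")
        if section == "query":
            continue
        fields = rest.split()
        records.append((section, fields[0], int(fields[1]), fields[2], fields[3:]))
    return QTYPES.get(qnum, qnum), "authoritative" in flags, records


def lint(text, server):
    """List the problems the post calls out, for one dnsq answer from `server`."""
    qtype, authoritative, records = parse_dnsq(text)
    problems = []
    if not authoritative:
        problems.append(f"{server}: non-authoritative answer for {ZONE} (lame server)")
    if not any(sec == "answer" for sec, *_ in records):
        problems.append(f"{server}: no answer records for {qtype} {ZONE}")
    a_names = {owner for _, owner, _, rtype, _ in records if rtype == "A"}
    for _section, owner, _ttl, rtype, rdata in records:
        if rtype == "SOA":
            mname, rname = rdata[0], rdata[1]
            _refresh, retry, _expire, minimum = (int(x) for x in rdata[3:7])
            if mname not in DELEGATED_NS:
                problems.append(f"SOA MNAME {mname} is not a server the parent delegates to")
            if rname.split(".")[0] == "root":
                problems.append(f"SOA RNAME {rname} should be a hostmaster alias")
            if not 1800 <= retry <= 3600:
                problems.append(f"SOA retry {retry}s is outside the 1800-3600s range")
            if minimum > 86400:
                problems.append(f"SOA minimum {minimum}s exceeds 86400s")
        elif rtype == "NS" and owner == ZONE:
            target = rdata[0]
            if target not in DELEGATED_NS:
                problems.append(f"NS {target} is not in the parent's delegation")
            if target.endswith(ZONE) and target not in a_names:
                problems.append(f"NS {target} is in-zone but has no glue A record")
        elif rtype == "MX":
            target = rdata[1]                       # rdata is ["10", "mail.getnby.com"]
            if not target.endswith("." + ZONE):
                problems.append(f"MX target {target} is out of zone")
            elif target not in a_names:
                problems.append(f"MX target {target} has no A record")
        elif rtype == "A" and ipaddress.ip_address(rdata[0]).is_private:
            problems.append(f"A {owner} uses private address {rdata[0]}")
    return problems


if __name__ == "__main__":
    for label, text, server in (("SOA yesterday", SOA_YESTERDAY, "ns1.getnby.com"),
                                ("SOA today", SOA_TODAY_NS1, "ns1.getnby.com"),
                                ("MX today", MX_TODAY_NS2, "ns2.getnby.com")):
        print(label)
        for problem in lint(text, server):
            print("  -", problem)
```

Run it and the "yesterday" SOA produces six findings (MNAME, RNAME, Retry, minimum, the undelegated NS getnby.com, and the private 192.168.0.1 glue), the "today" SOA from ns1 is flagged as lame, and the MX query to ns2 is flagged for returning no answer section. Pointing it at a live server only needs the dnsq output pasted in place of the sample strings.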
Here is what you need to do on ns1 now:
1) Fix all your Retry, Refresh, Expire and Minimum
2) Change your MX to ns2.getnby.com
>> mail.getnby.com. IN MX 10 ns2.getnby.com.
That's absolutely incorrect.
- mail.getnby.com has no A record.
- your DNS servers have never delegated anything to mail.getnby.com
- specifying mail.getnby.com is out-of-zone.
The fix is:
getnby.com. IN MX 0 ns2.getnby.com.
3) At your named.conf add the following:
options {
    directory "/var/named";
    version "";            // hide the BIND version string from version.bind queries
    auth-nxdomain no;
    fetch-glue no;
    recursion no;          // authoritative-only: refuse recursive queries
};
4) Remove the following:
zone "199.104.118.67" {
    type master;
    file "master/199.104.118.67";
    notify yes;
};
Why?
Because your authoritative DNS servers will NEVER be authoritative for your reverse zone.
5) Increment the Serial on NS1, then shut it down completely and restart it.
6) Fix (1) and (2) then I will look it up again.