[dns-operations] does anybody know why yahoo+akamai are doing this?

Peter Dambier peter at peter-dambier.de
Sun Mar 19 12:03:53 UTC 2006


Niall O'Reilly wrote:
> 
> On 19 Mar 2006, at 10:10, Peter Dambier wrote:
> 
>> ; <<>> DiG 9.1.3 <<>> -t any www.microsoft.com
>> ;; global options:  printcmd
>> ;; Got answer:
>> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 33270
>> ;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 0
>>
>> ;; QUESTION SECTION:
>> ;www.microsoft.com.             IN      ANY
>>
>> ;; ANSWER SECTION:
>> www.microsoft.com.      3600    IN      CNAME   toggle.www.ms.akadns.net.
>> toggle.www.ms.akadns.net. 300   IN      CNAME   g.www.ms.akadns.net.
>>
>> ;; Query time: 1250 msec
>> ;; SERVER: 192.168.208.228#53(192.168.208.228)
>> ;; WHEN: Sun Mar 19 10:49:27 2006
>> ;; MSG SIZE  rcvd: 89
> 
> 
> With respect, I really wonder what the point of this example is.
> 
> All it shows is that a caching resolver on a private network has
> somehow gotten junk in its cache, and is prepared to serve it out.
> It can be inferred, but not with certainty, that this cached data
> is derived from a non-conformant answer (or series of such answers)
> from one or more authoritative servers, officially advertised for
> the relevant zone.
> 
> Showing the response from such a delinquent authoritative server
> would concretely demonstrate and localize the problem suggested by
> the example.
> 
> Why leave the real work as an exercise for the reader?
> 
> 

It is not my resolver:

; <<>> DiG 9.1.3 <<>> -t any www.microsoft.com @ns1.msft.net.
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 18691
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;www.microsoft.com.             IN      ANY

;; ANSWER SECTION:
www.microsoft.com.      3600    IN      CNAME   toggle.www.ms.akadns.net.

;; Query time: 244 msec
;; SERVER: 207.68.160.190#53(ns1.msft.net.)
;; WHEN: Sun Mar 19 12:55:09 2006
;; MSG SIZE  rcvd: 73

The chain of CNAMEs is for real:

; <<>> DiG 9.1.3 <<>> -t any toggle.www.ms.akadns.net. @eur8.akadns.net
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 31120
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;toggle.www.ms.akadns.net.      IN      ANY

;; ANSWER SECTION:
toggle.www.ms.akadns.net. 300   IN      CNAME   g.www.ms.akadns.net.

;; Query time: 66 msec
;; SERVER: 62.4.69.96#53(eur8.akadns.net)
;; WHEN: Sun Mar 19 12:57:56 2006
;; MSG SIZE  rcvd: 58


Whoever invented this was not the inventor of Bind.
I don't know how to make Bind 9 return such nonsense
as the original example returning CNAME and the root-servers.

I guess it was a bug in the MS dns-servers.


-- 
Peter and Karin Dambier
The Public-Root Consortium
Graeffstrasse 14
D-64646 Heppenheim
+49(6252)671-788 (Telekom)
+49(179)108-3978 (O2 Genion)
+49(6252)750-308 (VoIP: sipgate.de)
mail: peter at peter-dambier.de
mail: peter at echnaton.serveftp.com
http://iason.site.voila.fr/
https://sourceforge.net/projects/iason/
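
The check this exchange turns on, as an added example that is not part of the original message: it parses the three dig answers quoted above (trimmed to the lines used), separates CNAME links seen with the `aa` flag set from links seen only in a non-authoritative answer, and follows the chain. The function names are illustrative.

```python
import re

# The three dig answers from the message above, trimmed to the lines parsed here.
RESPONSES = {
    "192.168.208.228": """\
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 0
;; ANSWER SECTION:
www.microsoft.com.      3600    IN      CNAME   toggle.www.ms.akadns.net.
toggle.www.ms.akadns.net. 300   IN      CNAME   g.www.ms.akadns.net.""",
    "ns1.msft.net.": """\
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
;; ANSWER SECTION:
www.microsoft.com.      3600    IN      CNAME   toggle.www.ms.akadns.net.""",
    "eur8.akadns.net": """\
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
;; ANSWER SECTION:
toggle.www.ms.akadns.net. 300   IN      CNAME   g.www.ms.akadns.net.""",
}
CNAME_RR = re.compile(r"^(\S+)\s+\d+\s+IN\s+CNAME\s+(\S+)\s*$")

def parse(text):
    """Return (header flags, {owner: CNAME target}) for one dig answer."""
    flags, links, in_answer = set(), {}, False
    for line in text.splitlines():
        if line.startswith(";; flags:"):
            flags = set(line.split(":", 1)[1].split(";")[0].split())
        elif line.startswith(";; ANSWER SECTION"):
            in_answer = True
        elif line.startswith(";;") or not line.strip():
            in_answer = False  # any other section header or blank line ends the answer section
        elif in_answer and (m := CNAME_RR.match(line)):
            links[m.group(1).lower()] = m.group(2).lower()
    return flags, links

def split_links(responses):
    """Separate CNAME links seen with aa set from links seen only without it."""
    confirmed, cached = {}, {}
    for text in responses.values():
        flags, links = parse(text)
        (confirmed if "aa" in flags else cached).update(links)
    unconfirmed = {k: v for k, v in cached.items() if confirmed.get(k) != v}
    return confirmed, unconfirmed

def chain(start, links):
    """Follow CNAME links from start, stopping on a loop or a dead end."""
    path = [start]
    while path[-1] in links and links[path[-1]] not in path:
        path.append(links[path[-1]])
    return path
```

Calling `split_links(RESPONSES)` and then `chain("www.microsoft.com.", confirmed)` on the first returned dict walks only the links that an answer with `aa` set carried; the second returned dict lists any link that appears solely in a resolver's cached answer.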



