[dns-operations] blocking recursers
Rodney Joffe
rjoffe at centergate.com
Mon Mar 27 07:52:07 UTC 2006
On Mar 27, 2006, at 12:34 AM, Stephane Bortzmeyer wrote:
> On Sun, Mar 26, 2006 at 02:37:38AM +0000,
> Paul Vixie <paul at vix.com> wrote
> a message of 9 lines which said:
>
>> ask an RD=1 question about a nonexistent name in the root zone. if
>> you get back NXDOMAIN it answered you recursively.
>
> As usual in the wild Internet, things are never so simple. I just ran
> a program which tests the RA bit against many nameservers (it is for
> statistical purposes, not for blacklisting, so a few mistakes are not
> important) and I noticed several nameservers which are *not* recursive
> but show it by answering NXDOMAIN for domains which do exist but are
> outside of their authority...

I don't think this conflicts with Paul's statement above. Note that
he directs the query to be for a non-existent name in the *root*
zone. So:

    dig @$omeDNSserver stephane. a

There is no "stephane" name in the root zone currently - it is not
one of the 264 currently valid ICANN TLDs.

What do you see when you query thus against those apparently odd
nameservers?
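
Added example, not part of the original message or of any poster's code: a Python sketch that builds the RD=1 probe for a non-existent root-zone name, as in the dig query above, and labels a reply from its header bits. The label names, the decision to read the RA bit alongside NXDOMAIN, and the header-only sample replies are assumptions of this example.

```python
import struct

RCODES = {0: "NOERROR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}

def build_probe(name, qid=0x1234):
    """Build an RD=1 query for an A record, like `dig @server stephane. a`."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)  # flags: RD=1 only
    labels = [l for l in name.rstrip(".").split(".") if l]
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN

def parse_header(msg):
    """Decode the fixed 12-byte DNS header (RFC 1035 section 4.1.1)."""
    if len(msg) < 12:
        raise ValueError("truncated DNS message")
    qid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {"id": qid, "qr": flags >> 15 & 1, "aa": flags >> 10 & 1,
            "rd": flags >> 8 & 1, "ra": flags >> 7 & 1,
            "rcode": flags & 0xF, "ancount": an, "nscount": ns}

def classify(response, qid=0x1234):
    """Label a reply to the probe. The labels are this example's own."""
    h = parse_header(response)
    if not h["qr"] or h["id"] != qid:
        return "not-a-reply"
    rcode = RCODES.get(h["rcode"], str(h["rcode"]))
    if rcode == "NXDOMAIN":
        # NXDOMAIN with RA=1 is the recursive case; with RA=0 the server
        # said NXDOMAIN without offering recursion and needs a closer look.
        return "recursive" if h["ra"] else "nxdomain-without-ra"
    if rcode == "REFUSED":
        return "refused"
    if rcode == "NOERROR" and h["ancount"] == 0 and h["nscount"] > 0:
        return "referral"  # pointed at the root instead of answering
    return "other:" + rcode

def fake_reply(flags, ns=0, qid=0x1234):
    """Constructed sample reply: header and echoed question, records omitted."""
    question = build_probe("stephane.", qid)[12:]
    return struct.pack("!HHHHHH", qid, flags, 1, 0, ns, 0) + question

if __name__ == "__main__":
    # Constructed flag words: QR=0x8000, AA=0x0400, RD=0x0100, RA=0x0080, low nibble = RCODE
    for flags, ns in [(0x8183, 0), (0x8503, 0), (0x8105, 0), (0x8100, 13)]:
        print(hex(flags), classify(fake_reply(flags, ns)))
```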