[dns-operations] .COM and root authority claims seen in ISC SIE just now

Paul Vixie paul at vix.com
Sun Nov 18 15:15:16 UTC 2007

thanks to the fine folks who run ISC SIE sensors, i'm finally getting a
fairly clear picture of just how much mud there is.  (more sensors welcome!)

first, i see that the set of people who claim authority for .COM is about
the same as shown in various historical CAIDA papers on this topic:

1195394884 ns com IN NS 86400,a.gtld-servers.net 86400,b.gtld-servers.net \
  86400,c.gtld-servers.net 86400,d.gtld-servers.net 86400,e.gtld-servers.net \
  86400,f.gtld-servers.net 86400,g.gtld-servers.net 86400,h.gtld-servers.net \
  86400,i.gtld-servers.net 86400,j.gtld-servers.net 86400,k.gtld-servers.net \
  86400,l.gtld-servers.net 86400,m.gtld-servers.net
1195394889 ns com IN NS 3600,a.ns.com
1195394948 ns com IN NS 1800,ns2.cnspeed.com
1195394957 ns com IN NS 86400,ns1.ezydomain.com 86400,ns2.ezydomain.com \
1195395011 ns com IN NS 7200,ns1.hi2000.net 7200,ns2.hi2000.net
1195395119 ns com IN NS 86400,ns5.namerich.cn 86400,ns6.namerich.cn \
1195395179 ns com IN NS 1800,dns.cachenet.cn
1195395179 ns com IN NS 1800,dns1.netcache.cn
1195395191 ns com IN NS 1800,ns1.cnspeed.com
1195395480 ns com IN NS 86400,dns3.uusee.com
1195395484 ns com IN NS 1800,dns.netcache.cn
1195395709 ns com IN NS 3600,ns1.publinord.com 3600,ns2.publinord.com \
1195395948 ns com IN NS 1800,mfns1.myfamily.net 1800,mfns2.myfamily.net \
1195396091 ns com IN NS 1800,dns1.cachenet.cn

but the root changes are the interesting part of this, from my point of view.

1195394884 ns . IN NS 3600000,A.ROOT-SERVERS.net 3600000,B.ROOT-SERVERS.net \
  3600000,C.ROOT-SERVERS.net 3600000,D.ROOT-SERVERS.net \
  3600000,E.ROOT-SERVERS.net 3600000,F.ROOT-SERVERS.net \
  3600000,G.ROOT-SERVERS.net 3600000,H.ROOT-SERVERS.net \
  3600000,I.ROOT-SERVERS.net 3600000,J.ROOT-SERVERS.net \
  3600000,K.ROOT-SERVERS.net 3600000,L.ROOT-SERVERS.net \

that's good data but it's from dns1.weather.com.  note that my filter is only
looking at NOERROR responses for which ANCOUNT>0 or NSCOUNT>0, and QDCOUNT=1.
one could charitably believe that ns1.weather.com is issuing a root delegation
in response to having been asked a question for which it is not authoritative. (no PTR, but whois says telefonica peru) also does this.

1195394884 ns . IN NS 1000,B.ROOT-SERVERS.net 1000,D.ROOT-SERVERS.net \
  1000,F.ROOT-SERVERS.net 1000,G.ROOT-SERVERS.net 1000,H.ROOT-SERVERS.net \
  1000,I.ROOT-SERVERS.net 1000,J.ROOT-SERVERS.net 1000,K.ROOT-SERVERS.net \

that's bad data of a particular form: TTL=1000, only 8 servers.  this source
(which has no PTR but it's inside GBLX) sent a total of 9 similar responses
in this couple-of-minutes trace, round-robin'ing through servers A..M.  63
other "servers" did the same thing with varying frequency:

 189 a204-2-178-132.deploy.akamaitechnologies.com.
  26 unknown.Level3.net.
  19 unknown.Level3.net.
  18 217-212-245-68.customer.teliacarrier.com.
  12 208-44-108-136.dia.static.qwest.net.
   4 a212-187-244-39.deploy.akamaitechnologies.com.
   3 a193-45-1-103.deploy.akamaitechnologies.com.

i see a similar round robin / truncated set of root name servers coming back
from and, but with TTL=518400.,
which also uses this TTL, is naming 13 servers, but they're ORSN servers.

an unclear on the concept award goes out to these top level or root nsnames:

1195394889 ns . IN NS 60,ns1
1195394919 ns . IN NS 259200,ns
1195394954 ns . IN NS 0,.
1195394959 ns . IN NS 86400,localhost

and another to this all-numeric nsname:

1195394926 ns . IN NS 86400,

special mention to the TTL=1 crowd:

1195394959 ns . IN NS 1,ns1.lamedelegation.net 1,ns2.lamedelegation.net \
1195395008 ns . IN NS 1,ns1.4d.co.uk
1195395087 ns . IN NS 1,ns1.liquidnames.com 1,ns2.liquidnames.com

then there's a bunch of stuff that i just don't know what it means (yet).  you
can run it but you can no longer hide it (nyeck nyeck):

1195394884 ns . IN NS 259200,ns4.dnsauthority.com 259200,ns5.dnsauthority.com
1195394885 ns . IN NS 3600,cpns01.secureserver.net 3600,cpns02.secureserver.net
1195394885 ns . IN NS 3600,ns1.domainsarefree.com 3600,ns2.domainsarefree.com
1195394892 ns . IN NS 3600,dns1.365.com
1195394893 ns . IN NS 3600,dpns1.dnsnameserver.org 3600,dpns2.dnsnameserver.org 3600,dpns3.dnsnameserver.org 3600,dpns4.dnsnameserver.org
1195394895 ns . IN NS 86400,ns0.directnic.com 86400,ns1.directnic.com
1195394899 ns . IN NS 86400,ns0.expireddomainservices.com 86400,ns1.expireddomainservices.com
1195394906 ns . IN NS 3600,ns1.trafficz.com 3600,ns2.trafficz.com
1195394924 ns . IN NS 86400,ns2.catcher.co.uk 86400,ns2.i-business.co.uk 86400,ns4.catcher.co.uk
1195394924 ns . IN NS 86400,ns.catcher.co.uk 86400,ns.i-business.co.uk 86400,ns1.catcher.co.uk 86400,ns1.i-business.co.uk 86400,ns3.catcher.co.uk
1195394927 ns . IN NS 14400,ns1.a1group.com 14400,ns2.a1group.com
1195394928 ns . IN NS 300,redir-01.premiumtraffic.com 300,redir-02.premiumtraffic.com
1195394940 ns . IN NS 3600,ns1.eedns.com 3600,ns2.eedns.com
1195394942 ns . IN NS 3600,ns1.netwisenetworks.co.uk 3600,ns2.netwisenetworks.co.uk
1195394943 ns . IN NS 86400,expired1.dnsbakler.com 86400,expired2.dnsbakler.com
1195394955 ns . IN NS 3600,dnsp1.powerhosting.com 3600,dnsp2.powerhosting.com
1195394968 ns . IN NS 3600,ns0.dnsmadeeasy.com 3600,ns1.dnsmadeeasy.com 3600,ns2.dnsmadeeasy.com 3600,ns3.dnsmadeeasy.com 3600,ns4.dnsmadeeasy.com
1195395058 ns . IN NS 86400,ns1.muumuu-domain.com 86400,ns2.muumuu-domain.com
1195395058 ns . IN NS 14400,NS1.IDITE-NA-HUI.COM 14400,NS2.IDITE-NA-HUI.COM 14400,NS3.IDITE-NA-HUI.COM
1195395060 ns . IN NS 300,ns3.weddingsetup.com 300,ns4.weddingsetup.com
1195395061 ns . IN NS 3600,ns1.pairNIC.com 3600,ns2.pairNIC.com
1195395063 ns . IN NS 43200,ns3.eachnic.com
1195395073 ns . IN NS 300,dns1.vpop.net 300,dns2.vpop.net
1195395090 ns . IN NS 38400,dns1.baihei.com
1195395112 ns . IN NS 1440,ns1.canaldominios.com 1440,ns2.canaldominios.com
1195395119 ns . IN NS 86400,ns5.namerich.cn 86400,ns6.namerich.cn
1195395284 ns . IN NS 259200,dns1.sendori.com 259200,dns2.sendori.com 259200,dns3.sendori.com 259200,dns4.sendori.com 259200,dns5.sendori.com
1195395447 ns . IN NS 86400,dns1.name-hosting.net 86400,dns2.name-hosting.net
1195395674 ns . IN NS 86400,parked1.dnsbakler.com 86400,parked2.dnsbakler.com
1195395882 ns . IN NS 3600,ns4.getitonline.com 3600,ns5.getitonline.com
1195395969 ns . IN NS 14400,ns1.1plus.net 14400,ns2.1plus.net
1195396073 ns . IN NS 3600,p00.psi.jp 3600,p01.psi.jp
1195396289 ns . IN NS 43200,ns5.eachnic.com

did i mention that more sensors are welcome, and also, that any bona fide DNS
researcher is welcome to look at the same raw data i'm seeing?
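
A triage sketch for the record format quoted in the message above, added here as an example; it is not part of the original post and not ISC SIE tooling. The field layout is inferred from the quoted lines, the function names and verdict labels are hypothetical, and the complete 13-name sample line is constructed.

```python
# Added example: field layout "<epoch> ns <owner> IN NS <ttl>,<nsname> ..." is
# inferred from the quoted records; names and verdict labels are hypothetical.

ROOT_SET = frozenset(f"{c}.root-servers.net" for c in "abcdefghijklm")

def parse_record(line):
    """Return (epoch, owner, [(ttl, nsname), ...]) for one observation line."""
    fields = line.replace("\\", " ").split()  # drop line-continuation marks
    if len(fields) < 6 or fields[1] != "ns" or fields[3:5] != ["IN", "NS"]:
        raise ValueError(f"not an NS observation: {line!r}")
    rrset = []
    for item in fields[5:]:
        ttl, _, name = item.partition(",")
        rrset.append((int(ttl), name.lower().rstrip(".") or name))
    return int(fields[0]), fields[2], rrset

def classify_root_claim(rrset):
    """Label an NS set that claims authority for the root zone."""
    names = {name for _, name in rrset}
    malformed = [n for n in names
                 if n in ("", ".", "localhost") or "." not in n
                 or n.replace(".", "").isdigit()]
    if malformed:
        return "malformed-nsname"
    if names == ROOT_SET:
        return "root-full"      # right names; the sender may still be wrong
    if names < ROOT_SET:
        return "root-subset"    # truncated set, as in the TTL=1000 responses
    return "foreign"

def triage(lines):
    """Classify every record whose owner name is the root ('.')."""
    out = []
    for line in lines:
        epoch, owner, rrset = parse_record(line)
        if owner == ".":
            out.append((epoch, classify_root_claim(rrset), min(t for t, _ in rrset)))
    return out

SAMPLE = [  # first line constructed; the rest are records quoted in the post
    "1195394884 ns . IN NS " + " ".join(f"3600000,{c}.ROOT-SERVERS.net" for c in "ABCDEFGHIJKLM"),
    "1195394884 ns . IN NS " + " ".join(f"1000,{c}.ROOT-SERVERS.net" for c in "BDFGHIJK"),
    "1195394889 ns . IN NS 60,ns1",
    "1195394954 ns . IN NS 0,.",
    "1195395008 ns . IN NS 1,ns1.4d.co.uk",
    "1195394889 ns com IN NS 3600,a.ns.com",
]
```

The record format carries no responder address, so a "root-full" verdict only says the names are right; telling a real root server from a host such as the dns1.weather.com case needs the source address from the raw capture.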
