[dns-operations] is it worth trying to get people to stop declaring authority for '.' ?
dagon at cc.gatech.edu
Tue Dec 2 16:05:40 UTC 2008
On Tue, Dec 02, 2008 at 02:51:52PM +0000, Paul Vixie wrote:
> i was watching the ISC SIE fast flux channel out of the corner of my eye
> and noticed the following, which isn't really fast flux but triggers on
> the same conditions. the misconfiguration shown in the authority section
> is usually due to someone putting a lot of data into a "zone file" without
> real apex NS RRs, just one apex NS RRset at the top, for '.'. so, domain
> parking of some kind. ever since kashpureff, no caching or stub resolver
> will import this crud. so while my first impulse was to do some whois work
> and fire off some e-mail about it, my second impulse was, who cares?
I recall Duane had investigated similar misconfigurations (perhaps a
NANOG talk), since the host would appear to claim authority for a TLD
or the root.
The likely culprit was a single zone file with a high level origin,
used in a server that hosted many zones. Combined with the failure to
use fqdn in the zone, the nameserver then claimed authority for a
parent. Perhaps this is a similar instance.
But here's what's interesting. I have anecdotally noticed that many
such authorities for .cn domains originally claimed authority for a
TLD (usually .com) ... but then later they all seemed to switch to '.'
For example, the query:
dig @ns5.namerich.cn. any zksw.com.
used to provide an authority line similar to this (circa 2006):
com. 86400 IN NS ns5.namerich.cn.
But these days they answer similarly with '.' instead. I've not done
a survey, but anecdotally it seems they all changed to '.'. Have
others noticed such a migration?
> does anybody still care?
Old Windows 2000 resolvers are perhaps affected. I know win2k8/win2k3
has Kashpureff protection "on by default", but curiously lets one
disable it in a menu option.
Besides any potential innocent victim resolvers, is this related to
content management for .cn-related zones? The other speculations I've
heard involve traffic redirection for cn mainland startups. I think
these are just theories, and find misconfiguration most likely.
David Dagon /"\ "When cryptography
dagon at cc.gatech.edu \ / ASCII RIBBON CAMPAIGN is outlawed, bayl
Ph.D. Student X AGAINST HTML MAIL bhgynjf jvyy unir
Georgia Inst. of Tech. / \ cevinpl."
More information about the dns-operations