[dns-operations] is it worth trying to get people to stop declaring authority for '.' ?

David Dagon dagon at cc.gatech.edu
Tue Dec 2 16:05:40 UTC 2008

On Tue, Dec 02, 2008 at 02:51:52PM +0000, Paul Vixie wrote:
> i was watching the ISC SIE fast flux channel out of the corner of my eye
> and noticed the following, which isn't really fast flux but triggers on
> the same conditions.  the misconfiguration shown in the authority section
> is usually due to someone putting a lot of data into a "zone file" without
> real apex NS RRs, just one apex NS RRset at the top, for '.'.  so, domain
> parking of some kind.  ever since kashpureff, no caching or stub resolver
> will import this crud.  so while my first impulse was to do some whois work
> and fire off some e-mail about it, my second impulse was, who cares?

I recall Duane had investigated similar misconfigurations (perhaps a
NANOG talk), since the host would appear to claim authority for a TLD
or the root.

The likely culprit was a single zone file with a high-level origin,
used in a server that hosted many zones.  Combined with the failure to
use FQDNs in the zone, the nameserver then claimed authority for a
parent.  Perhaps this is a similar instance.

But here's what's interesting.  I have anecdotally noticed that many
such authorities for .cn domains originally claimed authority for a
TLD (usually .com) ... but then later they all seemed to switch to '.'.

For example, the query:

   dig @ns5.namerich.cn. any zksw.com.

used to provide an authority line similar to this (circa 2006):

   com. 86400 IN NS ns5.namerich.cn.

But these days they answer similarly with '.' instead.  I've not done
a survey, but anecdotally it seems they all changed to '.'.  Have
others noticed such a migration?

> does anybody still care?

Old Windows 2000 resolvers are perhaps affected.  I know win2k8/win2k3
have Kashpureff protection "on by default", but curiously let one
disable it in a menu option.

Besides any potential innocent victim resolvers, is this related to
content management for .cn-related zones?  The other speculations I've
heard involve traffic redirection for cn mainland startups.  I think
these are just theories, and find misconfiguration most likely.

David Dagon              /"\                          "When cryptography
dagon at cc.gatech.edu      \ /  ASCII RIBBON CAMPAIGN    is outlawed, bayl
Ph.D. Student             X     AGAINST HTML MAIL      bhgynjf jvyy unir
Georgia Inst. of Tech.   / \                           cevinpl."
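An added example, not code from this thread or from any of its posters: the bailiwick ("Kashpureff") check that the posts above rely on, applied to a reply in the shape Paul and David describe. The script is a minimal, standard-library-only DNS wire-format builder and parser, so it runs offline. It constructs an authoritative reply for zksw.com whose authority section carries NS records for '.', for 'com.' and for zksw.com. itself, all pointing at ns5.namerich.cn., and then keeps only the records whose owner lies at or below the zone the cache actually consulted the server for. The names are the ones in the thread; the address 192.0.2.1, the TTLs and the records themselves are constructed test data, and the bailiwick test is the plain "owner is at or below the zone" rule rather than any particular resolver's implementation.

```python
"""Bailiwick ('Kashpureff') filtering of a DNS authority section.

Added example, not code from the thread: a stdlib-only DNS wire builder and
parser showing why a bailiwick-checking cache ignores NS records for '.' or
'com.' in a reply that only answers for zksw.com.  Names come from the
thread; 192.0.2.1 and every record below are constructed test data.
"""
import struct

TYPE_A, TYPE_NS, CLASS_IN = 1, 2, 1

def canon(name):
    """Lower-case absolute form: 'ZKSW.com' -> 'zksw.com.', '' -> '.'."""
    name = name.lower().rstrip(".")
    return name + "." if name else "."

def encode_name(name):
    """Uncompressed wire name: length-prefixed labels ended by a zero octet."""
    labels = [l for l in canon(name).rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def decode_name(msg, off):
    """Decode a name, following RFC 1035 compression pointers; returns (name, next_off)."""
    labels, end = [], None
    while True:
        ln = msg[off]
        if ln & 0xC0 == 0xC0:                      # 11xxxxxx: pointer to an earlier name
            end = off + 2 if end is None else end  # the RR continues after the first pointer
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if ln == 0:
            break
        labels.append(msg[off:off + ln].decode("ascii"))
        off += ln
    return ".".join(labels) + ".", off if end is None else end

def encode_rr(owner, rtype, ttl, rdata):
    return encode_name(owner) + struct.pack("!HHIH", rtype, CLASS_IN, ttl, len(rdata)) + rdata

def build_response(qname, answers, authority):
    """Authoritative (QR+AA) reply to 'qname A' carrying (owner, type, ttl, rdata) RRs."""
    hdr = struct.pack("!HHHHHH", 0x1234, 0x8400, 1, len(answers), len(authority), 0)
    question = encode_name(qname) + struct.pack("!HH", TYPE_A, CLASS_IN)
    return hdr + question + b"".join(encode_rr(*rr) for rr in answers + authority)

def parse_rr(msg, off):
    owner, off = decode_name(msg, off)
    rtype, _cls, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
    off += 10
    rdata = msg[off:off + rdlen].hex()             # fallback for types not decoded below
    if rtype == TYPE_NS:
        rdata = decode_name(msg, off)[0]
    elif rtype == TYPE_A:
        rdata = ".".join(str(b) for b in msg[off:off + 4])
    return (owner, rtype, ttl, rdata), off + rdlen

def parse_message(msg):
    """Split a reply into its question, answer, authority and additional sections."""
    _id, _flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off, sections = 12, {"question": []}
    for _ in range(qd):
        qname, off = decode_name(msg, off)
        sections["question"].append((qname, struct.unpack("!H", msg[off:off + 2])[0]))
        off += 4                                   # qtype + qclass
    for key, count in (("answer", an), ("authority", ns), ("additional", ar)):
        sections[key] = []
        for _ in range(count):
            rr, off = parse_rr(msg, off)
            sections[key].append(rr)
    return sections

def in_bailiwick(owner, zone):
    """True if owner is at or below zone; only a root server has '.' as its bailiwick."""
    owner, zone = canon(owner), canon(zone)
    return zone == "." or owner == zone or owner.endswith("." + zone)

def filter_authority(msg, bailiwick):
    """Return (kept, dropped): authority RRs a bailiwick-checking cache will and won't import."""
    authority = parse_message(msg)["authority"]
    kept = [rr for rr in authority if in_bailiwick(rr[0], bailiwick)]
    return kept, [rr for rr in authority if rr not in kept]

# Constructed reply in the shape the thread describes: a correct answer for
# zksw.com, plus an authority section claiming NS for '.' and for 'com.'.
MISCONFIGURED = build_response(
    "zksw.com.",
    answers=[("zksw.com.", TYPE_A, 3600, bytes([192, 0, 2, 1]))],
    authority=[(".", TYPE_NS, 86400, encode_name("ns5.namerich.cn.")),
               ("com.", TYPE_NS, 86400, encode_name("ns5.namerich.cn.")),
               ("zksw.com.", TYPE_NS, 86400, encode_name("ns5.namerich.cn."))],
)

if __name__ == "__main__":
    kept, dropped = filter_authority(MISCONFIGURED, "zksw.com.")  # server was asked about zksw.com
    for tag, rrs in (("kept", kept), ("dropped, out of bailiwick", dropped)):
        for owner, _t, ttl, target in rrs:
            print(f"{tag}: {owner} {ttl} IN NS {target}")
```

The bailiwick is the zone the cache was referred to the server for, not anything the reply says about itself: with "zksw.com." as the bailiwick the '.' and 'com.' NS records are discarded and only the apex NS survives, which is why the misconfiguration is harmless to a checking cache, while a resolver that skips the check (the disabled-protection case mentioned above) would accept a claim of authority for the root from a domain-parking server.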
