[dns-operations] Just another "sitefinder" ISP

Edward Lewis Ed.Lewis at neustar.biz
Wed May 21 18:26:32 UTC 2008

Solve in what way?

If you happen to be running a DNSSEC-enabled 
process and it is querying this server because 
the ISP forces all traffic (on port 53) to it, 
then you will get DNSSEC errors when you should 
be getting NXDOMAIN.  (What's the diff?)  In just 
about any other scenario, the DNSSEC-enabled 
process will either get the answer (positive 
answers aren't rewritten, are they?) or "route 
around" this server.

The trouble with DNSSEC is that it is 
error-detect only, not error-correct.  If you are 
funneled through a DNS element that rewrites 
NXDOMAIN, you will just never get the NXDOMAIN, 
just SERVFAIL no matter what you try (with 
DNSSEC).  If you can ask around the server, you 
need an iterator smart enough to retry the query 
using just authoritative servers if it gets a 
suspicious answer via the default-path cache. 
(Worked on that stuff in '98.  As a side note, in 
general DNSSEC code needs to be more aggressive 
in finding the answer, it shouldn't give up so 

At 15:39 +0000 5/21/08, Paul Vixie wrote:
>now this, on the other hand, is a problem dnssec could actually solve.
>>  X-MSA-Host: branwen.iks-jena.de
>>  To: dns-operations at lists.oarci.net
>>  From: Lutz Donnerhacke <lutz at iks-jena.de>
>>  Newsgroups: iks.lists.dns-operations
>>  Date: Wed, 21 May 2008 13:19:04 +0000 (UTC)
>>  Organization: IKS Jena, Thüringen Netz, Fitug
>>  User-Agent: slrn/pre0.9.9-77 (Linux)
>>  Subject: [dns-operations] Just another "sitefinder" ISP
>>  Sender: dns-operations-bounces at lists.oarci.net
>>  http://pastebin.com/m3d331654
>>  ; <<>> DiG 9.3.4 <<>> +dnssec web.pixaco.se  @
>>  ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
>>  web.pixaco.se.          0       IN      A
>>  ISP: Kabel Deutschland (TV-cable based broadband access)
>>  _______________________________________________
>>  dns-operations mailing list
>>  dns-operations at lists.oarci.net
>>  http://lists.oarci.net/mailman/listinfo/dns-operations

Edward Lewis                                                +1-571-434-5468

Never confuse activity with progress.  Activity pays more.
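The two points in the message above, that DNSSEC only detects a rewritten NXDOMAIN (SERVFAIL instead of NXDOMAIN) and that correcting it takes an iterator willing to retry the query against authoritative servers, as an added example that is not code from the thread, from Ed Lewis or from any real resolver. It models one signed zone in plain Python; the zone key is a shared HMAC secret standing in for the zone's DNSKEY/RRSIG and signed NSEC denial, and the zone name, records, portal address and query name are all constructed (RFC 5737 test addresses). Real DNSSEC uses public-key signatures over RRsets, but the decision logic a validating stub applies to the rewritten answer is the same.

```python
"""Validating stub behind an NXDOMAIN-rewriting forwarder.

Added example, not code from the dns-operations thread. The HMAC "proof"
is a stand-in for RRSIG (positive answers) and signed NSEC (denial);
all names, addresses and keys below are constructed.
"""
import hashlib
import hmac
from dataclasses import dataclass
from typing import Callable, Optional

ZONE_KEY = b"constructed-zone-key"                 # stand-in for the zone's private DNSKEY
ZONE_RECORDS = {"www.example.net.": "192.0.2.10"}  # constructed; 192.0.2.0/24 is TEST-NET-1
PORTAL_IP = "198.51.100.1"                         # constructed search-portal address (TEST-NET-2)


@dataclass
class Response:
    rcode: str                     # NOERROR, NXDOMAIN or SERVFAIL
    qname: str
    rdata: Optional[str] = None    # A record data, if any
    ttl: int = 3600
    proof: Optional[bytes] = None  # stand-in for RRSIG / signed NSEC


def sign(qname: str, rcode: str, rdata: Optional[str]) -> bytes:
    """Stand-in for the zone signer: only the holder of the zone key can produce this."""
    msg = f"{qname}|{rcode}|{rdata}".encode()
    return hmac.new(ZONE_KEY, msg, hashlib.sha256).digest()


def authoritative(qname: str) -> Response:
    """Honest authoritative server: positive answers are signed and
    NXDOMAIN carries a signed denial (the NSEC proof in real DNSSEC)."""
    if qname in ZONE_RECORDS:
        rdata = ZONE_RECORDS[qname]
        return Response("NOERROR", qname, rdata, proof=sign(qname, "NOERROR", rdata))
    return Response("NXDOMAIN", qname, proof=sign(qname, "NXDOMAIN", None))


def rewriting_forwarder(qname: str) -> Response:
    """ISP resolver that passes positive answers through unchanged but
    rewrites NXDOMAIN into a TTL-0 A record for a portal, the shape seen
    in the quoted dig output (ANSWER: 1, AUTHORITY: 0, TTL 0). Without
    the zone key it cannot attach a valid proof to the record it invents."""
    upstream = authoritative(qname)
    if upstream.rcode == "NXDOMAIN":
        return Response("NOERROR", qname, PORTAL_IP, ttl=0, proof=None)
    return upstream


def validate(r: Response) -> str:
    """Error-detect only: returns 'secure', 'nxdomain' or 'bogus'."""
    if r.proof is None or not hmac.compare_digest(sign(r.qname, r.rcode, r.rdata), r.proof):
        return "bogus"
    return "nxdomain" if r.rcode == "NXDOMAIN" else "secure"


Path = Callable[[str], Response]


def plain_stub(qname: str, path: Path) -> Response:
    """Non-validating stub: believes whatever the default path returns."""
    return path(qname)


def validating_stub(qname: str, path: Path, fallback: Optional[Path] = None) -> Response:
    """Validating stub. A bogus answer becomes SERVFAIL unless a fallback
    path (asking authoritative servers directly) exists and its answer
    validates. If port 53 is forced through the rewriter, the fallback
    gets rewritten too and SERVFAIL is all you will ever see."""
    r = path(qname)
    if validate(r) == "bogus" and fallback is not None:
        r = fallback(qname)
    if validate(r) == "bogus":
        return Response("SERVFAIL", qname)
    return r


if __name__ == "__main__":
    q = "web.example.net."  # constructed name that does not exist in the zone
    cases = [
        ("plain stub via forwarder       ", plain_stub(q, rewriting_forwarder)),
        ("validating, no fallback        ", validating_stub(q, rewriting_forwarder)),
        ("validating, authoritative retry", validating_stub(q, rewriting_forwarder, authoritative)),
        ("validating, port 53 intercepted", validating_stub(q, rewriting_forwarder, rewriting_forwarder)),
    ]
    for label, r in cases:
        print(f"{label}: {r.rcode} {r.rdata or ''}")
```

The plain stub happily connects to the portal address; the validating stub turns the same answer into SERVFAIL, which is the "error-detect only" behaviour; only the stub that retries against the authoritative path recovers the NXDOMAIN, and only when that path is not itself intercepted.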
