[dns-operations] a question about the nameservers

Lutz Donnerhacke lutz at iks-jena.de
Fri Oct 26 10:11:33 UTC 2012

* Feng He wrote:
> If the nameservers in parent is different from the ones in auth-servers,
> what will happen?

For the first query the glue data will be used (NS in the parent zone).
For later queries the resolver should requery the NS from the authoritative

> im.                     172800  IN      NS      hoppy.iom.com.
> im.                     172800  IN      NS      pebbles.iom.com.
> im.                     172800  IN      NS      ns4.ja.net.
> im.                     172800  IN      NS      barney.advsys.co.uk.
> ;; Received 222 bytes from in 240 ms

So we have
 hoppy.iom.com       has address
 pebbles.iom.com     has address
 ns4.ja.net          has address
 ns4.ja.net          has IPv6 address 2001:630:0:47::42
 barney.advsys.co.uk has address
five different IP addresses to ask for anything beyond im.

All these servers report:
 im.			3600	IN	NS	hoppy.iom.com.
 im.			3600	IN	NS	pebbles.iom.com.
 im.			3600	IN	NS	barney.advsys.co.uk.
 im.			3600	IN	NS	ns4.ja.net.
 ;; SERVER: for each other server)
 ;; WHEN: Fri Oct 26 12:06:50 2012
 ;; MSG SIZE  rcvd: 174

But you see:

> tel.im.                 259200  IN      NS      ans.amchina.net.
> tel.im.                 259200  IN      NS      bns.amchina.net.
> tel.im.                 259200  IN      NS      cns.amchina.net.
> tel.im.                 259200  IN      NS      dns.amchina.net.
> ;; Received 107 bytes from in 271 ms

That's forged. And those servers will update the NS again to:

> tel.im.                 3600    IN      A
> tel.im.                 3600    IN      NS      ns1.cloudwebdns.com.
> tel.im.                 3600    IN      NS      ns2.cloudwebdns.com.
> tel.im.                 3600    IN      NS      ns3.cloudwebdns.com.
> tel.im.                 3600    IN      NS      ns4.cloudwebdns.com.
> ;; Received 191 bytes from in 234 ms

Which keeps your resolver on the wrong NS for im.

So you are a victim of an attacker.

OTOH, let's query correctly:
 im.	NS	ns4.ja.net.
 im.	NS	hoppy.iom.com.
 im.	NS	barney.advsys.co.uk.
 im.	NS	pebbles.iom.com.
 im.	RRSIG	NSEC 8 1 86400 20121101000000 20121024230000 24220 . k+LhRtqiGpILTphjgFyy0nQQupnx48rg/G8RFckfKBETtLZw8rrT5FKl bnUiV3R3eg7mOG9EFj65ST5YVmbxk4TPLO8CDs3BnYUFIex0W4mq3lyT gqm1va0ICul9jpYeMs9+JfJsnJuHWrXFJWX6vlwjHtHSXQn5QwgkxEtt z7I=
 ;; Received 412 bytes from 2001:500:3::42#53(L.ROOT-SERVERS.NET) in 45 ms

Bad luck, the IM registry is not up to date.
