[dns-operations] Broken delegation

Paul Vixie paul at redbarn.org
Sat Mar 8 22:08:59 UTC 2014


in general, delegations have to meet only two conditions. first, every
name server that's designated by an NS RR above or below a delegation
point has to be authoritative. second, the set of NS RR's below a
delegation point (so, at the zone apex) has to be equal to or a superset
of the set of NS RR's above that delegation point (so, the parent's
zone-leaf).

note that scraping the TLD's isn't a reliable way to find all the
invocations of your NS RR name, partly because not all TLD's have ZFA,
and partly because not all delegations are in TLD's. passive DNS is your
better answer here. i looked at the NS RRset for your "hireahit.com"
domain, chose one at random, and asked the Farsight DNSDB about it. my
second example below turns off DNS output conversion and shows the raw
JSON, in case that inspires you to consider ways to automate this kind
of auditing.

---

vixie at linux1:~/work/dnsdb_c$ ./dnsdb_query -n anyns1.hireahit.com/ns
;; record times: 2014-03-06 09:15:40 .. 2014-03-08 19:09:04
;; count: 26
coaxial.ca.  NS  anyns1.hireahit.com.

;; record times: 2014-03-06 15:44:49 .. 2014-03-08 18:53:29
;; count: 26
roidology.ca.  NS  anyns1.hireahit.com.

;; record times: 2014-03-06 21:23:19 .. 2014-03-08 05:11:04
;; count: 10
djw.biz.  NS  anyns1.hireahit.com.

;; record times: 2014-03-06 06:44:07 .. 2014-03-08 19:53:15
;; count: 2689
hireahit.com.  NS  anyns1.hireahit.com.

;; record times: 2014-03-07 03:43:59 .. 2014-03-08 03:34:22
;; count: 4
djwhosting.com.  NS  anyns1.hireahit.com.

;; record times: 2014-03-06 07:21:24 .. 2014-03-08 20:43:57
;; count: 3791
neverhost.net.  NS  anyns1.hireahit.com.

;; record times: 2014-03-06 07:43:12 .. 2014-03-08 19:26:12
;; count: 259
devilsplayground.net.  NS  anyns1.hireahit.com.

---

vixie at linux1:~/work/dnsdb_c$ ./dnsdb_query -n anyns1.hireahit.com/ns -j
{"count": 26, "time_first": 1394097340, "rrtype": "NS", "rrname":
"coaxial.ca.", "rdata": "anyns1.hireahit.com.", "time_last": 1394305744}
{"count": 26, "time_first": 1394120689, "rrtype": "NS", "rrname":
"roidology.ca.", "rdata": "anyns1.hireahit.com.", "time_last": 1394304809}
{"count": 10, "time_first": 1394140999, "rrtype": "NS", "rrname":
"djw.biz.", "rdata": "anyns1.hireahit.com.", "time_last": 1394255464}
{"count": 2689, "time_first": 1394088247, "rrtype": "NS", "rrname":
"hireahit.com.", "rdata": "anyns1.hireahit.com.", "time_last": 1394308395}
{"count": 4, "time_first": 1394163839, "rrtype": "NS", "rrname":
"djwhosting.com.", "rdata": "anyns1.hireahit.com.", "time_last": 1394249662}
{"count": 3791, "time_first": 1394090484, "rrtype": "NS", "rrname":
"neverhost.net.", "rdata": "anyns1.hireahit.com.", "time_last": 1394311437}
{"count": 259, "time_first": 1394091792, "rrtype": "NS", "rrname":
"devilsplayground.net.", "rdata": "anyns1.hireahit.com.", "time_last":
1394306772}

===

vixie
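As an added example, not the post's own code and not Farsight's dnsdb_query, here is a small Python audit that parses raw-JSON NS lines in the shape shown above into a per-zone NS set, lists which zones name a given server, and applies the second delegation condition as a set comparison. The parent-side and child-side NS RRsets are assumed to be supplied by the caller (for instance from queries to the parent's servers and to the zone apex), since passive DNS alone does not say which side a record was observed on; the sample JSON lines are constructed for this example.

```python
import json
from collections import defaultdict

# Constructed sample in the shape of `dnsdb_query ... -j` output from the post.
# Values are made up for this example, not live DNSDB data.
SAMPLE_DNSDB_JSON = """
{"count": 26, "time_first": 1394097340, "rrtype": "NS", "rrname": "coaxial.ca.", "rdata": "anyns1.hireahit.com.", "time_last": 1394305744}
{"count": 26, "time_first": 1394097340, "rrtype": "NS", "rrname": "coaxial.ca.", "rdata": "anyns2.hireahit.com.", "time_last": 1394305744}
{"count": 4, "time_first": 1394163839, "rrtype": "NS", "rrname": "djwhosting.com.", "rdata": "anyns1.hireahit.com.", "time_last": 1394249662}
"""


def _canon(name):
    """Lower-case a DNS name and make it fully qualified (single trailing dot)."""
    return name.lower().rstrip(".") + "."


def parse_dnsdb_ns(text):
    """Group one-record-per-line JSON NS output by owner name -> set of NS targets."""
    zones = defaultdict(set)
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        if rec.get("rrtype") != "NS":
            continue  # ignore anything that is not an NS record
        zones[_canon(rec["rrname"])].add(_canon(rec["rdata"]))
    return dict(zones)


def zones_referencing(zones, ns_name):
    """Zones whose observed NS RRset names ns_name (the invocations to audit)."""
    target = _canon(ns_name)
    return sorted(zone for zone, targets in zones.items() if target in targets)


def check_delegation(parent_ns, child_ns):
    """Second condition from the post: the child's apex NS RRset must equal or be a
    superset of the parent's delegation NS RRset. Returns the parent-side names
    missing at the apex; an empty set means the delegation is consistent."""
    parent = {_canon(n) for n in parent_ns}
    child = {_canon(n) for n in child_ns}
    return parent - child
```

Run `zones_referencing(parse_dnsdb_ns(text), "anyns1.hireahit.com")` over real `-j` output to get the list of delegations to check, then feed each zone's parent-side and apex-side NS sets to `check_delegation`.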


