[dns-operations] The strange case of fox.com

Florian Weimer fw at deneb.enyo.de
Sun Feb 28 18:54:57 UTC 2016

* Stephane Bortzmeyer:

> Sometimes, there are domains where you wonder how they work. fox.com
> has a NS RRset in the zone which is larger than 512 bytes (legal,
> that's not the biggest problem) where _not one_ of the name servers
> reply (half REFUSED, half timeout).
> How can people browse <http://fox.com/>?

They use a resolver where no client has queried FOX.COM/IN/NS, and the
servers listed in the COM zone send minimal replies.  As a result,
resolvers never learn the bogus NS RRset.

Both BIND and Unbound do not seem to copy very well with this (in the
sense that future queries fail after the NS query for some time).  The
Nominum recursor seems to be impacted as well (if my ISP still uses
one, but it's behind a load balancer, so I get some strange effects).

The PowerDNS recursor does not perform a fresh upstream query for the
NS query.  Intead, it returns authority section from the COM answer as
the answer section in the NS response (which is a clear violation of
the trust rules in RFC 2181, but a valid implementation option, in my

As far as I know, this phenomenon of cache-altering queries which do
not occur during regular operation (but have nasty consquences if they
happen) is largely unexplored, but I haven't been following DNS
matters in a while.

I'll send a note to Akamai about FOX.COM.

More information about the dns-operations mailing list