[dns-operations] is www.qq.com a zone?

Edward Lewis edward.lewis at icann.org
Fri Jul 1 14:07:20 UTC 2016

Answering because once I was perplexed by this.  Then I learned to stop worrying...

www.qq.com resolves to an address.  I mean, my web browser pops up with a page and I can read some of it.

But, on the way there, the DNS resolver has to deal with some non-standard/unexpected behaviors.

Walking down the DNS tree, when the resolver is asking the qq.com name servers for www.qq.com for an A record, there's a referral given to www.qq.com name servers.  That "works".  If you ask the qq.com name servers for the www.qq.com name servers, it gives them back as an answer (not a referral) - but, why would you (thinks the operator)?  Unless someone is quickly switching configurations at their end, they servers for qq.com aren't following the documented DNS protocol - in a way, the answers you get are compliant with the protocol if you assume the operator is behaving in a certain way.  (So - this isn't about complying with the protocol, it's about...well you maintaining your sanity.)

When you query name servers for www.qq.com and ask for an SOA record (which indicates being a zone, not just a subdomain), you get one.  When you ask for anything else (almost anything else), you get a CNAME record.  When you ask for ANY, to help you restore your sanity, you get RCODE=NOTIMP.  One might point out that the protocol doesn't work when a name owns an SOA record and a CNAME record - but, recall the end of the last paragraph.  It's not about the operator following the protocol, it's about you maintaining sanity.  And, why are you asking for the SOA anyway?)

The lesson here is - whomever is running www.qq.com has built a system so minimal that it only will result in address records in normal queries.  Any hunting and poking will just frustrate you.

Why do they do this?  I wouldn't try to answer that without calling up the operator and asking.  Intent is not well conveyed in the DNS protocol.  I never cared enough to follow up.  But they have been doing this for years and they are still in business and paying the bills.  Well, someone is.

It "works" for the operator.  The URL gets hits, enough to rank.  They just aren't fully deploying the DNS protocol.  They don't need to .... unless they ever decide to roll out DNSSEC or other features that rely on a more solid protocol base.  Which may never happen.

More information about the dns-operations mailing list