[dns-operations] Iran's IDNA TLD fun...

Viktor Dukhovni ietf-dane at dukhovni.org
Mon Oct 17 04:11:20 UTC 2016


[ As part of my DANE scans I've compiled a small dataset of
  the DNSSEC status, DNAME records and "liveness" (absence
  of ICANN's sentinel 127.0.53.53 canned A RRset) for all
  1502 extant TLDs.  The .sx anomaly just reported and this
  note are a by-product of collecting that data. ]

Iran's IDNA domain has a DNAME record:

	xn--mgba3a4f16a IN DNAME xn--mgba3a4f16a.ir.

Trying to resolve names under the target domain from the US works
rather poorly, at least for me, and seemingly also DNSVIZ:

   http://dnsviz.net/d/foobar.xn--mgba3a4f16a.ir/dnssec/

but an SSH into DE shows some origin filtering may be going on:

   $ IDN_DISABLE=1 dig +ad -t a foobar.xn--mgba3a4f16a.ir.

   ; <<>> DiG 9.10.3-P4 <<>> +ad -t a foobar.xn--mgba3a4f16a.ir.
   ;; global options: +cmd
   ;; Got answer:
   ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 19
   ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

   ;; OPT PSEUDOSECTION:
   ; EDNS: version: 0, flags:; udp: 4096
   ;; QUESTION SECTION:
   ;foobar.xn--mgba3a4f16a.ir.     IN      A

   ;; AUTHORITY SECTION:
   xn--mgba3a4f16a.ir.     1272    IN      SOA     ns1.nic.ir. info.nic.ir. 2016101700 14400 1800 604800 1440

   ;; Query time: 99 msec
   ;; SERVER: 127.0.0.1#53(127.0.0.1)
   ;; WHEN: Mon Oct 17 05:59:01 CEST 2016
   ;; MSG SIZE  rcvd: 103

I might note that not disabling IDN support in dig yields sadly comic results
for right-to-left scripts, when viewed in my terminal emulator, with the Arabic
script misplaced on the far right, but when I copy and paste into a GUI mail
client, everything is magically normal.  Others may run into similar confusion...

   $ dig +ad -t a foobar.xn--mgba3a4f16a.ir.

   ; <<>> DiG 9.10.3-P4 <<>> +ad -t a foobar.xn--mgba3a4f16a.ir.
   ;; global options: +cmd
   ;; Got answer:
   ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 41493
   ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

   ;; OPT PSEUDOSECTION:
   ; EDNS: version: 0, flags:; udp: 4096
   ;; QUESTION SECTION:
   ;foobar.ایران.ir.               IN      A

   ;; AUTHORITY SECTION:
   ایران.ir.               1104    IN      SOA     ns1.nic.ir. info.nic.ir. 2016101700 14400 1800 604800 1440

   ;; Query time: 0 msec
   ;; SERVER: 127.0.0.1#53(127.0.0.1)
   ;; WHEN: Mon Oct 17 06:01:49 CEST 2016
   ;; MSG SIZE  rcvd: 103

-- 
	Viktor.
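
An added example, not part of the original message: the RFC 6672 name substitution a resolver performs when it meets the DNAME record quoted above, including the two cases where no redirect happens (the owner name itself, and a result longer than 255 octets). The function names are hypothetical; names are handled as A-labels in presentation format and escaped dots inside labels are not supported.

```python
MAX_NAME_OCTETS = 255  # wire-format limit on a domain name


def labels(name):
    """Split a presentation-format name into lower-cased labels (root -> [])."""
    name = name.rstrip(".").lower()  # DNS names compare case-insensitively
    return name.split(".") if name else []


def wire_length(lbls):
    """Octets on the wire: one length octet per label, plus the root octet."""
    return sum(len(label) + 1 for label in lbls) + 1


def dname_substitute(qname, owner, target):
    """Return the synthesized CNAME target for qname under a DNAME record.

    Returns None when the DNAME does not apply to qname.
    Raises ValueError where a server would answer YXDOMAIN.
    """
    q, o, t = labels(qname), labels(owner), labels(target)
    # A DNAME redirects only names strictly below its owner, never the
    # owner name itself, and matching is done on whole labels.
    if len(q) <= len(o) or q[len(q) - len(o):] != o:
        return None
    substituted = q[:len(q) - len(o)] + t
    if wire_length(substituted) > MAX_NAME_OCTETS:
        raise ValueError("YXDOMAIN: substituted name exceeds 255 octets")
    return ".".join(substituted) + "."


if __name__ == "__main__":
    # The record from the message: xn--mgba3a4f16a IN DNAME xn--mgba3a4f16a.ir.
    owner, target = "xn--mgba3a4f16a.", "xn--mgba3a4f16a.ir."
    for name in ("foobar.xn--mgba3a4f16a.", "xn--mgba3a4f16a.", "foobar.ir."):
        print(name, "->", dname_substitute(name, owner, target))
```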




