[dns-operations] check if a domain has been registered via DNS

Mark Andrews marka at isc.org
Thu Apr 27 22:09:17 UTC 2017


In message <C8CB9845-A0A5-45F9-A4DC-BE832A5F2629 at dukhovni.org>, Viktor Dukhovni writes:
> 
> > On Apr 27, 2017, at 3:10 PM, John Levine <johnl at taugh.com> wrote:
> > 
> > Um, other than the the very peculiar .NAME TLD, I'm reasonably sure
> > you're mistaken.
> > 
> >> ;; QUESTION SECTION:
> >> ;vwtelecom.eu.                  IN      NS
> 
> Indeed you're right.  I did not expect the CNAME to be implemented
> at the zone apex, because AFAIK that's illegal.  The zone apex ends
> up with both CNAME and SOA records (and more):
> 
>   vwtelecom.eu. IN NSEC localhost.vwtelecom.eu. NS CNAME SOA MX RRSIG NSEC DNSKEY
> 
> Is that "kosher"?  Or are domains such as this misconfigured?

No, it is not "kosher".

It creates situations like this where there are records that you
can't reliably retrieve using recursive servers.

[rock:~/git/bind9] marka% dig vwtelecom.eu soa @ns1.openprovider.nl +norec

; <<>> DiG 9.12.0-pre-alpha+hotspot+add-prefetch+marka <<>> vwtelecom.eu soa @ns1.openprovider.nl +norec
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 5261
;; flags: qr aa; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1680
;; QUESTION SECTION:
;vwtelecom.eu.			IN	SOA

;; ANSWER SECTION:
vwtelecom.eu.		86400	IN	SOA	ns1.openprovider.nl. dns.openprovider.eu. 2012050800 10800 3600 604800 3600

;; Query time: 476 msec
;; SERVER: 2a00:f10:11f::5#53(2a00:f10:11f::5)
;; WHEN: Fri Apr 28 07:46:40 AEST 2017
;; MSG SIZE  rcvd: 113

[rock:~/git/bind9] marka% dig soa vwtelecom.eu
;; BADCOOKIE, retrying.

; <<>> DiG 9.12.0-pre-alpha+hotspot+add-prefetch+marka <<>> soa vwtelecom.eu
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 18806
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
; COOKIE: 13bdc5f3586a6205588f208d590266d07071a6390efdc926 (good)
;; QUESTION SECTION:
;vwtelecom.eu.			IN	SOA

;; ANSWER SECTION:
vwtelecom.eu.		85843	IN	CNAME	www.vwtelecom.com.
www.vwtelecom.com.	85843	IN	CNAME	vwtelecom.com.
vwtelecom.com.		85894	IN	SOA	ns1.openprovider.nl. dns.openprovider.eu. 2017041800 10800 3600 604800 3600

;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Fri Apr 28 07:46:56 AEST 2017
;; MSG SIZE  rcvd: 186

[rock:~/git/bind9] marka% 

This also breaks nsupdate's containing zone searching algorithm
which depends on CNAME and other data not existing.  nsupdate will
determine that the containing zone is 'eu'.

The parent zone can't automatically check the delegating NS records
against the zone's.  Not answering NS records like this could break
the solution to DNSSEC's grandfather problem.

[rock:~/git/bind9] marka% dig ns vwtelecom.eu @ns1.openprovider.nl +norec

; <<>> DiG 9.12.0-pre-alpha+hotspot+add-prefetch+marka <<>> ns vwtelecom.eu @ns1.openprovider.nl +norec
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 55914
;; flags: qr aa; QUERY: 1, ANSWER: 5, AUTHORITY: 0, ADDITIONAL: 7

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1680
;; QUESTION SECTION:
;vwtelecom.eu.			IN	NS

;; ANSWER SECTION:
vwtelecom.eu.		86400	IN	CNAME	www.vwtelecom.com.
www.vwtelecom.com.	86400	IN	CNAME	vwtelecom.com.
vwtelecom.com.		86400	IN	NS	ns1.openprovider.nl.
vwtelecom.com.		86400	IN	NS	ns2.openprovider.be.
vwtelecom.com.		86400	IN	NS	ns3.openprovider.eu.

;; ADDITIONAL SECTION:
ns3.openprovider.eu.	900	IN	AAAA	2a02:348:8e:609b::155
ns3.openprovider.eu.	3600	IN	A	37.230.96.155
ns1.openprovider.nl.	3600	IN	AAAA	2a00:f10:11f::5
ns2.openprovider.be.	3600	IN	A	144.76.197.172
ns2.openprovider.be.	86400	IN	AAAA	2a01:4f8:200:73ab::172
ns1.openprovider.nl.	3600	IN	A	93.180.69.5

;; Query time: 466 msec
;; SERVER: 2a00:f10:11f::5#53(2a00:f10:11f::5)
;; WHEN: Fri Apr 28 07:57:26 AEST 2017
;; MSG SIZE  rcvd: 315

[rock:~/git/bind9] marka% 

Mark

> -- 
> 	Viktor.
> 
> 
> _______________________________________________
> dns-operations mailing list
> dns-operations at lists.dns-oarc.net
> https://lists.dns-oarc.net/mailman/listinfo/dns-operations
> dns-operations mailing list
> https://lists.dns-oarc.net/mailman/listinfo/dns-operations
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka at isc.org



More information about the dns-operations mailing list