[dns-operations] Hall of DNS Shame (?)

Casey Deccio casey at deccio.net
Tue Jan 24 22:42:45 UTC 2017

> On Jan 24, 2017, at 10:52 AM, Robert Edmonds <edmonds at mycre.ws> wrote:
> Viktor Dukhovni wrote:
>> I can contribue a bunch of DNS operators that botch authenticated
>> denial of existence in a variety of ways, some instead mangle SOA
>> record signatures, and some others drop requests for TLSA records.
> I think these kinds of errors are in another category, and there are
> already some pretty good tools for dealing with them like DNSViz.
> Sending the wrong data correctly encoded is different from incorrectly
> encoding the data.

For what it's worth, the errors that DNSViz checks for (in correctly encoded messages) are categorized here:


But it currently relies on dnspython's Message.from_wire() to decode wire messages, so it only gets an Exception when the message is malformed.

> BTW, there is a tool written by James Raftery called dnsrend
> (http://romana.now.ie/dnsrend/) that disassembles DNS messages (even
> severely broken messages) with copious verbosity, and is very nice for
> debugging errors in the DNS message layer.

Very cool!


More information about the dns-operations mailing list