[dns-operations] Akamai now works with ENT (Empty Non-Terminals)?
Peter van Dijk
peter.van.dijk at powerdns.com
Wed Apr 17 19:25:25 UTC 2019
On 17 Apr 2019, at 20:28, Dave Lawrence wrote:
> There's a subtle bit of terminology massaging that is probably
> required here. It's not quite the case that the wildcard is being
> queried directly, but rather that the * label in the query is hitting
> the wildcard expansion and is then replaced by a * label and thus
> returning something that looks like the wildcard name but isn't
> really. At least that's what's going on in the sense of the DNS
> standards; I've got no idea how that server might be handling things
> in its code.
Pretty much that.
> It's not really different than querying :.h4ha.net. Oddly it is
> different from querying ,.h4ha.net, which I tried first but returned
> ServFail -- but then I just tried ,.h4ha.net again and got NoError so
> something odd is going on. Digs were done just against my default
> DNSSEC-validating and caching resolver so maybe the first validation
> failed but subsequent ones somehow found what the validator needed. I
> didn't look closely.
The auths return an empty SERVFAIL on the , query, presumably due to
this line of code
    c =='-' || c == '_' || c=='*' || c=='.' || c=='/' ||
    c=='@' || c==' ' || c=='\\' || c==':'))
(https://github.com/PowerDNS/pdns/blob/eb029b8efe0217b39c5cf34235b565b4c8d6e95e/pdns/packethandler.cc#L941)
which allows : but not ,
So, the surprising part is that your , worked the second time. Is your
resolver synthesizing wildcard expansion from cached data?
Kind regards,
--
Peter van Dijk
PowerDNS.COM BV - https://www.powerdns.com/
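
[Added example, not part of the original message and not PowerDNS code.] A minimal model of the behaviour discussed in this thread: a character filter applied to the query name before lookup, followed by a simplified RFC 4592 wildcard match. The zone contents, the names lookup/nameAllowed/charAllowed, the acceptance of letters and digits, and the filter running before the lookup are assumptions; only the punctuation set comes from the fragment quoted in the message.

```cpp
// Added illustration; zone data and function names are constructed.
#include <cstddef>
#include <set>
#include <string>

// Punctuation taken from the fragment quoted in the message.
// ASSUMPTION: letters and digits are accepted too (the rest of the
// real condition is not shown on the page).
static bool charAllowed(char c) {
    static const std::string extra = "-_*./@ \\:";
    bool alnum = (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z') ||
                 (c >= '0' && c <= '9');
    return alnum || extra.find(c) != std::string::npos;
}

static bool nameAllowed(const std::string& qname) {
    for (char c : qname)
        if (!charAllowed(c)) return false;
    return true;
}

enum class Rcode { NoError, NXDomain, ServFail };
struct Answer { Rcode rcode; std::string owner; bool synthesized; };

// Constructed zone: an apex and one wildcard owner name.
static const std::set<std::string> kZone = {"example.test", "*.example.test"};

// Simplified lookup: filter first, then exact match, then walk up to the
// closest encloser and try "*.<encloser>" as the source of synthesis.
// Names outside the constructed zone are not modelled.
Answer lookup(const std::string& qname) {
    if (!nameAllowed(qname)) return {Rcode::ServFail, "", false};
    if (kZone.count(qname)) return {Rcode::NoError, qname, false};
    std::string rest = qname;
    std::size_t dot;
    while ((dot = rest.find('.')) != std::string::npos) {
        rest = rest.substr(dot + 1);
        if (kZone.count(rest)) {  // closest encloser found
            if (kZone.count("*." + rest))
                return {Rcode::NoError, qname, true};  // owner = query name
            return {Rcode::NXDomain, "", false};
        }
    }
    return {Rcode::NXDomain, "", false};
}
```

In this model the ":" label passes the filter and is answered from the wildcard with the query name as owner, while the "," label is rejected with ServFail before any wildcard matching happens.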