[dns-operations] Akamai now works with ENT (Empty Non-Terminals)?

Peter van Dijk peter.van.dijk at powerdns.com
Wed Apr 17 19:25:25 UTC 2019


On 17 Apr 2019, at 20:28, Dave Lawrence wrote:

> There's a subtle bit of terminology massaging that is probably
> required here.  It's not quite the case that the wildcard is being
> queried directly, but rather that the * label in the query is hitting
> the wildcard expansion and is then replaced by a * label and thus
> returning something that looks like the wildcard name but isn't
> really.  At least that's what's going on in the sense of the DNS
> standards; I've got no idea how that server might be handling things
> in its code.

Pretty much that.

> It's not really different than querying :.h4ha.net.  Oddly it is
> different from querying ,.h4ha.net, which I tried first but returned
> ServFail -- but then I just tried ,.h4ha.net again and got NoError so
> something odd is going on.  Digs were done just against my default
> DNSSEC-validating and caching resolver so maybe the first validation
> failed but subsequent ones somehow found what the validator needed.  I
> didn't look closely.

The auths return an empty SERVFAIL on the , query, presumably due to 
this line of code

              c =='-' || c == '_' || c=='*' || c=='.' || c=='/' || c=='@' || c==' ' || c=='\\' || c==':'))

(https://github.com/PowerDNS/pdns/blob/eb029b8efe0217b39c5cf34235b565b4c8d6e95e/pdns/packethandler.cc#L941)

which allows : but not ,

So, the surprising part is that your , worked the second time. Is your 
resolver synthesizing wildcard expansion from cached data?

Kind regards,
-- 
Peter van Dijk
PowerDNS.COM BV - https://www.powerdns.com/
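
Added example, not part of the original message and not PowerDNS code: a stand-alone C++ sketch of the per-character allow-list discussed above, showing why `:.h4ha.net` passes the filter while `,.h4ha.net` does not. The punctuation set is copied from the quoted line; the acceptance of letters and digits, the function names and the dot-splitting helper are assumptions made for illustration.

```cpp
#include <iostream>
#include <string>
#include <vector>

// Punctuation set copied from the line quoted in the message above.
static bool allowedPunct(char c) {
  return c == '-' || c == '_' || c == '*' || c == '.' || c == '/' ||
         c == '@' || c == ' ' || c == '\\' || c == ':';
}

// Assumption: letters and digits are also accepted; that part of the
// condition is not visible in the quoted fragment.
static bool allowedChar(char c) {
  return (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z') ||
         (c >= '0' && c <= '9') || allowedPunct(c);
}

// Hypothetical helper: split a presentation-form name on dots.
// No escape handling (\. or \DDD); enough for the names in this thread.
static std::vector<std::string> splitLabels(const std::string& name) {
  std::vector<std::string> labels;
  std::string cur;
  for (char c : name) {
    if (c != '.') { cur.push_back(c); continue; }
    if (!cur.empty()) labels.push_back(cur);
    cur.clear();
  }
  if (!cur.empty()) labels.push_back(cur);
  return labels;
}

// Returns the first byte the allow-list rejects, or -1 if every byte passes.
int firstRejected(const std::string& qname) {
  for (const auto& label : splitLabels(qname))
    for (char c : label)
      if (!allowedChar(c)) return static_cast<unsigned char>(c);
  return -1;
}

bool passesFilter(const std::string& qname) { return firstRejected(qname) == -1; }

int main() {
  // Query names taken from the thread.
  for (const char* q : {"*.h4ha.net.", ":.h4ha.net.", ",.h4ha.net."})
    std::cout << q << " -> " << (passesFilter(q) ? "accepted" : "rejected") << "\n";
}
```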



