[dns-operations] sedoparking and bogus .AU delegations?

Viktor Dukhovni ietf-dane at dukhovni.org
Sun Jun 9 21:29:59 UTC 2019 

[ It is unfortunate that domains in a large fraction of the .AU signed
  delegations are parked on nameservers that don't bother to keep the
  zone signed.  Does anyone know a contact at sedoparking.com, or a
  new of the other providers who might shed light on this?

  Would it make sense for long-term broken signed delegations to be
  removed from .{COM,NET,ORG,ID}.AU?  Some registries (notably .BR)
  monitor the correctness of their signed delegations, and purge (at
  least the DS RRs of) non-working domains. ]

After finding a batch of new .AU domains to include in the DNSSEC/DANE
survey, I now find nearly 16% of .AU secure delegations to be "bogus".
While a DS record is published in the parent zone, validated DNSKEY
lookups for the child zone fail, but with validation disabled I see
either DNSKEYs or NODATA.  Out of 1574 signed .AU delegations, 248
are now "bogus", with the below top 10 counts by DNS provider (based
on SOA MNAME):

     175 sedoparking.com
      16 domaincontrol.com
      15 nameserver.net.au
       5 ezyreg.com
       5 cloudflare.com
       3 zuver.net.au
       3 qnetau.com
       3 networkvoiceanddata.com.au
       3 cloudflare.com
       2 sbd.net.au

Alternatively, we see much the same results by looking at the parent
zones of the nameservers in the NS records of the bogus delegations:

     350 sedoparking.com
      45 nameserver.net.au
      32 domaincontrol.com
      18 cloudflare.com
      12 networkvoiceanddata.com.au
      10 ezyreg.com
       9 qnetau.com
       8 googledomains.com
       6 zuver.net.au
       6 niw.com.au

For example, the parked "cloudprivacy.com.au" is unsigned, despite the signed
delegation:

    cloudprivacy.com.au. IN DS 2834 8 4 9d4d...dffd
    cloudprivacy.com.au. IN RRSIG DS 8 3 900 20190630151718 20190609141718 14968 com.au. Kh/l...pdQ=

    @ns1.sedoparking.com.[91.195.241.8]
    @ns2.sedoparking.com.[91.195.240.8]
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 17345
    ;; flags: qr aa; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
    ;cloudprivacy.com.au.   IN DNSKEY
    cloudprivacy.com.au.    SOA     ns1.sedoparking.com. hostmaster.sedo.de. 2018051601 86400 10800 604800 86400

Since sedoparking is in the business of collecting ad revenue, would
it not make sense to make sure that the parked domains actually
resolve for more users?  Especially with many users of 1.1.1.1 and
8.8.8.8 etc. unable to resolve these domains...

-- 
	Viktor.

[ The 248 bogus delegations are attached as "bogus.txt". ]

More information about the dns-operations mailing list