[dns-operations] Nameserver responses from different IP than destination of request

Viktor Dukhovni ietf-dane at dukhovni.org
Mon Aug 31 21:47:54 UTC 2020

On Mon, Aug 31, 2020 at 02:19:08PM -0400, Warren Kumari wrote:

> The bit that I'm failing to understand is why these continue to exist
> -- if everyone (or, everyone other than Google) are ignoring /
> dropping these, how / why are they still on the Internet? Is it just
> the $whatever are sending these are always deployed next to something
> that ain't broke and the operator just hasn't noticed?
> Or are perhaps more things accepting these than we expect?

Quite likely the domains that are completely broken (none of the
nameservers respond from the right IP) are simply parked, and nobody
cares whether they actually work or not.

The only reason you're seeing queries for them may be that folks doing
DNS measurements, query all the domains we can find including the parked
ones that nobody actually cares to have working.

Make these break, please!  Nobody has any just cause to complain, and
reducing the security of all other lookups to accommodate a tiny
minority of domains that have broken via most other resolvers for a
couple of decades is not a sound tradeoff.


P.S. I rather disagree with Paul that this is an operational practice
question.  The treatment of such responses has an a priori *right*
answer, and not following the specifications is an operational error
that does not admit of an interpretation as an operational work-around.

If some such domains need to work, they know what they need to do,
or can be pointed in the right direction.
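
The check the thread is about, as an added illustration that is not code from the list, from any resolver, or from the author: a stub resolver only accepts a reply whose source (IP, port) equals the destination it sent the query to, in addition to the usual transaction-ID and QR-bit checks. The function names and the 192.0.2.x TEST-NET addresses are constructed for the example.

```python
import os
import struct
from dataclasses import dataclass


@dataclass(frozen=True)
class Query:
    txid: int      # 16-bit transaction ID chosen at random
    dst: tuple     # (ip, port) the query datagram was sent to
    qname: str


def build_query(qname, dst):
    """Build a minimal DNS A query (RD set) and remember where it was sent."""
    txid = int.from_bytes(os.urandom(2), "big")
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = qname.rstrip(".").split(".")
    question = b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"
    return Query(txid, dst, qname), header + question + struct.pack(">HH", 1, 1)


def accept_response(query, src, packet):
    """Return (accepted, reason) for a datagram received from `src`.

    The source check comes first: a reply from any address other than the one
    queried is dropped before its contents are looked at, which is what removes
    the extra spoofing surface the thread discusses.
    """
    if src != query.dst:
        return False, "source %s:%d != query destination %s:%d" % (src + query.dst)
    if len(packet) < 12:
        return False, "short packet"
    txid, flags = struct.unpack(">HH", packet[:4])
    if txid != query.txid:
        return False, "transaction id mismatch"
    if not flags & 0x8000:
        return False, "QR bit not set"
    return True, "ok"


if __name__ == "__main__":
    q, wire = build_query("example.com", ("192.0.2.53", 53))
    # Constructed reply: same ID, QR/RD/RA flags set, same question section.
    reply = struct.pack(">HH", q.txid, 0x8180) + wire[4:]
    print(accept_response(q, ("192.0.2.53", 53), reply))   # accepted
    print(accept_response(q, ("192.0.2.54", 53), reply))   # wrong source, dropped
```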
