[dns-operations] Ultra DNS responding with NXDOMAIN for "www.uber.com"
Viktor Dukhovni
ietf-dane at dukhovni.org
Sat Aug 7 19:02:41 UTC 2021
On Sat, Aug 07, 2021 at 11:13:36AM +0530, Shreyas Zare wrote:
> However, querying for "cn-ecg.cfe.uber.com" to the same server responds
> with an answer:
>
> Query Link:
> https://dnsclient.net/#edns126.ultradns.com/cn-ecg.cfe.uber.com/A/UDP
See: https://dnsviz.net/d/cn-ecg.cfe.uber.com/dnssec/
There's a zone cut at cfe.uber.com with the same nameservers on both
sides of the cut. Asking for child-side records (including NS) returns
the records from the child-side of the cut, but asking for parent side
records returns NXDOMAIN, since there is likely no data at all for "cfe"
in the parent zone:
$ dig +norecur +noall +nocl +nottl +comment +ans +auth +nosplit @edns126.ultradns.com. -t ds cfe.uber.com
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 54012
;; flags: qr aa; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; AUTHORITY SECTION:
uber.com. SOA edns126.ultradns.com. serviceproviders.uber.com. 2019057840 3600 180 604800 900
Likely the CNAME recursion uses parent-zone data to conclude that the
target name does not exist:
$ dig +norecur +noall +nocl +nottl +comment +ans +auth +nosplit @edns126.ultradns.com. -t a frontends-cloud.uber.com.
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 37512
;; flags: qr aa; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; ANSWER SECTION:
frontends-cloud.uber.com. CNAME cn-ecg.cfe.uber.com.
;; AUTHORITY SECTION:
uber.com. SOA edns126.ultradns.com. serviceproviders.uber.com. 2019057840 3600 180 604800 900
The parent zone needs to be updated to add delegation NS records for
"cfe.uber.com".
--
Viktor.
More information about the dns-operations
mailing list