[dns-operations] why does that domain resolve?

Mats Dufberg mats.dufberg at internetstiftelsen.se
Sat Jun 5 12:56:42 UTC 2021

If the servers of the daughter zone returns minimal answer, which is legal, then the resolver will not even see the NS records of the zone.

1. The resolver get a request for "www.house.xa. A" and has the NS incl. IP addresses for xa.
2. The resolver sends a request for "www.house.xa. A" to an .xa NS.
3. The .xa NS returns a referral to the NS of house.xa.
4. The resolver send a request for "www.house.xa. A" to an house.xa NS.
5. The house.xa NS returns a minimal answer with "www.house.xa. A" in the answer section and no other DNS recorcs.

To force the use of NS from the zone the DNS protocal has to be rewritten, and if that is done, why not remove the NS from the zone and make them authoritative records of the parent?



Mats Dufberg
mats.dufberg at internetstiftelsen.se
Technical Expert
Internetstiftelsen (The Swedish Internet Foundation)
Mobile: +46 73 065 3899

On 05/06/2021, 13:44, "dns-operations on behalf of A. Schulze" <dns-operations-bounces at dns-oarc.net on behalf of sca at andreasschulze.de> wrote:

    Am 04.06.21 um 17:52 schrieb A. Schulze:

    > So I wonder, why do so many resolver [1] obviously do only follow a delegation and ignore authoritative data?

    Is "being client centric" a candidate for a "dns-flag-day-2022"?
    Consider .com like to intercept gmail.com. Changing the delegation in .com would be enough. Really?


    dns-operations mailing list
    dns-operations at lists.dns-oarc.net

More information about the dns-operations mailing list