[dns-operations] why does that domain resolve?

John Levine johnl at taugh.com
Sat Jun 5 15:09:52 UTC 2021

According to A. Schulze <sca at andreasschulze.de>:
>we found the domain "xn--80atcidr8i.xn--p1ai." in one of our logs.
>the TLD "xn--p1ai." delegate "xn--80atcidr8i.xn--p1ai." to two working nameservers.
>But these nameserver choose to announce "ns1.example.com" and "ns2.example.com" as authoritative.
>These names are garbage.
>But most resolver do not fail to give an answer for "xn--80atcidr8i.xn--p1ai. /A"
>So I wonder, why do so many resolver [1] obviously do only follow a delegation and ignore authoritative data?
>Is it really some sort of "Hey, you asked for $domain/A, the setup is so broken, but I tried really my best: here as an answer..." ?

For better or worse, DNSSEC validates the data itself, not the path
you took to get there. I have a local root which gets its info from
some servers at ICANN, not any of the regular root servers, but since
the DNSSEC signatures are OK, I don't care.

Parent and child NS have been out of sync as long as there have been
NS, and I have seen no pattern about which is more likely to be
"correct". If the server has the data and the signatures are good, why
do you care where it came from? And if it's not signed, the zone owner
apparently doesn't care either.

I realize that with DoH and DoT we are edging toward path validation, but I'd prefer to leave those
worms in the can for the moment.

John Levine, johnl at taugh.com, Primary Perpetrator of "The Internet for Dummies",
Please consider the environment before reading this e-mail. https://jl.ly

More information about the dns-operations mailing list