[dns-operations] ENT NXDOMAIN problem at .BS nameserver ns36.cdns.net
ietf-dane at dukhovni.org
Tue Sep 27 20:04:04 UTC 2022
On Tue, Sep 27, 2022 at 09:45:26PM +0200, Stephane Bortzmeyer wrote:
> This specific problem disappeared but there are other funny things in
> the zone. For instance, the three authoritative name servers for .bs
> claim that com.bs has three name servers, but they are the same.
> % dig @anyns.dns.bs. SOA com.bs
> ; <<>> DiG 9.18.1-1ubuntu1.2-Ubuntu <<>> @anyns.dns.bs. SOA com.bs
> ; (2 servers found)
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 32202
> ;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 3, ADDITIONAL: 1
> ;; WARNING: recursion requested but not available
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags: do; udp: 4096
> ; COOKIE: b6dd75980a42dca4e88a412663335275aec889b7585d3e59 (good)
> ;; QUESTION SECTION:
> ;com.bs. IN SOA
> ;; AUTHORITY SECTION:
> COM.bs. 21600 IN NS anyns.dns.bs.
> COM.bs. 21600 IN NS ns36.cdns.net.
> COM.bs. 21600 IN NS anyns.pch.net.

More precisely, this is a lame-delegation. The authoritative
nameservers of "com.bs" are replying to an SOA query for com.bs with a
referral to themselves. Fortunately, this seems to only affect the
zone apex; queries for delegated subdomains are answered correctly:

$ dig +norecur +nocmd +nocl +nottl @ns36.cdns.net -t ns mckinney.com.bs
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 56722
;; flags: qr; QUERY: 1, ANSWER: 0, AUTHORITY: 4, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;mckinney.com.bs. IN NS
;; AUTHORITY SECTION:
mckinney.com.bs. NS ns.sworth.net.
mckinney.com.bs. NS ns1.sworth.net.
mckinney.com.bs. NS ns2.sworth.net.
mckinney.com.bs. NS ns3.sworth.net.
;; Query time: 146 msec
;; SERVER: 2001:678:4::24#53(2001:678:4::24)
;; WHEN: Tue Sep 27 20:00:24 UTC 2022
;; MSG SIZE rcvd: 155

But this is still an odd configuration. There are NS records for
".com.bs" in the parent pointing to its own nameservers, but no
zone cut, ... This is wrong.

To ensure that ".com.bs" is not an empty-non-terminal, instead of "NS",
the parent should have added "TXT", or "RP" records...
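
The check described in the message above, as an added example that is not part of the original post: it reads dig text output and flags a non-authoritative reply whose NS records sit at the queried name and include the server that was asked. The function names and result labels are assumptions made for this example, and the two sample replies are abridged from the dig output quoted above.

```python
import re

# Abridged from the two dig replies quoted in the post above.
APEX_REPLY = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 32202
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 3, ADDITIONAL: 1
;; QUESTION SECTION:
;com.bs. IN SOA
;; AUTHORITY SECTION:
COM.bs. 21600 IN NS anyns.dns.bs.
COM.bs. 21600 IN NS ns36.cdns.net.
COM.bs. 21600 IN NS anyns.pch.net.
"""
CHILD_REPLY = """\
;; flags: qr; QUERY: 1, ANSWER: 0, AUTHORITY: 4, ADDITIONAL: 1
;; QUESTION SECTION:
;mckinney.com.bs. IN NS
;; AUTHORITY SECTION:
mckinney.com.bs. NS ns.sworth.net.
mckinney.com.bs. NS ns1.sworth.net.
;; Query time: 146 msec
"""

def norm(name):
    return name.lower().rstrip(".")  # DNS names compare case-insensitively

def classify(dig_text, server):
    """Classify the dig reply that `server` gave (labels are this example's own)."""
    flags = re.search(r";; flags:([^;]*);", dig_text).group(1).split()
    answers = int(re.search(r"ANSWER: (\d+)", dig_text).group(1))
    qname, section, ns = None, None, []
    for line in dig_text.splitlines():
        if line.startswith(";; ") and line.endswith("SECTION:"):
            section = line.split()[1]
        elif section == "QUESTION" and line.startswith(";") and qname is None:
            qname = norm(line[1:].split()[0])
        elif section == "AUTHORITY" and line and not line.startswith(";"):
            f = line.split()  # owner [ttl] [class] NS target
            if "NS" in f:
                ns.append((norm(f[0]), norm(f[-1])))
    if "aa" in flags or answers or not ns:
        return "not-a-referral"
    # NS owner equals the queried name and the asked server is one of the targets
    if any(o == qname and t == norm(server) for o, t in ns):
        return "self-referral"
    return "referral"

if __name__ == "__main__":
    print(classify(APEX_REPLY, "anyns.dns.bs."), classify(CHILD_REPLY, "ns36.cdns.net"))
```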