[dns-operations] ENT NXDOMAIN problem at .BS nameserver ns36.cdns.net

Mark Andrews marka at isc.org
Wed Sep 28 01:58:34 UTC 2022



> On 28 Sep 2022, at 06:04, Viktor Dukhovni <ietf-dane at dukhovni.org> wrote:
> 
> On Tue, Sep 27, 2022 at 09:45:26PM +0200, Stephane Bortzmeyer wrote:
> 
>> This specific problem disappeared but there are other funny things in
>> the zone. For instance, the three authoritative name servers for .bs
>> claim that com.bs has three name servers, but they are the same.
>> 
>> % dig @anyns.dns.bs. SOA com.bs      
>> 
>> ; <<>> DiG 9.18.1-1ubuntu1.2-Ubuntu <<>> @anyns.dns.bs. SOA com.bs
>> ; (2 servers found)
>> ;; global options: +cmd
>> ;; Got answer:
>> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 32202
>> ;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 3, ADDITIONAL: 1
>> ;; WARNING: recursion requested but not available
>> 
>> ;; OPT PSEUDOSECTION:
>> ; EDNS: version: 0, flags: do; udp: 4096
>> ; COOKIE: b6dd75980a42dca4e88a412663335275aec889b7585d3e59 (good)
>> ;; QUESTION SECTION:
>> ;com.bs.			IN SOA
>> 
>> ;; AUTHORITY SECTION:
>> COM.bs.			21600 IN NS anyns.dns.bs.
>> COM.bs.			21600 IN NS ns36.cdns.net.
>> COM.bs.			21600 IN NS anyns.pch.net.
> 
> More precisely, this is a lame-delegation.  The authoritative
> nameservers of "com.bs" are replying to an SOA query for com.bs with a
> referral to themselves.  Fortunately, this seems to only affect the
> zone apex

Which breaks resolvers using QNAME minimisation using NS queries, which
is really the only way to do QNAME minimisation properly.

> queries for delegated subdomains are answered correctly:
> 
>    $ dig +norecur +nocmd +nocl +nottl @ns36.cdns.net -t ns mckinney.com.bs
>    ;; Got answer:
>    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 56722
>    ;; flags: qr; QUERY: 1, ANSWER: 0, AUTHORITY: 4, ADDITIONAL: 1
> 
>    ;; OPT PSEUDOSECTION:
>    ; EDNS: version: 0, flags:; udp: 4096
>    ;; QUESTION SECTION:
>    ;mckinney.com.bs.       IN NS
> 
>    ;; AUTHORITY SECTION:
>    mckinney.com.bs.        NS      ns.sworth.net.
>    mckinney.com.bs.        NS      ns1.sworth.net.
>    mckinney.com.bs.        NS      ns2.sworth.net.
>    mckinney.com.bs.        NS      ns3.sworth.net.
> 
>    ;; Query time: 146 msec
>    ;; SERVER: 2001:678:4::24#53(2001:678:4::24)
>    ;; WHEN: Tue Sep 27 20:00:24 UTC 2022
>    ;; MSG SIZE  rcvd: 155
> 
> But this is still an odd configuration.  There are NS records for
> ".com.bs" in the parent pointing to its own nameservers, but no
> zone cut, ...  This is wrong.
> 
> To ensure that ".com.bs" is not an empty-non-terminal, instead of "NS",
> the parent should have added "TXT", or "RP" records...
> 
> -- 
>    Viktor.

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742              INTERNET: marka at isc.org
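
The referral-to-self pattern discussed in this thread can be recognised mechanically from dig's text output. The following Python is an added example, not part of the original messages; `classify` and `norm` are hypothetical names, and both inputs are abbreviated from the dig output quoted above.

```python
import re

# Both samples are abbreviated from the dig output quoted in the thread.
APEX = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 32202
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 3, ADDITIONAL: 1
;; QUESTION SECTION:
;com.bs.                 IN SOA
;; AUTHORITY SECTION:
COM.bs.                  21600 IN NS anyns.dns.bs.
COM.bs.                  21600 IN NS ns36.cdns.net.
COM.bs.                  21600 IN NS anyns.pch.net.
"""
CHILD = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 56722
;; flags: qr; QUERY: 1, ANSWER: 0, AUTHORITY: 4, ADDITIONAL: 1
;; QUESTION SECTION:
;mckinney.com.bs.       IN NS
;; AUTHORITY SECTION:
mckinney.com.bs.        NS      ns.sworth.net.
mckinney.com.bs.        NS      ns1.sworth.net.
"""

def norm(name):
    """Lower-case and force one trailing dot so names compare equal."""
    return name.lower().rstrip(".") + "."

def classify(dig_text, server):
    """Return (kind, cut) for one response `server` gave, parsed from dig text."""
    status = re.search(r"status: (\w+)", dig_text).group(1)
    flags = re.search(r";; flags:([^;]*);", dig_text).group(1).split()
    answers = int(re.search(r"ANSWER: (\d+)", dig_text).group(1))
    authority = dig_text.partition(";; AUTHORITY SECTION:")[2]
    ns = [(norm(owner), norm(target)) for owner, target in re.findall(
        r"^[ \t]*(\S+)[ \t]+(?:\d+[ \t]+)?(?:IN[ \t]+)?NS[ \t]+(\S+)",
        authority, re.M)]
    if status != "NOERROR":
        return status.lower(), None
    if answers or "aa" in flags or not ns:
        return "answer-or-nodata", None
    # No AA bit, empty answer, NS records in authority: a referral to `cut`.
    cut = ns[0][0]
    if norm(server) in {target for _, target in ns}:
        # The server lists itself for `cut` yet did not answer authoritatively.
        return "self-referral", cut
    return "referral", cut

if __name__ == "__main__":
    print(classify(APEX, "anyns.dns.bs"), classify(CHILD, "ns36.cdns.net"))
```

A monitoring job could feed it saved `dig +norecur` output per listed nameserver and alert on any `self-referral` result.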



