* Feng He wrote:
> If the nameservers in parent are different from the ones in auth-servers,
> what will happen?

For the first query the glue data will be used (NS in the parent zone).
For later queries the resolver should requery the NS from the authoritative
servers.

> im.                     172800  IN      NS      hoppy.iom.com.
> im.                     172800  IN      NS      pebbles.iom.com.
> im.                     172800  IN      NS      ns4.ja.net.
> im.                     172800  IN      NS      barney.advsys.co.uk.
> ;; Received 222 bytes from 198.41.0.4#53(a.root-servers.net) in 240 ms

So we have
 hoppy.iom.com       has address 217.23.163.140
 pebbles.iom.com     has address 80.168.83.242
 ns4.ja.net          has address 193.62.157.66
 ns4.ja.net          has IPv6 address 2001:630:0:47::42
 barney.advsys.co.uk has address 217.23.160.50
five different IP addresses to ask for anything beyond im.


All these servers report:
 ;; ANSWER SECTION:
 im.                    3600    IN      NS      hoppy.iom.com.
 im.                    3600    IN      NS      pebbles.iom.com.
 im.                    3600    IN      NS      barney.advsys.co.uk.
 im.                    3600    IN      NS      ns4.ja.net.
 ;; SERVER: 80.168.83.242#53(and for each other server)
 ;; WHEN: Fri Oct 26 12:06:50 2012
 ;; MSG SIZE  rcvd: 174


But you see:

> tel.im.                 259200  IN      NS      ans.amchina.net.
> tel.im.                 259200  IN      NS      bns.amchina.net.
> tel.im.                 259200  IN      NS      cns.amchina.net.
> tel.im.                 259200  IN      NS      dns.amchina.net.
> ;; Received 107 bytes from 80.168.83.242#53(pebbles.iom.com) in 271 ms

That's forged. And those servers will update the NS again to:

> tel.im.                 3600    IN      A       14.1.20.54
> tel.im.                 3600    IN      NS      ns1.cloudwebdns.com.
> tel.im.                 3600    IN      NS      ns2.cloudwebdns.com.
> tel.im.                 3600    IN      NS      ns3.cloudwebdns.com.
> tel.im.                 3600    IN      NS      ns4.cloudwebdns.com.
> ;; Received 191 bytes from 173.254.229.119#53(bns.amchina.net) in 234 ms

Which keeps your resolver on the wrong NS for im.

So you are a victim of an attacker.

OTOH, let's query correctly:
 im.    NS      ns4.ja.net.
 im.    NS      hoppy.iom.com.
 im.    NS      barney.advsys.co.uk.
 im.    NS      pebbles.iom.com.
 im.    NSEC    in. NS RRSIG NSEC
 im.    RRSIG   NSEC 8 1 86400 20121101000000 20121024230000 24220 . 
k+LhRtqiGpILTphjgFyy0nQQupnx48rg/G8RFckfKBETtLZw8rrT5FKl 
bnUiV3R3eg7mOG9EFj65ST5YVmbxk4TPLO8CDs3BnYUFIex0W4mq3lyT 
gqm1va0ICul9jpYeMs9+JfJsnJuHWrXFJWX6vlwjHtHSXQn5QwgkxEtt z7I=
 ;; Received 412 bytes from 2001:500:3::42#53(L.ROOT-SERVERS.NET) in 45 ms

Bad luck, the IM registry is not up to date.
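
The comparison made by hand in this message (the NS set in the parent-side referral against the NS set the delegated servers return themselves), as an added example that is not part of the original post. The function names are hypothetical; the records are the NS lines from the dig output quoted above, with whitespace normalised.

```python
from collections import defaultdict

# NS records copied from the dig output quoted in the message above.
IM_PARENT = """\
im. 172800 IN NS hoppy.iom.com.
im. 172800 IN NS pebbles.iom.com.
im. 172800 IN NS ns4.ja.net.
im. 172800 IN NS barney.advsys.co.uk.
"""
IM_CHILD = """\
im. 3600 IN NS hoppy.iom.com.
im. 3600 IN NS pebbles.iom.com.
im. 3600 IN NS barney.advsys.co.uk.
im. 3600 IN NS ns4.ja.net.
"""
TEL_PARENT = """\
> tel.im. 259200 IN NS ans.amchina.net.
> tel.im. 259200 IN NS bns.amchina.net.
> tel.im. 259200 IN NS cns.amchina.net.
> tel.im. 259200 IN NS dns.amchina.net.
"""
TEL_CHILD = """\
> tel.im. 3600 IN A 14.1.20.54
> tel.im. 3600 IN NS ns1.cloudwebdns.com.
> tel.im. 3600 IN NS ns2.cloudwebdns.com.
> tel.im. 3600 IN NS ns3.cloudwebdns.com.
> tel.im. 3600 IN NS ns4.cloudwebdns.com.
"""

def parse_ns(text):
    """Map owner name -> set of NS targets from dig-style RR lines."""
    zones = defaultdict(set)
    for line in text.splitlines():
        f = line.lstrip("> ").split()
        # Expected layout: owner TTL class type rdata; skip comments and non-NS.
        if len(f) >= 5 and f[2].upper() == "IN" and f[3].upper() == "NS":
            zones[f[0].lower().rstrip(".")].add(f[4].lower().rstrip("."))
    return zones

def compare_delegation(zone, parent_text, child_text):
    """Compare the referral NS set (parent) with the apex NS set (child)."""
    zone = zone.lower().rstrip(".")
    parent = parse_ns(parent_text).get(zone, set())
    child = parse_ns(child_text).get(zone, set())
    return {"consistent": bool(parent) and parent == child,
            "only_in_parent": sorted(parent - child),
            "only_in_child": sorted(child - parent)}

if __name__ == "__main__":
    print("im.", compare_delegation("im", IM_PARENT, IM_CHILD))
    print("tel.im.", compare_delegation("tel.im", TEL_PARENT, TEL_CHILD))
```

The check only reports that the two NS sets differ; it does not authenticate either side.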