Re: Conflicting glue records?
> For someone to register a domain and listing our server name with a bogus IP, the registry has to be incredibly careless

I wonder if he is seeing the same thing I was a few days ago. I had a certain *.edu host listed as a nameserver of mine with several registries (gandi for .com, arin for in-addr.arpa and nro for rDNS in 2002:: space.) Last Friday mail stopped flowing from my machine to this nameserver because someone was injecting a stale A-record into gtld-servers.net (the address injected was formerly correct, but changed over a year ago). This record either hadn't appeared before or my bind ignored it up to this point. Could something have changed with bind 9.5.1-P1 that would cause it to put more value on glue/host records than it did before?

This command clearly showed an A-record with an old, now incorrect ipv4 address.

    dig mgm.mit.edu @a.gtld-servers.net a

As a quick fix I dropped the nameserver in question from gandi and nro (arin is still in the stone age and wants you to be their pen-pal, so nothing has been changed there.) The problem seems to have fixed itself within 24 hours of making the changes at the two registries mentioned. Weird huh?

-wolfgang

--
Wolfgang S. Rupprecht http://www.full-steam.org/ (ipv6-only)
You may need to config 6to4 to see the above pages.
___
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
Re: Conflicting glue records?
On Jan 26 2009, Wolfgang S. Rupprecht wrote:

>> For someone to register a domain and listing our server name with a bogus IP, the registry has to be incredibly careless
>
> I wonder if he is seeing the same thing I was a few days ago. I had a certain *.edu host listed as a nameserver of mine with several registries (gandi for .com, arin for in-addr.arpa and nro for rDNS in 2002:: space.) Last Friday mail stopped flowing from my machine to this nameserver because someone was injecting a stale A-record into gtld-servers.net (the address injected was formerly correct, but changed over a year ago). This record either hadn't appeared before or my bind ignored it up to this point. Could something have changed with bind 9.5.1-P1 that would cause it to put more value on glue/host records than it did before?
>
> This command clearly showed an A-record with an old, now incorrect ipv4 address.
>
>     dig mgm.mit.edu @a.gtld-servers.net a
>
> As a quick fix I dropped the nameserver in question from gandi and nro (arin is still in the stone age and wants you to be their pen-pal, so nothing has been changed there.) The problem seems to have fixed itself within 24 hours of making the changes at the two registries mentioned. Weird huh?

See "promoting glue to answer", and the evils thereof, passim. In particular

https://lists.isc.org/pipermail/bind-users/2008-December/074107.html
https://lists.isc.org/pipermail/bind-users/2008-December/074164.html

--
Chris Thompson
Email: c...@cam.ac.uk
Re: Conflicting glue records?
Right, but his question was regarding the host record for the name server. You tell the registrar the name and IP address of the name servers that are authoritative for the domain. The registrar then pushes those glue records to the root servers. Root doesn't care what the name and/or IP address of the name servers are. They are unrelated across domains. There isn't any cross domain verification. If you say that the FQDN and IP address of the authoritative name server is something, the registrar believes you and tells root. Root believes the registrar. The registrar and root don't do a lookup on the FQDN of the name server that is provided, hence it being called a glue record. You have to manually enter that data. At least that has been the case with every registrar I've dealt with.

On Thu, Jan 8, 2009 at 12:31 AM, Matus UHLAR - fantomas uh...@fantomas.sk wrote:

>> On Wed, Jan 7, 2009 at 6:29 PM, Milo Hyson m...@cyberlifelabs.com wrote:
>>> If different registrars contain different host records for the same name server, what glue records are established in the root servers? Suppose two domains at different registrars both list ns1.mydomain.com as a nameserver but each gives a different IP. Are the results undefined? Is there some rule that is followed to resolve the conflict?
>
> On 07.01.09 19:14, Dawn Connelly wrote:
>> Each registrar pushes the information that they have. So if you have apples.com with an NS record of ns1.dns.com==137.161.0.1 and oranges.com with a NS record of ns1.dns.com=137.161.0.2
>
> I think only the registrar of dns.com should provide glue records for anything below dns.com. If it happened this way, it's imho broken.
>
> --
> Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
> Warning: I wish NOT to receive e-mail advertising to this address.
> Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
> Where do you want to go to die? [Microsoft]
Re: Conflicting glue records?
On 08-Jan-2009, at 03:41, Dawn Connelly wrote:

> Right, but his question was regarding the host record for the name server. You tell the registrar the name and IP address of the name servers that are authoritative for the domain. The registrar then pushes those glue records to the root servers. Root doesn't care what the name and/or IP address of the name servers are. They are unrelated across domains. There isn't any cross domain verification. If you say that the FQDN and IP address of the authoritative name server is something, the registrar believes you and tells root. Root believes the registrar. The registrar and root don't do a lookup on the FQDN of the name server that is provided, hence it being called a glue record. You have to manually enter that data. At least that has been the case with every registrar I've dealt with.

Again, this is quite wrong, on several points.

Host records for his domain don't go into the root unless he's managing a TLD.. and if that's the case he's not dealing with a registrar.

Whether or not the registrar or the registry do a lookup on the host records being supplied is irrelevant to why the entry in the DNS is called glue. In cases where a nameserver is a subdomain of the domain it is authoritative for, delegations can't happen without the parent zone supplying an IP address... without the address being supplied by the parent zone you'd have a catch-22 in the resolution process. Supplying that IP address glues the two zones together.. hence the name.

And finally to the poster's original question.. This is actually more of an issue of registry operations and/or EPP, rather than DNS. According to the EPP spec only the registrar sponsoring the domain can register host records within it. So, to borrow from someone else's example, only the domain holder for apple.com can register the host records ns1.apple.com and ns2.apple.com. The orange.com registrant can't create a host record for ns1.apple.com and register an IP address with it.

The registrar *may* accept this data from the registrant anyway, but it shouldn't (according to the spec) be passed on to the registry. I suppose the registry could also accept it from the registrar (though in the case of .com I doubt this violation is occurring) but it shouldn't be published into the DNS. Only the host records registered by the apple.com domain holder should wind up there.

Matt
Conflicting glue records?
Milo Hyson wrote:

> In our particular case, we have stale glue records for our name-servers that appear to be coming from a domain we host that is owned by someone else. Despite our best efforts, we have not been able to reach the owners and thus have not been able to get the host records changed at the registrar. The net result is that any domains listing those server names fail to resolve as the old IPs are no longer in service.
>
> This raises a scary question. If this is really an undefined situation, could it be used as an attack vector? Although our particular situation involves no component of fraud, what is to stop someone from registering a domain and listing our server name with a bogus IP?
>
> Milo Hyson
> Chief Scientist
> CyberLife Labs

---

Nothing. But why would it matter? And why would they ask someone other than the TLDs for your NS? I don't really think this is a problem as it only comes into play if they query the registered domain. If one is hosting a domain owned by someone else they should be able to contact domain holder. If they cannot contact them, they can just stop hosting them and queries will not then bother them.

I have several secondary nameservers out there and I have registered them with my register. Checking for my nameservers at the TLD servers gives this response:

    [r...@maplepark ~]# dig +norecurse @A.GTLD-SERVERS.NET maplepark.com ns

    ; <<>> DiG 9.6.0 <<>> +norecurse @A.GTLD-SERVERS.NET maplepark.com ns
    ; (2 servers found)
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 62282
    ;; flags: qr; QUERY: 1, ANSWER: 5, AUTHORITY: 0, ADDITIONAL: 5

    ;; QUESTION SECTION:
    ;maplepark.com.                 IN      NS

    ;; ANSWER SECTION:
    maplepark.com.          172800  IN      NS      maplepark.com.
    maplepark.com.          172800  IN      NS      ns5.dnsmadeeasy.com.
    maplepark.com.          172800  IN      NS      ns6.dnsmadeeasy.com.
    maplepark.com.          172800  IN      NS      ns6.gandi.net.
    maplepark.com.          172800  IN      NS      ns7.dnsmadeeasy.com.

    ;; ADDITIONAL SECTION:
    maplepark.com.          172800  IN      A       64.216.205.121
    ns5.dnsmadeeasy.com.    172800  IN      A       63.219.151.12
    ns6.dnsmadeeasy.com.    172800  IN      A       64.246.42.203
    ns6.gandi.net.          172800  IN      A       217.70.177.40
    ns7.dnsmadeeasy.com.    172800  IN      A       205.234.170.139

    ;; Query time: 91 msec
    ;; SERVER: 192.5.6.30#53(192.5.6.30)
    ;; WHEN: Thu Jan  8 09:05:47 2009
    ;; MSG SIZE  rcvd: 218

As can be seen (or digged|dug), the glue has me (maplepark.com), three other .com(s), and a .net, all as it should be (and as I wanted it and registered it). Not allowing this setup would cripple lookups using my secondaries (all slaves).

OTOH, if you were to add my nameservers to YOUR TLD (through your registrar) anyone querying your nameservers for anything could be directed to my nameserver and then find answers only as long as my nameservers were active. If I, as an active homebuilder, should fall prey to the ridiculous broken market I am dealing with and go out of business, those querying YOUR nameservers could get stupid answers. But if they query the TLD for me they would also get stupid answers until my registration expires. But I wouldn't care too much. Protect yourself by maintaining YOUR TLD through your registrar and don't add me to your list of NS.

My short answer is: Don't host domains that aren't maintained, and rely on the DNS to normally resolve those who do maintain their domains. imho, the system ain't broke; so don't fix it. I'm dead sure someone will tell if I'm wrong, and maybe even if I'm not.

--
David Forrest e-mail drf @ maplepark.com
Maple Park Development Corporation http://www.maplepark.com
St. Louis, Missouri
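As an added example (not from this thread, and not anyone's posted code), a small Python check that parses the ADDITIONAL section of a dig reply like the one above and compares the glue the TLD server handed back against the addresses each nameserver's own zone serves today, flagging the stale host records Milo and Wolfgang describe. SAMPLE_DIG and AUTHORITATIVE are constructed with RFC 5737 documentation addresses; in practice AUTHORITATIVE would be filled from a query to the child zone.

```python
import re
# Constructed sample (not the page's own dig output), with RFC 5737 addresses:
# the sections of a "dig +norecurse @a.gtld-servers.net example.com ns" reply.
SAMPLE_DIG = """\
;; ANSWER SECTION:
example.com.      172800 IN NS ns1.example.com.
example.com.      172800 IN NS ns2.example.com.
example.com.      172800 IN NS ns.example.net.

;; ADDITIONAL SECTION:
ns1.example.com.  172800 IN A  192.0.2.10
ns2.example.com.  172800 IN A  192.0.2.11
ns.example.net.   172800 IN A  198.51.100.5
"""

# Constructed: what each nameserver's own zone answers for its name today;
# ns2 was renumbered, but its host record at the registry was never updated.
AUTHORITATIVE = {
    "ns1.example.com.": {"192.0.2.10"},
    "ns2.example.com.": {"192.0.2.99"},
    "ns.example.net.": {"198.51.100.5"},
}

RR = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+(A|AAAA|NS)\s+(\S+)$")
def parse_sections(text):
    """Return {section: [(owner, rrtype, rdata), ...]} from dig's text output."""
    sections, current = {}, None
    for line in text.splitlines():
        if line.startswith(";; ") and line.endswith("SECTION:"):
            current = line[3:-9].strip()              # e.g. "ADDITIONAL"
            sections[current] = []
        elif current and line.strip() and not line.startswith(";"):
            m = RR.match(line)
            if m:
                sections[current].append((m.group(1).lower(), m.group(3), m.group(4)))
    return sections

def glue_from_dig(text):
    """Map each nameserver name to the glue addresses the TLD server handed back."""
    glue = {}
    for owner, rrtype, rdata in parse_sections(text).get("ADDITIONAL", []):
        if rrtype in ("A", "AAAA"):
            glue.setdefault(owner, set()).add(rdata.lower())
    return glue

def stale_glue(glue, authoritative):
    """Glue addresses that the nameserver's own zone no longer serves."""
    return {n: a - authoritative.get(n, set())
            for n, a in glue.items() if a - authoritative.get(n, set())}
```

A non-empty result from stale_glue is the condition to chase with the sponsoring registrar, since only the host record holder can correct it at the registry.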
Conflicting glue records?
If different registrars contain different host records for the same name server, what glue records are established in the root servers? Suppose two domains at different registrars both list ns1.mydomain.com as a nameserver but each gives a different IP. Are the results undefined? Is there some rule that is followed to resolve the conflict?

--
Milo Hyson
Chief Scientist
CyberLife Labs