Re: nxdomain rfc2308 type 2, but authority is incorrect

2016-08-11 Thread Joe Maimon



Tony Finch wrote:

Joe Maimon  wrote:


www.kissimmee.org

Windows appears to believe the rfc2308 type 2 response,


RFC 2308 isn't relevant to this domain. The responses aren't NXDOMAIN, so
section 2.1 doesn't apply, and the response includes answers, so section
2.2 doesn't apply.

Tony.



We must be reading different things.

   NXDOMAIN RESPONSE: TYPE 2.

   Header:
   RDCODE=NXDOMAIN
   Query:
   AN.EXAMPLE. A





   Answer:
   AN.EXAMPLE. CNAME TRIPPLE.XX.
   Authority:
   XX. SOA NS1.XX. HOSTMASTER.NS1.XX. 
   Additional:
   

c:\Documents and Settings\joe.JOE.000>c:\programs\bind\bin\dig.exe www.kissimmee.org @ns1.nameresolve.com

; <<>> DiG 9.10a2 <<>> www.kissimmee.org @ns1.nameresolve.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 36437
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1680
;; QUESTION SECTION:
;www.kissimmee.org. IN  A

;; ANSWER SECTION:
www.kissimmee.org.  3600  IN  CNAME   kissimmee-fl.vts.hosting.

;; AUTHORITY SECTION:
hosting.  3600  IN  SOA ns2.nshosts.com. info.webstrikesolutions.com.hosting. 1089178331 900 3600 604800 3600

;; Query time: 62 msec
;; SERVER: 66.96.142.146#53(66.96.142.146)
;; WHEN: Thu Aug 11 08:36:59 Eastern Daylight Time 2016
;; MSG SIZE  rcvd: 163



Re: nxdomain rfc2308 type 2, but authority is incorrect

2016-08-11 Thread Tony Finch
William Herrin  wrote:
>
> Oh! I missed that. ns*.nameresolve.com, the authoritative name servers
> for kissimmee.org, are saying NXDOMAIN for www.kissimmee.org. Any idea
> what DNS server nameresolve.com uses? Because that's... wow.

Er, me too, headdesk. NXDOMAIN with an answer?!

$ fpdns ns2.yourhostingaccount.com.
fingerprint (ns2.yourhostingaccount.com., 65.254.254.155): Unlogic Eagle DNS 
1.0 -- 1.0.1 [New Rules]

Tony.
-- 
f.anthony.n.finch  http://dotat.at/  -  I xn--zr8h punycode
Humber, Thames, Dover: West or southwest 4 or 5, increasing 6 at times. Slight
or moderate. Occasional rain at first. Good, occasionally poor at first.


Re: nxdomain rfc2308 type 2, but authority is incorrect

2016-08-11 Thread Tony Finch
Joe Maimon  wrote:

> www.kissimmee.org
>
> Windows appears to believe the rfc2308 type 2 response,

RFC 2308 isn't relevant to this domain. The responses aren't NXDOMAIN, so
section 2.1 doesn't apply, and the response includes answers, so section
2.2 doesn't apply.

Tony.
-- 
f.anthony.n.finch  http://dotat.at/  -  I xn--zr8h punycode
Fisher, German Bight: South, veering west or southwest, 4 or 5, increasing 6
at times. Slight or moderate. Occasional rain. Good, occasionally poor.


Re: nxdomain rfc2308 type 2, but authority is incorrect

2016-08-10 Thread Mark Andrews

In message <57abb456.5020...@ttec.com>, Joe Maimon writes:
> 
> 
> Mark Andrews wrote:
> 
> >
> > Nameresolve.com's servers are returning answers that can be seen
> > as a cache poisoning attempt.  They are NOT authoritative for
> > ".hosting" but have been configured as if they are.  This is a big
> > NO NO.  You don't configure yourself as authoritative for a zone
> > that has not been delegated to you and in particular you don't
> > configure yourself as authoritative for "." or a TLD.
> >
> > Windows 2008 is quite correct in rejecting this answer.  Named would
> > as well except for the number of DNS hosters that do this sort of
> > garbage.  Named just sees the CNAME and stops processing the message
> > after that.
> >
> > Mark
> >
> 
> Thanks for the replies Mark and Bill.
> 
> I think it's fair to say that most DNS servers have at one time or 
> another hosted a zone they were not authoritative for according to the 
> DNS tree, as simple as a customer leaving without notice, cruft, split 
> view incorrectly configured, etc.

Having the odd leaf zone left over doesn't usually cause operational
problems.  You have to be very unlucky to be delegated a zone that
has a CNAME that points into the left over leaf zone.

In this case there is a fake TLD zone.  This isn't a left over zone.
This is a DNS hoster not understanding the DNS and the implications
of their operational decisions.

People forget nameservers return negative existence answers and
that they need to be as valid as the positive existence answers.

> In any event, windows is accepting the negative answer, BIND is 
> rejecting it and going forward with resolving the CNAME, successfully.
> 
> Joe
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org
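
Added example, not part of any message in this thread: a Python check that parses dig text output and flags the two problems discussed above, an authority-section SOA or NS whose owner lies outside the zone the server was delegated, and an NXDOMAIN asserted for a CNAME target outside that zone. The sample is the response Joe posted, with whitespace normalised; the function names and the delegated_zone parameter are assumptions of this example.

```python
import re

# Response re-typed from the dig output posted in this thread (whitespace normalised).
SAMPLE = """\
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 36437
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1
;; QUESTION SECTION:
;www.kissimmee.org. IN A
;; ANSWER SECTION:
www.kissimmee.org. 3600 IN CNAME kissimmee-fl.vts.hosting.
;; AUTHORITY SECTION:
hosting. 3600 IN SOA ns2.nshosts.com. info.webstrikesolutions.com.hosting. 1089178331 900 3600 604800 3600
"""

def parse_dig(text):
    """Return (rcode, {section: [(owner, rtype, rdata), ...]}) from dig text output."""
    rcode, section, records = None, None, {}
    for line in text.splitlines():
        m = re.search(r"status: (\w+)", line)
        rcode = m.group(1) if m else rcode
        m = re.match(r";; (\w+) SECTION:", line)
        if m:
            section = m.group(1)
            records.setdefault(section, [])
        elif section and line.strip() and not line.startswith(";"):
            owner, _ttl, _cls, rtype, *rdata = line.split()
            records[section].append((owner.lower(), rtype, " ".join(rdata).lower()))
    return rcode, records

def in_zone(name, zone):
    """True if name is at or below zone (label-wise suffix match, not substring)."""
    n = name.lower().rstrip(".").split(".")
    z = [label for label in zone.lower().rstrip(".").split(".") if label]
    return not z or n[-len(z):] == z

def audit(text, delegated_zone):
    """Findings for a response from a server that was delegated only delegated_zone."""
    rcode, rec = parse_dig(text)
    findings = []
    for owner, rtype, _ in rec.get("AUTHORITY", []):
        if rtype in ("SOA", "NS") and not in_zone(owner, delegated_zone):
            findings.append(f"out-of-zone {rtype} owner {owner}")
    for _, rtype, rdata in rec.get("ANSWER", []):
        if rtype == "CNAME" and rcode == "NXDOMAIN" and not in_zone(rdata, delegated_zone):
            findings.append(f"NXDOMAIN asserted for out-of-zone CNAME target {rdata}")
    return findings

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE, "kissimmee.org.")))
```
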


Re: nxdomain rfc2308 type 2, but authority is incorrect

2016-08-10 Thread Joe Maimon



Mark Andrews wrote:



Nameresolve.com's servers are returning answers that can be seen
as a cache poisoning attempt.  They are NOT authoritative for
".hosting" but have been configured as if they are.  This is a big
NO NO.  You don't configure yourself as authoritative for a zone
that has not been delegated to you and in particular you don't
configure yourself as authoritative for "." or a TLD.

Windows 2008 is quite correct in rejecting this answer.  Named would
as well except for the number of DNS hosters that do this sort of
garbage.  Named just sees the CNAME and stops processing the message
after that.

Mark



Thanks for the replies Mark and Bill.

I think it's fair to say that most DNS servers have at one time or 
another hosted a zone they were not authoritative for according to the 
DNS tree, as simple as a customer leaving without notice, cruft, split 
view incorrectly configured, etc.


In any event, windows is accepting the negative answer, BIND is 
rejecting it and going forward with resolving the CNAME, successfully.


Joe


Re: nxdomain rfc2308 type 2, but authority is incorrect

2016-08-10 Thread Mark Andrews

In message <57ab8024.7010...@ttec.com>, Joe Maimon writes:
> 
> 
> William Herrin wrote:
> > On Wed, Aug 10, 2016 at 2:05 PM, Joe Maimon  wrote:
> >> www.kissimmee.org
> >>
> >> Windows 2008 dns cannot resolve it.
> >>
> >> BIND can.
> >
> > Hi Joe,
> >
> > Does Windows 2008 like anything in the "hosting" TLD?
> >
> > I notice that the nameresolve.com servers returning the CNAME to
> > kissimmee-fl.vts.hosting are also returning an SOA record for
> > "hosting" in the authority section which looks very strange to me.
> > Perhaps Windows is rejecting it as an invalid, possibly dangerous
> > response packet?
> >
> > Regards,
> > Bill Herrin
> >
> >
> 
> I think that provided SOA record is a "local" or "alternate" version and 
> its existence is why the nxdomain response is being sent to the windows 
> dns server that accepts it at face value (but does not appear to store 
> it in cache, so this is not precisely cache poisoning)

Nameresolve.com's servers are returning answers that can be seen
as a cache poisoning attempt.  They are NOT authoritative for
".hosting" but have been configured as if they are.  This is a big
NO NO.  You don't configure yourself as authoritative for a zone
that has not been delegated to you and in particular you don't
configure yourself as authoritative for "." or a TLD.

Windows 2008 is quite correct in rejecting this answer.  Named would
as well except for the number of DNS hosters that do this sort of
garbage.  Named just sees the CNAME and stops processing the message
after that.

Mark

> Here is another example, unrelated to the new TLD's
> 
> www.lomita.com
> 
> 
> Joe


-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org


Re: nxdomain rfc2308 type 2, but authority is incorrect

2016-08-10 Thread William Herrin
On Wed, Aug 10, 2016 at 3:27 PM, Joe Maimon  wrote:
> William Herrin wrote:
>> On Wed, Aug 10, 2016 at 2:05 PM, Joe Maimon  wrote:
>>> www.kissimmee.org
>>> Windows 2008 dns cannot resolve it.

>> I notice that the nameresolve.com servers returning the CNAME to
>> kissimmee-fl.vts.hosting are also returning an SOA record for
>> "hosting" in the authority section which looks very strange to me.
>> Perhaps Windows is rejecting it as an invalid, possibly dangerous
>> response packet?
>
> I think that provided SOA record is a "local" or "alternate" version and its
> existence is why the nxdomain response is being sent to the windows dns
> server that accepts it at face value (but does not appear to store it in
> cache, so this is not precisely cache poisoning)

Oh! I missed that. ns*.nameresolve.com, the authoritative name servers
for kissimmee.org, are saying NXDOMAIN for www.kissimmee.org. Any idea
what DNS server nameresolve.com uses? Because that's... wow.

-Bill

-- 
William Herrin  her...@dirtside.com  b...@herrin.us
Owner, Dirtside Systems . Web: 


Re: nxdomain rfc2308 type 2, but authority is incorrect

2016-08-10 Thread Joe Maimon



William Herrin wrote:

On Wed, Aug 10, 2016 at 2:05 PM, Joe Maimon  wrote:

www.kissimmee.org

Windows 2008 dns cannot resolve it.

BIND can.


Hi Joe,

Does Windows 2008 like anything in the "hosting" TLD?

I notice that the nameresolve.com servers returning the CNAME to
kissimmee-fl.vts.hosting are also returning an SOA record for
"hosting" in the authority section which looks very strange to me.
Perhaps Windows is rejecting it as an invalid, possibly dangerous
response packet?

Regards,
Bill Herrin




I think that provided SOA record is a "local" or "alternate" version and 
its existence is why the nxdomain response is being sent to the windows 
dns server that accepts it at face value (but does not appear to store 
it in cache, so this is not precisely cache poisoning)


Here is another example, unrelated to the new TLD's

www.lomita.com


Joe


Re: nxdomain rfc2308 type 2, but authority is incorrect

2016-08-10 Thread William Herrin
On Wed, Aug 10, 2016 at 2:52 PM, William Herrin  wrote:
> On Wed, Aug 10, 2016 at 2:05 PM, Joe Maimon  wrote:
>> www.kissimmee.org
>>
>> Windows 2008 dns cannot resolve it.
>>
>> BIND can.
>
> Hi Joe,
>
> Does Windows 2008 like anything in the "hosting" TLD?
>
> I notice that the nameresolve.com servers returning the CNAME to
> kissimmee-fl.vts.hosting are also returning an SOA record for
> "hosting" in the authority section which looks very strange to me.
> Perhaps Windows is rejecting it as an invalid, possibly dangerous
> response packet?

BTW, here's what I'm talking about:

dig a www.kissimmee.org +trace +all

; <<>> DiG 9.8.4-rpz2+rl005.12-P1 <<>> a www.kissimmee.org +trace +all
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 2759
;; flags: qr aa ra; QUERY: 1, ANSWER: 13, AUTHORITY: 0, ADDITIONAL: 13

;; QUESTION SECTION:
;.  IN  NS

;; ANSWER SECTION:
.   518400  IN  NS  a.root-servers.net.
.   518400  IN  NS  m.root-servers.net.
.   518400  IN  NS  i.root-servers.net.
.   518400  IN  NS  b.root-servers.net.
.   518400  IN  NS  h.root-servers.net.
.   518400  IN  NS  e.root-servers.net.
.   518400  IN  NS  j.root-servers.net.
.   518400  IN  NS  g.root-servers.net.
.   518400  IN  NS  l.root-servers.net.
.   518400  IN  NS  k.root-servers.net.
.   518400  IN  NS  f.root-servers.net.
.   518400  IN  NS  c.root-servers.net.
.   518400  IN  NS  d.root-servers.net.

;; ADDITIONAL SECTION:
a.root-servers.net. 360 IN  A     198.41.0.4
a.root-servers.net. 360 IN  AAAA  2001:503:ba3e::2:30
b.root-servers.net. 360 IN  A     192.228.79.201
b.root-servers.net. 360 IN  AAAA  2001:500:84::b
c.root-servers.net. 360 IN  A     192.33.4.12
c.root-servers.net. 360 IN  AAAA  2001:500:2::c
d.root-servers.net. 360 IN  A     199.7.91.13
d.root-servers.net. 360 IN  AAAA  2001:500:2d::d
e.root-servers.net. 360 IN  A     192.203.230.10
f.root-servers.net. 360 IN  A     192.5.5.241
f.root-servers.net. 360 IN  AAAA  2001:500:2f::f
g.root-servers.net. 360 IN  A     192.112.36.4
h.root-servers.net. 360 IN  A     198.97.190.53

;; Query time: 12 msec
;; SERVER: 192.168.99.1#53(192.168.99.1)
;; WHEN: Wed Aug 10 14:54:00 2016
;; MSG SIZE  rcvd: 496

;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 53554
;; flags: qr; QUERY: 1, ANSWER: 0, AUTHORITY: 6, ADDITIONAL: 12

;; QUESTION SECTION:
;www.kissimmee.org. IN  A

;; AUTHORITY SECTION:
org.  172800  IN  NS  a0.org.afilias-nst.info.
org.  172800  IN  NS  a2.org.afilias-nst.info.
org.  172800  IN  NS  b0.org.afilias-nst.org.
org.  172800  IN  NS  b2.org.afilias-nst.org.
org.  172800  IN  NS  c0.org.afilias-nst.info.
org.  172800  IN  NS  d0.org.afilias-nst.org.

;; ADDITIONAL SECTION:
a0.org.afilias-nst.info. 172800 IN  A   199.19.56.1
a2.org.afilias-nst.info. 172800 IN  A   199.249.112.1
b0.org.afilias-nst.org. 172800  IN  A   199.19.54.1
b2.org.afilias-nst.org. 172800  IN  A   199.249.120.1
c0.org.afilias-nst.info. 172800 IN  A   199.19.53.1
d0.org.afilias-nst.org. 172800  IN  A   199.19.57.1
a0.org.afilias-nst.info. 172800 IN  AAAA  2001:500:e::1
a2.org.afilias-nst.info. 172800 IN  AAAA  2001:500:40::1
b0.org.afilias-nst.org. 172800  IN  AAAA  2001:500:c::1
b2.org.afilias-nst.org. 172800  IN  AAAA  2001:500:48::1
c0.org.afilias-nst.info. 172800 IN  AAAA  2001:500:b::1
d0.org.afilias-nst.org. 172800  IN  AAAA  2001:500:f::1

;; Query time: 217 msec
;; SERVER: 192.58.128.30#53(192.58.128.30)
;; WHEN: Wed Aug 10 14:54:02 2016
;; MSG SIZE  rcvd: 437

;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 27382
;; flags: qr; QUERY: 1, ANSWER: 0, AUTHORITY: 4, ADDITIONAL: 0

;; QUESTION SECTION:
;www.kissimmee.org. IN  A

;; AUTHORITY SECTION:
kissimmee.org.  86400   IN  NS  ns4.nameresolve.com.
kissimmee.org.  86400   IN  NS  ns3.nameresolve.com.
kissimmee.org.  86400   IN  NS  ns1.nameresolve.com.
kissimmee.org.  86400   IN  NS  ns2.nameresolve.com.

;; Query time: 105 msec
;; SERVER: 199.19.53.1#53(199.19.53.1)
;; WHEN: Wed Aug 10 14:54:03 2016
;; MSG SIZE  rcvd: 122

;; Got answer:
;; ->>HEADER<<- opcode: QUERY, s

Re: nxdomain rfc2308 type 2, but authority is incorrect

2016-08-10 Thread William Herrin
On Wed, Aug 10, 2016 at 2:05 PM, Joe Maimon  wrote:
> www.kissimmee.org
>
> Windows 2008 dns cannot resolve it.
>
> BIND can.

Hi Joe,

Does Windows 2008 like anything in the "hosting" TLD?

I notice that the nameresolve.com servers returning the CNAME to
kissimmee-fl.vts.hosting are also returning an SOA record for
"hosting" in the authority section which looks very strange to me.
Perhaps Windows is rejecting it as an invalid, possibly dangerous
response packet?

Regards,
Bill Herrin


-- 
William Herrin  her...@dirtside.com  b...@herrin.us
Owner, Dirtside Systems . Web: 


nxdomain rfc2308 type 2, but authority is incorrect

2016-08-10 Thread Joe Maimon

www.kissimmee.org

Windows 2008 dns cannot resolve it.

BIND can.

Windows appears to believe the rfc2308 type 2 response, even though 
recursing the CNAME results in a different authority, ns, and A 
response, which I am assuming is why BIND returns the answer.


I must be missing a switch somewhere. Any pointers would be appreciated.