[DNSOP] Glue is not optional, but sometimes it *is* sufficient...

Warren Kumari <warren@kumari.net> Thu, 21 May 2020 20:08 UTC

From: Warren Kumari <warren@kumari.net>
Date: Thu, 21 May 2020 16:07:41 -0400
Message-ID: <CAHw9_i+UsV9NkuPM4KYBZhO7_J78MkUEyVR3fr=vOX-vsjJeUA@mail.gmail.com>
To: dnsop <dnsop@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/Q0RYtv1qvuOY93mAUNWmlUNqQow>
Subject: [DNSOP] Glue is not optional, but sometimes it *is* sufficient...

Hi all,

I decided to start a new thread for this, because it isn't really
about draft-andrews-dnsop-glue-is-not-optional - it is more of an
interesting aside / rathole...

What if you *only* have glue, and no authoritative answer / server?
Can I register example.com, put in www.example.com A 192.0.2.1 as
glue, and not bother with this whole annoying authoritative server
thing?


I asked this back in 2014, and was (correctly) told that this should
not work - I was pointed at RFC2181, which says:
   "Unauthenticated RRs received and cached from the least trustworthy of
   those groupings, that is data from the additional data section, and
   data from the authority section of a non-authoritative answer, should
   not be cached in such a way that they would ever be returned as
   answers to a received query.  They may be returned as additional
   information where appropriate.  Ignoring this would allow the
   trustworthiness of relatively untrustworthy data to be increased
   without cause or excuse."

I did some testing on this back in late 2014, and the "success" rate
was ~75% - this has now dropped to ~5% (using Atlas to measure).

What on earth am I talking about? For the domain wow4dns.com, I have
*only* got glue (answers edited for brevity):

  $ dig +nostat +nocmd ns wow4dns.com @a.gtld-servers.net
  ;; QUESTION SECTION:
  ;wow4dns.com. IN NS
  ;; AUTHORITY SECTION:
  wow4dns.com. 172800 IN NS www.wow4dns.com.
  wow4dns.com. 172800 IN NS www1.wow4dns.com.
  ;; ADDITIONAL SECTION:
  www.wow4dns.com. 172800 IN A 193.151.173.35
  www1.wow4dns.com. 172800 IN A 193.151.173.35

There is no name-server listening on 193.151.173.35:
  $ dig www.wow4dns.com @193.151.173.35
  ;; connection timed out; no servers could be reached

There is, just for giggles, a webserver...

Using 1000 RIPE Atlas nodes, I try to resolve the name www.wow4dns.com
-- according to RFC2181 this Should Not Work(tm) -- and yet, ~3-5% of
resolvers (in this run, 38 out of 984) will resolve it, and to the
correct IP. This is RIPE Measurement #25400908 [0] for those who want
to play along at home...

The majority of these resolvers are in RFC1918 space, but there are
also some public addresses, including open recursives - e.g:
  $ dig www.wow4dns.com @37.32.120.136
  www.wow4dns.com. 86037 IN A 193.151.173.35

  $ host 37.32.120.136
  136.120.32.37.in-addr.arpa domain name pointer ns1.systec.ir.

  $ dig www.wow4dns.com @185.210.180.6
  www.wow4dns.com. 84737 IN A 193.151.173.35

  $ host 185.210.180.6
  6.180.210.185.in-addr.arpa domain name pointer ns2.txtv-tz.com.

Looking in the webserver log, there are also some hits - e.g:
  - - [21/May/2020:19:09:10 +0000] "GET /favicon.ico HTTP/1.1" 404 209 "http://www.wow4dns.com/" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.138 Safari/537.36"


What does all of this *mean*?
.
.
.
Sorry, I haven't a clue, other than maybe:
The DNS is weird.
We passed the complexity event horizon a long time back...


W
[0]: https://atlas.ripe.net/measurements/25400908/#!probes

-- 
I don't think the execution is relevant when it was obviously a bad
idea in the first place.
This is like putting rabid weasels in your pants, and later expressing
regret at having chosen those particular rabid weasels and that pair
of pants.
   ---maf
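As an added illustration of the RFC 2181 section 5.4.1 point the post quotes (this is editor-written example code, not part of Warren's message and not any resolver's real cache implementation), here is a toy resolver cache that ranks cached RRs by the section and reply type they arrived in. The referral object is constructed by hand to mirror the wow4dns.com delegation shown above; the `rank_data=False` mode models the ~5% of resolvers that answered from glue alone, and the second scenario shows why the ranking matters for security: a stray additional-section record must not overwrite an authoritative answer already in cache. The `Trust` levels are a simplified four-step version of the RFC's ranking, and `www.example.com` / `203.0.113.9` in the override scenario are made-up values.

```python
"""Toy cache implementing the RFC 2181 s5.4.1 trust ranking (example code)."""
from dataclasses import dataclass, field
from enum import IntEnum
from typing import Dict, List, Optional, Tuple


class Trust(IntEnum):
    """Simplified RFC 2181 s5.4.1 ranking; a higher value is more trustworthy."""
    ADDITIONAL = 1       # additional section, or authority section of a
                         # non-authoritative reply: the "least trustworthy"
    NONAUTH_ANSWER = 2   # answer section of a non-authoritative reply
    AUTH_AUTHORITY = 3   # authority section of an authoritative reply
    AUTH_ANSWER = 4      # answer section of an authoritative reply


# Lowest rank that may ever be returned in the ANSWER section of a client reply.
ANSWER_THRESHOLD = Trust.NONAUTH_ANSWER


@dataclass(frozen=True)
class RR:
    name: str
    rtype: str
    rdata: str
    ttl: int = 3600


@dataclass
class Response:
    qname: str
    qtype: str
    aa: bool                      # AA bit as set by the responding server
    answer: List[RR] = field(default_factory=list)
    authority: List[RR] = field(default_factory=list)
    additional: List[RR] = field(default_factory=list)


class Cache:
    def __init__(self, rank_data: bool = True) -> None:
        # rank_data=False models a resolver that treats every cached RR as
        # answer-eligible, i.e. one that ignores the RFC 2181 ranking.
        self.rank_data = rank_data
        self._entries: Dict[Tuple[str, str], Tuple[RR, Trust]] = {}

    @staticmethod
    def _key(name: str, rtype: str) -> Tuple[str, str]:
        return (name.lower().rstrip(".") + ".", rtype.upper())

    def _store(self, rr: RR, trust: Trust) -> None:
        key = self._key(rr.name, rr.rtype)
        current = self._entries.get(key)
        # Never replace cached data with less trustworthy data.
        if current is None or trust >= current[1]:
            self._entries[key] = (rr, trust)

    def ingest(self, resp: Response) -> None:
        for rr in resp.answer:
            self._store(rr, Trust.AUTH_ANSWER if resp.aa else Trust.NONAUTH_ANSWER)
        for rr in resp.authority:
            self._store(rr, Trust.AUTH_AUTHORITY if resp.aa else Trust.ADDITIONAL)
        for rr in resp.additional:
            self._store(rr, Trust.ADDITIONAL)

    def answer(self, name: str, rtype: str) -> Optional[str]:
        """What this cache would place in the ANSWER section of a client reply."""
        hit = self._entries.get(self._key(name, rtype))
        if hit is None:
            return None
        rr, trust = hit
        if self.rank_data and trust < ANSWER_THRESHOLD:
            return None   # usable as glue to pick a server, never as an answer
        return rr.rdata

    def glue(self, name: str, rtype: str) -> Optional[str]:
        """Any cached data, whatever its rank, usable for choosing a server address."""
        hit = self._entries.get(self._key(name, rtype))
        return hit[0].rdata if hit else None


# Constructed referral mirroring the .com delegation for wow4dns.com in the post.
REFERRAL = Response(
    qname="www.wow4dns.com.", qtype="A", aa=False,
    authority=[RR("wow4dns.com.", "NS", "www.wow4dns.com.", 172800),
               RR("wow4dns.com.", "NS", "www1.wow4dns.com.", 172800)],
    additional=[RR("www.wow4dns.com.", "A", "193.151.173.35", 172800),
                RR("www1.wow4dns.com.", "A", "193.151.173.35", 172800)],
)


def resolve_glue_only(rank_data: bool) -> Optional[str]:
    """One resolver's view: take the referral, find nothing listening at the
    glue address, then see whether the cache still answers www.wow4dns.com A."""
    cache = Cache(rank_data=rank_data)
    cache.ingest(REFERRAL)
    assert cache.glue("www.wow4dns.com.", "A") == "193.151.173.35"  # next hop
    # The authoritative query to 193.151.173.35 times out, so nothing else is cached.
    return cache.answer("www.wow4dns.com.", "A")


def glue_cannot_overwrite_authoritative() -> Optional[str]:
    """Why the ranking matters: unsolicited additional data must not displace
    an authoritative answer already in cache (made-up names and addresses)."""
    cache = Cache()
    cache.ingest(Response("www.example.com.", "A", aa=True,
                          answer=[RR("www.example.com.", "A", "192.0.2.1")]))
    cache.ingest(Response("other.example.net.", "A", aa=False,
                          additional=[RR("www.example.com.", "A", "203.0.113.9")]))
    return cache.answer("www.example.com.", "A")


if __name__ == "__main__":
    print("ranking resolver:", resolve_glue_only(True))    # None (SERVFAIL-ish)
    print("glue-promoting resolver:", resolve_glue_only(False))  # 193.151.173.35
    print("after poisoned additional:", glue_cannot_overwrite_authoritative())
```

A resolver that behaves like `Cache(rank_data=True)` fails the wow4dns.com lookup, as RFC 2181 intends; one that behaves like `Cache(rank_data=False)` is what the 38-of-984 Atlas probes in the measurement were sitting behind, and the same shortcut is what lets off-path additional-section records poison a cache if the replacement check in `_store` is also missing.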