Hi all,

I decided to start a new thread for this, because it isn't really
about draft-andrews-dnsop-glue-is-not-optional - it is more of an
interesting aside / rathole...

What if you *only* have glue, and no authoritative answer / server?
Can I register example.com, put in www.example.com A 192.0.2.1 as
glue, and not bother with this whole annoying authoritative server
thing?


I asked this back in 2014, and was (correctly) told that this should
not work - I was pointed at RFC2181, which says:
   "Unauthenticated RRs received and cached from the least trustworthy of
   those groupings, that is data from the additional data section, and
   data from the authority section of a non-authoritative answer, should
   not be cached in such a way that they would ever be returned as
   answers to a received query.  They may be returned as additional
   information where appropriate.  Ignoring this would allow the
   trustworthiness of relatively untrustworthy data to be increased
   without cause or excuse."

I did some testing on this back in late 2014, and the "success" rate
was ~75% - this has now dropped to ~5% (using Atlas to measure).

What on earth am I talking about? For the domain wow4dns.com, I have
*only* got glue (answers edited for brevity):

  $ dig +nostat +nocmd ns wow4dns.com @a.gtld-servers.com
  ;; QUESTION SECTION:
  ;wow4dns.com. IN NS
  ;; AUTHORITY SECTION:
  wow4dns.com. 172800 IN NS www.wow4dns.com.
  wow4dns.com. 172800 IN NS www1.wow4dns.com.
  ;; ADDITIONAL SECTION:
  www.wow4dns.com. 172800 IN A 193.151.173.35
  www1.wow4dns.com. 172800 IN A 193.151.173.35

There is no name-server listening on 193.151.173.35:
  $ dig www.wow4dns.com @193.151.173.35
  ;; connection timed out; no servers could be reached

There is, just for giggles, a webserver...

Using 1000 RIPE Atlas nodes, I try to resolve the name www.wow4dns.com
-- according to RFC2181 this Should Not Work(tm) -- and yet, ~3-5% of
resolvers (in this run, 38 out of 984) will resolve it, and to the
correct IP. This is RIPE Measurement #25400908 [0] for those who want
to play along at home...

The majority of these resolvers are in RFC1918 space, but there are
also some public addresses, including open recursives - e.g:
  $ dig www.wow4dns.com @37.32.120.136
  www.wow4dns.com. 86037 IN A 193.151.173.35

  $ host 37.32.120.136
  136.120.32.37.in-addr.arpa domain name pointer ns1.systec.ir.

  $ dig www.wow4dns.com @185.210.180.6
  www.wow4dns.com. 84737 IN A 193.151.173.35

  $ host 185.210.180.6
  6.180.210.185.in-addr.arpa domain name pointer ns2.txtv-tz.com.

Looking in the webserver log, there are also some hits - e.g:
- - [21/May/2020:19:09:10 +0000] "GET /favicon.ico HTTP/1.1" 404 209
"http://www.wow4dns.com/"; "Mozilla/5.0 (Macintosh; Intel Mac OS X
10_15_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.138
Safari/537.36"


What does all of this *mean*?
..
..
..
Sorry, I haven't a clue, other than maybe:
The DNS is weird.
We passed the complexity event horizon a long time back...


W
[0]: https://atlas.ripe.net/measurements/25400908/#!probes

-- 
I don't think the execution is relevant when it was obviously a bad
idea in the first place.
This is like putting rabid weasels in your pants, and later expressing
regret at having chosen those particular rabid weasels and that pair
of pants.
   ---maf
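As an added illustration (not part of the post above, and not anyone's production resolver code), the following toy cache applies the RFC 2181 section 5.4.1 ranking the post quotes: data learned from a referral's authority and additional sections sits at the lowest rank, may be used to pick a server to ask or to fill an additional section, but is never returned as an answer. The `strict=False` path models the minority of resolvers the Atlas measurement caught answering from glue. Names and addresses are constructed from RFC 5737 documentation space, mirroring the www.example.com case from the post rather than the live wow4dns.com zone.

```python
"""Toy resolver cache applying the RFC 2181 section 5.4.1 trust ranking.

Added example, not from the original post. Demonstrates that glue learned
from a parent referral can locate nameservers but must never be served as
an answer, and that lower-ranked data never displaces higher-ranked data.
All names and addresses are constructed (RFC 5737 documentation space).
"""
from dataclasses import dataclass
from enum import IntEnum
from typing import Optional


class Rank(IntEnum):
    """Trust ranking, least to most trustworthy (subset of RFC 2181 5.4.1)."""
    GLUE = 1            # additional section of any answer, or the authority
                        # section of a non-authoritative answer (referrals)
    NONAUTH_ANSWER = 2  # answer section of a non-authoritative answer
    AUTH_AUTHORITY = 3  # authority section of an authoritative answer
    AUTH_ANSWER = 4     # answer section of an authoritative answer


# Lowest rank a compliant cache may return as the answer to a client query.
ANSWER_THRESHOLD = Rank.NONAUTH_ANSWER


@dataclass(frozen=True)
class RRset:
    name: str
    rtype: str
    rdata: tuple  # tuple of rdata strings
    rank: Rank


class RankedCache:
    def __init__(self) -> None:
        self._store: dict = {}

    @staticmethod
    def _key(name: str, rtype: str):
        return (name.lower().rstrip("."), rtype.upper())

    def insert(self, rrset: RRset) -> bool:
        """Cache rrset unless higher-ranked data for the same name/type is
        already present (RFC 2181: lower rank never displaces higher)."""
        key = self._key(rrset.name, rrset.rtype)
        have = self._store.get(key)
        if have is not None and have.rank > rrset.rank:
            return False
        self._store[key] = rrset
        return True

    def lookup(self, name: str, rtype: str) -> Optional[RRset]:
        return self._store.get(self._key(name, rtype))

    def answer(self, name: str, rtype: str, strict: bool = True) -> Optional[RRset]:
        """Data for the ANSWER section. strict=True withholds glue-ranked
        data; strict=False models resolvers that answer from glue anyway."""
        rrset = self.lookup(name, rtype)
        if rrset is None:
            return None
        if strict and rrset.rank < ANSWER_THRESHOLD:
            return None
        return rrset

    def additional(self, name: str, rtype: str) -> Optional[RRset]:
        """Data for the ADDITIONAL section or for choosing a server to query:
        any rank is acceptable for that purpose."""
        return self.lookup(name, rtype)


def learn_referral(cache: RankedCache, zone: str, nameservers: dict) -> None:
    """Cache a parent-side referral: NS from the authority section and A glue
    from the additional section, both at the lowest rank."""
    cache.insert(RRset(zone, "NS", tuple(nameservers), Rank.GLUE))
    for ns_name, addr in nameservers.items():
        cache.insert(RRset(ns_name, "A", (addr,), Rank.GLUE))


def resolve_glue_only(strict: bool = True):
    """Glue-only zone: the parent hands out NS + glue, but nothing listens on
    the glue address, so every query to the child times out (constructed)."""
    cache = RankedCache()
    learn_referral(cache, "example.com", {"www.example.com": "192.0.2.1"})
    hit = cache.answer("www.example.com", "A", strict=strict)
    if hit is not None:
        return ("ANSWER", hit.rdata[0])
    # Glue may still be used to find a server to ask...
    server = cache.additional("www.example.com", "A")
    if server is None:
        return ("SERVFAIL", None)
    # ...but in this scenario the query times out, and with nothing of
    # answer rank in the cache the only compliant outcome is SERVFAIL.
    return ("SERVFAIL", None)


def ranking_demo():
    """Authoritative data replaces glue; later glue cannot override it."""
    cache = RankedCache()
    cache.insert(RRset("www.example.com", "A", ("192.0.2.1",), Rank.GLUE))
    replaced = cache.insert(RRset("www.example.com", "A", ("192.0.2.10",), Rank.AUTH_ANSWER))
    overridden = cache.insert(RRset("www.example.com", "A", ("192.0.2.99",), Rank.GLUE))
    return replaced, overridden, cache.answer("www.example.com", "A").rdata[0]


if __name__ == "__main__":
    print(resolve_glue_only(strict=True))   # ('SERVFAIL', None)
    print(resolve_glue_only(strict=False))  # ('ANSWER', '192.0.2.1')
    print(ranking_demo())                   # (True, False, '192.0.2.10')
```

The split between `answer()` and `additional()` is the whole point of the ranking: the same cached glue is legitimately usable to reach the child's servers, and the defect in the ~3-5% of resolvers above is that they let that glue cross into the answer section.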

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
