[AusNOG] DNS delegations and QNAME MINIMISATION
Mark Andrews
marka at isc.org
Tue Apr 30 00:23:38 EST 2019
Recursive servers that perform QNAME MINIMISATION (to prevent
leaking the full QNAME to high level zones) find *broken*
delegations as they ask for and learn the NS records at top
of zone. This happens for EVERY delegation in the path.
This includes delegation in load balancers like this one (company name
changes to example) that points to a non-existent TLD (.local) which I
found when attempting to lookup the web site.
egslb.example.com.au. 0 IN NS XXXXXXXXXXX.mgmt.example.local.
Please check every delegation under your control. The delegating NS
records and those at top of zone should match. If they don’t some of
your customers may not be able to successfully resolve records from
your zones.
Yes, there are representatives of this company on this list. Yes, they
are being informed by other channels. This is just a reminder to
everyone on this list that the DNS should be managed properly. Most
of the time we see issues like this, it is with GLBs as is the case
here.
Check the delegations to you GLB and the NS published by the GLB *match*
and fix them if they do not.
Mark
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: marka at isc.org
More information about the AusNOG
mailing list