How not to set up your DNS (part 16)

July 9, 2007

Sort of presented in the traditional illustrated format:

; sdig ns ibc.com.au.
ns1.ibc.com.au.
ns2.ibc.com.au.
; dig cname ibc.com.au. @ns1.ibc.com.au.
[...]
;; flags: qr aa; QUERY: 1, ANSWER: 1, [...]
[...]
;; ANSWER SECTION:
ibc.com.au. IN SOA ns1.ibc.com.au. \
             hostmaster.localdomain. [....]

(The TTL has been omitted and the line wrapped for clarity.)

This is not how you are supposed to say 'I do not have a CNAME record'. What ibc.com.au should be doing is returning a reply with nothing in the answer section and their SOA record in the authority section (what dig labels AUTHORITY SECTION); that is the standard 'no data' response.

The net result of this issue is that a number of resolving nameservers will return SERVFAIL when asked to see if ibc.com.au is a CNAME, which has various interesting downstream consequences.

(Technically the com.au zone says that ibc.com.au has two other nameservers, however a) ibc.com.au disagrees, since the extras are not in the NS records that the first two return and b) the extra two are non-authoritative anyway.)
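To make the difference concrete, here is an added example (mine, not part of the original post) that builds three DNS responses to a CNAME query in wire format and classifies each the way a careful resolver would: the correct 'no data' reply (empty answer section, SOA in the authority section), the broken reply above (SOA in the answer section), and a CNAME that points at its own owner name. The messages, the zone contents and the function names (`build_response`, `parse_response`, `classify_cname_lookup`) are all constructed for this illustration; only the domain name comes from the post.

```python
import struct

# Constructed example: minimal DNS wire-format builder, parser and classifier.
QTYPE_NS, QTYPE_CNAME, QTYPE_SOA = 2, 5, 6
QCLASS_IN = 1
ZONE = "ibc.com.au."  # name from the post; all records below are invented


def encode_name(name):
    """Encode a dotted name as uncompressed DNS labels."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_response(qname, qtype, answers, authority, aa=True, rcode=0):
    """Build a response; answers/authority are (owner, type, rdata) tuples.
    Owner names are written uncompressed; rdata is used verbatim."""
    flags = 0x8000 | (0x0400 if aa else 0) | rcode       # QR, AA, RCODE
    msg = struct.pack("!HHHHHH", 0x1234, flags, 1, len(answers), len(authority), 0)
    msg += encode_name(qname) + struct.pack("!HH", qtype, QCLASS_IN)
    for owner, rtype, rdata in answers + authority:
        msg += encode_name(owner) + struct.pack("!HHIH", rtype, QCLASS_IN, 3600, len(rdata)) + rdata
    return msg


def read_name(msg, off):
    """Decode a (possibly compressed) name at off; return (name, offset after it)."""
    labels, end, hops = [], None, 0
    while True:
        ln = msg[off]
        if ln & 0xC0 == 0xC0:                              # compression pointer
            if end is None:
                end = off + 2
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            hops += 1
            if hops > 64:
                raise ValueError("compression pointer loop")
            continue
        off += 1
        if ln == 0:
            break
        labels.append(msg[off:off + ln].decode("ascii"))
        off += ln
    return ".".join(labels).lower() + ".", (end if end is not None else off)


def parse_response(msg):
    """Parse header, question and the three RR sections into a dict."""
    _id, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off, questions = 12, []
    for _ in range(qd):
        name, off = read_name(msg, off)
        qtype, _qclass = struct.unpack("!HH", msg[off:off + 4])
        off += 4
        questions.append((name, qtype))
    sections = []
    for count in (an, ns, ar):
        rrs = []
        for _ in range(count):
            owner, off = read_name(msg, off)
            rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
            off += 10
            # Only CNAME/NS rdata is a single name; decode it so loops can be seen.
            target = read_name(msg, off)[0] if rtype in (QTYPE_CNAME, QTYPE_NS) else None
            off += rdlen
            rrs.append((owner, rtype, target))
        sections.append(rrs)
    return {"rcode": flags & 0xF, "aa": bool(flags & 0x0400), "question": questions,
            "answer": sections[0], "authority": sections[1], "additional": sections[2]}


def classify_cname_lookup(msg, qname):
    """Label a reply to 'qname CNAME?' the way a strict resolver would judge it."""
    r = parse_response(msg)
    qname = qname.lower().rstrip(".") + "."
    if r["rcode"] != 0:
        return "error-rcode-%d" % r["rcode"]
    cnames = [rr for rr in r["answer"] if rr[0] == qname and rr[1] == QTYPE_CNAME]
    if cnames:
        return "cname-self-loop" if cnames[0][2] == qname else "cname"
    if any(rr[1] == QTYPE_SOA for rr in r["answer"]):
        return "soa-in-answer"          # the ibc.com.au mistake: malformed, often SERVFAIL
    if not r["answer"] and any(rr[1] == QTYPE_SOA for rr in r["authority"]):
        return "nodata"                 # the correct way to say 'no such RRset'
    return "unexpected"


# Constructed SOA rdata: MNAME, RNAME, then serial/refresh/retry/expire/minimum.
SOA_RDATA = (encode_name("ns1." + ZONE) + encode_name("hostmaster.localdomain.")
             + struct.pack("!IIIII", 2007070901, 3600, 900, 604800, 3600))
GOOD_NODATA = build_response(ZONE, QTYPE_CNAME, [], [(ZONE, QTYPE_SOA, SOA_RDATA)])
BROKEN_SOA_IN_ANSWER = build_response(ZONE, QTYPE_CNAME, [(ZONE, QTYPE_SOA, SOA_RDATA)], [])
# CNAME rdata is a compression pointer (0xC00C) back to the question name at offset 12.
SELF_CNAME = build_response(ZONE, QTYPE_CNAME, [(ZONE, QTYPE_CNAME, b"\xc0\x0c")], [])

if __name__ == "__main__":
    for label, m in (("good", GOOD_NODATA), ("broken", BROKEN_SOA_IN_ANSWER), ("self", SELF_CNAME)):
        print(label, classify_cname_lookup(m, ZONE))
```

The classifier checks the sections in the order a resolver cares about: an rcode other than 0 first, then a CNAME at the owner name (and whether it loops back to itself), then the mistaken SOA-in-answer form, and only then the well-formed empty answer with SOA in the authority section. A resolver that refuses the 'soa-in-answer' shape is the one that hands back SERVFAIL, which is the downstream effect the post describes.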


Comments on this page:

From 202.43.0.253 at 2007-07-29 15:34:00:

Hi Chris, I noticed your comment on "How not to set up a DNS", and using ibc.com.au as an example. I have passed it on to my tech guys for their thoughts. Thanks for your comments.

Cheers,
Richard Keeves
Managing Director, IBC
www.ibc.com.au

email richard at you can figure the rest

By cks at 2007-07-29 23:37:59:

(An obligatory note: I used magic site admin powers to relocate this comment from the page it was originally left on to here.)

By cks at 2007-08-16 12:34:44:

As a followup, I note that ibc.com.au is now a CNAME to itself, and for extra bonus points their authoritative nameservers return the CNAME plus additional NS records. This doesn't work, to put it one way, and I have no idea why they want a CNAME that points to itself.

The net effect is that once you check ibc.com.au for a CNAME record, as our mailer does, you're not going to be able to look up anything about ibc.com.au for the next day or so.

(Apparently their primary nameservers are smart enough to not return the CNAME information unless asked specifically about it, which is both good and bad.)

Last modified: Mon Jul 9 15:56:42 2007