How not to set up your DNS (part 21)

September 6, 2011

This one is creative, and best presented in point form.

  • the nameservers for co. are ns1.cctld.co through ns6.cctld.co.
  • if you query them for the NS records of hotmail.co, all of them point you to NS1.MSFT.NET., NS2.MSFT.NET., and NS5.MSFT.NET.

    (They do this slightly oddly, with the aa bit unset, but nameservers for other important zones also do this so I assume that it's the modern style.)

  • if you ask any of these MSFT.NET nameservers for the A record for www.hotmail.co or hotmail.co, you get answers (with the aa bit set, as you'd expect from an authoritative nameserver).

  • if you ask any of these MSFT.NET nameservers for MX, NS, or SOA records for hotmail.co, you get an interesting reply:

flags: qr aa; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

;; AUTHORITY SECTION:
. 3600 IN SOA ns1.msft.net. msnhst.microsoft.com. 2009082101 900 600 86400 3600

;; ADDITIONAL SECTION:
ns1.msft.net. 3600 IN A 65.55.37.62

(For bonus weirdness, whether or not you get the additional-section A record for ns1.msft.net depends on the query type: MX and NS queries don't get it, but SOA queries do, as in the reply above.)

We've seen grandiose claims of authority before, and it doesn't work any better this time than it did before. A server that was delegated hotmail.co by the co. nameservers is answering "authoritative, and here is the SOA of the root zone"; that SOA is outside the zone the server was asked about, so a resolver cannot accept the reply as a valid negative answer and discards it. Specifically, if you do MX lookups on hotmail.co, your DNS server will almost certainly give you a 'cannot resolve this right now' temporary failure result (SERVFAIL). This is kind of important because hotmail.co is one omitted letter away from hotmail.com and thus runs into my small wish for parked domains.

I guess I'm going to have to add another entry to our list of typo'd email domains that should have their email bounce explicitly.

(That hotmail.co has a working A record doesn't help; if an MX record lookup returns a temporary failure, a mailer must retry the MX lookup instead of falling back to the A record. It can only fall back to the A record if there is a definite 'no MX record' answer. Not that falling back to the A records would help in this case, as hotmail.co's IP addresses currently block SMTP connection attempts.)
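To make the two rules above concrete (a resolver refusing an out-of-bailiwick SOA, and a mailer deferring rather than falling back to A on a temporary MX failure), here is an added Python model; it is not code from the original post or from any resolver or MTA. The MX reply is transcribed from the dig output above; the A record's address is a constructed TEST-NET placeholder, not hotmail.co's real one, and the "fixed" reply is what a correct negative answer would have looked like.

```python
from dataclasses import dataclass, field
from enum import Enum
from typing import List, Tuple

RR = Tuple[str, str, str]  # (owner, type, rdata), as dig prints them


@dataclass
class Response:
    """The parts of a DNS reply that matter for this decision."""
    qname: str
    qtype: str
    rcode: str                      # "NOERROR", "NXDOMAIN" or "SERVFAIL"
    aa: bool                        # recorded as seen; the replies in the post set it
    answer: List[RR] = field(default_factory=list)
    authority: List[RR] = field(default_factory=list)


class Result(Enum):
    ANSWER = "records returned"
    NODATA = "name exists, no records of that type (definite)"
    NXDOMAIN = "name does not exist (definite)"
    SERVFAIL = "temporary failure, retry later"


def in_bailiwick(name: str, zone: str) -> bool:
    """True when name is zone itself or lies below it ("." is the root)."""
    name, zone = name.rstrip(".").lower(), zone.rstrip(".").lower()
    return zone == "" or name == zone or name.endswith("." + zone)


def classify(resp: Response, delegated_zone: str) -> Result:
    """What a careful resolver concludes from a reply of the server that the
    parent zone delegated `delegated_zone` to.

    A negative reply is believed only when every SOA in its authority section
    sits between the delegation point and the query name.  An SOA for "."
    from hotmail.co's server fails that test, so the reply is thrown away and
    the client sees SERVFAIL.  This is a model of the bailiwick check, not any
    particular resolver's code.
    """
    if resp.rcode == "SERVFAIL":
        return Result.SERVFAIL
    if resp.answer:
        return Result.ANSWER
    for owner, rtype, _ in resp.authority:
        if rtype != "SOA":
            continue
        if not (in_bailiwick(owner, delegated_zone) and in_bailiwick(resp.qname, owner)):
            return Result.SERVFAIL
    return Result.NXDOMAIN if resp.rcode == "NXDOMAIN" else Result.NODATA


class Action(Enum):
    DELIVER_TO_MX = "connect to the MX hosts"
    DELIVER_TO_A = "no MX: use the A record as an implicit MX"
    DEFER = "queue and retry the lookup later"
    BOUNCE = "return the mail as undeliverable"


def plan_delivery(mx: Response, a: Response, delegated_zone: str) -> Tuple[Action, List[str]]:
    """RFC 5321 section 5.1 routing, fed by classify() above."""
    mx_result = classify(mx, delegated_zone)
    if mx_result is Result.ANSWER:
        # rdata is "preference host"; order by preference, keep the host names
        hosts = sorted((int(rd.split()[0]), rd.split()[1]) for _, t, rd in mx.answer if t == "MX")
        return Action.DELIVER_TO_MX, [h for _, h in hosts]
    if mx_result is Result.SERVFAIL:
        return Action.DEFER, []        # must retry the MX lookup, never fall back to A
    if mx_result is Result.NXDOMAIN:
        return Action.BOUNCE, []
    # Definite "no MX records": only now may the A record stand in for the MX.
    a_result = classify(a, delegated_zone)
    if a_result is Result.ANSWER:
        return Action.DELIVER_TO_A, [rd for _, t, rd in a.answer if t == "A"]
    if a_result is Result.SERVFAIL:
        return Action.DEFER, []
    return Action.BOUNCE, []


# Constructed replies (see the lead-in). The SOA rdata is copied from the post's dig output.
BOGUS_SOA = (".", "SOA", "ns1.msft.net. msnhst.microsoft.com. 2009082101 900 600 86400 3600")
HOTMAIL_CO_MX = Response("hotmail.co.", "MX", "NOERROR", aa=True, authority=[BOGUS_SOA])
HOTMAIL_CO_A = Response("hotmail.co.", "A", "NOERROR", aa=True,
                        answer=[("hotmail.co.", "A", "192.0.2.10")])   # placeholder address
# The same negative reply as it should have been: an SOA for the zone itself.
FIXED_MX = Response("hotmail.co.", "MX", "NOERROR", aa=True,
                    authority=[("hotmail.co.", "SOA",
                                "ns1.msft.net. msnhst.microsoft.com. 1 900 600 86400 3600")])


if __name__ == "__main__":
    for label, mx in (("as served", HOTMAIL_CO_MX), ("with a proper SOA", FIXED_MX)):
        action, targets = plan_delivery(mx, HOTMAIL_CO_A, "hotmail.co")
        print(f"{label}: MX lookup -> {classify(mx, 'hotmail.co').name}; mailer -> {action.name} {targets}")
```

Run as-is it prints the two outcomes: the reply as served yields SERVFAIL and the mailer defers (the working A record never comes into play), while the same NODATA reply with an in-zone SOA is a definite "no MX" that lets the mailer fall back to the A record.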

(It's been a while since the last installment.)


Comments on this page:

From 203.26.95.65 at 2011-09-06 21:21:24:

The missing 'aa' flags are wrong, but too common to care about. BIND tried not that long ago:

http://www.isc.org/community/blog/201007/compatibility-issues-bind-970-and-971

--Robert Mibus <mibus@mibus.org>

From 109.144.219.68 at 2011-09-08 17:31:48:

The co nameservers aren't auth for hotmail.co (and that's perfect!), so the missing aa flags are fine.

-c
Last modified: Tue Sep 6 17:06:45 2011