How not to set up your DNS (part 21)

September 6, 2011

This one is creative, and best presented in point form.

  • the nameservers for co. are through
  • if you query them for the NS records of, all of them point you to NS1.MSFT.NET., NS2.MSFT.NET., and NS5.MSFT.NET.

    (They do this slightly oddly, with the aa bit unset, but nameservers for other important zones also do this so I assume that it's the modern style.)

  • if you ask any of these MSFT.NET nameservers for the A record for or, you get answers (with the aa bit set, as you'd expect from an authoritative nameserver).

  • if you ask any of these MSFT.NET nameservers for MX, NS, or SOA records for, you get an interesting reply:

flags: qr aa; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

. 3600 IN SOA 2009082101 900 600 86400 3600


(For bonus weirdness, whether or not you get the A record for depends on what query you're making; MX and NS queries do not, but SOA queries do.)

We've seen grandiose claims of authority before, and it doesn't work any better this time than it did before. Specifically, if you do MX lookups on, your DNS server will almost certainly give you a 'cannot resolve this right now' temporary failure result. This is kind of important because is one omitted letter away from and thus runs into my small wish for parked domains.

I guess I'm going to have to add another entry to our list of typo'd email domains that should have their email bounce explicitly.

(That has a working A record doesn't help; if an MX record lookup returns a temporary failure, a mailer must retry the MX lookup instead of falling back to the A record. It can only fall back to the A record if there is a definite 'no MX record' answer. Not that falling back to the A records would help in this case, as's IP addresses currently block SMTP connection attempts.)
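To make the two points above concrete (a negative answer whose AUTHORITY section carries an SOA for "." is not something a resolver can accept, and a mailer must treat the resulting temporary failure as "retry later", never as "no MX, use the A record"), here is an added example that is not part of the original post. It models a simplified bailiwick check on the SOA in a NODATA reply and the SMTP client's decision table on top of it. The domain names, the constructed replies and the helper names (`validate_negative_answer`, `mailer_decision`) are all assumptions made for illustration; the check is a reduced version of what real resolvers do, not a complete resolver.

```python
# Added example (not from the original post): why a negative answer whose
# AUTHORITY section carries an SOA for "." makes a resolver return a temporary
# failure, and why a mailer must then retry rather than fall back to A records.
# All names and responses below are constructed for illustration.
from dataclasses import dataclass, field
from typing import List


@dataclass
class RR:
    """One resource record; rdata is kept as an opaque string."""
    owner: str
    rtype: str
    rdata: str
    ttl: int = 3600


@dataclass
class Response:
    """The parts of a DNS reply this example looks at."""
    rcode: str                       # "NOERROR", "NXDOMAIN" or "SERVFAIL"
    aa: bool                         # authoritative-answer flag
    answer: List[RR] = field(default_factory=list)
    authority: List[RR] = field(default_factory=list)


def _canon(name: str) -> str:
    """Lower-case a name and make sure it ends with a single dot."""
    name = name.lower().rstrip(".")
    return name + "."


def is_subdomain(name: str, zone: str) -> bool:
    """True if name is zone itself or lies below it ("." contains everything)."""
    name, zone = _canon(name), _canon(zone)
    if zone == ".":
        return True
    return name == zone or name.endswith("." + zone)


def validate_negative_answer(qname: str, delegated_zone: str, resp: Response) -> str:
    """Judge a NOERROR/empty-answer reply from a server we reached by following
    a delegation to delegated_zone.

    Returns "NODATA" when the reply is a credible 'no records of that type'
    proof, "BOGUS" when its SOA does not belong to the zone the server was
    delegated (a server for a child zone cannot prove anything with the root's
    SOA), and "NOT_NEGATIVE" for anything else.  Simplified version of the
    RFC 2308 / bailiwick checks a real resolver applies (an assumption here)."""
    if resp.rcode != "NOERROR" or resp.answer:
        return "NOT_NEGATIVE"
    soas = [rr for rr in resp.authority if rr.rtype == "SOA"]
    if len(soas) != 1:
        return "BOGUS"
    soa_owner = soas[0].owner
    # The SOA must cover the queried name ...
    if not is_subdomain(qname, soa_owner):
        return "BOGUS"
    # ... and must sit at or below the zone this server was delegated for.
    if not is_subdomain(soa_owner, delegated_zone):
        return "BOGUS"
    return "NODATA"


def mailer_decision(qname: str, delegated_zone: str, resp: Response) -> str:
    """What an SMTP client does with the outcome of an MX lookup:
       USE_MX   - MX records present, deliver to them
       USE_A    - definite 'no MX' answer, implicit MX on the A record
       PERMFAIL - the name does not exist at all
       TEMPFAIL - indeterminate; queue and retry the MX lookup later"""
    if resp.rcode == "NXDOMAIN":
        return "PERMFAIL"
    if resp.rcode != "NOERROR":
        return "TEMPFAIL"
    q = _canon(qname)
    if any(rr.rtype == "MX" and _canon(rr.owner) == q for rr in resp.answer):
        return "USE_MX"
    if validate_negative_answer(qname, delegated_zone, resp) == "NODATA":
        return "USE_A"
    return "TEMPFAIL"


# Constructed sample replies for a hypothetical parked domain.
QNAME = "parked.example."
ZONE = "parked.example."
ROOT_SOA = "ns.invalid. hostmaster.invalid. 2009082101 900 600 86400 3600"

# Shape of the reply in the post: aa set, empty answer, SOA owned by ".".
BOGUS_NEGATIVE = Response("NOERROR", True, authority=[RR(".", "SOA", ROOT_SOA)])
# What a correctly configured server would return for the same query.
GOOD_NEGATIVE = Response("NOERROR", True, authority=[RR(ZONE, "SOA", ROOT_SOA)])
# A normal positive MX answer.
WITH_MX = Response("NOERROR", True, answer=[RR(ZONE, "MX", "10 mail.parked.example.")])

if __name__ == "__main__":
    for label, resp in (("bogus SOA for '.'", BOGUS_NEGATIVE),
                        ("proper NODATA", GOOD_NEGATIVE),
                        ("MX present", WITH_MX)):
        print(f"{label:20s} -> {mailer_decision(QNAME, ZONE, resp)}")
```

Run as a script it prints one line per constructed reply: the reply shaped like the one in the post ends up as TEMPFAIL, the same reply with a proper SOA owner ends up as USE_A, and a real MX answer as USE_MX. The useful property to notice is that only the definite NODATA proof unlocks the A-record fallback; anything the resolver cannot vouch for is queued for a retry, which is exactly the behaviour the post describes mailers as required to have.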

(It's been a while since the last installment.)

Comments on this page:

From at 2011-09-06 21:21:24:

The missing 'aa' flags are wrong, but too common to care about. BIND tried not that long ago:

--Robert Mibus <>

From at 2011-09-08 17:31:48:

The co nameservers aren't auth for (and that's perfect!), so the missing aa flags are fine.

Written on 06 September 2011.

Last modified: Tue Sep 6 17:06:45 2011