== How not to set up your DNS (part 21)

This one is creative, and best presented in point form.

* the nameservers for _co._ are ns1.cctld.co through ns6.cctld.co.
* if you query them for the NS records of hotmail.co, all of them point you to NS1.MSFT.NET., NS2.MSFT.NET., and NS5.MSFT.NET. (They do this slightly oddly, with [[the aa bit unset DNSAnswersFlags]], but nameservers for other important zones also do this so I assume that it's the modern style.)
* if you ask any of these MSFT.NET nameservers for the A record for _www.hotmail.co_ or _hotmail.co_, you get answers (with the [[aa bit set DNSAnswersFlags]], as you'd expect from an authoritative nameserver).
* if you ask any of these MSFT.NET nameservers for MX, NS, or SOA records for _hotmail.co_, you get an interesting reply:

> _flags: qr aa; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1_ \\
>
> _;; AUTHORITY SECTION:_ \\
> _. 3600 IN SOA ns1.msft.net. msnhst.microsoft.com. 2009082101 900 600 86400 3600_ \\
>
> _;; ADDITIONAL SECTION:_ \\
> _ns1.msft.net. 3600 IN A 65.55.37.62_

(For bonus weirdness, whether or not you get the A record for ns1.msft.net depends on what query you're making; MX and NS queries do not, but SOA queries do.)

We've seen [[grandiose claims of authority HowNotToDoDNSXIII]] before, and it doesn't work any better this time than it did before. Specifically, if you do MX lookups on _hotmail.co_, your DNS server will almost certainly give you a 'cannot resolve this right now' temporary failure result.

This is kind of important because _hotmail.co_ is one omitted letter away from _hotmail.com_ and thus runs into [[my small wish for parked domains ../spam/ParkingAndMail]]. I guess I'm going to have to add another entry to our list of typo'd email domains that should have their email bounce explicitly.

(That _hotmail.co_ has a working A record doesn't help; if an MX record lookup returns a temporary failure, a mailer must retry the MX lookup instead of falling back to the A record. It can only fall back to the A record if there is a definite 'no MX record' answer. Not that falling back to the A records would help in this case, as _hotmail.co_'s IP addresses currently block SMTP connection attempts.)

(It's been a while since [[the last installment HowNotToDoDNSXX]].)
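
The mailer rule described above, as an added example that is not part of the original post: it maps an MX lookup result to what the mailer may do next. The function names are hypothetical, the inputs are constructed, and the SOA-owner check is an assumed, simplified model of why a resolver refuses to treat the quoted reply as a definite negative answer.

```python
from enum import Enum

class Mx(Enum):
    RECORDS = "deliver to the MX hosts"
    NO_MX = "definite 'no MX record': may fall back to the A record"
    NO_DOMAIN = "name does not exist: bounce"
    TEMPFAIL = "temporary failure: queue and retry the MX lookup"

def labels(name):
    """Lowercased labels of a domain name; the root '.' is the empty list."""
    return [part for part in name.lower().split(".") if part]

def is_at_or_below(name, ancestor):
    """True if name equals ancestor or is a subdomain of it."""
    n, a = labels(name), labels(ancestor)
    return len(n) >= len(a) and n[len(n) - len(a):] == a

def soa_usable(qname, delegated_zone, soa_owner):
    # Assumed resolver rule: the SOA in a negative answer must be owned by a
    # name inside the zone this server was delegated, and must cover qname.
    return (soa_owner is not None
            and is_at_or_below(soa_owner, delegated_zone)
            and is_at_or_below(qname, soa_owner))

def classify_mx(qname, delegated_zone, rcode, answers, soa_owner=None):
    """Map one MX lookup result to what the mailer is allowed to do next."""
    if rcode == "NOERROR" and answers:
        return Mx.RECORDS
    if soa_usable(qname, delegated_zone, soa_owner):
        if rcode == "NOERROR":
            return Mx.NO_MX
        if rcode == "NXDOMAIN":
            return Mx.NO_DOMAIN
    return Mx.TEMPFAIL  # SERVFAIL, timeouts, or a negative answer we can't trust

# Constructed inputs; the first mirrors the reply quoted in the post (SOA owner '.').
SAMPLES = [
    ("hotmail.co", "hotmail.co", "NOERROR", [], "."),
    ("hotmail.co", "hotmail.co", "NOERROR", [], "hotmail.co."),
    ("example.org", "example.org", "NOERROR", ["10 mail.example.org."], None),
    ("example.org", "example.org", "SERVFAIL", [], None),
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(sample[0], sample[2], sample[4], "->", classify_mx(*sample).value)
```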