[191250] in North American Network Operators' Group
Re: Cloudflare reverse DNS SERVFAIL, normal?
daemon@ATHENA.MIT.EDU (Owen DeLong)
Tue Aug 30 19:46:58 2016
X-Original-To: nanog@nanog.org
From: Owen DeLong <owen@delong.com>
In-Reply-To: <8738.1472597403@turing-police.cc.vt.edu>
Date: Tue, 30 Aug 2016 16:43:59 -0700
To: Valdis.Kletnieks@vt.edu
Cc: nanog@nanog.org
Errors-To: nanog-bounces@nanog.org

> On Aug 30, 2016, at 15:50 , Valdis.Kletnieks@vt.edu wrote:
>
> On Tue, 30 Aug 2016 14:39:10 -0700, Owen DeLong said:
>
>> I run a pair of nameservers. Let’s call them ns1.company.com
>> and ns2.company.com
>
>> Someone registers example.com and points NS records in the COM zone at my
>> nameservers.
>
> I would have expected that the resulting NXDOMAIN replies from ns1 and ns2
> would usually make this a self-correcting problem.

You don’t get NXDOMAIN when a nameserver gets a request for a zone it doesn’t
serve.
You either get SERVFAIL or you get NS records back as a referral.

> Are there actually people who do this misconfiguration on a zone big enough
> for the traffic to matter, and leave it that way for very long before they
> clue in that things aren't working right? I'd think that if somebody points
> billy-bobs-bait-tackle-and-internet.com at you, it might take you quite some
> time to notice - and if somebody whoopsies and points ebay.com's NS records
> at you, the resulting dysfunction would be noticed fairly soon….

Depends on your definition of “matter”.
Also, misconfiguring one important zone doesn’t necessarily generate significantly
more traffic than generating a whole lot of unimportant ones. Especially if
you misconfigure zones in ip6.arpa or in-addr.arpa as was the case at the
beginning of this topic.

> (Miscreants who do this intentionally are, of course, a totally different
> kettle of fish, and need to be dealt with as miscreants....)

Yep, though one has to wonder why they would bother.
Owen
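
Added example, not part of the original message: a small Python classifier for the behaviour discussed above, where a nameserver asked about a zone it does not serve answers with SERVFAIL or a referral rather than NXDOMAIN. The header bytes are constructed samples, `ns-ok.example.net` and the function names are hypothetical, and REFUSED (which the message does not mention) is also counted as lame.

```python
import struct

RCODE_SERVFAIL, RCODE_NXDOMAIN, RCODE_REFUSED = 2, 3, 5

def make_header(rcode, aa, ancount=0, nscount=0):
    """Constructed sample: 12-byte DNS response header only (sections omitted)."""
    flags = 0x8000 | (0x0400 if aa else 0) | rcode  # QR=1, AA bit, RCODE
    return struct.pack("!HHHHHH", 0x1234, flags, 0, ancount, nscount, 0)

def classify(response: bytes) -> str:
    """Classify a reply to a non-recursive SOA query for the delegated zone."""
    if len(response) < 12:
        return "malformed"
    _id, flags, _qd, ancount, nscount, _ar = struct.unpack("!HHHHHH", response[:12])
    if not flags & 0x8000:
        return "malformed"                  # QR bit clear: not a response
    rcode, aa = flags & 0x000F, bool(flags & 0x0400)
    if rcode == RCODE_SERVFAIL:
        return "lame:servfail"              # server does not serve the zone
    if rcode == RCODE_REFUSED:
        return "lame:refused"
    if rcode == 0 and aa and ancount > 0:
        return "authoritative"              # server really serves the zone
    if rcode == RCODE_NXDOMAIN and aa:
        return "authoritative:nxdomain"     # only a server that owns the name space says this
    if rcode == 0 and not aa and ancount == 0 and nscount > 0:
        return "lame:referral"              # NS records handed back instead of an answer
    return "unexpected"

SAMPLES = {  # constructed replies for the zone example.com, keyed by nameserver
    "ns1.company.com": make_header(RCODE_SERVFAIL, aa=False),
    "ns2.company.com": make_header(0, aa=False, nscount=13),
    "ns-ok.example.net": make_header(0, aa=True, ancount=1),  # hypothetical name
}

def lame_servers(samples):
    """Return the nameservers whose reply marks the delegation as lame."""
    return sorted(ns for ns, raw in samples.items() if classify(raw).startswith("lame"))

if __name__ == "__main__":
    for ns, raw in SAMPLES.items():
        print(f"{ns:20} {classify(raw)}")
```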