-1

Do glue records/child hosts override DNS wildcard entries or A records at the domain names DNS servers records?

example: ns1.example.com = 1.1.1.1 at registrar DNS glue /child host

ns1.example.com = 2.2.2.2 wild card entry at DNS server example.com

if i ping ns1.example.com from 8.8.8.8 or external dns internet, will it go to 1.1.1.1 or 2.2.2.2?

if so which RFC states this policy?

So over 40 replies/answers/comments and people vote down my question?

so a million comments later another Example. If i have a wild card record in my DNS server for my domain, for *.example.com = 6.6.6.6 Registrar has a glue record for ns1.example.com = 1.1.1.1 On the global internet what would ns1.example.com resolve to? –

user3265051
  • 109
  • 2
  • You are asking about an invalid/wrong configuration. Flip a coin is the answer because the answer depends on the resolver and caching - both of which are outside your control. Your NS records need to match the entries at the registrar. – John Hanley Mar 28 '21 at 20:46
  • Please do not obfuscate so badly, do not use those real and existing IP addresses for real services right now as examples. Use 192.0.2.0/24 block reserved for documentation if you really need to not give real IP addresses. – Patrick Mevzek Mar 29 '21 at 15:10
  • @PatrickMevzek if were to use a 192.0.2.0/24 then you will get another smart ass saying NO Thats not PUBLIC its not going to work – user3265051 Apr 08 '21 at 00:10
  • @user3265051 Which is absolutely not true because this block is EXPLICITLY reserved for documentation purpose. Please read RFC 5737 and it says:"Three IPv4 unicast address blocks are reserved for use in examples in specifications and other documents. This document describes the use of these blocks.". Using `1.1.1.1` is specifically very BAD practice, see https://blog.cloudflare.com/fixing-reachability-to-1-1-1-1-globally/ for an explanation on how such bad use creates major havoc on the Internet. Be a good netizen. – Patrick Mevzek Apr 08 '21 at 02:45
  • @PatrickMevzek which is fine with me but last question i asked using reserved blocks for doc got so many flagged comments and down voted saying its internal IP not reachable from DNS global. – user3265051 Apr 08 '21 at 17:18
  • I have no idea which case you are talking about (so depending on context, using ANY obfuscation might be wrong, which is why I always suggest to use the real names/IPs if possible and only at the extreme last recourse to do obfuscation), but if some people are disagreeing with the above just point them to the RFC text. I don't see anything to be argued there except of course the position of "I don't care what the RFCs say, I do my own". – Patrick Mevzek Apr 08 '21 at 17:25

2 Answers2

1

TL;DR: Where you will go is non-deterministic (depends on which resolver you will use) and no RFC clearly states that, but there are various hints described below.

First, do not obfuscate badly. The 3 IP addresses you use exists, and at least two of them today are heavily used. You gain nothing and create a lot of harm by using them. There is one RFC (5737) given advices on this, but in short use 192.0.2.0/24 for such needs.

Also your terminology is slightly wrong: glues are at parent of a given delegation cut, and that parent is often just called the registry at least when you are dealing close to the top of the tree. Note that the registrar here may play no role at all, except that if it is also the DNS hosting company but that is a separate job technically.

Then, there is no RFC that clearly state this policy and it is still today a subject of hot discussions. It is referenced as "child centric" vs "parent centric" to decide, when the "same" content is on both side of a zone cut, which one should be taken into account.

Of course, what the RFCs say, is that both content should be the same and hence the point be moot. However, and it is the same for NS records, it does indeed happen that there are discrepancies, which are often a sign of misconfiguration that yields to problem from a least extensive delay in resolution to more deep breakage.

See §4.2.2 of RFC 1034 on this:

As the last installation step, the delegation NS RRs and glue RRs necessary to make the delegation effective should be added to the parent zone. The administrators of both zones should insure that the NS and glue RRs which mark both sides of the cut are consistent and remain so.

The RFCs may lightly hint at the fact that the child should be authoritative because normally everything that is in the parent is just there to help find the child and communicate with it, so in case of differences, parent data should be discarded. This however has one consequence: one resolver doing that has to still periodically ask the parent again just to make sure the delegation didn't change, otherwise the child would stick forever.

Why we can interpret that from the RFCs: because DNS packets have section, there is one section could "ANSWER" and one could "ADDITIONAL". When a parent gives back a NS record set with details on glues, the glues are in "ADDITIONAL" because they are not considered part of the answer, they are just there to help resolution. Moreover, with DNSSEC, glues (and NS records in fact at parent side) are not signed, hinting that they are "less" authoritative.

For example, this document at https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/security_guide/sec-securing_dns_traffic_with_dnssec clearly states:

In a DNSSEC signed zone, each resource record set (RRset) has a corresponding RRSIG resource record. Note that records used for delegation to a child zone (NS and glue records) are not signed; these records appear in the child zone and are signed there.

There is also another hint at that in §5.4.1 of RFC 2181, which I quote partially here:

When considering whether to accept an RRSet in a reply, or retain an RRSet already in its cache instead, a server should consider the relative likely trustworthiness of the various data.

[..]

Trustworthiness shall be, in order from most to least:

[..]

  • The authoritative data included in the answer section of an authoritative reply.

[..]

  • Glue from a primary zone, or glue from a zone transfer,

[..]

  • Additional information from an authoritative answer, Data from the authority section of a non-authoritative answer, Additional information from non-authoritative answers.

Note that on this abridged list, only first point can come from the child, the next 2 are coming from the parent. Hence by reading this list you normally would infer that resolvers should be child centric (and the rest of the section discuss glues further and the fact that DNSSEC signed data should be considered more trustworthy which again puts the child over the parent). But exactly because it adds other complexities, not all recursive nameservers are child centric.

So some resolvers are parent centric instead in cases like that.

There are various studies on the subject, such as:

  • https://www.dns-oarc.net/files/workshop-201103/ICANN-SF-Looking-at-DNS-traces.pdf which further discuss the difference between child centric and child sticky (never asking the parent again) showing that most resolvers are child centric or child sticky... except at least Google Public DNS that is parent-centric
  • https://conferences.sigcomm.org/imc/2019/presentations/p10.pdf discusses how the TTL is chosen if different between parent and child; showing that in their case most resolvers are child-centric (as expected)
  • https://annasperotto.org/publication/papers/2020/sommese-pam-2020.pdf a recent full research paper; among the conclusions: "This is the first study that shows, across the .com, .net and org zones (50% of the DNS namespace), that roughly 8% (13M) domains do not conform to that. " and "Finally, we also recommend that resolver vendors conform to the authoritative information ranking in RFC2181 (taking into account the recommendations to mitigate the Kaminsky attack as specified in RFC5452), and when possible, to explicitl yask for the child’s NS records, similarly to what is done in DNSSEC, where signed records are only available at the child"

Also, the current canonical document on DNS terminology, RFC 8499, sadely avoids the subject, but you can find the subject touched in a previous email discussion starting at https://mailarchive.ietf.org/arch/msg/dnsop/fXmzHFzh153OO01hA5Oq8-T-fO8/ ; this archived proposal at https://www.ietf.org/archive/id/draft-huque-dnsop-ns-revalidation-01.txt discusses the problem of having to revalidate the NS records at parent when you are operating as child-centric.

To show how much debate there still is, or more precisely the problem of zone cuts and data being on both sides, right now at least these documents in the IETF touch on the subject, each proposing new records or new ways to handle that cut:

But exactly because the point is not clear, and everyone chooses one case or the other you fell into a dark spot of the DNS where the outcome is not deterministic depending on who you ask. Said differently: you should avoid at all costs situations like that.

Community
  • 1
Patrick Mevzek
  • 9,921
  • 7
  • 32
  • 43
  • I don't think the parent/child centric discussion really applies to answering client queries, only the internal "infrastructure" lookups during the resolver lookup process (where there is indeed varying behaviors). The referral is not authoritative, the answer section is empty, etc. Ie, it's quite clear in terms of how you can answer client queries that it is child-centric. – Håkan Lindqvist Mar 26 '21 at 11:05
  • "I don't think the parent/child centric discussion really applies to answering client queries, only the internal "infrastructure" lookups during the resolver lookup process (where there is indeed varying behaviors)." It applies when the query is exactly for a record that exists on both side of the cut like `NS` or `A`/`AAAA` if glues, the recursive nameserver has to decide which data to give back to client, so it has to choose between parent and child. – Patrick Mevzek Mar 26 '21 at 14:56
  • I understand that there is some form of data from both sides, but it only receives an actual authoritative answer from the child side; I just don't perceive there being much discussion regarding *that*. The internal use during the lookup process is a different matter, though. – Håkan Lindqvist Mar 26 '21 at 14:59
  • I would recommend you get a look at the various papers referenced, because if, as you say, there is no discussion around that, then I don't understand why there would be recursive nameserver, including major ones, that remain parent-centric. Again take this simple case: you ask for `NS` records. The parent has `NS` records with TTL 1 and the child has `NS` records with TTL 1000000. Who should win? Not an easy answer, as, if you say "the child always wins", it means a child can forever keep a name existing even if the parent has deleted the delegation in the future. – Patrick Mevzek Mar 26 '21 at 15:03
  • I will look at the papers, but in your example it seems quite clear that you are conflating the two separate cases of what data is used internally and what data can be sent to clients. That is, it should *always* return the data from the authority (child) to clients but it needs to continue checking the referral (parent) data for its own internal use. – Håkan Lindqvist Mar 26 '21 at 15:07
  • Again let me try once more and then I stop: the client asks for an `A` record that is at apex and at the parent as glue. The address and/or the TTL are not the same. Which one wins? If that seems a non problem for you, then all the best. Yet a lot of people and papers do discuss it, as I have referenced so at least it seems to be a valid point of discussion for others. – Patrick Mevzek Mar 26 '21 at 15:13
  • "it needs to continue checking the referral (parent) data for its own internal use. " This is the child-centric view with revalidation at parent. The most common one it seems but 1) nowhere written explicitely as is in any RFC, so bound for interpretation and diversity and 2) hence not clear how/when the revalidation should happen, so again operational diversity to expect (again, take example of child forcing very long TTL on NS to try to make a domain still exist, even if parent removes it from its delegation points) – Patrick Mevzek Mar 26 '21 at 15:14
  • From what I know it's the only view that aligns with how the DNS messages look. Ie, the answer from the authority has the `aa` flag and the answer in the ANSWER section. A referral does not have the `aa` flag (as the parent is not authoritative) and only data in the AUTHORITY and ADDITIONAL sections. The referral is not an answer to the question, it only provides information about who to ask. As such, a resolver server cannot treat the referral responses as answers and must store these separately. Signing just underlines this even more as it would have bogus data if it were to use the referral – Håkan Lindqvist Mar 26 '21 at 15:22
  • All this said, I really appreciate the thoroughness of the answer, I just disagree that it's actually wide open for interpretation as only one of the options actually works in practice in terms of what to return to clients. I absolutely agree that particularly the original DNS specs (from 1980s) are not particularly well written, leaving lots of things to the reader to interpret, so finding a direct citation is unnecessarily difficult, it's more of a "by process of elimination" kind of deal. – Håkan Lindqvist Mar 26 '21 at 15:30
  • "The referral is not an answer to the question, it only provides information about who to ask. " Yes, but as simple as it looks on paper, it brings itself various questions. For example if the child nameservers do not reply (timeout), should the information from the parent be used even if stale? There are questions there, and it is a compromise obviously to be drawn between security/integrity/trustworthiness (see discussion in RFC2181 on this) and performance/reliability. I am just trying to point out there are no simple/immediate answer. – Patrick Mevzek Mar 26 '21 at 16:17
  • "as only one of the options actually works in practice in terms of what to return to clients. " Yet Google Public DNS is parent-centric, so... – Patrick Mevzek Mar 26 '21 at 16:22
  • In terms of 8.8.8.8's internal workings, it is very likely true and not something I question. But 8.8.8.8 does not respond with the data from the referral response to clients. That difference is the distinction that I was trying to point out from the start. I won't keep going on about this any further, but I just really think that it's important to separate the idea of parent-centricity *for the internal workings of the resolver* from the idea of parent-centricity in terms what data is used in responses to clients; I think conflating these is largely what we keep going back and forth about. – Håkan Lindqvist Mar 26 '21 at 16:47
  • The external end result depends on the internal workings. Otherwise no one would be able to see if a given recursive nameserver was parent centric or child centric... Again please have a look, at least, to https://conferences.sigcomm.org/imc/2019/presentations/p10.pdf and the discussion on where does the TTL come from – Patrick Mevzek Mar 26 '21 at 17:12
  • I'm not saying the end result isn't affected; if the referral response doesn't agree with the authoritative response, of course it matters which one you choose to use. But that is wildly different from using the referral data in responses. As for that presentation, they conclude that the vast majority of responses in their experiment are child-centric (which I find completely expected) but there doesn't seem to be any discussion there regarding the few interesting responses with longer TTL. Are those actually parent-centric or rather just overriding the TTL altogether (resolver-defined TTL)? – Håkan Lindqvist Mar 26 '21 at 17:58
  • §5.1 Result section of https://annasperotto.org/publication/papers/2020/sommese-pam-2020.pdf might give some ideas/insights. – Patrick Mevzek Mar 26 '21 at 20:01
  • Thanks. Yes, those results are interesting. Although, that paper seems to be strongly worded in favor of my interpretation and citing https://tools.ietf.org/html/rfc2181#section-5.4.1 where it says "Unauthenticated RRs received and cached from the least trustworthy of those groupings, that is data from the additional data section, and data from the authority section of a non-authoritative answer, should not be cached in such a way that they would ever be returned as answers to a received query." – Håkan Lindqvist Mar 27 '21 at 08:15
  • Yes, and it shows experimentally that not all resolvers are following this. Again child centric might be "obvious" yet it poses the problem of parent revalidation, which was never really touched by any RFC. – Patrick Mevzek Mar 27 '21 at 16:34
  • *Again child centric might be "obvious" yet it poses the problem of parent revalidation*, to me this reads as yet again conflating the two issues of internal resolver workings and data sent to clients. Parent revalidation is unrelated to the type of data sent to clients, and it's only in terms of the type of data sent to clients that child-centricity is obvious, right? Am I missing something? – Håkan Lindqvist Mar 27 '21 at 18:49
  • To be clear, I am not trying to say that there doesn't exist a small amount of deviation from the expected behavior in the wild, I'm really just saying that there is a clear expected behavior with regards to what type of data is returned to clients. Also, I'll note again that I think where we keep getting stuck in this discussion is that the bigger issue (for me, at least) of conflating the cache of delegations (w/ two workable options) from the cache of record sets from authorities (w/ only one option) completely overshadows the "there is some deviation from the norm in the wild" point. – Håkan Lindqvist Mar 28 '21 at 11:44
  • All that said, I'm not sure we are getting further. I'm going to go with "let's agree to disagree" at this point. – Håkan Lindqvist Mar 28 '21 at 11:49
  • so a million comments later. If i have a wild card for *.example.com = 6.6.6.6 Registrar has a glue record for ns1.example.com = 1.1.1.1 on the global internet what would ns1.example.com resolve to? – user3265051 Mar 28 '21 at 20:16
  • @user3265051 As already said, the problem is not the registrar but the DNS provider. And also as everyone told you, DO NOT create such configurations, you will have problems. Also please do not obfuscate badly and do not use those IP addresses in any example. You have 192.0.2.0/24 if you really need to obfuscate. – Patrick Mevzek Mar 29 '21 at 15:09
1

I'll try to write a very concise answer to complement the huge answer that Patrick posted:

First of all, no, the wildcard record in itself is not affected by the glue records in any way.
But this scenario that you describe where the glue records do not match address records (there should probably exist non-wildcard ones in your example) in the authoritative zone is clearly bad and is not something that is ever desired as it will lead to inconsistent lookup results.

When a resolver server looks up names in example.com (eg foo.example.com), it is (as Patrick is stating) undefined if it, for its own internal use during the lookup process performed on behalf of the client, simply uses the NS and glue records from the referral response or if it actually looks up NS + related address record(s) from the authoritative server before making the actual query the client asked for.
So here you may get different results, possibly outright failure in some cases if you have mixed up the glue and/or authoritative records for the nameservers.

That said, if a client asks for ns1.example.com, then it is always an answer from the authoritative server that will be returned, not the glue in the referral response (there is no uncertainty regarding this).
The complicating factor here is that if you have an inconsistent view of which server actually is authoritative (see above), then it could vary by implementation which supposedly authoritative server is queried.

TL;DR don't ever do things like in the scenario described in the question.

Håkan Lindqvist
  • 35,011
  • 5
  • 69
  • 94
  • oh ok . i really wonder why there are so many comments and my question was voted down. its obviously a good question if it had so many people talking. So in a simple way can i exclude a wildcard entry in centos6 linux bind? – user3265051 Mar 28 '21 at 20:21
  • @user3265051 Please see the tour and the on-topic help section. Your question has nothing to do with running systems in a business environment, It is a generic question. Also you deliberately consider wrong/invalid configuration which is also against the list of questions being on topic. And you also obfuscate badly and potentially harm the Internet by reusing IP addresses that exist today for real services. – Patrick Mevzek Mar 29 '21 at 15:11
  • @user3265051 Just add the relevant address (`A`/`AAAA`) records for the nameservers in the zone? – Håkan Lindqvist Mar 29 '21 at 15:59