
Yesterday, I noticed that a client (who has just enough knowledge of networking to be dangerous) had messed up one of his nameserver records. We'd recently relocated to a different colocation provider, and ns2.his-domain.com was pointing back to the network in the recently vacated cabinet. I instructed him, "go to your registrar, and change the IP this name server points to, because until then you have only one working nameserver for all your clients' domains".

Due to time zone differences - he lives in Europe, and I'm in the US - we couldn't talk live.

This morning, I discovered that he'd used a shotgun to solve this problem. Not only did he change ns2.his-domain.com to point to the correct IP, he then proceeded to create more host records - at the registrar level, using their web tools for creating name servers - for every host name he'd ever used in the past, and some that he thought he might want in the future, all of them pointing to the same IP.

ns3.his-domain.com, ns4.his-domain.com, www.his-domain.com, ftp.his-domain.com, kirk.his-domain.com, spock.his-domain.com, scotty.his-domain.com, etc. - all of these may now be looked up with Whois, bypassing our local name server, cluttering up the root name space. He created about twenty host records in the domain registry, all of them pointing to the exact same IP.

My gut feeling is that this is very, very bad. It defeats the fundamental design of DNS, which is supposed to be hierarchical!

What are the consequences of this? Is there anything in the standards - in RFCs or elsewhere - that prohibits this, and describes what might happen as a result?

Example (name changed to protect the guilty):

$ whois spock.his-domain.com

Whois Server Version 2.0

   Server Name: SPOCK.HIS-DOMAIN.COM
   IP Address: 22.33.44.55
   Registrar: COMPUTER SERVICES LANGENBACH GMBH DBA JOKER.COM
   Whois Server: whois.joker.com
   Referral URL: http://www.joker.com
Matt Hucke
  • I know quite a bit about DNS, but I don't understand the problem? A person may create as many A records as they'd like without "cluttering up the root name space." Strictly speaking, to clutter the root, they'd need to create a whole bunch of new TLD's (which obviously isn't possible). Would you mind clarifying things a bit? – jamieb Feb 16 '10 at 15:20
  • These aren't "A" records, but hosts registered at the registrar level. They show up in "whois", while ordinary host records don't, and I believe they may be part of the massive root zone file that's distributed to the root nameservers. I'll add an example at the end of the original post... – Matt Hucke Feb 16 '10 at 15:25
  • @jamieb - Sounds like the user in question created glue records for *all* their hosts, not just the NS. – voretaq7 Feb 16 '10 at 15:27
  • voretaq7: yes, exactly. Some of these hosts don't even exist anymore, and are commented out in the real nameserver. – Matt Hucke Feb 16 '10 at 15:33
  • A point of contention: the root servers (. domain) don't hold any records for anything below the gTLD domains (.com, .edu, etc). The gTLD servers are not root servers, they are gTLD servers. There are two levels of hierarchy in front of your customers namespace: . and .com – joeqwerty Feb 16 '10 at 15:38
  • @joeqwerty - They most certainly do: Glue records. `dig -t A @c.gtld-servers.net ns1.bsd-box.net` and you will get an A record answer. – voretaq7 Feb 16 '10 at 15:43
  • 1
    @ voretaq7: I'm not quite sure what you're saying but c.gtld-servers.net is not a root server, it is a gTLD server. the root servers (responsible for the . domain at the root of the DNS hierarchy) are a.root-servers.net, b.root-servers.net, etc. The gTLD servers (c.gtld-servers.net, etc.) are responsible for the gTLD's, such as .com, .edu, .org, etc. – joeqwerty Feb 16 '10 at 15:56
  • @joequerty - you're right, I was reading gtld instead of root (only my first cup of coffee this morning :) - problem is the same for any delegation though: Matt's client has his records "one level too high" in the hierarchy – voretaq7 Feb 16 '10 at 16:00
  • @ voretaq7: I've had two cups and I'm still a little foggy. ;) – joeqwerty Feb 16 '10 at 16:14

2 Answers


A couple of things:

I don't think this is very, very bad from the standpoint that nothing is going to happen other than the fact that his namespace is not going to be resolved correctly and consistently until this gets fixed.

As far as hierarchy goes, that hasn't changed. His namespace and DNS records are still at the same level in the hierarchy. Creating multiple name servers doesn't change where his namespace sits in the hierarchy.

The gTLD servers don't care how many name servers he has. They're going to look for the NS for his namespace and refer DNS requests for his namespace to whichever name servers are listed. Because the gTLD servers do not perform recursion, this puts no additional load on them. A DNS client (DNS server on behalf of a client) will ask the gTLD server that's responsible for the relevant gTLD domain (.com, .edu, etc.) where to find his namespace and the gTLD server will refer them to the name servers listed. The DNS client will then query one of the name servers listed.

Other than having some flaky name resolution and failures, I don't see this as an earth shattering problem. The fix is simply to log back in to his registrar's web site and remove the errant records.

joeqwerty
  • That's what I've asked him to do (delete the records); he's just going to want to know why, as he'd likely consider it a convenience that all his machines are registered at the registrar, where he can edit them with a web form, and not in some icky complicated name server he has to ask me for help with! – Matt Hucke Feb 16 '10 at 15:32
  • I would explain to him the difference between an NS record and an A record and why he only wants NS records that actually point to real name servers for his namespace. After that, he can create any number of A records, to his heart's content. Good luck with this one. ;) – joeqwerty Feb 16 '10 at 15:40
  • 1
    The best (short) reason to remove these records is "They don't belong at the registrar/tld level because they're not records for a nameserver." – voretaq7 Feb 16 '10 at 15:55
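A practical way to put this answer into a check: list the host objects the registry knows about (the "Server Name:" entries whois returns, as in the question's example) and compare them with the domain's actual NS RRset, flagging every host object that is not the target of an NS record. The script below is an added example and is not code from the original post or from either author; the whois and dig output it embeds is constructed (using the already-anonymised names and address from the question), and the optional live lookup assumes the dig binary is installed.

```python
"""
Audit registry-level host records against the domain's real name servers.

Added example, not from the original post.  SAMPLE_WHOIS and SAMPLE_DIG_NS
are constructed text in the shape of `whois <host>` (registry host objects)
and `dig +short NS <domain>` output.
"""
import subprocess

# Constructed: what the registry's whois returns for each registered host
# object, concatenated for several hosts.  Only the first two are real NS.
SAMPLE_WHOIS = """\
Whois Server Version 2.0

   Server Name: NS1.HIS-DOMAIN.COM
   IP Address: 22.33.44.55
   Registrar: COMPUTER SERVICES LANGENBACH GMBH DBA JOKER.COM

   Server Name: NS2.HIS-DOMAIN.COM
   IP Address: 22.33.44.55
   Registrar: COMPUTER SERVICES LANGENBACH GMBH DBA JOKER.COM

   Server Name: SPOCK.HIS-DOMAIN.COM
   IP Address: 22.33.44.55
   Registrar: COMPUTER SERVICES LANGENBACH GMBH DBA JOKER.COM

   Server Name: WWW.HIS-DOMAIN.COM
   IP Address: 22.33.44.55
   Registrar: COMPUTER SERVICES LANGENBACH GMBH DBA JOKER.COM
"""

# Constructed: `dig +short NS his-domain.com` output (trailing dots, lower case).
SAMPLE_DIG_NS = """\
ns1.his-domain.com.
ns2.his-domain.com.
"""


def canon(name: str) -> str:
    """Normalise a host name: registry output is upper-case, dig output has a trailing dot."""
    return name.strip().rstrip(".").lower()


def host_objects(whois_text: str) -> dict:
    """Map each registered host object to the IP addresses the registry holds for it."""
    hosts, current = {}, None
    for line in whois_text.splitlines():
        key, _, value = line.strip().partition(":")
        if key == "Server Name":
            current = canon(value)
            hosts.setdefault(current, [])
        elif key == "IP Address" and current is not None:
            hosts[current].append(value.strip())
    return hosts


def ns_targets(dig_short_output: str) -> set:
    """Name-server host names from `dig +short NS <domain>` output."""
    return {canon(line) for line in dig_short_output.splitlines() if line.strip()}


def live_ns_targets(domain: str) -> set:
    """Same, but from the live DNS via dig (assumes dig is installed; not used by the tests)."""
    out = subprocess.run(["dig", "+short", "NS", domain],
                         capture_output=True, text=True, check=True).stdout
    return ns_targets(out)


def audit(domain: str, hosts: dict, ns: set) -> dict:
    """Classify registry host objects against the NS RRset.

    ok                  -> host object is an NS target (legitimate glue)
    orphan              -> host object is not a name server; remove it at the registrar
    missing_host_object -> in-bailiwick NS target with no host object (no glue at the TLD)
    """
    suffix = "." + canon(domain)
    return {
        "ok": sorted(h for h in hosts if h in ns),
        "orphan": sorted(h for h in hosts if h not in ns),
        "missing_host_object": sorted(n for n in ns if n.endswith(suffix) and n not in hosts),
    }


if __name__ == "__main__":
    report = audit("his-domain.com", host_objects(SAMPLE_WHOIS), ns_targets(SAMPLE_DIG_NS))
    for kind, names in report.items():
        print(f"{kind}: {', '.join(names) or '-'}")
```

Run against real data by feeding `whois` output for each host into host_objects() and replacing ns_targets(SAMPLE_DIG_NS) with live_ns_targets(domain); everything listed under "orphan" is a record that belongs in the zone, not at the registrar.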

As far as I'm aware nothing in the standards prohibits doing what he did, but it's definitely not "correct" -- the records created at your registrar are only supposed to be used for NS glue, and including other records can put an excessive load on the root servers.

In this case I believe the top-level (.com) servers will return the A record they have rather than referring the query to your client's nameserver -- this is certainly not what they want, so the errant records should be removed.

If someone can point to a specific RFC/STD document that prohibits or deprecates this behavior it would be nice to be able to quote that too :-)

voretaq7