IP addresses in NS records seem to be breaking hostname resolution

[Kevin Darcy]

Chris Davis wrote:

> Thank you, David.  Hopefully the phone call from an objective third party
> will get them motivated!
>
> Unfortunately, when I've e-mailed them, and when my "technical liason" and I
> have spoken with them on the phone, we have had no luck.  Since
> nslookup/dig/host tells them their host records resolve fine, the problem is
> mine from their point of view.
>
> That's why I'm looking for something I can do on my side, without boogering
> up my configuration, to have the bad NS records rejected or at least dumped
> from the cache after failure.
>
> Hosting my own pacetech-inc.com zone file, though a possibility, opens a
> door to headaches that I don't care to open.  As time marched on and I ran
> across more companies with misconfigured NS records, I'd accumulate more
> than a few zone files for zones that are not mine.
>
> So, my question is still out there.  Is there any way to reject or dump the
> bad NS records that contain IP addresses rather than hostnames?
>
> Of 6,667 NS records in my resolver's cache yesterday, 15 had I.P. addresses
> rather than hostnames.  I'd imagine everyone's dns caches look about like
> that everywhere percentage wise, statistically speaking.
>
> 15 of 6,667 being wrong is only two tenths of one percent, which isn't much,
> but this 2/10 of 1% of failed lookups could be solved if there were a way to
> dump or reject the bad NS records and use the correct NS records provided by
> the GTLD servers.
>
> These dns failures are exacerbated with multiple failed attempts to send
> mail, and then support calls and research about lost mail, and now this
> discussion thread involving all of you!
>
> It's not my misconfiguration, and it's been very difficult (read
> "impossible") to convince the other guy it's his misconfiguration because
> everything resolves fine at first glance.  It's caused me some headaches.
> I'd like some legitimate defense against it.
>
> My bet is that everyone everywhere is experiencing a "not insignificant"
> amount of failures due to this type of problem.
>
> Would a new bind feature to dump or reject invalid NS records be in order?
> Or is there in fact a way to do this already?
>
> Chris Davis
> Site Engineer
> ComputerJobs.com
>
> -----Original Message-----
> From: David Botham [mailto:dns at botham.net]
> Sent: Wednesday, July 17, 2002 12:08 PM
> To: bind-users at isc.org
> Subject: RE: IP addresses in NS records seem to be breaking hostname
> resolution
>
> As a follow up, I forwarded this thread to both the soa responsible
> email and whois responsible email.  And as an extra bonus, I called the
> whois admin contact on the phone.  He was happy to here from me and said
> he would call his ISP and light a fire under...

I'm not sure what you're trying to accomplish here. "Reject or dump" bogus
NS records? The NS records are already unresolvable, how much more "rejection"
do you want? If an NS RRset consists of mixture of good and bad names,
nameservers will automatically find the good ones after maybe a few wasted
queries; if the RRset contains only bad names, it's useless anyway. Seems like
what you really want here is a "treat DNS failure as a fatal
error" option/setting in your mailer software. That's not really a DNS issue,
_per_se_...

If you wanted to massively kludge this using DNS, you could a) define all 256
last-octet TLDs (i.e. the "0" through "255" TLDs) privately on your nameserver,
with each zone containing a wildcard pointing to one of your IP addresses,
b) run a specially-configured nameserver on that IP address, with a single root
wildcard MX record -- maybe 2 for redundancy :-) -- pointing to the address of
a specially-configured mailserver, c) have this mailserver bounce or simply
discard any mail sent to it (call it "blackhole").


- Kevin