Issue: Name huawei.com (SOA) not subdomain of zone cloud.huawei.com -- invalid response

Mark Andrews marka at isc.org
Fri Jun 2 02:25:23 UTC 2023


Yep, some people just don’t take care with delegations.  Complain to Huawei.
Complain to the other companies you list in your followup email.

All it takes to fix this is to change the name of the zone on the child servers
(ns3.dnsv5.com, gns1.huaweicloud-dns.org and ns4.dnsv5.com) from “huawei.com”
to “cloud.huawei.com” and perhaps adjust the NS and SOA records for the zone
if they are fully qualified.  If there are other delegations from huawei.com
for other sub zones to these servers they will also need to be instantiated.

It’s maybe 10 minutes’ work for each subdomain to fix.  It just requires someone
to do the work.

This is a very old (last millennium) misconfiguration method used by people who
want to avoid doing delegations.  Domain name speculators used to do this using
“com” or even “.” as the zone name and wildcard A records to provide A answers
for the zones delegated to the server.  It “works” if all you return is positive
answers but that hasn’t been true since IPv6 came into existence.

e.g.  “*. A <webserver-address>”

When people come to you and say that it works with Google, et al., point them at
https://dnsviz.net/d/cloud.huawei.com/dnssec/ which reports this error and say
“Here is a DNS configuration testing site and it reports the zone as broken, you
need to take it up with the company.”

Mark

> On 2 Jun 2023, at 00:58, Jesus Cea <jcea at jcea.es> wrote:
> 
> I am getting errors "Name huawei.com (SOA) not subdomain of zone cloud.huawei.com". The problem arises when requesting AAAA on oauth-login.cloud.huawei.com. The problem was described in the mailing list:
> 
> https://lists.isc.org/pipermail/bind-users/2021-January/104064.html
> 
> BIND is replying with a SERVFAIL. This is correct and appropriate. Nevertheless, resolvers like 8.8.8.8, 1.1.1.1, 9.9.9.9 and many (most) others are not doing that SOA verification, so for users we are the guilty, not Huawei, because "using Google it works!". In fact, we have a big customer phone app failing because of this (yes, this seems to be a bug with that app but, again, "with google it works!").
> 
> What can we do? Is it possible to disable that check in bind?
> 
> We are using 9.16. We could upgrade to 9.18, if needed.
> 
> Thanks.
> 
> -- 
> Jesús Cea Avión
> jcea at jcea.es - https://www.jcea.es/
> Twitter: @jcea
> jabber / xmpp:jcea at jabber.org
> "Things are not so easy"
> "My name is Dump, Core Dump"
> "Love is placing your happiness in the happiness of another" - Leibniz

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742              INTERNET: marka at isc.org
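
The failure discussed in this thread, as an added example that is not part of the original messages and is not BIND's code: a simplified model of a child server whose zone is misnamed and holds only a wildcard A record, and of the resolver check that rejects its negative answers. The function names, the response layout and the address 192.0.2.10 are assumptions made for the illustration.

```python
# Simplified model, not BIND's implementation; all data here is constructed.

def labels(name):
    """Lower-cased labels of a domain name, trailing dot ignored."""
    name = name.rstrip(".").lower()
    return name.split(".") if name else []

def is_subdomain(name, zone):
    """True if name is at or below zone, compared label by label (not by string suffix)."""
    n, z = labels(name), labels(zone)
    return len(n) >= len(z) and n[len(n) - len(z):] == z

def server_answer(zone_name, qname, qtype, wildcard_a="192.0.2.10"):
    """Hypothetical child server: one zone called zone_name holding only a wildcard A."""
    if qtype == "A":
        # Positive answer synthesised from the wildcard; no SOA is sent.
        return {"answer": [(qname, "A", wildcard_a)], "authority": []}
    # NODATA for any other type: the zone's own SOA goes in the authority section.
    return {"answer": [], "authority": [(zone_name, "SOA")]}

def soa_violations(zone_cut, response):
    """Errors for SOA records whose owner lies outside the zone the parent delegated."""
    return [
        f"Name {'.'.join(labels(owner))} (SOA) not subdomain of zone {zone_cut}"
        for owner, rrtype in response["authority"]
        if rrtype == "SOA" and not is_subdomain(owner, zone_cut)
    ]

if __name__ == "__main__":
    qname, cut = "oauth-login.cloud.huawei.com", "cloud.huawei.com"
    for zone_name in ("huawei.com.", "cloud.huawei.com."):
        for qtype in ("A", "AAAA"):
            errs = soa_violations(cut, server_answer(zone_name, qname, qtype))
            print(zone_name, qtype, "SERVFAIL: " + errs[0] if errs else "accepted")
```

With the zone named huawei.com the A query passes and only the AAAA query fails, which is why the misconfiguration goes unnoticed until a client asks for a record type the wildcard does not cover.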


