Uhm, ... almost exactly correct. ;-)
One would think that ... but that's not quite how many/most DNS servers and their software behave and/or behave by default (and is often quite configurable too). Many will, by default, issue NOTIFY from all authoritative nameservers. At first that might seem odd, but, I believe the logic goes about like this:

- the overhead is low
- clients that don't care can/will (mostly) ignore
- authoritative (whether primary or secondary) has no way of knowing how other authoritatives downstream of it are configured, so, e.g. some authoritatives may only get their data via other secondary(/ies), and not direct from master, etc.

So, DNS, etc., trying to be resilient and robust and fault tolerant and mostly continue working under even far from ideal circumstances, that's probably not a horrible design decision for default behaviors. Of course one can also make good arguments to have different or different default behavior ... and most nameservers (and including BIND9) are highly configurable as to how they'll actually behave in those regards.
But NOTIFY coming from other than actual authoritative nameservers (be they master/primary or a slave/secondary), something is quite odd or screwed up there. E.g. like some funky NAT/SNAT mapping (which shouldn't apply in our cases here, as we're talking Internet globally routable public IPs here, no NAT/SNAT or other mapping of the sort should at all apply between these), or, somebody <me giving Comcast Business the hairy eyeball look again> fscking around in ways with DNS traffic that they never ought be doing - and SecurityEdge would certainly be one of the guilty culprits found in such fscking up with port 53 traffic (at least we certainly hit lots of that earlier, and maybe we're hitting more of some same and/or similar, at least partially, in those regards).
On Tue, Jun 4, 2024 at 6:14 PM Rick Moen rick@linuxmafia.com wrote:
Quoting Al (awbalug@sunnyside.com):
Actually I take it back, 73.189.65.18 must be the WAN address of Michael's modem. That won't appear on a message from Michael, unless somehow NAT got involved in the modem? Not sure if that's quite right. I think NAT would come from the last of the assigned static IPv4 addresses, but IIRC I have also seen messages from a modem's WAN address.
Interesting, if so -- but nonetheless completely improper. NOTIFY should only ever come from the domain master nameserver's IP.
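
An added example, not part of the original message or the thread it quotes: one way to spot NOTIFY traffic arriving from addresses outside a zone's known authoritative set, which is the symptom discussed above. The log lines are constructed and only modelled on BIND 9 notify messages (the exact format is an assumption), and the zone name, addresses and the `unexpected_notify_sources` helper are hypothetical.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample lines modelled on BIND 9 notify log messages (format assumed).
SAMPLE_LOG = """\
04-Jun-2024 18:14:02.101 client @0x7f01 192.0.2.10#43210: received notify for zone 'example.org'
04-Jun-2024 18:14:02.350 client @0x7f02 198.51.100.53#53: received notify for zone 'example.org'
04-Jun-2024 18:14:03.007 client @0x7f03 203.0.113.7#5353: received notify for zone 'example.org'
04-Jun-2024 18:14:03.008 zone example.org/IN: refused notify from non-master: 203.0.113.7#5353
04-Jun-2024 18:14:09.412 client @0x7f04 2001:db8::53#53: received notify for zone 'example.org'
"""

# Hypothetical inventory: every authoritative server (primary and secondaries)
# per zone, since secondaries may send NOTIFY too. Documentation addresses only.
EXPECTED = {
    "example.org": {"192.0.2.10", "198.51.100.53", "2001:db8:0:0:0:0:0:53"},
}

RECEIVED = re.compile(
    r"client (?:@\S+ )?(?P<src>[0-9A-Fa-f:.]+)#\d+: "
    r"received notify for zone '(?P<zone>[^']+)'")
REFUSED = re.compile(
    r"zone (?P<zone>[^/\s]+)/IN: refused notify from non-\w+: "
    r"(?P<src>[0-9A-Fa-f:.]+)#\d+")


def unexpected_notify_sources(log_text, expected):
    """Return {(zone, source_ip): matching_log_lines} for NOTIFY senders
    that are not in the zone's expected authoritative set."""
    # Parse addresses so different spellings of one IPv6 address compare equal.
    allowed = {
        zone.rstrip(".").lower(): {ipaddress.ip_address(a) for a in addrs}
        for zone, addrs in expected.items()
    }
    hits = Counter()
    for line in log_text.splitlines():
        m = RECEIVED.search(line) or REFUSED.search(line)
        if not m:
            continue
        zone = m.group("zone").rstrip(".").lower()
        try:
            src = ipaddress.ip_address(m.group("src"))
        except ValueError:
            continue  # not a parseable address; skip rather than guess
        if src not in allowed.get(zone, set()):
            hits[(zone, str(src))] += 1
    return dict(hits)
```

The counts are log lines, not distinct NOTIFY messages, so a sender that is both logged as received and refused shows up twice.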