[BALUG-Talk] [BALUG-Admin] balug.org DNS review

Rick Moen rick@linuxmafia.com
Wed Sep 27 22:30:32 PDT 2017

Quoting Michael Paoli (Michael.Paoli@cal.berkeley.edu):

> Yea departing DreamHost.com!!!  (A.k.a. nightmare host <sigh>).

It's funny how they tempt the Irony Fairy.

[add'l auth nameservers:]

> Or, ... even not bother a friend and ...
> There are some free/complementary DNS slave services out there for the
> taking by any and/or all ... most of 'em suck (perhaps some exceptions?)

Either of the options you discussed seem pretty reasonable.  As to the
he.net quirk of needing to provide authority before they provide
service, I've noticed that the practical effect on a domain of one or
two auth nameservers doing RCODE SERVFAIL for a while is not serious.

> As for DNS server identifying its software/version ... what
> [il]legitimate uses for that?

Legitimate uses the CHAOSnet _hostname_ (or server_id) RR I've heard of
involve edge cases with multiple auth nameservers behind a load
balancer.  Publishing that RR lets you more quickly determine which
nameserver is giving you problems in some scenarios.

Legitimate use of the CHAOSnet _version_ RR?  Never heard of one.  Use
your imagination, and maybe you can contrive some scenario where there's
legitimate, beneficial use for programmatically determining what
nameserver/version a query is being answered from.

In fairness, the software/version of a nameserver can probably also be
determined pretty well by probing it with DNS fingerprinting methods,
such as using the fpdns utility.  https://github.com/kirei/fpdns
But the same can be said of other public-facing daemons, such as httpds
-- yet I would rather not make it easy for the bad guys, so I make mine
say as little as possible about its software/version/configuration.
Same logic.

> Is it entirely (or mostly) unique to BIND?

No.  BIND merely had the reference implementation.  CHAOSnet (originally
invented for completely different purposes involving coax connections
among LISP machines in the 1970s) is just one of many, mostly very
obscure, DNS class types that are in theory all valid for any and all
nameservers.  The CH class identity is just an IANA-assigned encoded
16-bit value sent along with RRs.  We think of class 'IN' (Internet) as
the regular and default class, but to nameserver sofware that's just a
two-byte binary-encoded value.  Once in a blue moon, you might come
across the Hesiod class (HS) from Project Athena
(http://en.wikipedia.org/wiki/Hesiod_(name_service) ).

RFC2929 says:

Dec         Hex           Description
0           0x0000        Assignment requires an IETF Standards Action.
1           0x0001        Internet (IN)
2           0x0002        Available for assignment by IETF Consensus as a 
                          data CLASS.
3           0x0003        Chaos (CH)
4           0x0004        Hesiod (HS)
5-127       0x0005-0x007F Available for assignment by IETF Consensus as
                          data CLASSes only.  
128-253     0x0080-0x00FD Available for assignment by IETF Consensus as 
                          QCLASSes only.
254         0x00FE        QCLASS None 
255         0x00FF        QCLASS Any
256-32767   0x0100-0x7FFF Assigned by IETF Consensus.
32768-65280 0x8000-0xFEFF Assigned based on Specification Required as defined
                          in RFC 2434
65280-65534 0xFF00-0xFFFE Private Use.
65535       0xFFFF        Can only be assigned by an IETF Standards Action.

Those are all valid DNS class values.  In theory, IETF could roll out
any of them in accordance with its bureaucratic process.  In practice, 
IN, CH, and HS are the limit for now.  Probably, any nameserver can
handle them, but I am not going to go around setting up Hesiod in order
to try (let alone a bunch of LISP machines on antique coax networking).

Disclaimer:  Specifically, I haven't checked _every_ auth nameserver
package to see if they default to certain CHAOS class 'hostname' and
'version' values the way BIND9 does.  NSD does.  Unbound does.  The
PowerDNS suite does.  djbdns does. MaraDNS does (IIRC).  I don't know
about the others.

More information about the BALUG-Talk mailing list