nanog mailing list archives
Re: [IP] VeriSign prepares to relaunch "Site Finder" -- calls
From: Scott Savage <scott () thewaystation com>
Date: Tue, 10 Feb 2004 00:02:07 -0600 (CST)
: this is nanog@. if you think sitefinder poses an operational problem
: then please describe it (dispassionately). if you think there is an
: operational thing that ought to be done in response to sitefinder, then
: please describe that (dispassionately). the response you included...
I brought this issue up (dispassionately) offline at the last NANOG
conference.
As most everyone knows, the Windows resolver has its share of
problems under the hood. Well, we ran into a rather interesting glitch
when Verisign did away with the NXDOMAIN. In our internal enterprise, we
have DNS search suffixes defined on client workstations. If a user enters
a plain hostname it will impute the suffixes automatically to find a
matching winner within the various internal subdomains. Never had a
problem with it prior to this.
However, Microsoft's imputing implementation has an undocumented flaw (at
least from the command line that we could determine). If you enter more
than 5 search suffixes, the MS resolver, at least in NT and 2000,
demonstrates irrational behavior. In this scenario, the resolver will
actually append all of the search suffixes, instead of just one at a time,
and make one big request with all the domains separated by commas. In our
case we had 6 search suffix entries for internal subdomains and the root
domain. When a request was made for a plain hostname, the client would
send a request that looked like:
plainhostname.a.domain.com,b.domain.com,c.domain.com,d.domain.com.e.domain.com,domain.com
When our internal DNS server received the request it parsed the root
domain as com,domain.com. Our DNS servers, of course, would end up
forwarding the request out to the root servers and then receive back the
lovely Sitefinder IP address, instead of NXDOMAIN.
We actually lost quite a bit of time in remote troubleshooting during an
application test out of Amsterdam the day Sitefinder came online because
of this issue. We were making internal DNS changes for a test and using
dynamic DNS. We were having a user run nslookups from the command line and
they kept getting back the bogus Sitefinder address, which we couldn't
figure out where it was coming from. (It can pay to stay current on this
list.) Oddly, the browser still resolved the name correctly in the end and
was able to function, even though command line still showed this very
strange behavior.
When NXDOMAIN returned, the issue disappeared and we haven't tested it
again.
--
Scott Savage
scott(at)thewaystation.com
www.thewaystation.com
Random Quote:
Strange Laws:
It is against the law for a monster to enter the corporate limits of
Urbana, Illinois.
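Added illustration, not part of the original message: a toy Python model of the failure described above, showing how a comma-joined search-suffix query falls outside the internal zone and gets a wildcard answer where it used to get NXDOMAIN, plus a label check a forwarder or log filter could apply. All function names, the zone contents and the addresses are constructed assumptions (192.0.2.1 is a documentation address standing in for the wildcard answer).

```python
import re

# Constructed sample data. 192.0.2.1 is a documentation address standing in
# for the wildcard answer; 10.0.0.5 and the zone contents are made up.
WILDCARD_ADDR = "192.0.2.1"
INTERNAL_ZONE = {"plainhostname.c.domain.com": "10.0.0.5"}
SUFFIXES = ["a.domain.com", "b.domain.com", "c.domain.com",
            "d.domain.com", "e.domain.com", "domain.com"]
LDH_LABEL = re.compile(r"(?!-)[A-Za-z0-9-]{1,63}(?<!-)")


def candidates(host, suffixes, buggy):
    """Names tried for an unqualified host. buggy=True models the behaviour
    described in the post: more than 5 suffixes are sent as one
    comma-joined query instead of one query per suffix."""
    if buggy and len(suffixes) > 5:
        return [host + "." + ",".join(suffixes)]
    return [host + "." + s for s in suffixes]


def resolve(qname, tld_wildcard):
    """Toy internal server: authoritative for domain.com, forwards the rest.
    Returns an address, or None for NXDOMAIN."""
    labels = qname.lower().rstrip(".").split(".")
    if labels[-2:] == ["domain", "com"]:
        return INTERNAL_ZONE.get(qname.lower())   # local answer or NXDOMAIN
    if tld_wildcard and labels[-1] == "com":
        return WILDCARD_ADDR                      # wildcard hides NXDOMAIN
    return None


def search(host, suffixes, buggy, tld_wildcard):
    """Walk the candidates; return (qname, address) of the first answer."""
    for qname in candidates(host, suffixes, buggy):
        addr = resolve(qname, tld_wildcard)
        if addr is not None:
            return qname, addr
    return None, None


def is_hostname(qname):
    """True if every label is a valid LDH hostname label; a comma fails."""
    return all(LDH_LABEL.fullmatch(l) for l in qname.rstrip(".").split("."))


if __name__ == "__main__":
    for wildcard in (False, True):
        qname, addr = search("plainhostname", SUFFIXES, True, wildcard)
        print("wildcard" if wildcard else "nxdomain", qname, addr)
```

Rejecting or logging queries that fail `is_hostname` before they are forwarded keeps malformed names like this one from depending on the upstream answer at all.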
