Re: Cloudflare reverse DNS SERVFAIL, normal?

[Owen DeLong <owen () delong com>]

> On Aug 30, 2016, at 15:50 , Valdis.Kletnieks () vt edu wrote:
>
> On Tue, 30 Aug 2016 14:39:10 -0700, Owen DeLong said:
>
> > I run a pair of nameservers. Let’s call them ns1.company.com
> > and ns2.company.com
>
> > Someone registers example.com and points NS records in the COM zone at my
> > nameservers.
>
> I would have expected that the resulting NXDOMAIN replies from ns1 and ns2
> would usually make this a self-correcting problem.

You don’t get NXDOMAIN when a nameserver gets a request for a zone it doesn’t
serve.

You either get SERVFAIL or you  get NS records back as a referral.

> Are there actually people who do this misconfiguration on a zone big enough
> for the traffic to matter, and leave it that way for very long before they
> clue in that things aren't working right?  I'd think that if somebody points
> billy-bobs-bait-tackle-and-internet.com at you, it might take you quite some
> time to notice - and if somebody whoopsies and points ebay.com's NS records
> at you, the resulting disfunction would be noticed fairly soon….

Depends on your definition of “matter”.

Also, misconfiguring one important zone doesn’t necessarily generate significantly
more traffic than generating a whole lot of unimportant ones. Especially if
you misconfigure zones in ip6.arpa or in-addr.arpa as was the case at the
beginning of this topic.

> (Miscreants who do this intentionally are, of course, a totally different
> kettle of fish, and need to be dealt with as micreants....)

Yep, though one has to wonder why they would bother.

Owen