nanog mailing list archives
Re: [IP] VeriSign prepares to relaunch "Site Finder" -- calls
From: Scott Savage <scott () thewaystation com>
Date: Tue, 10 Feb 2004 00:02:07 -0600 (CST)
: this is nanog@. if you think sitefinder poses an operational problem : then please describe it (dispassionately). if you think there is an : operational thing that ought to be done in response to sitefinder, then : please describe that (dispassionately). the response you included... I brought this issue up (dispassionately) offline at the last NANOG conference. As most everyone knows, the Windows resolver has its share of problems under the hood. Well, we ran into a rather interesting glitch when Verisign did away with the NXDOMAIN. In our internal enterprise, we have DNS search suffixes defined on client workstations. If a user enters a plain hostname it will impute the suffixes automatically to find a matching winner within the various internal subdomains. Never had a problem with it prior to this. However, Microsoft's imputing implementation has an undocumented flaw (at least from the command line that we could determine). If you enter more than 5 search suffixes, the MS resolver, at least in NT and 2000, demonstrates irrational behavior. In this scenario, the resolver will actually append all of the search suffixes, instead of just one at a time, and make one big request with all the domains separated by commas. In our case we had 6 search suffix entries for internal subdomains and the root domain. When a request was made for a plain hostname, the client would send a request that looked like: plainhostname.a.domain.com,b.domain.com,c.domain.com,d.domain.com.e.domain.com,domain.com When our internal DNS server received the request it parsed the root domain as com,domain.com. Our DNS servers, of course, would end up forwarding the request out to the root servers and then receive back the lovely Sitefinder IP address, instead of NXDOMAIN. We actually lost quite a bit of time in remote troubleshooting during an application test out of Amsterdam the day Sitefinder came online because of this issue. We were making internal DNS changes for a test and using dynamic DNS. We were having a user run nslookups from the command line and they kept getting back the bogus Sitefinder address, which we couldn't figure out where it was coming from. (It can pay to stay current on this list) Oddly, the browser still resolved the name correctly in the end and was able to function, even though command line still showed this very strange behavior. When NXDOMAIN returned, the issue disappeared and we haven't tested it again. -- Scott Savage scott(at)thewaystation.com www.thewaystation.com Random Quote: Strange Laws: It is against the law for a monster to enter the corporate limits of Urbana, Illinois.
Current thread:
- Re: [IP] VeriSign prepares to relaunch "Site Finder" -- calls, (continued)
- Re: [IP] VeriSign prepares to relaunch "Site Finder" -- calls Paul Vixie (Feb 09)
- Re: [IP] VeriSign prepares to relaunch "Site Finder" -- calls Suresh Ramasubramanian (Feb 09)
- Re: [IP] VeriSign prepares to relaunch "Site Finder" -- calls Michael Loftis (Feb 09)
- Re: [IP] VeriSign prepares to relaunch "Site Finder" -- calls JC Dill (Feb 10)
- Re: [IP] VeriSign prepares to relaunch "Site Finder" -- calls Valdis . Kletnieks (Feb 09)
- RE: [IP] VeriSign prepares to relaunch "Site Finder" -- calls David Luyer (Feb 10)
- RE: [IP] VeriSign prepares to relaunch "Site Finder" -- calls Paul Wouters (Feb 10)
- Re: [IP] VeriSign prepares to relaunch "Site Finder" -- calls Joshua Coombs (Feb 10)
- Re: [IP] VeriSign prepares to relaunch "Site Finder" -- calls William Allen Simpson (Feb 10)
- Re: [IP] VeriSign prepares to relaunch "Site Finder" -- calls Paul Vixie (Feb 09)
- Re: [IP] VeriSign prepares to relaunch "Site Finder" -- calls David Lesher (Feb 09)
- Re: [IP] VeriSign prepares to relaunch "Site Finder" -- calls Scott Savage (Feb 09)
- Re: [IP] VeriSign prepares to relaunch "Site Finder" -- calls Brian Bruns (Feb 10)
- Re: [IP] VeriSign prepares to relaunch "Site Finder" -- calls Stephane Bortzmeyer (Feb 10)
- Re: [IP] VeriSign prepares to relaunch "Site Finder" -- calls JC Dill (Feb 10)
- Re: [IP] VeriSign prepares to relaunch "Site Finder" -- calls Paul Vixie (Feb 10)
- Re: [IP] VeriSign prepares to relaunch "Site Finder" -- calls JC Dill (Feb 12)
- Re: [IP] VeriSign prepares to relaunch "Site Finder" -- calls Wayne E. Bouchard (Feb 10)
- Re: [IP] VeriSign prepares to relaunch "Site Finder" -- calls Michael Loftis (Feb 10)
- Re: [IP] VeriSign prepares to relaunch "Site Finder" -- calls Marshall Eubanks (Feb 10)
- Re: [IP] VeriSign prepares to relaunch "Site Finder" -- calls Marshall Eubanks (Feb 10)