[Pdns-users] pdns_recursors trusts addtional section where it better shouldn't

Aki Tuomi cmouse at cmouse.fi
Fri Feb 17 10:14:57 UTC 2017 


On 17.02.2017 12:11, Thomas Mieslinger wrote:
> On 17.02.17 10:58, bert hubert wrote:
>> On Fri, Feb 17, 2017 at 10:49:08AM +0100, Thomas Mieslinger wrote:
>>> ovh changed its MX A records and now my employers Mail relays can't
>>> send
>>> email to ovh.
>>
>> Have you attempted to talk to OVH about their misconfiguration?
>
> There is no misconfiguration at ovh.
>
>> I ask this because the DNS Resolver community keeps getting asked to
>> solve
>> problems which are not ours. But it is easier to ask us to change.
>>
>> We (BIND, Unbound) keep running into broken F5 configurations for
>> example,
>> and yes, we can fix those with some special casing. But people always
>> ask us
>> because we are easier to talk to than the operators of the F5 machines.
>
> In my experience operating F5 gtm is hard... ( but that is completely
> of topic.)
>
>> And so the code in resolvers becomes ever more a set of exceptions and
>> workarounds. And please know, every workaround breaks something else.
>>
>> So please ask OVH to fix their stuff.
>
> They can't.
>
> If verisign had a policy like denic or .fr, this mess would not be in
> the tld zone file.
>
>>> Many many domains are wrongly delegated with wrong glue records in
>>> the tld
>>> zone.
>>
>> Let us not encourage broken things to work well. Some pain is quite
>> motivational to clean this up.
>
> The pain is only felt by people who can't fix it.
>
>>> I understand that this must have a performance impact but having the
>>> choice
>>> between 1000s of customer calls a day "I can't send emails to ovh
>>> and it is
>>> your fault" and buying some more recursor boxes, I clearly want more
>>> recursor boxes and less disappointed customers.
>>
>> The disappointed customers may want to ask OVH why it is publishing the
>> wrong IP addresses?
>
> It is not ovh publishing wrong A records, it is glue from the tld zone.
>
> The example domain is register with gandi.net, so gandi or their
> customer would need to update NS Records and glue. I can't fix it, ovh
> can't fix it.
>
>

Those additional records are placed there by the owner of the name(s).

~$ whois dns103.ovh.net

Whois Server Version 2.0

Domain names in the .com and .net domains can now be registered
with many different competing registrars. Go to http://www.internic.net
for detailed information.

   Server Name: DNS103.OVH.NET
   IP Address: 213.251.188.147
   IP Address: 2001:41D0:1:4A93:0:0:0:1
   Registrar: OVH
   Whois Server: whois.ovh.com
   Referral URL: http://www.ovh.com


   Server Name: DNS103.OVH.NET.VITABAT.FR
   Registrar: OVH
   Whois Server: whois.ovh.com
   Referral URL: http://www.ovh.com


So the owner can fix it, or request gandi to fix it.

Aki

More information about the Pdns-users mailing list