<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
</head>
<body text="#000000" bgcolor="#FFFFFF">
<p>As further data points: with BIND as a caching / recursive,
sometimes it "works" and provides inconsistent AUTHORITY, although
anecdata suggests this is more prevalent with older versions of
BIND. In one case BIND 9.12 in fact reports the AUTHORITY as the
parent zone, with the parent's nameservers.<br>
</p>
<p>The facts are:</p>
<ul>
<li>191.131.in-addr.arpa is served from awsdns</li>
<li>It delegates 85.191.131.in-addr.arpa with
fs838.click-network.com and ns102.click-network.com above the
zone cut.</li>
<li>Below the zone cut the nameserver claims to be authoritative
for its parent's zone (191.131.in-addr.arpa) instead of
85.191.131.in-addr.arpa. (In other words it's lame.)</li>
<li>(Below the zone cut it also erroneously advertises one of its
nameservers as simply ns102. instead of ns102.click-network.com)</li>
<li>There is no server which actually advertises itself as
authoritative for 85.191.131.in-addr.arpa</li>
</ul>
<p>9.18.21 with "qname-minimization disabled; minimal-responses
no;":</p>
<blockquote>
<pre>; <<>> DiG 9.18.21 <<>> @127.0.0.1 -x 131.191.85.31
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 45088
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 3
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1420
; COOKIE: 95f68497698c23e201000000662bd448c6b1f33814567a34 (good)
;; QUESTION SECTION:
;31.85.191.131.in-addr.arpa. IN PTR
;; ANSWER SECTION:
31.85.191.131.in-addr.arpa. 604800 IN PTR flame.m3047.net.
;; AUTHORITY SECTION:
85.191.131.in-addr.arpa. 1799 IN NS ns102.click-network.com.
85.191.131.in-addr.arpa. 1799 IN NS fs838.click-network.com.
;; ADDITIONAL SECTION:
fs838.click-network.com. 172799 IN A 131.191.7.194
ns102.click-network.com. 172799 IN A 131.191.7.12
;; Query time: 1620 msec
;; SERVER: 127.0.0.1#53(127.0.0.1) (UDP)
;; WHEN: Fri Apr 26 09:20:24 PDT 2024
;; MSG SIZE rcvd: 201
</pre>
</blockquote>
<p>9.12.3 offering two different responses:</p>
<blockquote>
<pre>; <<>> DiG 9.12.3-P1 <<>> -x 131.191.85.31
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 20212
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 4, ADDITIONAL: 5
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1280
; COOKIE: 22623b3f260659f6699dc2ae662bcf96945739b2062b578d (good)
;; QUESTION SECTION:
;31.85.191.131.in-addr.arpa. IN PTR
;; ANSWER SECTION:
31.85.191.131.in-addr.arpa. 183024 IN PTR flame.m3047.net.
;; AUTHORITY SECTION:
191.131.in-addr.arpa. 49595 IN NS ns-986.awsdns-59.net.
191.131.in-addr.arpa. 49595 IN NS ns-7.awsdns-00.com.
191.131.in-addr.arpa. 49595 IN NS ns-1603.awsdns-08.co.uk.
191.131.in-addr.arpa. 49595 IN NS ns-1165.awsdns-17.org.
;; ADDITIONAL SECTION:
ns-7.awsdns-00.com. 106009 IN A 205.251.192.7
ns-986.awsdns-59.net. 110789 IN A 205.251.195.218
ns-1165.awsdns-17.org. 110789 IN A 205.251.196.141
ns-1603.awsdns-08.co.uk. 110789 IN A 205.251.198.67
;; Query time: 1 msec
;; SERVER: 10.0.0.220#53(10.0.0.220)
;; WHEN: Fri Apr 26 09:00:22 PDT 2024
;; MSG SIZE rcvd: 334
----
; <<>> DiG 9.12.3-P1 <<>> -x 131.191.85.31
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 42172
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 3
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1280
; COOKIE: 166de4c8b3f9b189d0aad8b9662bd608135dc2782eb1138a (good)
;; QUESTION SECTION:
;31.85.191.131.in-addr.arpa. IN PTR
;; ANSWER SECTION:
31.85.191.131.in-addr.arpa. 181374 IN PTR flame.m3047.net.
;; AUTHORITY SECTION:
85.191.131.in-addr.arpa. 1794 IN NS ns102.click-network.com.
85.191.131.in-addr.arpa. 1794 IN NS fs838.click-network.com.
;; ADDITIONAL SECTION:
fs838.click-network.com. 294 IN A 131.191.7.194
ns102.click-network.com. 294 IN A 131.191.7.12
;; Query time: 1 msec
;; SERVER: 10.0.0.220#53(10.0.0.220)
;; WHEN: Fri Apr 26 09:27:52 PDT 2024
;; MSG SIZE rcvd: 201
</pre>
</blockquote>
<p>Housekeeping: the version of DiG above also changes, but this is
not simply the version of dig:</p>
<blockquote>
<pre># dig @127.0.0.1 version.bind ch txt +short
"9.18.21"
# dig version.bind ch txt +short
"9.12.3-P1"
</pre>
</blockquote>
<p>There are other oddities, for instance the actual authoritative
TTL for the nameservers appears to be 300 not 172799:</p>
<blockquote>
<pre># rndc flush
# dig @127.0.0.1 click-network.com ns
; <<>> DiG 9.18.21 <<>> @127.0.0.1 click-network.com ns
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 6461
;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 3
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1420
; COOKIE: 64bf6532b614ec2101000000662be018a98c6134e8cea676 (good)
;; QUESTION SECTION:
;click-network.com. IN NS
;; ANSWER SECTION:
click-network.com. 300 IN NS ns102.
click-network.com. 300 IN NS ns102.click-network.com.
click-network.com. 300 IN NS fs838.click-network.com.
;; ADDITIONAL SECTION:
fs838.click-network.com. 172800 IN A 131.191.7.194
ns102.click-network.com. 172800 IN A 131.191.7.12
;; Query time: 112 msec
;; SERVER: 127.0.0.1#53(127.0.0.1) (UDP)
;; WHEN: Fri Apr 26 10:10:48 PDT 2024
;; MSG SIZE rcvd: 165
# dig @127.0.0.1 ns102.click-network.com
; <<>> DiG 9.18.21 <<>> @127.0.0.1 ns102.click-network.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 10463
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 3, ADDITIONAL: 2
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1420
; COOKIE: b75215ce03b76bd301000000662be03e0d2a5a9b6ab5e6d1 (good)
;; QUESTION SECTION:
;ns102.click-network.com. IN A
;; ANSWER SECTION:
ns102.click-network.com. 300 IN A 131.191.7.12
;; AUTHORITY SECTION:
click-network.com. 262 IN NS fs838.click-network.com.
click-network.com. 262 IN NS ns102.click-network.com.
click-network.com. 262 IN NS ns102.
;; ADDITIONAL SECTION:
fs838.click-network.com. 172762 IN A 131.191.7.194
;; Query time: 20 msec
;; SERVER: 127.0.0.1#53(127.0.0.1) (UDP)
;; WHEN: Fri Apr 26 10:11:26 PDT 2024
;; MSG SIZE rcvd: 165
# dig @ns102.click-network.com ns102.click-network.com +norecurse
; <<>> DiG 9.18.21 <<>> @ns102.click-network.com ns102.click-network.com +norecurse
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 18892
;; flags: qr aa ra; QUERY: 1, ANSWER: 1, AUTHORITY: 3, ADDITIONAL: 2
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
; COOKIE: 4208cbc13560fc4325c45599662be069b466b23a5890f8d2 (good)
;; QUESTION SECTION:
;ns102.click-network.com. IN A
;; ANSWER SECTION:
ns102.click-network.com. 300 IN A 131.191.7.12
;; AUTHORITY SECTION:
click-network.com. 300 IN NS ns102.
click-network.com. 300 IN NS ns102.click-network.com.
click-network.com. 300 IN NS fs838.click-network.com.
;; ADDITIONAL SECTION:
fs838.click-network.com. 300 IN A 131.191.7.194
;; Query time: 24 msec
;; SERVER: 131.191.7.12#53(ns102.click-network.com) (UDP)
;; WHEN: Fri Apr 26 10:12:09 PDT 2024
;; MSG SIZE rcvd: 165
</pre>
</blockquote>
<p> I don't know what broader implications might accrue. Since
Rainier Connect / Lightcurve hasn't seen fit to fix it or get back
to me in nearly a full business week I suspect they like it this
way. However it doesn't comport with the principle of least
surprise. The City of Tacoma doesn't seem to care that the
licensee operating in a portion of their /16 is impersonating them
(although as a consequence of the reputation service they use they
won't accept emails from the block inquiring about it).<br>
</p>
<p>--</p>
<p><br>
Fred Morris</p>
<p><br>
</p>
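<p>Added example, not part of the original message: a small Python
check that reads dig's text output and flags the two symptoms shown
above, an AUTHORITY section naming the parent zone instead of the
delegated zone, and an NS target that is a single bare label. The
function names <code>parse_dig</code> and <code>audit</code> are
hypothetical, and the sample inputs are abbreviated from the dig output
in the message.</p>

```python
import re

RR = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+(\S+)\s+(\S+)$")
HEADER = re.compile(r"^;; (\w+) SECTION:$")

def parse_dig(text):
    """Group the resource records in dig's text output by section name."""
    sections, current = {}, None
    for line in map(str.strip, text.splitlines()):
        header = HEADER.match(line)
        if header:
            current = sections.setdefault(header.group(1), [])
        elif current is not None and (rr := RR.match(line)):
            owner, ttl, rtype, rdata = rr.groups()
            current.append((owner.lower(), int(ttl), rtype, rdata.lower()))
    return sections

def audit(text, delegated_zone):
    """Return findings for one response about a name in delegated_zone."""
    zone, findings = delegated_zone.lower(), []
    sections = parse_dig(text)
    ns_owners = {o for o, _, t, _ in sections.get("AUTHORITY", []) if t == "NS"}
    for owner in sorted(ns_owners):
        # The delegated zone is a strict descendant of the advertised owner.
        if owner != zone and zone.endswith("." + owner):
            findings.append(f"AUTHORITY names parent zone {owner}, not {zone}")
    for records in sections.values():
        for owner, _, rtype, rdata in records:
            label = rdata.rstrip(".")
            if rtype == "NS" and label and "." not in label:
                findings.append(f"NS target '{rdata}' for {owner} is a single bare label")
    return findings

# Sample inputs abbreviated from the dig output quoted in the message.
PARENT_AUTHORITY = """;; QUESTION SECTION:
;31.85.191.131.in-addr.arpa. IN PTR
;; ANSWER SECTION:
31.85.191.131.in-addr.arpa. 183024 IN PTR flame.m3047.net.
;; AUTHORITY SECTION:
191.131.in-addr.arpa. 49595 IN NS ns-986.awsdns-59.net.
191.131.in-addr.arpa. 49595 IN NS ns-7.awsdns-00.com.
"""
CHILD_AUTHORITY = """;; AUTHORITY SECTION:
85.191.131.in-addr.arpa. 1794 IN NS ns102.click-network.com.
85.191.131.in-addr.arpa. 1794 IN NS fs838.click-network.com.
"""
NS_ANSWER = """;; ANSWER SECTION:
click-network.com. 300 IN NS ns102.
click-network.com. 300 IN NS ns102.click-network.com.
"""
```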
</body>
</html>