SuperDNS

RFC1034 states that the NSSet from both parent and child authoritative should be consistent
Does this really happen in the wild?
To answer that, together with researcher at the University of Twente and CAIDA, we found in a 2020 research paper (PDF) that ~8% of the domain names from .com, .org, and .net are not consistent (section 3).
The paper is available here (PDF). Reference:


               Raffaele Sommese,  Giovane C. M. Moura, Mattijs Jonker, Roland van Rijswijk-Deij, Alberto Dainotti, KC Claffy, Anna Sperotto.
               When parents and  children disagree: Diving into DNS delegation inconsistency.
               Proceedings of the Passive and Active Measurement Workshop. Eugene, OR, USA, Mar. 2020

This paper was also presented at RIPE 80 -- slides available here.

draft-huque-dnsop-ns-revalidation

Around the same time, there is a new Internet draft on the DNSOP WG that addresses this inconsistency issue:
- https://tools.ietf.org/html/draft-huque-dnsop-ns-revalidation
As requested by one of the draft’s authors, we provide here a similar setup as used in our paper, so developers can test their resolvers.

1. Experiments Setup

There are four misconfiguration cases we identify in the research paper.
These are the NSSet configurations summarized in each scenario.
Note: Minimial responses are disabled in this setup.

	Parent NSSet	Child NSSet
Disjoint	`ns1.disjoint.superdns.nl`	`ns2.disjoint.superdns.nl`
Subset	`ns1.subset.superdns.nl`	`ns1.subset.superdns.nl`,`ns2.subset.superdns.nl`
Superset	`ns1.superset.superdns.nl`,`ns2.superset.superdns.nl`	`ns1.superset.superdns.nl`
Rest (mixed)	`ns1.rest.superdns.nl`,`ns2.rest.superdns.nl`	`ns2.rest.superdns.nl`,`ns3.rest.superdns.nl`

2.How do I test my resolver?

From the paper: "Our goal is to determine, indirectly, which NS records were used to answer the [A] queries." (Section 4.1)
RFC2181 states that resolvers may prefer information from child authoritative servers

	Test Query	Parent Centric Answer	Child Centric Answer	Test goal
Disjoint	`A test.disjoint.superdns.nl`	192.168.0.1	10.0.0.1	How many are answered by `ns2.disjoint.superdns.nl` (10.0.0.1)
Subset	`A test.subset.superdns.nl`	192.168.0.1	10.0.0.1 or 192.168.0.1	How many queries are answered by `ns2.subset.superdns.nl`(10.0.0.1)
Superset	`A test.superset.superdns.nl`	192.168.0.1 or 10.0.0.1	10.0.0.1	How many queries are answered by `ns2.superset.superdns.nl` (10.0.0.1)
Rest (mixed)	`A test.rest.superdns.nl`	192.168.0.1 or 172.0.0.1	172.0.0.1 or 10.0.0.1	How many are answered by `ns3.test.superdns.nl` (10.0.0.1)

3. Zone files

In case you want need to debug it, we provide here the zone files used in each cases

3.1 zone: `superdns.nl`

3.1 zone files at `ns1.sidnlabs.nl` and `ns2.sidn.nl`


$ORIGIN .
$TTL 3600
superdns.nl		IN SOA	ns1.sidnlabs.nl. hostmaster.sidn.nl. 1 14400 3600 604800 300
			NS	ns1.sidnlabs.nl.
			NS	ns2.sidn.nl.
			A	94.198.159.35
			AAAA	2a00:d78:0:712:94:198:159:35
$ORIGIN superdns.nl.
disjoint		NS	ns1.disjoint
ns1.disjoint		A	94.198.159.39
			AAAA	2a00:d78:0:712:94:198:159:39

subset			NS	ns1.subset
ns1.subset		A	94.198.159.39
			AAAA	2a00:d78:0:712:94:198:159:39

superset		NS	ns1.superset
			NS	ns2.superset
ns1.superset		A	94.198.159.39
			AAAA	2a00:d78:0:712:94:198:159:39
ns2.superset		A	94.198.159.27
			AAAA	2a00:d78:0:712:94:198:159:27

rest			NS	ns1.rest
			NS	ns2.rest
ns1.rest		A	94.198.159.39
			AAAA	2a00:d78:0:712:94:198:159:39
ns2.rest		A	94.198.159.27
			AAAA	2a00:d78:0:712:94:198:159:27

3.2 zone `disjoint.superdns.nl`

3.2.1 zone file `ns1.disjoint.superdns.nl`:


$ORIGIN .
$TTL 3600	; 1 hour
disjoint.superdns.nl	IN SOA	ns1.disjoint.superdns.nl. hostmaster.sidn.nl. (
				1          ; serial
				14400      ; refresh (4 hours)
				3600       ; retry (1 hour)
				604800     ; expire (1 week)
				60         ; minimum (1 minute)
				)
			NS	ns2.disjoint.superdns.nl.
$ORIGIN disjoint.superdns.nl.
ns2			A	94.198.159.27
			AAAA	2a00:d78:0:712:94:198:159:27
$TTL 30	; 30 seconds
test			A	192.168.0.1
			TXT	"The resolver is **parent** centric"
			TXT	"This reply came from ns1.disjoint.superdns.nl"
			AAAA	2001:db8::192:168:0:1
$ORIGIN test.disjoint.superdns.nl.
*			A	192.168.0.1
			TXT	"The resolver is **parent** centric"
			TXT	"This reply came from ns1.disjoint.superdns.nl"
			AAAA	2001:db8::192:168:0:1

3.2.2 zone file `ns2.disjoint.superdns.nl`:


$ORIGIN .
$TTL 3600	; 1 hour
disjoint.superdns.nl	IN SOA	ns1.disjoint.superdns.nl. hostmaster.sidn.nl. (
				1          ; serial
				14400      ; refresh (4 hours)
				3600       ; retry (1 hour)
				604800     ; expire (1 week)
				60         ; minimum (1 minute)
				)
			NS	ns2.disjoint.superdns.nl.
$ORIGIN disjoint.superdns.nl.
ns2			A	94.198.159.27
			AAAA	2a00:d78:0:712:94:198:159:27
$TTL 30	; 30 seconds
test			A	10.0.0.1
			AAAA	2001:db8::10:0:0:1
$ORIGIN test.disjoint.superdns.nl.
*			A	10.0.0.1
			AAAA	2001:db8::10:0:0:1

3.3 zone: `subset.superdns.nl`

3.3.1 Zone file `ns1.subset.superdns.nl`:


$ORIGIN .
$TTL 3600	; 1 hour
subset.superdns.nl	IN SOA	ns1.subset.superdns.nl. hostmaster.sidn.nl. (
				1          ; serial
				14400      ; refresh (4 hours)
				3600       ; retry (1 hour)
				604800     ; expire (1 week)
				60         ; minimum (1 minute)
				)
			NS	ns1.subset.superdns.nl.
			NS	ns2.subset.superdns.nl.
$ORIGIN subset.superdns.nl.
ns1			A	94.198.159.39
			AAAA	2a00:d78:0:712:94:198:159:39
ns2			A	94.198.159.27
			AAAA	2a00:d78:0:712:94:198:159:27
$TTL 30	; 30 seconds
test			A	192.168.0.1
			TXT	"This reply came from ns1.subset.superdns.nl"
			TXT	"The resolver can be either parent or child centric"
			AAAA	2001:db8::192:168:0:1
$ORIGIN test.subset.superdns.nl.
*			A	192.168.0.1
			TXT	"This reply came from ns1.subset.superdns.nl"
			TXT	"The resolver can be either parent or child centric"
			AAAA	2001:db8::192:168:0:1

3.3.2 Zone file `ns2.subset.superdns.nl`:


$ORIGIN .
$TTL 3600	; 1 hour
subset.superdns.nl	IN SOA	ns1.subset.superdns.nl. hostmaster.sidn.nl. (
				1          ; serial
				14400      ; refresh (4 hours)
				3600       ; retry (1 hour)
				604800     ; expire (1 week)
				60         ; minimum (1 minute)
				)
			NS	ns1.subset.superdns.nl.
			NS	ns2.subset.superdns.nl.
$ORIGIN subset.superdns.nl.
ns1			A	94.198.159.39
			AAAA	2a00:d78:0:712:94:198:159:39
ns2			A	94.198.159.27
			AAAA	2a00:d78:0:712:94:198:159:27
$TTL 30	; 30 seconds
test			A	10.0.0.1
			TXT	"The resolver is **child** centric"
			TXT	"This reply came from ns2.subset.superdns.nl"
			AAAA	2001:db8::10:0:0:1
$ORIGIN test.subset.superdns.nl.
*			A	10.0.0.1
			TXT	"The resolver is **child** centric"
			TXT	"This reply came from ns2.subset.superdns.nl"
			AAAA	2001:db8::10:0:0:1

3.4 zone: `superset.superdns.nl`

3.4.1: zone file `ns1.superset.superdns.nl`:


$ORIGIN .
$TTL 3600	; 1 hour
superset.superdns.nl	IN SOA	ns1.superset.superdns.nl. hostmaster.sidn.nl. (
				1          ; serial
				14400      ; refresh (4 hours)
				3600       ; retry (1 hour)
				604800     ; expire (1 week)
				60         ; minimum (1 minute)
				)
			NS	ns1.superset.superdns.nl.
$ORIGIN superset.superdns.nl.
ns1			A	94.198.159.39
			AAAA	2a00:d78:0:712:94:198:159:39
$TTL 30	; 30 seconds
test			A	192.168.0.1
			TXT	"This reply came from ns1.superset.superdns.nl"
			TXT	"The resolver can be either parent or child centric"
			AAAA	2001:db8::192:168:0:1
$ORIGIN test.superset.superdns.nl.
*			A	192.168.0.1
			TXT	"This reply came from ns1.superset.superdns.nl"
			TXT	"The resolver can be either parent or child centric"
			AAAA	2001:db8::192:168:0:1

3.4.2: zone file `ns2.superset.superdns.nl`:


$ORIGIN .
$TTL 3600	; 1 hour
superset.superdns.nl	IN SOA	ns1.superset.superdns.nl. hostmaster.sidn.nl. (
				1          ; serial
				14400      ; refresh (4 hours)
				3600       ; retry (1 hour)
				604800     ; expire (1 week)
				60         ; minimum (1 minute)
				)
			NS	ns1.superset.superdns.nl.
$ORIGIN superset.superdns.nl.
ns1			A	94.198.159.39
			AAAA	2a00:d78:0:712:94:198:159:39
$TTL 30	; 30 seconds
test			A	10.0.0.1
			TXT	"The resolver is **parent** centric"
			TXT	"This reply came from ns2.superset.superdns.nl"
			AAAA	2001:db8::10:0:0:1
$ORIGIN test.superset.superdns.nl.
*			A	10.0.0.1
			TXT	"The resolver is **parent** centric"
			TXT	"This reply came from ns2.superset.superdns.nl"
			AAAA	2001:db8::10:0:0:1

3.5 zone: `rest.superdns.nl`

3.5.1 zone file: `ns1.rest.superdns.nl`


$ORIGIN .
$TTL 3600	; 1 hour
rest.superdns.nl	IN SOA	ns1.superset.superdns.nl. hostmaster.sidn.nl. (
				1          ; serial
				14400      ; refresh (4 hours)
				3600       ; retry (1 hour)
				604800     ; expire (1 week)
				60         ; minimum (1 minute)
				)
			NS	ns2.rest.superdns.nl.
			NS	ns3.rest.superdns.nl.
$ORIGIN rest.superdns.nl.
ns2			A	94.198.159.27
			AAAA	2a00:d78:0:712:94:198:159:27
ns3			A	94.198.159.33
			AAAA	2a00:d78:0:712:94:198:159:33
$TTL 30	; 30 seconds
test			A	192.168.0.1
			TXT	"The resolver is **parent** centric"
			TXT	"This reply came from ns1.rest.superdns.nl"
			AAAA	2001:db8::192:168:0:1
$ORIGIN test.rest.superdns.nl.
*			A	192.168.0.1
			TXT	"The resolver is **parent** centric"
			TXT	"This reply came from ns1.rest.superdns.nl"
			AAAA	2001:db8::192:168:0:1

3.5.2 zone file: `ns2.rest.superdns.nl`


$ORIGIN .
$TTL 3600	; 1 hour
rest.superdns.nl	IN SOA	ns1.rest.superdns.nl. hostmaster.sidn.nl. (
				1          ; serial
				14400      ; refresh (4 hours)
				3600       ; retry (1 hour)
				604800     ; expire (1 week)
				60         ; minimum (1 minute)
				)
			NS	ns2.rest.superdns.nl.
			NS	ns3.rest.superdns.nl.
$ORIGIN rest.superdns.nl.
ns2			A	94.198.159.27
			AAAA	2a00:d78:0:712:94:198:159:27
ns3			A	94.198.159.33
			AAAA	2a00:d78:0:712:94:198:159:33
$TTL 30	; 30 seconds
test			A	172.0.0.1
			TXT	"This reply came from ns2.rest.superdns.nl"
			TXT	"The resolver can be either parent or child centric"
			AAAA	2001:db8::172:0:0:1
$ORIGIN test.rest.superdns.nl.
*			A	172.0.0.1
			TXT	"This reply came from ns2.rest.superdns.nl"
			TXT	"The resolver can be either parent or child centric"
			AAAA	2001:db8::172:0:0:1

3.5.3 zone file:`ns3.rest.superdns.nl`


$ORIGIN .
$TTL 3600	; 1 hour
rest.superdns.nl	IN SOA	ns1.rest.superdns.nl. hostmaster.sidn.nl. (
				1          ; serial
				14400      ; refresh (4 hours)
				3600       ; retry (1 hour)
				604800     ; expire (1 week)
				60         ; minimum (1 minute)
				)
			NS	ns2.rest.superdns.nl.
			NS	ns3.rest.superdns.nl.
$ORIGIN rest.superdns.nl.
ns2			A	94.198.159.27
			AAAA	2a00:d78:0:712:94:198:159:27
ns3			A	94.198.159.33
			AAAA	2a00:d78:0:712:94:198:159:33
$TTL 30	; 30 seconds
test			A	10.0.0.1
			TXT	"The resolver is *child* centric"
			TXT	"This reply came from ns3.rest.superdns.nl"
			AAAA	2001:db8::10:0:0:1
$ORIGIN test.rest.superdns.nl.
*			A	10.0.0.1
			TXT	"The resolver is *child* centric"
			TXT	"This reply came from ns3.rest.superdns.nl"
			AAAA	2001:db8::10:0:0:1

Status

Mo 11 May 2020 14:00:00 PM UTC: site updated

upwards

SuperDNS

draft-huque-dnsop-ns-revalidation

1. Experiments Setup

2.How do I test my resolver?

3. Zone files

3.1 zone: superdns.nl

3.1 zone files at ns1.sidnlabs.nl and ns2.sidn.nl

3.2 zone disjoint.superdns.nl

3.2.1 zone file ns1.disjoint.superdns.nl:

3.2.2 zone file ns2.disjoint.superdns.nl:

3.3 zone: subset.superdns.nl

3.3.1 Zone file ns1.subset.superdns.nl:

3.3.2 Zone file ns2.subset.superdns.nl:

3.4 zone: superset.superdns.nl

3.4.1: zone file ns1.superset.superdns.nl:

3.4.2: zone file ns2.superset.superdns.nl:

3.5 zone: rest.superdns.nl

3.5.1 zone file: ns1.rest.superdns.nl

3.5.2 zone file: ns2.rest.superdns.nl

3.5.3 zone file:ns3.rest.superdns.nl

Status

3.1 zone: `superdns.nl`

3.1 zone files at `ns1.sidnlabs.nl` and `ns2.sidn.nl`

3.2 zone `disjoint.superdns.nl`

3.2.1 zone file `ns1.disjoint.superdns.nl`:

3.2.2 zone file `ns2.disjoint.superdns.nl`:

3.3 zone: `subset.superdns.nl`

3.3.1 Zone file `ns1.subset.superdns.nl`:

3.3.2 Zone file `ns2.subset.superdns.nl`:

3.4 zone: `superset.superdns.nl`

3.4.1: zone file `ns1.superset.superdns.nl`:

3.4.2: zone file `ns2.superset.superdns.nl`:

3.5 zone: `rest.superdns.nl`

3.5.1 zone file: `ns1.rest.superdns.nl`

3.5.2 zone file: `ns2.rest.superdns.nl`

3.5.3 zone file:`ns3.rest.superdns.nl`