DNS Esoterica - Why you can't dig Switzerland
Author : edent
Score : 545 points
Date : 2022-07-14 11:45 UTC
web link: shkspr.mobi

| jgrahamc wrote:
| It used to be the case that you couldn't start a tweet with "M Night Shyamalan". Actually, with "M " but "M Night Shyamalan" made it seem more spooky.
|
| mschuster91 wrote:
| IIRC that dated back to ye olde times where you could tweet by SMS... and "m " would be the starting sequence to compose a direct message.
|
| lucakiebel wrote:
| Yes, there's a list of these commands[1] somewhere, I think "D <username> <msg>" did the same
|
| [1] - https://archive.ph/Kqdqx
|
| HomeDeLaPot wrote:
| DNS Erotica?!? ... I can't read.
|
| CoastalCoder wrote:
| > DNS Erotica?!? ... I can't read.
|
| Every time I see the headline, that's how I first read it.
|
| I wonder if I'll ever grow up.
|
| Anthony-G wrote:
| "Boring" explanation from the _dig_ manual page:
|
| > The IN and CH class names overlap with the IN and CH top level domain names. Either use the -t and -c options to specify the type and class, use the -q to specify the domain name, or use "IN." and "CH." when looking up these top level domains.
|
| Off-topic: I got excited when I saw the nicely coloured output from _dig_ which makes it more readable. I thought that maybe the author has some new version that's not yet available on Ubuntu LTS. Unfortunately, the nice colours are from judicious use of highlight.js[1] - one good reason to have uMatrix configured to allow first-party JavaScript!
|
| [1] https://highlightjs.org/
|
| dflock wrote:
| There's this, which is a more modern dig, with color output, among other things: https://github.com/ogham/dog
|
| There's also stuff like this, which will postprocess & color output from any command: https://github.com/garabik/grc, or https://github.com/armandino/TxtStyle
|
| amir wrote:
| Going even further down the DNS tree, you can dig
|
|     . NS
|
| to get the root nameservers
|
| gerdesj wrote:
| d and f seem to have vanished!
|
| brightball wrote:
| Would have liked to know that sooner...
|
| wordcloudsare wrote:
| We should bring back internet alternatives
|
| lrem wrote:
| And tunnel them over https for security! ;)
|
| xenophonf wrote:
| To avoid ambiguous queries like this, include the root zone in the domain name:
|
|     dig ch. ns
|     dig in. ns
|
| Both return the expected results.
|
| teddyh wrote:
| That's literally what the article says.
|
| xenophonf wrote:
| Except upvoted comments continue to propagate confusion over what's actually happening by omitting the root zone from example hostname queries.
|
| While this is a fully qualified domain name:
|
|     www.example.com
|
| This is the actual domain name:
|
|     www.example.com.
|
| The linked article doesn't really explain why someone should add the trailing dot to the hostname. I do: It's the name of the root DNS zone and unambiguously identifies the `dig` parameter as a hostname.
|
| kuschku wrote:
| And to avoid ambiguity, you can just include the root zone in all URLs you're using as well (unless the server you're talking to doesn't implement the DNS RFCs correctly, which sadly is getting more and more common in recent years)
|
| edent wrote:
| As pointed out by someone on Mastodon - this also fails if you try to dig India's ccTLD.
|
| https://hackers.town/@seachaint/108645588430551049
|
| zinekeller wrote:
| (because it's IN)
|
| Seems similar to the problem on YAML's Norway (https://hitchdev.com/strictyaml/why/implicit-typing-removed/) and the Turkish Lira (TRY) problem (https://devblogs.microsoft.com/oldnewthing/20190912-00/?p=10...)
|
| fariszr wrote:
| Quick question, how did you set up the comment system that picks up comments from other platforms like Twitter and Mastodon?
|
| edent wrote:
| I use https://brid.gy/ - It sends social media comments as WebMentions.
|
| I then use the WordPress WebMention plugin - https://github.com/pfefferle/wordpress-webmention - to render them nicely.
|
| mmerlin wrote:
| One possible method is to build a Matrix Bridge
|
| https://matrix.org/bridges/
|
| larsbrinkhoff wrote:
| Funny coincidence. I'm helping out with a Chaosnet demo going live this Saturday.
|
| https://wiki.dfupdate.se/projekt:mini-conference
|
| EvanAnderson wrote:
| These talks all look pretty interesting. Sadly, I am unavailable to participate online because of schedule. Will these be recorded at all?
|
| larsbrinkhoff wrote:
| I think that is planned, at least some of them.
|
| dark-star wrote:
| wow, I need to see that. I tried (mostly unsuccessfully) to set up ChaosNet on my home LAN some time ago, I'd love to give it another shot ;-)
|
| larsbrinkhoff wrote:
| You should probably get https://github.com/bictorv/chaosnet-bridge up and running. http://chaosnet.net/ has some instructions. I did this the other day, so I can confirm it's doable.
|
| gumby wrote:
| Wow, is your home LAN thicknet!?
|
| vbezhenar wrote:
| What are those chaosnet DNS records used for?
|
| jcynix wrote:
| They were used for Chaosnet, which was, for example, implemented and used on lisp machines from Symbolics and others. cf. https://twobithistory.org/2018/09/30/chaosnet.html
|
| andyjohnson0 wrote:
| The CH class record stores the chaosnet host id that corresponds to the dns entry.
| Chaosnet didn't use IP addresses (which are specific to the internet protocol) to identify hosts - it used a 16 bit number composed of an 8 bit subnet ID and an 8 bit subnet-local host ID.
|
| When querying the DNS you specify the class of address you want (IN, CH, whatever) and the resolver returns you the corresponding record. So if a host has a connection to an IP network and a Chaosnet network then it would have two network identities and its DNS zone would contain both classes of ID.
|
| Obviously IN is really the only network class that is used now, but these things persist in old code.
|
| lifthrasiir wrote:
| The full list: https://www.iana.org/assignments/dns-parameters/dns-paramete...
|
| I recall (All) DNS Resource Records listed [1], which is another treasure of historical tidbits.
|
| [1] https://www.netmeister.org/blog/dns-rrs.html
|
| sybercecurity wrote:
| There are even more oddities buried in some RRTypes. For example, the 'protocol' field in the DNSKEY RRType. Back when DNSSEC was still in development, the concept of sub-typing was in vogue and it was thought that RRType codes should be jealously guarded. Fast forward a couple of years and everyone realizes that there are plenty of RRType codes to go around and no one really wants to use DNSKEY for other public keys, so the 'protocol' field was basically frozen with '3' being the only value used.
|
| A 35 year old protocol has a lot of vestigial bits, but still vital to network operations.
|
| tptacek wrote:
| DNSSEC has been in development since ~1995, and DNSKEY is an early-2000s thing, so a funny thing to look into is why it's DNSKEY and not KEY (this is the infamous "type code roll"), as it was originally.
|
| mtbkvc wrote:
| very good article. thanks
|
| Waterluvian wrote:
| Bell bottoms were not a failed experiment. They're awesome and need to return.
|
| edent wrote:
| OK. I'll give you that one. But what's your stance on Betamax?
| jeffrallen wrote:
| ProTip: never take DNS advice from someone who cannot tell you the difference between ZONE and ZONE DOT.
|
| Fell wrote:
| This is very interesting. I'd love to read more about all these failed and discontinued ideas of computing.
|
| larsbrinkhoff wrote:
| Here's something to get you started: https://gunkies.org/wiki/Chaosnet
|
| Hobbyist Chaos network: http://chaosnet.net/
|
| dark-star wrote:
| the chaosnet.net URL doesn't resolve for me...
|
| kreeben wrote:
| I can reach it just fine.
|
| dark-star wrote:
| It works when I try it from home, so it's probably our company's DNS server
|
| larsbrinkhoff wrote:
| Clearly it's blocking subversive network information.
|
| bauruine wrote:
| I'm not sure if this is well known but you can actually dig (AXFR) the whole .ch and .li zone. Are there other tld that allow this?
|
| https://www.switch.ch/open-data/
|
| lucb1e wrote:
| yeah .com and many others. You just need to think of some research reason which can be a lot of things, there's no real verification on this, and then you get access to all of the domains at once (you need to be accepted into this central zone dump system once). I was quite surprised when a colleague told me this exists and that he was accepted, since to me this seemed to be coveted data by e.g. commercial dns history companies. Anyhow, if you didn't already --for the myriad of other reasons-- consider DNS data to be open, you should consider it open data.
|
| gumby wrote:
| I don't know why the author laughed about Hesiod,* which, like chaosnet was another MIT protocol in use for a while.
|
| There was a time when these records were handy -- I was pretty excited when I could connect directly from my desktop machine at PARC to a host at the AI lab on the MIT chaosnet. Before the ARPANET transitioned to TCP I had to manually hop through a couple of protocol gateways to make connections like these. Afterwards it was transparent.
|
| BTW CHAOS used strings to identify ports/protocols rather than reserved numbers. So there is a lot you can store in a compliant implementation of the DNS.
|
| * Also the bane of some high school classes, but that's quite another matter.
|
| Aicy wrote:
| > I don't know why the author laughed about Hesiod,* which, like chaosnet was another MIT protocol in use for a while.
|
| Probably because you are maybe one of a few hundreds of people who have made use of this (and it was decades ago), out of the billions of people who have used the internet.
|
| Cool story though.
|
| linksnapzz wrote:
| Hesiod: still more comprehensible than LDAP, and probably more secure than NIS.
|
| dylan604 wrote:
| All this does to me is show that the author didn't really research and just brushed it off. It is quite the trend. "I'm not aware of it, so it must not be important" type of thing.
|
| dmix wrote:
| Besides IN and CH there is also HS aka Hesiod
|
| https://en.wikipedia.org/wiki/Hesiod_(name_service)
|
| which is from Project Athena:
|
| https://en.wikipedia.org/wiki/Project_Athena
|
| > Project Athena was a joint project of MIT, Digital Equipment Corporation, and IBM to produce a campus-wide distributed computing environment for educational use.
|
| jaimehrubiks wrote:
| It feels like a dig bug or inconsistent api doesn't it?
|
| teknopaul wrote:
| It is inconsistent but imagine this...
|
| /bin is a directory called bin
|
| / is the root directory
|
| /root is a directory called "root" based in the root directory
|
| Did you get that?
|
| Simples, now you see, dns is the same thing backwards with dots...
|
| All that before user gets to type "www.google.com."
|
| Interestingly, in China people just type a single word and the default search engine does the thinking. Giving them power that google.com can only dream of. ;)
|
| remram wrote:
| So this is an ambiguity in dig's command-line parser? Not any failing of the DNS system?
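An added model (not dig's own code, and not from the article) of how dig sorts bare command-line words into name, type and class, which is where the ambiguity remram asks about lives; the DNS protocol itself never sees "ch" as anything but a label. The class and type tables are trimmed subsets, and the rule that a repeated class "wins" over the earlier one is an assumption about dig's behaviour, not something the thread states.

```python
"""Model of how dig sorts bare command-line words into name, type and class.
Added example for this thread, not code from dig or from the article; the
tables are trimmed to a few entries and 'last one wins' is an assumption."""
from dataclasses import dataclass, field
from typing import List, Optional

# Class mnemonics collide with the ccTLDs ch (Switzerland) and in (India).
CLASSES = {"IN", "CH", "HS", "ANY"}
# A handful of RR types; the real table has hundreds.
TYPES = {"A", "AAAA", "NS", "SOA", "MX", "TXT", "CNAME", "AXFR", "ANY"}


@dataclass
class Query:
    name: Optional[str] = None
    rtype: Optional[str] = None
    rclass: Optional[str] = None
    warnings: List[str] = field(default_factory=list)


def classify(args: List[str]) -> Query:
    """A bare word that parses as a type becomes the type, else one that
    parses as a class becomes the class; only the leftovers become the name."""
    q = Query()
    it = iter(args)
    for a in it:
        if a in ("-q", "-t", "-c"):                  # explicit options: no guessing
            value = next(it)
            setattr(q, {"-q": "name", "-t": "rtype", "-c": "rclass"}[a],
                    value if a == "-q" else value.upper())
            continue
        if a.startswith(("+", "-", "@")):            # other options / @server: not modelled
            continue
        word = a.upper()
        if word in TYPES:                            # 'ns'  -> type NS
            if q.rtype is not None:
                q.warnings.append("extra type option")
            q.rtype = word
        elif word in CLASSES:                        # 'ch'  -> class CH, not the ccTLD
            if q.rclass is not None:
                q.warnings.append("extra class option")
            q.rclass = word                          # assumed: last one wins
        else:                                        # 'ch.' -> a name (the dot breaks the match)
            q.name = a
    # dig's defaults: no name means the root zone and type NS; a name with
    # no type means type A; the class defaults to IN.
    if q.name is None:
        q.name, q.rtype = ".", q.rtype or "NS"
    q.rtype = q.rtype or "A"
    q.rclass = q.rclass or "IN"
    return q


def safe_args(name: str, rtype: str = "A", rclass: str = "IN") -> List[str]:
    """Argument list for scripts: options instead of bare words, and a
    trailing dot so the name can never be mistaken for a class or type."""
    if not name.endswith("."):
        name += "."
    return ["-q", name, "-t", rtype, "-c", rclass]
```

Running `classify(["ch", "NS"])` yields a query for the root zone in class CH, while `classify(safe_args("ch", "NS"))` yields the intended `ch.` NS lookup in class IN.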
| dmix wrote:
| Indeed:
|
|     dig Esoterica*
|
| teddyh wrote:
| When writing scripts, always use the _options_ to dig; i.e. in this case, use
|
|     dig -q ch -t NS
|
| instead of
|
|     dig ch NS
|
| Using the options eliminates any possibility of misinterpretations like this.
|
| distantsounds wrote:
|
| sha256sum wrote:
| Be kind. Don't be snarky. Have curious conversation; don't cross-examine. Please don't fulminate. Please don't sneer, including at the rest of the community.
|
| https://news.ycombinator.com/newsguidelines.html
|
| ancientsofmumu wrote:
| I kind of think this is a dig bug -- the man page indicates you can specify `name type class queryopt` in an unargumented style, but when using IN in this fashion against `ch` it does not work correctly (testing on Debian 11 stable). Compare these 4 sets of results:
|
|     dig ch NS IN +short
|     dig -q ch -t NS -c IN +short
|     dig uk NS IN +short
|     dig -q uk -t NS -c IN +short
|
| _Only_ when using the first form do you get a comment ";; Warning, extra class option" and the incorrect results. So even when using the full pattern of un-argumented options as outlined in the man page, it fails to work as expected specifically for ch.
|
| nly wrote:
| The DNS "master file"/"zone file" format is a bloody disaster for the same reason, and practically unparseable. Every implementation parses them differently when it comes to parenthesis.
|
| From the grammar in RFC 1035:
|
|     <domain-name><rr> [<comment>]
|     <blank><rr> [<comment>]
|
| <rr> contents take one of the following forms:
|
|     [<TTL>] [<class>] <type> <RDATA>
|     [<class>] [<TTL>] <type> <RDATA>
|
| All the columns being optional creates the ambiguity between the <class> and <domain-name> columns in the TTL missing/2nd form. In the real world <class> is always "IN".
| It's even worse since the set of <type>'s is unbounded and the <RDATA> grammar depends on <type>
|
| I believe this is one reason why tinydns has its own format https://cr.yp.to/djbdns/tinydns-data.html
|
| jandrese wrote:
| Bind's config files are awful. I think it is like Sendmail where the only reason it is still awful is that there is too much infrastructure built around them to make them better. They could improve the configs, but it might break many thousands of scripts around the world.
|
| Back in the 80s there were not many examples of configuration files, so everybody just invented their own idiosyncratic format. Most of those old formats have long since died off, but a few have survived to haunt us even today.
|
| h2odragon wrote:
| sendmail.cf is bytecode. At the time it was written, bytes mattered, and it did a magnificent job. Now we have the resources to make things easier on humans.
|
| but there really should be some sort of charity foundation to help the victims of sendmail.cf trauma.
|
| aldrich wrote:
| Yeah, though I would say human readable bytecode, and it is interesting to see that in the actual context. For anyone who's interested, there's a git repository containing a historical reconstruction of the original BSDs.
|
| I believe one of the first BSD versions containing sendmail (by Eric Allman) is this one: https://github.com/weiss/original-bsd/blob/bd282c88c1b3c2575... (almost 40 years ago!)
|
| It's a little hard to read due to the format, but here's some explanation of the (1983, earliest?) config file that was used back then: https://github.com/weiss/original-bsd/blob/bd282c88c1b3c2575...
|
| From what I grasp, it started as an extensive dynamic parser that needed to understand a lot of rules, and I guess with each new RFC and version, the rules needed to be extended too. And the config file could be loaded into a memory image to improve performance.
|
| teknopaul wrote:
| It's not that bad.
|
| You may have to rtfm, but only once.
|
| jandrese wrote:
| I have to RTFM every time I get asked to write a Bind config.
|
| icedchai wrote:
| I've been running BIND since 1995. Most configurations are very similar. A zone is either primary / master or secondary / slave. You copy and paste from a previous config entry, change a zone name, maybe add an extra secondary name server now and then.
|
| nly wrote:
| Example in PowerDNS, where the allowance for the "IN" class is hard-coded to remove ambiguity:
|
| https://github.com/PowerDNS/pdns/blob/master/pdns/zoneparser...
|
| And in BIND where the <rdata> parsing is coded up for a bunch of <type>'s:
|
| https://github.com/isc-projects/bind9/tree/main/lib/dns/rdat...
|
| js2 wrote:
| BIND's zone files are an implementation detail completely unnecessary to interoperate with the DNS protocol. Same for zone-transfers. Neither of these ever belonged in an RFC in the first place.
|
| icedchai wrote:
| Keeping your secondary name server(s) in sync is necessary if you want things to work reliably. Zone transfers are necessary. File formats are not.
|
| Anthony-G wrote:
| When I worked with MS Windows DNS server a few years ago, I was surprised to see that it stored domain information in (temporary?) files with a format very similar to that of BIND zone files (I can't remember if the Windows server was primary or secondary for that domain).
|
| Regarding zone transfers, I think it makes sense that the AXFR and IXFR protocols are specified in RFCs. Neither the server nor client should care about what software is used by the other host to implement the agreed protocols.
|
| alexpotato wrote:
| This article reminds me of the Unicode Japanese "Ghost" characters: https://www.dampfkraft.com/ghost-characters.html
|
| Long story short:
|
| Someone entered some characters erroneously in the Unicode spec and now those characters are there FOREVER.
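Going back to the RFC 1035 master-file grammar nly quoted above, here is an added example (not code from BIND, PowerDNS or the article) of a line parser in which only the column decides whether a token is the <domain-name> or the <class>, run over a constructed sample zone that has a label literally called "ch"; parentheses, quoted strings and the per-type RDATA grammars are left out.

```python
"""Parser for one line of an RFC 1035 master (zone) file, showing the
<domain-name>/<class> ambiguity. Added example, not code from BIND, PowerDNS
or the article; parentheses, quoted strings and RDATA grammars are omitted."""
from dataclasses import dataclass
from typing import List, Optional

CLASSES = {"IN", "CH", "HS"}

@dataclass
class RR:
    owner: str
    ttl: Optional[int]
    rclass: str
    rtype: str
    rdata: str          # kept as text; RFC 1035 makes its grammar depend on rtype

def qualify(name: str, origin: str) -> str:
    """A trailing dot makes a name absolute; anything else is relative to origin."""
    if name == "@":
        return origin
    return name if name.endswith(".") else f"{name}.{origin}"

def parse_rr(line: str, prev_owner: Optional[str], origin: str, default_ttl=None):
    """The only thing separating <domain-name> from <class> is the column:
    a name starts at column 0, while a <blank><rr> line inherits the previous
    owner. Strip the leading whitespace and 'CH' silently becomes a hostname."""
    body = line.split(";", 1)[0].rstrip()            # drop a trailing comment
    if not body.strip():
        return None
    tokens = body.split()
    owner = prev_owner if body[0].isspace() else qualify(tokens.pop(0), origin)
    ttl, rclass = None, None
    for _ in range(2):                               # [<TTL>] [<class>] in either order
        if tokens and tokens[0].isdigit() and ttl is None:
            ttl = int(tokens.pop(0))
        elif tokens and tokens[0].upper() in CLASSES and rclass is None:
            rclass = tokens.pop(0).upper()
    rtype = tokens.pop(0).upper()
    return RR(owner, default_ttl if ttl is None else ttl, rclass or "IN",
              rtype, " ".join(tokens))

def naive_parse(line: str, origin: str):
    """What a parser that trims leading whitespace first makes of the same line."""
    return parse_rr(line.lstrip(), None, origin)

def parse_zone(text: str, origin: str, default_ttl: int = 3600) -> List[RR]:
    """Parse consecutive lines, threading the owner through blank-owner lines."""
    records, owner = [], origin
    for line in text.splitlines():
        rr = parse_rr(line, owner, origin, default_ttl)
        if rr:
            records.append(rr)
            owner = rr.owner
    return records

# Constructed sample: a label literally called "ch" next to a class CH record.
SAMPLE = """\
@        IN SOA ns.example. hostmaster.example. 1 7200 900 604800 300
ch       IN A   192.0.2.1   ; owner is the relative name ch
         CH A   3040        ; blank owner: still ch, but class CHAOS
in   60     A   192.0.2.2   ; owner in, TTL 60, class defaults to IN
"""
```

`parse_zone(SAMPLE, "example.")` keeps the second and third records on the same owner with different classes, whereas `naive_parse` of the third line invents an owner named `CH.example.` in class IN.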
| GoOnThenDoTell wrote:
| May as well find a use for them
|
| lmm wrote:
| People have already written ghost stories using them as the names of the ghosts.
|
| The fact that no-one necessarily knows how to read them aloud (some of them you can guess, some of them are very unclear) can be a fun wrinkle.
|
| goldenkey wrote:
| SpooOooOky ghost keyboard mashing commences :-)
|
| zinekeller wrote:
| And this... character with an unknown meaning or purpose: U+237C ⍼ RIGHT ANGLE WITH DOWNWARDS ZIGZAG ARROW (https://ionathan.ch/2022/04/09/angzarr.html; https://news.ycombinator.com/item?id=31012865)
|
| ddalex wrote:
| Isn't that just an icon to the bitcoin gainz ?
|
| hereforphone wrote:
| I'm changing my name to this
|
| isoprophlex wrote:
| The artist formerly known as right angle with downward zigzag arrow
|
| monkaiju wrote:
| Great article, I didn't know about this at all... DNS is super interesting. I wrote dug, a cli tool I made to help visualize DNS 'propagation' but it is a great learning tool. Similar to dig and dog, but specifically for querying or watching large numbers of DNS servers at once.
|
| https://github.com/unfrl/dug
|
| https://dug.unfrl.com
|
| NelsonMinar wrote:
| Anyone audited that code for security problems? I like weird obsolete tech as much as the next nerd but perhaps dig's code could be simplified a bit.
|
| toyg wrote:
| It's in OpenBSD, so... probably yes?
|
| looshch wrote:
| that explains my issues with digging my own domain. I've chosen .ch so it is my surname: loosh.ch
|
| dixie_land wrote:
| TIL Switzerland is named after Apple's favorite font.
|
| JoeyBananas wrote:
| This article is a gem. There are so many quirks like this in various ancient utilities.
|
| Tepix wrote:
| Weird, i thought the article was clickbait because when i "dig" a TLD i always use the trailing dot. I guess i ran into this issue early on.
|
| irae wrote:
| I could instantly tell this was going to be good when I saw the blog layout.
| Somehow people who end up going super low level and writing about it have the most unexpected layouts too
|
| edent wrote:
| Thank you! I recently updated my blog's CSS as I was getting bored of the old monochrome style. Glad you like it :-)
|
| signal11 wrote:
| Ironically I was just looking at nslookup's man page[1] the other day and this bit of history is hinted at there:
|
|     class=value
|         Change the query class to one of:
|         IN   the Internet class
|         CH   the Chaos class
|         HS   the Hesiod class
|         ANY  wildcard
|
| Man pages have amazing nuggets of history in them if one chooses to dig in!
|
| [1] https://linux.die.net/man/1/nslookup
|
| TrickyRick wrote:
| Dig in... I see what you did there
|
| breakingcups wrote:
| What is ironic about that?
|
| bgm1975 wrote:
| You know, like when it rains on your wedding day.
|
| teknopaul wrote:
| Ironic literally means anything that Iron-man would find amusing.
|
| josh2600 wrote:
| Man, not putting Fully Qualified Domain Names in code has been such a recurring source of pain in my software life. You make so many assumptions about the way people parse domain names and all of them are wrong. Vendors do all kinds of things to "simplify" their workflows internally and sometimes they just parse URLs and domains in all kinds of ways that break your brain.
|
| Reminds me so much of the way "smart" telecom engineers bastardized SS7 to ship new features onto legacy telco infrastructure. SS7 is like 20M lines of C. You can't really change it without breaking it in many other places, AT&T used to have a metric which was something like "for every 10 lines of code you alter in SS7, you create 8 bugs in other parts of the code." So "smart" telecom engineers would take existing fields in the SS7 logic and use them for different functions inside of their telco.
| A billing field could instead be used as a feature flag for some sort of customer state, but only inside of the telco's network (and re-written back to the compliant SS7 standard when the data was headed out of the network). This was called encapsulation and wrapping and un-wrapping packets just in time was the source of many many problems in my telecom life.
|
| Just in time editing of network packets at the boundary is always fun. Most of the problems that would happen would come from forgetting to rewrite back to SS7 and transmitting the internal codes out.
|
| javajosh wrote:
| Honestly this seems more like a cautionary tale about why you should prefer named arguments.