[HN Gopher] DNS Esoterica - Why you can't dig Switzerland
___________________________________________________________________
DNS Esoterica - Why you can't dig Switzerland
Author : edent
Score : 545 points
Date : 2022-07-14 11:45 UTC (11 hours ago)
(HTM) web link (shkspr.mobi)
(TXT) w3m dump (shkspr.mobi)
| jgrahamc wrote:
| It used to be the case that you couldn't start a tweet with "M
| Night Shyamalan". Actually, with "M " but "M Night Shyamalan"
| made it seem more spooky.
| mschuster91 wrote:
| IIRC that dated back to ye olde times where you could tweet by
| SMS... and "m " would be the starting sequence to compose a
| direct message.
| lucakiebel wrote:
| Yes, there's a list of these commands[1] somewhere, I thing
| "D <username> <msg>" did the same [1] -
| https://archive.ph/Kqdqx
| [deleted]
| HomeDeLaPot wrote:
| DNS Erotica?!? ... I can't read.
| CoastalCoder wrote:
| > DNS Erotica?!? ... I can't read.
|
| Every time I see the headline, that's how I first read it.
|
| I wonder if I'll ever grow up.
| Anthony-G wrote:
| "Boring" explanation from the _dig_ manual page:
|
| > The IN and CH class names overlap with the IN and CH top level
| domain names. Either use the -t and -c options to specify the
| type and class, use the -q the specify the domain name, or use
| "IN." and "CH." when looking up these top level domains.
|
| Off-topic: I got excited when I saw the nicely coloured output
| from _dig_ which makes it more readable. I thought that maybe the
| author has some new version that's not yet available on Ubuntu
| LTS. Unfortunately, the nice colours are from judicious use of
| highlight.js1 - one good reason to have uMatrix configured to
| allow first-party JavaScript!
|
| 1 https://highlightjs.org/
| dflock wrote:
| There's this, which is a more modern dig, with color output,
| among other things: https://github.com/ogham/dog
|
| There's also stuff like this, which will postprocess & color
| output from any command: https://github.com/garabik/grc, or
| https://github.com/armandino/TxtStyle
| amir wrote:
| Going even further down the DNS tree, you can dig
| . NS
|
| to get the root nameservers
| gerdesj wrote:
| d and f seem to have vanished!
| brightball wrote:
| Would have liked to know that sooner...
| wordcloudsare wrote:
| We should bring back internet alternatives
| lrem wrote:
| And tunnel them over https for security! ;)
| xenophonf wrote:
| To avoid ambiguous queries like this, include the root zone in
| the domain name: dig ch. ns dig in. ns
|
| Both return the expected results.
| teddyh wrote:
| That's literally what the article says.
| xenophonf wrote:
| Except upvoted comments continue to propagate confusion over
| what's actually happening by omitting the root zone from
| example hostname queries.
|
| While this is a fully qualified domain name:
| www.example.com
|
| This is the actual domain name:
| www.example.com.
|
| The linked article and doesn't really explain why someone
| should add the trailing dot to the hostname. I do: It's the
| name of the root DNS zone and unambiguously identifies the
| `dig` parameter as a hostname.
| kuschku wrote:
| And to avoid ambiguity, you can just include the root zone in
| all URLs you're using as well (unless the server you're talking
| to doesn't implement the DNS RFCs correctly, which sadly is
| getting more and more common in recent years)
| edent wrote:
| As pointed out by someone on Mastodon - this also fails if you
| try to dig India's ccTLD.
|
| https://hackers.town/@seachaint/108645588430551049
| zinekeller wrote:
| (because it's IN)
|
| Seems similar to the problem on YAML's Norway
| (https://hitchdev.com/strictyaml/why/implicit-typing-removed/)
| and the Turkish Lira (TRY) problem (https://devblogs.microsoft.
| com/oldnewthing/20190912-00/?p=10...)
| fariszr wrote:
| Quick question, how did you setup the comment system that picks
| up comments from other platforms like Twitter and mastodon?
| edent wrote:
| I use https://brid.gy/ - It sends social media comments as
| WebMentions.
|
| I then use the WordPress WebMention plugin -
| https://github.com/pfefferle/wordpress-webmention - to render
| them nicely.
| mmerlin wrote:
| One possible method is build a Matrix Bridge
|
| https://matrix.org/bridges/
| larsbrinkhoff wrote:
| Funny coincidence. I'm helping out with a Chaosnet demo going
| live this Saturday.
|
| https://wiki.dfupdate.se/projekt:mini-conference
| EvanAnderson wrote:
| These talks all look pretty interesting. Sadly, I am
| unavailable to participate online because of schedule. Will
| these be recorded at all?
| larsbrinkhoff wrote:
| I think that is planned, at least some of them.
| dark-star wrote:
| wow, I need to see that. I tried (mostly unsuccessfully) to set
| up ChaosNet on my home LAN some time ago, I'd love to give it
| another shot ;-)
| larsbrinkhoff wrote:
| You should probably get https://github.com/bictorv/chaosnet-
| bridge up and running. http://chaosnet.net/ has some
| instructions. I did this the other day, so I can confirm it's
| doable.
| gumby wrote:
| Wow, is your home LAN thicknet!?
| vbezhenar wrote:
| What those chaosnet DNS records are used for?
| jcynix wrote:
| They where used for Chaosnet, which was, for example,
| implemented and usef on lisp machines from Symbolucs and
| others. cf. https://twobithistory.org/2018/09/30/chaosnet.html
| andyjohnson0 wrote:
| The CH class record stores the chaosnet host id that
| corresponds to the dns entry. Chaosnet didn't use IP addresses
| (which are specific to the internet protocol) to identify hosts
| - it used a 16 bit number composed of an 8 bit subnet ID and a
| 8 bit subnet-local host ID.
|
| When querying the DNS you specify the class of address you want
| (IN, CH, whatever) and the resolver returns you the
| corresponding record. So if a host has a connection to an IP
| network and an Chaosnet network then it would have two entwork
| identities and its DNS zone would contain both classes of ID.
|
| Obviously IN is really the only network class that is used now,
| but these things persist in old code.
| lifthrasiir wrote:
| The full list: https://www.iana.org/assignments/dns-
| parameters/dns-paramete...
|
| I recall (All) DNS Resource Records listed [1], which is another
| treasure of historical tidbits.
|
| [1] https://www.netmeister.org/blog/dns-rrs.html
| sybercecurity wrote:
| There are even more oddities buried in some RRTypes. For
| example, the 'protocol' field in the DNSKEY RRType. Back when
| DNSSEC was still in development, the concept of sub-typing was
| in vogue and it was thought that RRType codes should be
| jealously guarded. Fast forward a couple of years and everyone
| realizes that there are plenty of RRType codes to go around and
| no one really wants to use DNSKEY for other public keys, so the
| 'protocol' field was basically frozen with '3' being the only
| value used.
|
| A 35 year old protocol has a lot of vestigial bits, but still
| vital to network operations.
| tptacek wrote:
| DNSSEC has been in development since ~1995, and DNSKEY is an
| early-2000s thing, so a funny thing to look into is why it's
| DNSKEY and not KEY (this is the infamous "type code roll"),
| as it was originally.
| mtbkvc wrote:
| very good article. thanks
| Waterluvian wrote:
| Bell bottoms were not a failed experiment. They're awesome and
| need to return.
| edent wrote:
| OK. I'll give you that one. But what's your stance on Betamax?
| [deleted]
| jeffrallen wrote:
| ProTip: never take DNS advice from someone who cannot tell you
| the difference between ZONE and ZONE DOT.
| Fell wrote:
| This is very interesting. I'd love to read more about all these
| failed and discontinued ideas of computing.
| larsbrinkhoff wrote:
| Here's something to get you started:
| https://gunkies.org/wiki/Chaosnet
|
| Hobbyist Chaos network: http://chaosnet.net/
| dark-star wrote:
| the chaosnet.net URL doesn't resolve for me...
| kreeben wrote:
| I can reach it just fine.
| dark-star wrote:
| It works when I try it from home, so it's probably our
| company's DNS server
| larsbrinkhoff wrote:
| Clearly it's blocking subversive network information.
| bauruine wrote:
| I'm not sure if this is well known but you can actually dig
| (AXFR) the whole .ch and .li zone. Are there other tld that allow
| this?
|
| https://www.switch.ch/open-data/
| lucb1e wrote:
| yeah .com and many others. You just need to think of some
| research reason which can be a lot of things, there's no real
| verification on this, and then you get access to all of the
| domains at once (you need to be accepted into this central zone
| dump system once). I was quite surprised when a colleague told
| me this exists and that he was accepted, since to me this
| seemed to be coveted data by e.g. commercial dns history
| companies. Anyhow, if you didn't already --for the myriad of
| other reasons-- consider DNS data to be open, you should
| consider it open data.
| gumby wrote:
| I don't know why the author laughed about Hesiod,* which, like
| chaosnet was another MIT protocol in use for a while.
|
| There was a time when these records were handy -- I was pretty
| excited when I could connect directly from my desktop machine at
| PARC to a host at the AI lab on the MIT chaosnet. Before the
| ARPANET transitioned to TCP I had to manually hop through a
| couple of protocol gateways to make connections like these.
| Afterwards it was transparent.
|
| BTW CHAOS used strings to identify ports/protocols rather than
| reserved numbers. So there is a lot you can store in a compliant
| implementation of the DNS.
|
| * Also the bane of some high school classes, but that's quite
| another matter.
| Aicy wrote:
| > I don't know why the author laughed about Hesiod,* which,
| like chaosnet was another MIT protocol in use for a while.
|
| Probably because you are maybe one of a few hundreds of people
| who have made use of this (and it was decades ago), out of the
| billions of people who have used the internet.
|
| Cool story though.
| linksnapzz wrote:
| Hesiod: still more comprehensible than LDAP, and probably
| more secure than NIS.
| dylan604 wrote:
| All this does to me is show that the author didn't really
| research and just brushed it off. It is quite the trend. "I'm
| not aware of it, so it must not be important" type of thing.
| dmix wrote:
| Besides IN and CH there is also HS aka Hesiod
|
| https://en.wikipedia.org/wiki/Hesiod_(name_service)
|
| which is from Project Athena:
|
| https://en.wikipedia.org/wiki/Project_Athena
|
| > Project Athena was a joint project of MIT, Digital Equipment
| Corporation, and IBM to produce a campus-wide distributed
| computing environment for educational use.
| jaimehrubiks wrote:
| It feels like a dig bug or inconsistent api doesn't it?
| teknopaul wrote:
| It is inconsistent but imagine this...
|
| /bin is a directory called bin
|
| / is the root directory
|
| /root is a directory called "root" based in the root directory
|
| Did you get that?
|
| Simples, now you see, dns is the same thing backwards with
| dots...
|
| All that before user gets to type "www.google.com."
|
| Interestingly, in China people just type a single word and the
| default search engine does the thinking. Giving them power that
| google.com can only dream of. ;)
| remram wrote:
| So this is an ambiguity in dig's command-line parser? Not any
| failing of the DNS system?
| dmix wrote:
| Indeed:
|
| dig Esoterica*
| teddyh wrote:
| When writing scripts, always use the _options_ to dig; i.e. in
| this case, use dig -q ch -t NS
|
| instead of dig ch NS
|
| Using the options eliminates any possibility of
| misinterpretations like this.
| distantsounds wrote:
| sha256sum wrote:
| Be kind. Don't be snarky. Have curious conversation; don't
| cross-examine. Please don't fulminate. Please don't sneer,
| including at the rest of the community.
|
| https://news.ycombinator.com/newsguidelines.html
| ancientsofmumu wrote:
| I kind of think this is a dig bug -- the man page indicates you
| can specify `name type class queryopt` in an unargumented
| style, but when using IN in this fashion against `ch` it does
| not work correctly (testing on Debian 11 stable). Compare these
| 4 sets of results: dig ch NS IN +short
| dig -q ch -t NS -c IN +short dig uk NS IN +short
| dig -q uk -t NS -c IN +short
|
| _Only_ when using the first form do you get a comment ";;
| Warning, extra class option" and the incorrect results. So even
| when using the full pattern of un-argumented options as
| outlined in the man page, it fails to work as expected
| specifically for ch.
| nly wrote:
| The DNS "master file"/"zone file" format is a bloody disaster for
| the same reason, and practically unparseable. Every
| implementation parses them differently when it comes to
| parenthesis.
|
| From the grammar in RFC 1035: <domain-name><rr>
| [<comment>] <blank><rr> [<comment>]
| <rr> contents take one of the following forms:
| [<TTL>] [<class>] <type> <RDATA> [<class>]
| [<TTL>] <type> <RDATA>
|
| All the columns being optional creates the ambiguity between the
| <class> and <domain-name> columns in the TTL missing/2nd form. In
| the real world <class> is always "IN". It's even worse since the
| set of <type>'s is unbounded and the <RDATA> grammar depends on
| <type>
|
| I believe this is one reason why tinydns has its own format
| https://cr.yp.to/djbdns/tinydns-data.html
| jandrese wrote:
| Bind's config files are awful. I think it is like Sendmail
| where the only reason it is still awful is that there is too
| much infrastructure built around them to make them better. They
| could improve the configs, but it might break many thousands of
| scripts around the world.
|
| Back in the 80s there were not many examples of configuration
| files, so everybody just invented their own idiosyncratic
| format. Most of those old formats have long since died off, but
| a few have survived to haunt us even today.
| h2odragon wrote:
| sendmail.cf is bytecode. At the time it was written, bytes
| mattered, and it did a magnificent job. Now we have the
| resources to make things easier on humans.
|
| but there really should be some sort of charity foundation to
| help the victims of sendmail.cf trauma.
| aldrich wrote:
| Yeah, though I would say human readable bytecode, and it is
| interesting to see that in the actual context. For anyone
| who's interested, there's a git repository containing a
| historical reconstruction of the original BSDs.
|
| I believe one of the first BSD versions containing sendmail
| (by Eric Allman) is this one:
| https://github.com/weiss/original-
| bsd/blob/bd282c88c1b3c2575... (almost 40 years ago!)
|
| Its a little hard to read due to the format, but here's
| some explanation of the (1983, earliest?) config file that
| was used back then: https://github.com/weiss/original-
| bsd/blob/bd282c88c1b3c2575...
|
| From what I grasp, it started as an extensive dynamic
| parser that needed to understand a lot of rules, and I
| guess with each new RFC and version, the rules needed to be
| extended too. And the config file could be loaded into a
| memory image to improve performance.
| teknopaul wrote:
| It's not that bad.
|
| You may have to rtfm, but only once.
| jandrese wrote:
| I have to RTFM every time I get asked to write a Bind
| config.
| icedchai wrote:
| I've been running BIND since 1995. Most configurations
| are very similar. A zone is either primary / master or
| secondary / slave. You copy and paste from a previous
| config entry, change a zone name, maybe add an extra
| secondary name server now and then.
| nly wrote:
| Example in PowerDNS, where the allowance for the "IN" class is
| hard-coded to remove ambiguity:
|
| https://github.com/PowerDNS/pdns/blob/master/pdns/zoneparser...
|
| And in BIND where the <rdata> parsing is coded up for a bunch
| of <type>'s:
|
| https://github.com/isc-projects/bind9/tree/main/lib/dns/rdat...
| [deleted]
| js2 wrote:
| BIND's zone files are an implementation detail completely
| unnecessary to interoperate with the DNS protocol. Same for
| zone-transfers. Neither of these ever belonged in an RFC in the
| first place.
| icedchai wrote:
| Keeping your secondary name server(s) in sync is necessary if
| you want things to work reliably. Zone transfers are
| necessary. File formats are not.
| Anthony-G wrote:
| When I worked with MS Windows DNS server a few years ago, I
| was surprised to see that it stored domain information in
| (temporary?) files with a format very similar to that of BIND
| zone files (I can't remember if the Windows server was
| primary or secondary for that domain).
|
| Regarding zone transfers, I think it makes sense that the
| AXFR and IXFR protocols are specified in RFCs. Neither the
| server nor client should care about what software is used by
| the other host to implement the agreed protocols.
| alexpotato wrote:
| This article reminds me of the Unicode Japanese "Ghost"
| characters: https://www.dampfkraft.com/ghost-characters.html
|
| Long story short:
|
| Someone entered some characters erroneously in the Unicode spec
| and now those characters are there FOREVER.
| GoOnThenDoTell wrote:
| May as well find a use for them
| lmm wrote:
| People have already written ghost stories using them as the
| names of the ghosts.
|
| The fact that no-one necessarily knows how to read them aloud
| (some of them you can guess, some of them are very unclear)
| can be a fun wrinkle.
| goldenkey wrote:
| SpooOooOky ghost keyboard mashing commences :-)
| zinekeller wrote:
| And this... character with an unknown meaning or purpose:
| U+237C [?] RIGHT ANGLE WITH DOWNWARDS ZIGZAG ARROW
| (https://ionathan.ch/2022/04/09/angzarr.html;
| https://news.ycombinator.com/item?id=31012865)
| ddalex wrote:
| Isn't that just an icon to the bitcoin gainz ?
| hereforphone wrote:
| I'm changing my name to this
| isoprophlex wrote:
| The artist formerly know as right angle with downward
| zigzag arrow
| monkaiju wrote:
| Great article, I did know about this at all... DNS is super
| interesting. I wrote dug, a cli tool I made to help visualize DNS
| 'propagation' but is a great learning tool. Similar to dig and
| dog, but specifically for querying or watching large numbers of
| DNS servers at once.
|
| https://github.com/unfrl/dug
|
| https://dug.unfrl.com
| NelsonMinar wrote:
| Anyone audited that code for security problems? I like weird
| obsolete tech as much as the next nerd but perhaps dig's code
| could be simplified a bit.
| toyg wrote:
| It's in OpenBSD, so... probably yes?
| looshch wrote:
| that explains my issues with digging my own domain. I've chosen
| .ch so it is my surname: loosh.ch
| dixie_land wrote:
| TIL Switzerland is named after Apple's favorite font.
| JoeyBananas wrote:
| This is article is a gem. There are so many quirks like this in
| various ancient utilities.
| Tepix wrote:
| Weird, i thought the article was clickbait because when i "dig"
| a TLD i always use the trailing dot. I guess i ran into this
| issue early on.
| irae wrote:
| I could instantly tell this was going to be good when I saw the
| blog layout. Somehow people who end up going super low level
| and writing about it have the most unexpected layouts too
| edent wrote:
| Thank you! I recently updated my blog's CSS as I was getting
| bored of the old monochrome style. Glad you like it :-)
| signal11 wrote:
| Ironically I was just looking at nslookup's man page[1] the other
| day and this bit of history is hinted at there:
| class=value Change the query class to one of:
| IN the Internet class CH the
| Chaos class HS the Hesiod class ANY
| wildcard
|
| Man pages have amazing nuggets of history in them if one chooses
| to dig in!
|
| [1] https://linux.die.net/man/1/nslookup
| TrickyRick wrote:
| Dig in... I see what you did there
| breakingcups wrote:
| What is ironic about that?
| bgm1975 wrote:
| You know, like when it rains on your wedding day.
| teknopaul wrote:
| Ironic literally means anything that Iron-man would find
| amusing.
| josh2600 wrote:
| Man, not putting Fully Qualified Domain Names in code has been
| such a recurring source of pain in my software life. You make so
| many assumptions about the way people parse domain names and all
| of them are wrong. Vendors do all kinds of things to "simplify"
| their workflows internally and sometimes they just parse URLs and
| domains in all kinds of ways that break your brain.
|
| Reminds me so much of the way "smart" telecom engineers
| bastardized SS7 to ship new features onto legacy telco
| infrastructure. SS7 is like 20M lines of C. You can't really
| change it without breaking it in many other places, AT&T used to
| have a metric which was something like "for every 10 lines of
| code you alter in SS7, you create 8 bugs in other parts of the
| code." So "smart" telecom engineers would take existing fields in
| the SS7 logic and use them for different functions inside of
| their telco. A billing field could instead be used as a feature
| flag for some sort of customer state, but only inside of the
| telco's network (and re-written back to the compliant SS7
| standard when the data was headed out of the network). This was
| called encapsulation and wrapping and un-wrapping packets just in
| time was the source of many many problems in my telecom life.
|
| Just in time editing of network packets at the boundary is always
| fun. Most of the problems that would happen would come from
| forgetting to rewrite back to SS7 and transmitting the internal
| codes out.
| javajosh wrote:
| Honestly this seems more like a cautionary tale about why you
| should prefer named arguments.
___________________________________________________________________
(page generated 2022-07-14 23:00 UTC)