117 comments

[ 13.9 ms ] story [ 2900 ms ] thread
This is article is a gem. There are so many quirks like this in various ancient utilities.
I could instantly tell this was going to be good when I saw the blog layout. Somehow people who end up going super low level and writing about it have the most unexpected layouts too
Thank you! I recently updated my blog's CSS as I was getting bored of the old monochrome style. Glad you like it :-)
Weird, i thought the article was clickbait because when i "dig" a TLD i always use the trailing dot. I guess i ran into this issue early on.
Going even further down the DNS tree, you can

  dig . NS
to get the root nameservers
Would have liked to know that sooner…
d and f seem to have vanished!
We should bring back internet alternatives
And tunnel them over https for security! ;)
As pointed out by someone on Mastodon - this also fails if you try to dig India's ccTLD.

https://hackers.town/@seachaint/108645588430551049

The full list: https://www.iana.org/assignments/dns-parameters/dns-paramete...

I recall (All) DNS Resource Records listed [1], which is another treasure of historical tidbits.

[1] https://www.netmeister.org/blog/dns-rrs.html

There are even more oddities buried in some RRTypes. For example, the 'protocol' field in the DNSKEY RRType. Back when DNSSEC was still in development, the concept of sub-typing was in vogue and it was thought that RRType codes should be jealously guarded. Fast forward a couple of years and everyone realizes that there are plenty of RRType codes to go around and no one really wants to use DNSKEY for other public keys, so the 'protocol' field was basically frozen with '3' being the only value used.

A 35 year old protocol has a lot of vestigial bits, but still vital to network operations.

DNSSEC has been in development since ~1995, and DNSKEY is an early-2000s thing, so a funny thing to look into is why it's DNSKEY and not KEY (this is the infamous "type code roll"), as it was originally.
This is very interesting. I'd love to read more about all these failed and discontinued ideas of computing.
When writing scripts, always use the options to dig; i.e. in this case, use

   dig -q ch -t NS
instead of

  dig ch NS
Using the options eliminates any possibility of misinterpretations like this.
I kind of think this is a dig bug -- the man page indicates you can specify `name type class queryopt` in an unargumented style, but when using IN in this fashion against `ch` it does not work correctly (testing on Debian 11 stable). Compare these 4 sets of results:

    dig ch NS IN +short
    dig -q ch -t NS -c IN +short
    dig uk NS IN +short
    dig -q uk -t NS -c IN +short
Only when using the first form do you get a comment ";; Warning, extra class option" and the incorrect results. So even when using the full pattern of un-argumented options as outlined in the man page, it fails to work as expected specifically for ch.
To avoid ambiguous queries like this, include the root zone in the domain name:

  dig ch. ns

  dig in. ns
Both return the expected results.
That’s literally what the article says.
Except upvoted comments continue to propagate confusion over what's actually happening by omitting the root zone from example hostname queries.

While this is a fully qualified domain name:

  www.example.com
This is the actual domain name:

  www.example.com.
The linked article and doesn't really explain why someone should add the trailing dot to the hostname. I do: It's the name of the root DNS zone and unambiguously identifies the `dig` parameter as a hostname.
And to avoid ambiguity, you can just include the root zone in all URLs you’re using as well (unless the server you’re talking to doesn’t implement the DNS RFCs correctly, which sadly is getting more and more common in recent years)
Funny coincidence. I'm helping out with a Chaosnet demo going live this Saturday.

https://wiki.dfupdate.se/projekt:mini-conference

These talks all look pretty interesting. Sadly, I am unavailable to participate online because of schedule. Will these be recorded at all?
wow, I need to see that. I tried (mostly unsuccessfully) to set up ChaosNet on my home LAN some time ago, I'd love to give it another shot ;-)
Wow, is your home LAN thicknet!?
no. I tried using Ethernet to transport Chaosnet between emulators. Didn't work as I hoped it would, although I forgot the exact issues that I encountered.

side note: Not thicknet, but I do have thinnet still running here although that only carries IPX/SPX and some TCP/IP :-D

>I tried using Ethernet to transport Chaosnet between emulators.

Hey, what ever you’ve got at layer 1 (thick eyes, thinner, 10baseT) the next layer up is Ethernet!

> I do have thinnet…

There must have been chaosnet over thinnet that I just don’t remember.

But since you have thinnet you should drop some pups on there so your Altos can talk to each other. Get your mail via Grapevine (still superior to IMAP)… have some fun!

Sadly I was unable to join the BBB today. Were the talks recorded?
very good article. thanks
This article reminds me of the Unicode Japanese "Ghost" characters: https://www.dampfkraft.com/ghost-characters.html

Long story short:

Someone entered some characters erroneously in the Unicode spec and now those characters are there FOREVER.

May as well find a use for them
SpooOooOky ghost keyboard mashing commences :-)
People have already written ghost stories using them as the names of the ghosts.

The fact that no-one necessarily knows how to read them aloud (some of them you can guess, some of them are very unclear) can be a fun wrinkle.

And this... character with an unknown meaning or purpose: U+237C ⍼ RIGHT ANGLE WITH DOWNWARDS ZIGZAG ARROW (https://ionathan.ch/2022/04/09/angzarr.html; https://news.ycombinator.com/item?id=31012865)
I'm changing my name to this
The artist formerly know as right angle with downward zigzag arrow
Isn't that just an icon to the bitcoin gainz ?
Down and to the left! To the moooooon!! (Sometimes. When it's not currently visible from your location.)
It used to be the case that you couldn't start a tweet with "M Night Shyamalan". Actually, with "M " but "M Night Shyamalan" made it seem more spooky.
IIRC that dated back to ye olde times where you could tweet by SMS... and "m " would be the starting sequence to compose a direct message.
(comment deleted)
What those chaosnet DNS records are used for?
The CH class record stores the chaosnet host id that corresponds to the dns entry. Chaosnet didn't use IP addresses (which are specific to the internet protocol) to identify hosts - it used a 16 bit number composed of an 8 bit subnet ID and a 8 bit subnet-local host ID.

When querying the DNS you specify the class of address you want (IN, CH, whatever) and the resolver returns you the corresponding record. So if a host has a connection to an IP network and an Chaosnet network then it would have two entwork identities and its DNS zone would contain both classes of ID.

Obviously IN is really the only network class that is used now, but these things persist in old code.

Ironically I was just looking at nslookup's man page[1] the other day and this bit of history is hinted at there:

    class=value

    Change the query class to one of:

    IN
        the Internet class
    CH
        the Chaos class
    HS
        the Hesiod class
    ANY
        wildcard
Man pages have amazing nuggets of history in them if one chooses to dig in!

[1] https://linux.die.net/man/1/nslookup

What is ironic about that?
You know, like when it rains on your wedding day.
Ironic literally means anything that Iron-man would find amusing.
(comment deleted)
It feels like a dig bug or inconsistent api doesn't it?
It is inconsistent but imagine this...

/bin is a directory called bin

/ is the root directory

/root is a directory called "root" based in the root directory

Did you get that?

Simples, now you see, dns is the same thing backwards with dots...

All that before user gets to type "www.google.com."

Interestingly, in China people just type a single word and the default search engine does the thinking. Giving them power that google.com can only dream of. ;)

The DNS "master file"/"zone file" format is a bloody disaster for the same reason, and practically unparseable. Every implementation parses them differently when it comes to parenthesis.

From the grammar in RFC 1035:

    <domain-name><rr> [<comment>]

    <blank><rr> [<comment>]

    <rr> contents take one of the following forms:

        [<TTL>] [<class>] <type> <RDATA>

        [<class>] [<TTL>] <type> <RDATA>
All the columns being optional creates the ambiguity between the <class> and <domain-name> columns in the TTL missing/2nd form. In the real world <class> is always "IN". It's even worse since the set of <type>'s is unbounded and the <RDATA> grammar depends on <type>

I believe this is one reason why tinydns has its own format https://cr.yp.to/djbdns/tinydns-data.html

Bind's config files are awful. I think it is like Sendmail where the only reason it is still awful is that there is too much infrastructure built around them to make them better. They could improve the configs, but it might break many thousands of scripts around the world.

Back in the 80s there were not many examples of configuration files, so everybody just invented their own idiosyncratic format. Most of those old formats have long since died off, but a few have survived to haunt us even today.

sendmail.cf is bytecode. At the time it was written, bytes mattered, and it did a magnificent job. Now we have the resources to make things easier on humans.

but there really should be some sort of charity foundation to help the victims of sendmail.cf trauma.

Yeah, though I would say human readable bytecode, and it is interesting to see that in the actual context. For anyone who's interested, there's a git repository containing a historical reconstruction of the original BSDs.

I believe one of the first BSD versions containing sendmail (by Eric Allman) is this one: https://github.com/weiss/original-bsd/blob/bd282c88c1b3c2575... (almost 40 years ago!)

Its a little hard to read due to the format, but here's some explanation of the (1983, earliest?) config file that was used back then: https://github.com/weiss/original-bsd/blob/bd282c88c1b3c2575...

From what I grasp, it started as an extensive dynamic parser that needed to understand a lot of rules, and I guess with each new RFC and version, the rules needed to be extended too. And the config file could be loaded into a memory image to improve performance.

It's not that bad.

You may have to rtfm, but only once.

I have to RTFM every time I get asked to write a Bind config.
I've been running BIND since 1995. Most configurations are very similar. A zone is either primary / master or secondary / slave. You copy and paste from a previous config entry, change a zone name, maybe add an extra secondary name server now and then.
Also, the zone file format is defined by an RFC. Which is why several a lot if DNS software uses that format, not just bind. Bind in particular, is conservative about deviating from the standardized format.
BIND's zone files are an implementation detail completely unnecessary to interoperate with the DNS protocol. Same for zone-transfers. Neither of these ever belonged in an RFC in the first place.
When I worked with MS Windows DNS server a few years ago, I was surprised to see that it stored domain information in (temporary?) files with a format very similar to that of BIND zone files (I can’t remember if the Windows server was primary or secondary for that domain).

Regarding zone transfers, I think it makes sense that the AXFR and IXFR protocols are specified in RFCs. Neither the server nor client should care about what software is used by the other host to implement the agreed protocols.

Keeping your secondary name server(s) in sync is necessary if you want things to work reliably. Zone transfers are necessary. File formats are not.
There’s a lot of ways to replicate zone data of which zone transfers are the worst. I’ve never used the protocol. Use scp or rsync.
What’s wrong with them? I’ve been using them for 25 years. Zone transfers are built in and “just work” once you set it up.
So I did used to use the axfrs back when I used to use bind. It’s clear text. It requires updating a serial number for no other reason than for the client to know to update. It’s based on polling. It exposes more complexity in the server that isn’t needed. It’s an archaic and dumb protocol.

There’s nothing wrong with it in the same way there was nothing wrong with telnet or ftp.

https://cr.yp.to/djbdns/axfr-notes.html

The primary can notify the secondary, so it doesn't have to poll: https://bind9.readthedocs.io/en/v9_16_6/advanced.html

That feature was added well over a decade ago. Your changes on the primary will be replicated (within seconds) to your secondaries.

I’m actually aware of that. Hacks upon hacks. And it doesn’t address the other issues.

I’m glad axfr works for you and you’re happy with it. I stopped using bind after a multitude of security issues it had over the years and I haven’t looked back. When I did used to use it, I switched to rsync for zone files probably sometime around 2000.

All of this is completely besides my original point: the zone file format needn’t have been an RFC, and probably not AXFR either. As far as I’m aware, no other RFC specifies implementation-specific decisions like the DNS RFCs do. It would be as if the sendmail.cf format had an RFC. AXFR is idiosyncratic and as recently as a decade ago underspecified:

https://datatracker.ietf.org/doc/html/rfc5936

And it looks like there’s still ongoing work to make it secure:

https://www.rfc-editor.org/rfc/rfc9103.html

(comment deleted)
Anyone audited that code for security problems? I like weird obsolete tech as much as the next nerd but perhaps dig's code could be simplified a bit.
It's in OpenBSD, so... probably yes?
I don’t know why the author laughed about Hesiod,* which, like chaosnet was another MIT protocol in use for a while.

There was a time when these records were handy — I was pretty excited when I could connect directly from my desktop machine at PARC to a host at the AI lab on the MIT chaosnet. Before the ARPANET transitioned to TCP I had to manually hop through a couple of protocol gateways to make connections like these. Afterwards it was transparent.

BTW CHAOS used strings to identify ports/protocols rather than reserved numbers. So there is a lot you can store in a compliant implementation of the DNS.

* Also the bane of some high school classes, but that’s quite another matter.

> I don’t know why the author laughed about Hesiod,* which, like chaosnet was another MIT protocol in use for a while.

Probably because you are maybe one of a few hundreds of people who have made use of this (and it was decades ago), out of the billions of people who have used the internet.

Cool story though.

Hesiod: still more comprehensible than LDAP, and probably more secure than NIS.
Well, I guess if you used Hesiod with DNSSEC. But that’s like saying you could use NIS with secure RPC, possible in theory but no one would build such an implementation because the world moved on.

Weirdly I did actually implement a Hesiod plugin for macOS once, it never shipped though.

All this does to me is show that the author didn't really research and just brushed it off. It is quite the trend. "I'm not aware of it, so it must not be important" type of thing.
Nah, I think it is more of a "here's this other thing that never caught on, and you probably don't know about that will live on forever because it is part of DNS."
TIL Switzerland is named after Apple’s favorite font.
Bell bottoms were not a failed experiment. They’re awesome and need to return.
OK. I'll give you that one. But what's your stance on Betamax?
ProTip: never take DNS advice from someone who cannot tell you the difference between ZONE and ZONE DOT.
DNS Erotica?!? ... I can't read.
> DNS Erotica?!? ... I can't read.

Every time I see the headline, that's how I first read it.

I wonder if I'll ever grow up.

So this is an ambiguity in dig's command-line parser? Not any failing of the DNS system?
Indeed:

dig Esoterica*

Great article, I did know about this at all... DNS is super interesting. I wrote dug, a cli tool I made to help visualize DNS 'propagation' but is a great learning tool. Similar to dig and dog, but specifically for querying or watching large numbers of DNS servers at once.

https://github.com/unfrl/dug

https://dug.unfrl.com