mhoran
New Member
I'm in the process of moving some domains back to ZoneEdit. However, I've encountered an issue with subdomains that are delegated to Google Cloud DNS. ZoneEdit returns a bogus additional section for those NS records which points to an IP address owned by voodoo.com.
To see the bogus additional section, run `dig test-sub.matthoran.com @dns1.zoneedit.com`.
You can see that this is delegated to Google Cloud DNS via the corresponding NS entries. However, the additional section includes A records pointing to 192.64.147.142. This is not a Google IP, and does not resolve the delegated records.
This additional section seems to be returned for any NS records. I created another dummy subdomain `nonexistent.matthoran.com`. This points to some nonsense nonexistent record on example.com. Again I get this bogus A record pointing to the voodoo.com-owned IP.
This is not just dangerous (allowing someone to hijack my records) but also adds additional latency into requests. Since this IP being returned in the additional section doesn't resolve the records being requested, those requests must first time out before the proper upstream nameserver is contacted. This additional latency can be 5 seconds or more.
Is this intended?
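A check for the behaviour described in the post, added here as an example (not code from the poster or from ZoneEdit): it parses `dig` output and reports address records in the additional section that belong to NS targets outside the zone the queried server is authoritative for. The sample response is constructed; the nameserver names under `cloud-dns.example` and the address 192.0.2.53 are placeholders, and only 192.64.147.142 comes from the post.

```python
# Constructed sample in dig's presentation format (not a captured response).
SAMPLE = """
;; QUESTION SECTION:
;test-sub.matthoran.com.        IN  A

;; AUTHORITY SECTION:
test-sub.matthoran.com. 300 IN  NS  ns1.cloud-dns.example.
test-sub.matthoran.com. 300 IN  NS  ns2.cloud-dns.example.
test-sub.matthoran.com. 300 IN  NS  ns.test-sub.matthoran.com.

;; ADDITIONAL SECTION:
ns1.cloud-dns.example.  300 IN  A   192.64.147.142
ns2.cloud-dns.example.  300 IN  A   192.64.147.142
ns.test-sub.matthoran.com. 300 IN A 192.0.2.53
"""

def parse_sections(dig_text):
    """Return {section: [(owner, rtype, rdata), ...]} from dig output."""
    sections, current = {}, None
    for raw in dig_text.splitlines():
        line = raw.strip()
        if line.startswith(";;") and line.endswith(" SECTION:"):
            current = line[2:].split()[0]      # e.g. "AUTHORITY"
            sections[current] = []
        elif not line:
            current = None                     # a blank line ends a section
        elif current and not line.startswith(";"):
            fields = line.split()
            if len(fields) >= 5:               # owner ttl class type rdata...
                owner, rtype = fields[0], fields[3]
                rdata = " ".join(fields[4:])
                sections[current].append(
                    (owner.lower().rstrip("."), rtype, rdata.lower().rstrip(".")))
    return sections

def in_bailiwick(name, zone):
    zone = zone.lower().rstrip(".")
    return name == zone or name.endswith("." + zone)

def suspicious_glue(dig_text, zone):
    """Address records for NS targets that lie outside `zone`."""
    sec = parse_sections(dig_text)
    ns_targets = {rdata for section in ("ANSWER", "AUTHORITY")
                  for _, rtype, rdata in sec.get(section, []) if rtype == "NS"}
    return [(owner, rdata) for owner, rtype, rdata in sec.get("ADDITIONAL", [])
            if rtype in ("A", "AAAA") and owner in ns_targets
            and not in_bailiwick(owner, zone)]

if __name__ == "__main__":
    for name, addr in suspicious_glue(SAMPLE, "matthoran.com"):
        print(f"out-of-bailiwick glue: {name} -> {addr}")
```

To run it against a live server, pass the text printed by `dig test-sub.matthoran.com @dns1.zoneedit.com` to `suspicious_glue` in place of `SAMPLE`.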