> -----Original Message-----
> From: Jeff Chan [mailto:[EMAIL PROTECTED]
> Sent: Friday, January 25, 2008 5:51 PM
> 
> Quoting Giampaolo Tomassoni <[EMAIL PROTECTED]>:
> 
> > Please note that one generally can't issue a DNS request to a specific
> > server from SA, since its resolver engine only uses the globally-defined
> > DNS server(s). Thereby, in the common case I should get the NSes published
> > by root servers, which should be exactly the ones published in whois. But
> > they not always are! This is not because of a "change" in progress, but
> > because of the normal follow-up of the authoritative chain in domain names
> > resolution: if a root server says that NSa and NSb are authoritative for
> > domain D, but NSa says that instead NSc and NSd are, the resolver (which of
> > course must apply "recursion", since you're not using a non-recursive DNS
> > server for your standard queries, right?) yields two NS RR with NSc and NSd
> > names in them, not with the ones defined by the root server.
> 
> Yes, delegation is the other, more usual, way that the nameserver in
> the whois and TLD root server may differ. Some spammers do make use
> of a lot of delegation, more than usual and sometimes in long chains
> of delegation, but delegation beyond the typical glue records is not
> necessarily the sign of a spam domain.

It is not delegation. Delegation is when you delegate the handling of DNS
requests on a subdomain of your domain to a different DNS server, not the
handling of the domain itself. The latter is fooling your registration data:
you register your domain specifying a couple of nameservers, then instead
use others. Basically, wherever (in the world) you are, your registrar asks
you to specify "at least two *authoritative* nameservers for your domain" in
your registration. Then those nameservers say they are not authoritative
for the domain. See the conflict?


> In short, this may result in false positives.

That is not what I see, Jeff. I see the vast majority of "good" sites don't
use delegation at all and keep their NSes in whois records up to date with
the zone-defined ones. They obey the rule often stipulated with the
registrar that their registration data must always be up to date.

There is also another reason not to do this kind of "zone warping": it often
involves a delay when first accessing a site, which most of us prefer to
avoid to the best possible extent.

Then, of course, there will be a small number of people who don't know what
they are doing, or who are even somehow mandated to warp their zone, but I
don't see big numbers here.

After all, every SA rule has its own FPs, doesn't it?

Giampaolo

> Jeff C.
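The three NS views the thread compares (the parent/TLD delegation, the domain's own apex NS RRset, and the registrar/whois data) can be checked mechanically; the following is an added example, not code from the thread or from SpamAssassin. It uses a constructed in-memory zone table as the resolver so it runs offline; live use would need `lookup_ns` replaced by a non-recursive query to the parent zone's servers (which, as Giampaolo notes, SA's own resolver does not provide), and `ns1.mailhost.example.` and the other names are invented.

```python
from typing import Callable, Dict, FrozenSet

# Constructed zone data (not real DNS): zone -> {owner name -> NS names}.
# "example.com." is delegated by the TLD to ns-a/ns-b (the registrar-
# published servers) but its own apex NS RRset names ns-c/ns-d instead:
# the "zone warping" case. "honest.com." is consistent and merely
# delegates a subdomain, which is ordinary delegation.
ZONES: Dict[str, Dict[str, FrozenSet[str]]] = {
    ".": {"com.": frozenset({"a.gtld.example.", "b.gtld.example."})},
    "com.": {
        "example.com.": frozenset({"ns-a.example.", "ns-b.example."}),
        "honest.com.": frozenset({"ns1.honest.com.", "ns2.honest.com."}),
    },
    "example.com.": {
        "example.com.": frozenset({"ns-c.example.", "ns-d.example."}),
    },
    "honest.com.": {
        "honest.com.": frozenset({"ns1.honest.com.", "ns2.honest.com."}),
        "mail.honest.com.": frozenset({"ns1.mailhost.example."}),
    },
}

def lookup_ns(zone: str, name: str) -> FrozenSet[str]:
    """Stand-in for a non-recursive NS query sent to `zone`'s servers."""
    return ZONES.get(zone, {}).get(name, frozenset())

def parent_zone(name: str) -> str:
    """Strip the leftmost label: 'mail.honest.com.' -> 'honest.com.'"""
    labels = name.rstrip(".").split(".")
    return ".".join(labels[1:]) + "." if len(labels) > 1 else "."

def classify(name: str, whois_ns: FrozenSet[str],
             ns_lookup: Callable[[str, str], FrozenSet[str]] = lookup_ns) -> str:
    """Compare parent delegation, apex NS RRset and whois NS for `name`."""
    name = name.lower() if name.endswith(".") else name.lower() + "."
    whois_ns = frozenset(n.lower() for n in whois_ns)
    delegation = ns_lookup(parent_zone(name), name)  # what the parent hands out
    apex = ns_lookup(name, name)                     # what the zone itself says
    if not delegation:
        return "no-delegation"
    if apex and apex != delegation:
        return "apex-mismatch"    # registered servers disown the zone
    if whois_ns and whois_ns != delegation:
        return "whois-mismatch"   # registrar data is stale
    return "consistent"           # includes plain subdomain delegation
```

A subdomain such as `mail.honest.com.` classifies as consistent because only the apex NS RRset is compared with the parent's delegation, which is exactly the distinction the reply draws.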
