Earlier, I scanned the full TLD list to see if any more of them didn't support CAA, similar to the situation with .sr. (Doing roughly "dig cOm caa" and so forth.) There were no other broken TLDs.
Now I've done the same thing with the entire Public Suffix List.
- Unbound 1.5.8 with a similar configuration to unboundtest.com. (I enabled caching.)
- the Public Suffix List
- two Python scripts for processing it
For the Public Suffix List, I removed !example.com entries and treated
Limitations: I checked from one location, repeatedly, over a short period of time. I didn’t check for issues with subdomains.
With that excessive introduction, I found two public suffixes with
I found 37 other public suffixes that were broken for NS, suggesting wider and irrelevant problems (DNSSEC, 0x20, routing issues, etc.). I'll paste that list at the bottom. I didn't check if any of them are in use.
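The scan described above, as an added example that is not one of the original post's two scripts: it parses the Public Suffix List (drops comments and `!` exception rules, queries the parent of `*.` wildcard rules, converts IDN entries to A-labels), then, for each suffix, looks up NS first and CAA second, so that suffixes whose NS lookup already fails are filed as general breakage rather than as a CAA problem. The PSL snippet and the resolver answers in `FAKE_RCODES` are constructed; `dig_lookup` is an assumed replacement that runs `dig` against a local recursive resolver such as the Unbound instance mentioned above.

```python
"""Scan public suffixes for CAA lookup failures, separating them from
suffixes that are broken for any query type (added example)."""
import re
import subprocess
from typing import Callable, Dict, List

# Constructed sample in PSL syntax (not the real list): comments, a
# wildcard rule, an exception rule, an IDN entry and a duplicate.
SAMPLE_PSL = """\
// ===BEGIN ICANN DOMAINS===
// sr : https://www.iana.org/domains/root/db/sr.html
sr
no
mil.no
*.ck
!www.ck
公司.cn
mil.no
// ===END ICANN DOMAINS===
"""


def parse_psl(text: str) -> List[str]:
    """Turn PSL text into a de-duplicated list of queryable names."""
    names: List[str] = []
    seen = set()
    for raw in text.splitlines():
        line = raw.split("//", 1)[0].strip()   # '//' starts a comment
        if not line or line.startswith("!"):   # '!' rules are exceptions, not suffixes
            continue
        if line.startswith("*."):              # wildcard rule: query the parent
            line = line[2:]
        try:
            name = line.encode("idna").decode("ascii").lower().rstrip(".")
        except UnicodeError:
            name = line.lower().rstrip(".")
        if name and name not in seen:
            seen.add(name)
            names.append(name)
    return names


# rcodes a CA's CAA tree walk can live with: an answer, or proof of absence
HEALTHY = {"NOERROR", "NXDOMAIN"}


def classify(name: str, lookup: Callable[[str, str], str]) -> str:
    """lookup(name, rrtype) -> rcode string. NS is checked first so that a
    suffix whose servers fail everything is not counted as a CAA failure."""
    if lookup(name, "NS") not in HEALTHY:
        return "broken-ns"    # DNSSEC, 0x20, routing ... not CAA-specific
    if lookup(name, "CAA") not in HEALTHY:
        return "broken-caa"   # NS works, CAA does not: the case that matters
    return "ok"


def scan(names: List[str], lookup: Callable[[str, str], str]) -> Dict[str, List[str]]:
    report: Dict[str, List[str]] = {"broken-caa": [], "broken-ns": [], "ok": []}
    for n in names:
        report[classify(n, lookup)].append(n)
    return report


# Constructed resolver answers: mil.no mirrors the case shown later in the
# post (NS fine, CAA SERVFAIL); ck is made to fail even NS.
FAKE_RCODES = {
    ("sr", "NS"): "NOERROR", ("sr", "CAA"): "SERVFAIL",
    ("mil.no", "NS"): "NOERROR", ("mil.no", "CAA"): "SERVFAIL",
    ("no", "NS"): "NOERROR", ("no", "CAA"): "NOERROR",
    ("ck", "NS"): "SERVFAIL", ("ck", "CAA"): "SERVFAIL",
    ("xn--55qx5d.cn", "NS"): "NOERROR", ("xn--55qx5d.cn", "CAA"): "NXDOMAIN",
}


def fake_lookup(name: str, rrtype: str) -> str:
    return FAKE_RCODES.get((name, rrtype), "NOERROR")


STATUS_RE = re.compile(r"status: ([A-Z]+)")


def dig_lookup(name: str, rrtype: str, server: str = "127.0.0.1") -> str:
    """Assumed real lookup: ask a local recursive resolver via dig and read
    the rcode from the header comment; 'TIMEOUT' if dig prints none."""
    out = subprocess.run(
        ["dig", "+time=5", "+tries=1", "+noall", "+comments",
         f"@{server}", name, rrtype],
        capture_output=True, text=True).stdout
    m = STATUS_RE.search(out)
    return m.group(1) if m else "TIMEOUT"


if __name__ == "__main__":
    # swap fake_lookup for dig_lookup to run against a real resolver
    for category, found in scan(parse_psl(SAMPLE_PSL), fake_lookup).items():
        print(category, found)
```

As with the post's own method, this runs from one vantage point; a SERVFAIL here can still be a transient or routing issue, which is why the NS pass is kept separate from the CAA pass.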
So… except for .sr, which we already knew about, probably not bad.
mil.ac res.aero gov.as com.bm edu.bm net.bm org.bm ar.com hu.com kr.com logoip.com qc.com uy.com mycd.eu user.party.eus tt.im trentino-suedtirol.it asso.km per.la gov.mr louvre.museum xn--h1aegh.museum biz.mv il.eu.org i.ph mil.rw mil.sh consulado.st edu.st embaixada.st mil.st net.st store.st test.tj cc.id.us cc.wa.us mil.zw
```
$ dig +short mil.no ns
ns4.eonisp.net.
ns5.eonisp.net.
ns6.eonisp.net.
$ dig +norecurse mil.no caa @ns5.eonisp.net.

; <<>> DiG 9.10.3-P4-Ubuntu <<>> +norecurse mil.no caa @ns5.eonisp.net.
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 54228
;; flags: qr aa; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;mil.no.			IN	CAA

;; Query time: 111 msec
;; SERVER: 22.214.171.124#53(126.96.36.199)
;; WHEN: Wed Aug 09 08:59:04 UTC 2017
;; MSG SIZE  rcvd: 24
```
Yep, authoritative nameservers return
version.bind returns an invalid (class IN) but informative response of "Served by POWERDNS 2.9.22 $Id: packethandler.cc 1321 2008-12-06 19:44:36Z ahu $" and I hope I don't get arrested by NATO…