more spaces in PTRs, this time totisp.net
Anyone?
1.179.154.11:1-179-180.11.cisp.totisp.\\ net
dig -x 1.179.154.11
11.154.179.1.in-addr.arpa. 7200 IN PTR 1-179-180.11.cisp.totisp.\032net.
-- hesketh.com/inc. v: +1(919)834-2552 f: +1(919)834-2553 w: http://hesketh.com/ Internet security and antispam hostname intelligence: http://enemieslist.com/
Typo I’d say. DB-driven DNS servers, which don’t keep their entries in traditional PTR-record text format, can fall victim to this. Rather than parse the text every time, they just spit out whatever is in the table column, even if it has embedded spaces. I’ve seen this happen in SnitchDNS.
-mel via cell
On Oct 21, 2021, at 9:08 PM, Steven Champeon <schampeo@hesketh.com> wrote:
Anyone?
1.179.154.11:1-179-180.11.cisp.totisp.\\ net
dig -x 1.179.154.11
11.154.179.1.in-addr.arpa. 7200 IN PTR 1-179-180.11.cisp.totisp.\032net.
-- hesketh.com/inc. v: +1(919)834-2552 f: +1(919)834-2553 w: http://hesketh.com/ Internet security and antispam hostname intelligence: http://enemieslist.com/
\032 is not a space.
Decimal 32 (0x20, \040) is a space. \032 is a Ctrl-Z (26 decimal, 0x1a)
Owen
On Oct 21, 2021, at 22:14 , Mel Beckman <mel@beckman.org> wrote:
Typo I’d say. DB-driven DNS servers, which don’t keep their entries in traditional PTR-record text format, can fall victim to this. Rather than parse the text every time, they just spit out whatever is in the table column, even if it has embedded spaces. I’ve seen this happen in SnitchDNS.
-mel via cell
On Oct 21, 2021, at 9:08 PM, Steven Champeon <schampeo@hesketh.com> wrote:
Anyone?
1.179.154.11:1-179-180.11.cisp.totisp.\\ net
dig -x 1.179.154.11
11.154.179.1.in-addr.arpa. 7200 IN PTR 1-179-180.11.cisp.totisp.\032net.
-- hesketh.com/inc. v: +1(919)834-2552 f: +1(919)834-2553 w: http://hesketh.com/ Internet security and antispam hostname intelligence: http://enemieslist.com/
Owen,
Ah, so a cross-base typo! :)
-mel via cell
On Oct 21, 2021, at 10:40 PM, Owen DeLong <owen@delong.com> wrote:
\032 is not a space.
Decimal 32 (0x20, \040) is a space. \032 is a Ctrl-Z (26 decimal, 0x1a)
Owen
On Oct 21, 2021, at 22:14 , Mel Beckman <mel@beckman.org> wrote:
Typo I’d say. DB-driven DNS servers, which don’t keep their entries in traditional PTR-record text format, can fall victim to this. Rather than parse the text every time, they just spit out whatever is in the table column, even if it has embedded spaces. I’ve seen this happen in SnitchDNS.
-mel via cell
On Oct 21, 2021, at 9:08 PM, Steven Champeon <schampeo@hesketh.com> wrote:
Anyone?
1.179.154.11:1-179-180.11.cisp.totisp.\\ net
dig -x 1.179.154.11
11.154.179.1.in-addr.arpa. 7200 IN PTR 1-179-180.11.cisp.totisp.\032net.
-- hesketh.com/inc. v: +1(919)834-2552 f: +1(919)834-2553 w: http://hesketh.com/ Internet security and antispam hostname intelligence: http://enemieslist.com/
\032 is space. Go read STD13 aka RFC 1034 and RFC 1035.
-- Mark Andrews
On 22 Oct 2021, at 16:40, Owen DeLong via NANOG <nanog@nanog.org> wrote:
\032 is not a space.
Decimal 32 (0x20, \040) is a space. \032 is a Ctrl-Z (26 decimal, 0x1a)
Owen
On Oct 21, 2021, at 22:14 , Mel Beckman <mel@beckman.org> wrote:
Typo I’d say. DB-driven DNS servers, which don’t keep their entries in traditional PTR-record text format, can fall victim to this. Rather than parse the text every time, they just spit out whatever is in the table column, even if it has embedded spaces. I’ve seen this happen in SnitchDNS.
-mel via cell
On Oct 21, 2021, at 9:08 PM, Steven Champeon <schampeo@hesketh.com> wrote:
Anyone?
1.179.154.11:1-179-180.11.cisp.totisp.\\ net
dig -x 1.179.154.11
11.154.179.1.in-addr.arpa. 7200 IN PTR 1-179-180.11.cisp.totisp.\032net.
-- hesketh.com/inc. v: +1(919)834-2552 f: +1(919)834-2553 w: http://hesketh.com/ Internet security and antispam hostname intelligence: http://enemieslist.com/
on Fri, Oct 22, 2021 at 04:05:44AM +0000, Steven Champeon wrote:
Anyone?
FWIW, I took a look at my scans data and there's a lot of this around. Of the 5477 PTRs with spaces, in approximately ~490 domains*, those with more than twenty hosts with PTRs containing spaces are the following:

  2178 bbox.fr (still)
   961 misc (basically, domains that don't exist, garbage rdns, etc.)
   255 yorku.ca
   203 hostforweb.com
   157 teknotel.com
   156 uncg.edu
   129 lacoe.edu
    55 is.co.mz
    52 uni-bonn.de
    41 ncsu.edu
    41 bell.ca**
    40 fuse.net
    36 dartmouth.edu
    27 gatech.edu
    26 uni-goettingen.de
    25 isu.edu
    25 csub.edu
    21 qut.edu.au

Anyone from these orgs that cares can contact me offlist for more info, or as someone who saw the bbox.fr post did, forward to the relevant people and ask them to do the same.

FWIW, some involve leading, some involve trailing, but most contain spaces in the labels themselves.

* FSVO "domain"
** I had a contact at bell.ca but she has since retired and they have apparently kept introducing more bad rDNS.

TIA,
Steve
-- hesketh.com/inc. v: +1(919)834-2552 f: +1(919)834-2553 w: http://hesketh.com/ Internet security and antispam hostname intelligence: http://enemieslist.com/
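
Added example, not part of any poster's message: a decoder for the `\DDD` escape that `dig` printed in this thread, which RFC 1035 section 5.1 defines as a three-digit decimal octet value, plus a check that sorts spaces in PTR labels into leading, trailing and embedded. The function names are hypothetical and every sample name other than the totisp.net record is constructed.

```python
import re

# Hostname labels are expected to be letters, digits and hyphens (LDH).
LDH = re.compile(rb"[A-Za-z0-9-]+")

def decode_presentation(name: str) -> list[bytes]:
    """Split a presentation-format name into raw labels, undoing RFC 1035
    escapes: \\DDD is a DECIMAL octet value, \\X is the literal character X."""
    labels, cur, i = [], bytearray(), 0
    while i < len(name):
        ch = name[i]
        if ch == "\\":
            ddd = name[i + 1:i + 4]
            if len(ddd) == 3 and ddd.isascii() and ddd.isdigit():
                value = int(ddd, 10)          # base 10, not octal
                if value > 255:
                    raise ValueError(f"escape \\{ddd} exceeds one octet")
                cur.append(value)
                i += 4
            elif i + 1 < len(name):
                cur += name[i + 1].encode()   # e.g. "\." is a literal dot
                i += 2
            else:
                raise ValueError("dangling backslash")
        elif ch == ".":                       # unescaped dot ends a label
            labels.append(bytes(cur))
            cur = bytearray()
            i += 1
        else:
            cur += ch.encode()
            i += 1
    if cur:                                   # name given without trailing dot
        labels.append(bytes(cur))
    return labels

def audit_ptr(target: str) -> list[tuple[str, str]]:
    """Return (label, problem) for every label that is not plain LDH."""
    findings = []
    for label in decode_presentation(target):
        if LDH.fullmatch(label):
            continue
        if label.startswith(b" "):
            kind = "leading space"
        elif label.endswith(b" "):
            kind = "trailing space"
        elif b" " in label:
            kind = "embedded space"
        else:
            kind = "non-LDH octet"
        findings.append((label.decode("latin-1"), kind))
    return findings

# PTR target from the dig output above. Raw string on purpose: in an ordinary
# Python literal "\032" is an OCTAL escape and would become byte 26.
PAGE_SAMPLE = r"1-179-180.11.cisp.totisp.\032net."
```

Feed it the PTR target exactly as `dig` prints it; zone data pulled straight from a database column would need the same LDH check applied to the raw value.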
participants (6)
- Mark Andrews
- Mel Beckman
- Owen DeLong
- Ray Bellis
- Steven Champeon
- tim@pelican.org