DNS A record with https:// in the label











I recently encountered for the first time an A record of the form:



https://www.example.com.    <TTL>   IN  A   <IP address>


As far as I know, this record is deliberate (i.e. not an error). I know that the colon and forward-slash are valid characters for a label, per RFC 2181, but I don't understand the record's purpose. Does some certificate authority use this form for domain control validation? Does this form protect against some type of exploit? Trap some kind of user error or known issue with software?










domain-name-system a-record






asked yesterday









Binky

  • Is the IP address different from the one for the matching www.example.com? What makes you think this is deliberate and not an error?
    – jcaron
    19 hours ago

  • The reason I suspect this A record is not misconfigured is because the organization controlling these records is a major corporation with a large online presence, whose DNS records I would expect to be under significant scrutiny. But I am fully capable of believing that these A records are an error. I will dig (no pun intended) into this issue further and post an update if I determine the reason for the records.
    – Binky
    13 hours ago

  • If anyone has a Farsight DNSDB account or a similar service, and would like to query the full DNS space for other A records having "https://", that'd be really cool. :)
    – Binky
    13 hours ago

  • The IP address mapping of the A record for https://www.example.com is different from the IP address mapping for www.example.com. The former maps to addresses (multiple A records) in the /16 netblock owned by "example.com" per ARIN whois. The latter maps to a CNAME in the domain of a major CDN provider. The CNAME chain ultimately maps to an IP address in the CDN provider's network.
    – Binky
    12 hours ago

  • @Binky: That is not a good reason to suspect it's not misconfigured. Incompetence in major corporations is extremely common.
    – R..
    7 hours ago














2 Answers

The most likely explanation is a user unfamiliar with DNS tried to configure the DNS records and made a mistake that's glaringly obvious to anyone familiar with DNS, but not to people who aren't.



While a DNS label can be any arbitrary binary data generally, you should read the rest of section 11, in particular:




Note however, that the various applications that make use of DNS data
can have restrictions imposed on what particular values are
acceptable in their environment. For example, that any binary label
can have an MX record does not imply that any binary name can be used
as the host part of an e-mail address. Clients of the DNS can impose
whatever restrictions are appropriate to their circumstances on the
values they use as keys for DNS lookup requests, and on the values
returned by the DNS. If the client has such restrictions, it is
solely responsible for validating the data from the DNS to ensure
that it conforms before it makes any use of that data.




Among other things, this means that the label syntax may be constrained depending on the RR type. As specified in RFC 1123 section 2.1 and RFC 952, Internet host names have such a constrained syntax, in which the colon and slash are not valid.






edited yesterday
answered yesterday
Michael Hampton
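The answer above rests on a distinction worth seeing in code: the DNS protocol itself (RFC 1035 wire format) only limits a label to 63 octets and a name to 255 octets, so an owner name like `https://www.example.com.` encodes and serves without complaint, while the host-name syntax of RFC 952 / RFC 1123 section 2.1 (letters, digits and hyphens only, no leading or trailing hyphen) rejects it. The following Python is an added example, not code from the page or from any of its posters. It assumes a simplified zone-file format with an explicit TTL and class on every line, and the sample records are constructed (the question's real record only has `<TTL>` and `<IP address>` placeholders). The audit function generalizes the answer's point to an operator's check: it flags any record whose RR type implies a host-name owner but whose name is not host-name syntax, while leaving underscore-labelled TXT records alone, since the application restriction does not apply there.

```python
import re
from typing import List, Tuple

# RFC 952 / RFC 1123 section 2.1 host-name syntax ("LDH" rule): each label is
# letters, digits and hyphens, may start with a digit (RFC 1123 relaxation),
# must not start or end with a hyphen, and is 1..63 octets long.
_LDH_LABEL = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")


def is_valid_hostname(name: str) -> bool:
    """True if `name` (with or without trailing dot) satisfies host-name syntax."""
    name = name.rstrip(".")
    if not name or len(name) > 253:   # 255-octet wire limit minus length/root octets
        return False
    return all(_LDH_LABEL.match(label) for label in name.split("."))


def encode_dns_name(name: str) -> bytes:
    """Encode an owner name into DNS wire format (RFC 1035 section 3.1):
    <length><octets> per label, terminated by a zero octet.  DNS itself
    enforces only the 63-octet label and 255-octet name limits, so ':' and
    '/' encode just like any other octet; this is the RFC 2181 point that
    validation belongs to the client application, not to DNS."""
    out = bytearray()
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 1 <= len(raw) <= 63:
            raise ValueError(f"label length out of range: {label!r}")
        out.append(len(raw))
        out += raw
    out.append(0)
    if len(out) > 255:
        raise ValueError("name exceeds 255 octets")
    return bytes(out)


# RR types whose owner name is expected to be an Internet host name.
HOSTNAME_RRTYPES = {"A", "AAAA", "CNAME", "MX", "NS"}

# Constructed sample zone fragment (hypothetical records, not from the question).
SAMPLE_ZONE = """\
www.example.com.             300 IN A    192.0.2.10
https://www.example.com.     300 IN A    192.0.2.20
mail.example.com.            300 IN MX   10 mx1.example.com.
_acme-challenge.example.com. 300 IN TXT  "token-placeholder"
"""


def audit_zone(zone_text: str) -> List[Tuple[str, str, str]]:
    """Return (owner, rrtype, reason) for every record whose owner name should
    be a host name but fails RFC 952/1123 syntax.  Assumes one record per
    line in the form: owner TTL class type rdata (a simplifying assumption)."""
    findings = []
    for line in zone_text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue
        owner, rrtype = fields[0], fields[3]
        if rrtype in HOSTNAME_RRTYPES and not is_valid_hostname(owner):
            bad = [lab for lab in owner.rstrip(".").split(".")
                   if not _LDH_LABEL.match(lab)]
            findings.append((owner, rrtype, f"non-LDH label(s): {bad}"))
    return findings


if __name__ == "__main__":
    # The name is encodable on the wire yet is not a valid host name.
    print(encode_dns_name("https://www.example.com."))
    print(is_valid_hostname("https://www.example.com."))
    for owner, rrtype, reason in audit_zone(SAMPLE_ZONE):
        print(f"{owner} {rrtype}: {reason}")
```

Running the audit over the sample zone reports only the `https://www.example.com.` A record; the `_acme-challenge` TXT owner is left alone because TXT does not carry the host-name restriction, which is exactly the per-application constraint the quoted RFC 2181 text describes.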

It's wrong for a standard address, but it's possibly someone using DNS as an out-of-band communication device.

It's not hard to imagine having to pass data via DNS instead of through 'normal' channels.







answered 23 hours ago
djsmiley2k

  • Could you go ahead and imagine for us? As it is, this answer doesn't really say what might be happening - just that the answerer thinks it is logical.
    – Saiboogu
    16 hours ago

  • "it's possibly someone using DNS as a out of band communication device." @djsmiley2k I didn't mention this possibility in my original post because the organization controlling these A records is a corporation with substantial security/compliance requirements. For these records to be an out-of-band access mechanism would be highly unlikely, and if the records were an OOB hack, then the repercussions would be... scary.
    – Binky
    13 hours ago

  • @Binky fair enough, it's unlikely in this case, but it's a possibility in others.
    – djsmiley2k
    2 hours ago













