Some NXDomain entries that should be de-listed

[vdukhovni]

The suffixes below don't exist:

me.vu
blog.vu
dev.vu
us.kg
nyan.to
blog.gt
at.md
app.gp

[ Reproducer:

$ for zone in me.vu blog.vu dev.vu us.kg nyan.to blog.gt at.md app.gp; do dig +noall +comment +question -t soa $zone; done | grep -E 'HEADER|SOA'
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 5773
;me.vu.                         IN      SOA
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 24903
;blog.vu.                       IN      SOA
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 23178
;dev.vu.                                IN      SOA
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 22936
;us.kg.                         IN      SOA
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 45346
;nyan.to.                       IN      SOA
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 44082
;blog.gt.                       IN      SOA
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 9568
;at.md.                         IN      SOA
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 46026
;app.gp.                                IN      SOA

]

The below ServFail SOA lookups, and are therefore unlikely public suffixes:

to.md
us.ax
de.md
blog.kg
neko.am
es.ax
eu.ax
ch.tc
tv.kg

[ Reproducer:

$ for zone in to.md us.ax de.md blog.kg neko.am es.ax eu.ax ch.tc tv.kg; do dig +noall +comment +question -t soa $zone; done | grep -E 'HEADER|SOA'
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 11893
;to.md.                         IN      SOA
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 32794
;us.ax.                         IN      SOA
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 43243
;de.md.                         IN      SOA
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 15513
;blog.kg.                       IN      SOA
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 23054
;neko.am.                       IN      SOA
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 41333
;es.ax.                         IN      SOA
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 56421
;eu.ax.                         IN      SOA
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 6834
;ch.tc.                         IN      SOA
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 39922
;tv.kg.                         IN      SOA

]

[dnsguru]

This is helpful that you have done this testing, as submitters often stop engagement related to their entries once they get them added, and then never clean up after themselves, leaving "debris". Your volunteer help is appreciated. For transparency, especially because we are removing entries, could you please include the command and output per domain, as well as the nameserver checked? The objective is that anyone could repeat the same command and get the same result, so that it is abundantly clear why entries were removed.

…

On Wed, Apr 26, 2023, 9:49 AM Viktor Dukhovni ***@***.***> wrote: The suffixes below don't exist: me.vu blog.vu dev.vuus.kgnyan.toblog.gt at.mdapp.gp The below ServFail SOA lookups, and are therefore unlikely public suffixes: to.mdus.ax de.mdblog.kgneko.ames.axeu.axch.tctv.kg — Reply to this email directly, view it on GitHub <#1746>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/AACQTJLHGDL3PRVWN2TGSUDXDFGYFANCNFSM6AAAAAAXMWRQCI> . You are receiving this because you are subscribed to this thread.Message ID: ***@***.***>

[vdukhovni]

Commands to reproduce observations added.

[dnsguru]

Made small tweak to force use of 8.8.8.8 on the lookup to force a public resolver in replication

for zone in me.vu blog.vu dev.vu us.kg nyan.to blog.gt at.md app.gp; do dig +noall +comment +question -t soa $zone @8.8.8.8; done | grep -E 'HEADER|SOA'
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 62134
;me.vu.                         IN      SOA
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 44568
;blog.vu.                       IN      SOA
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 55489
;dev.vu.                                IN      SOA
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 36202
;us.kg.                         IN      SOA
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 65425
;nyan.to.                       IN      SOA
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 49255
;blog.gt.                       IN      SOA
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 39299
;at.md.                         IN      SOA
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 12597
;app.gp.                                IN      SOA

[dnsguru]

duplicated empty results - confirmed this from 4 different hosts on 4 different providers using 4 different public resolvers.

[dnsguru]

Hi community, please make a pull request for these changes

[dnsguru]

this appears to be tied to #1741

[dnsguru]

#1755 tied to this;