T 3.103 Incorrect domain information
Even if the use of DNS has been planned carefully and all security-related aspects have thus been taken into consideration, this is not sufficient if incorrect domain information is created. "Incorrect" means that semantic and/or syntactic errors were made when the domain information was created, for example a host name assigned the wrong IP address, missing data, or the use of characters that are not permitted. If domain information contains errors, services that use this information function only to a limited extent. The examples below include common errors:
- Forward resolution and reverse resolution each have their data maintained in a separate database. One of the most common errors is that newly added domain information is entered in the data for forward resolution, but whoever adds it forgets to also update the domain information in the data for reverse resolution.
- Multi-homed hosts, such as routers, have network connections to several network segments and thus several IP addresses. If the corresponding PTR records (short for "pointer") are not entered in the domain information for all IP addresses of a multi-homed host, reverse resolution fails for the IP addresses without PTR records, and services that require reverse resolution are impaired.
- If characters that are not permitted are used in domain names, the information is interpreted incorrectly or not at all. Permitted characters are ASCII letters, digits and the hyphen. Names that are valid in the DNS name space can also be interpreted differently by applications: "0xe", for example, is a valid host name, but if you try to connect to this host using "telnet 0xe", Telnet interprets "0xe" as an IP address. No name resolution takes place, and if 0.0.0.14 is not the correct IP address, the connection fails.
- Domain information must contain a serial number stating the date on which the zone was last updated. Writing this date as a decimal number might result in unexpected events, since DNS servers internally convert the serial number into an integer.
- Resolving DNS servers, as well as the resolvers on pure client IT systems, generally store the response data they receive in a cache. This reduces the number of requests that must be sent to the higher-level DNS server. The period for which data is held in the cache is referred to as "time to live" (TTL) and is part of the domain information. TTLs that are too long, especially for domain information that changes frequently, result in outdated cached data; TTLs that are too short increase the load on the DNS servers.
- In certain cases, "glue records" are required in order to find the responsible DNS servers. Usually, a DNS server stores only the domain names of the DNS servers of its subdomains. If a DNS server for such a subdomain lies within that subdomain itself, the higher-level DNS servers must also store its IP address, since otherwise no DNS server would be able to perform the name resolution. This entry is referred to as a glue record. When DNS servers are migrated or withdrawn from operation, it may be overlooked that the associated glue records must be adapted or deleted. Corresponding requests are then referred to DNS servers that no longer exist.
- DNS offers the option of defining aliases. An alias is a freely chosen name, usually one that is easy to remember; a frequently used alias in DNS is "www" for the web server. However, an alias must not be assigned any other data; it is not permitted, for example, to define an IP address for an alias. Another error regarding aliases is to delete a host but not its associated alias.
- Since domain information is important data, it is usually provided by at least two DNS servers: the primary DNS server and one or more secondary DNS servers. The data is maintained on the primary DNS server and synchronised to the secondary DNS server(s). DNS servers use the serial number contained in the domain information as an indicator of whether changes have been made. If domain information is changed but the serial number it contains is not increased, the new domain information is not synchronised. The resulting inconsistency leads to different name resolutions depending on which DNS server is queried.
Domain information is stored in text files, so-called master files. If these text files are edited manually, an overly complicated, inconsistent structure constitutes an additional source of error.
Besides adding new information, deleting information, particularly when a host is withdrawn from operation, is a major source of error. If not all the domain information is deleted, information on hosts that no longer exist remains available.
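Most of the errors listed above can be caught before a zone is loaded by checking the forward and reverse master files against each other. The following is an added example, not part of the original catalogue entry: it uses constructed records (names under example.test, documentation addresses, a simplified tuple form instead of master-file syntax) and checks forward/reverse consistency including a multi-homed host, permitted characters in names, aliases that carry other data or outlive their host, and whether a changed serial number will actually trigger synchronisation.

```python
import re
from collections import defaultdict

# Constructed sample master-file records for this example, as (owner, type, rdata).
FORWARD = [
    ("ns1.example.test.", "A", "192.0.2.1"),
    ("web1.example.test.", "A", "192.0.2.10"),
    ("www.example.test.", "CNAME", "web1.example.test."),   # correct alias
    ("rtr.example.test.", "A", "192.0.2.254"),              # multi-homed host
    ("rtr.example.test.", "A", "198.51.100.254"),           # second interface
    ("mail.example.test.", "CNAME", "web1.example.test."),
    ("mail.example.test.", "A", "192.0.2.20"),              # alias given other data
    ("bad_host.example.test.", "A", "192.0.2.30"),          # '_' is not permitted
    ("old.example.test.", "CNAME", "gone.example.test."),   # host deleted, alias kept
]
REVERSE = [  # the PTR for 198.51.100.254 was forgotten
    ("1.2.0.192.in-addr.arpa.", "PTR", "ns1.example.test."),
    ("10.2.0.192.in-addr.arpa.", "PTR", "web1.example.test."),
    ("254.2.0.192.in-addr.arpa.", "PTR", "rtr.example.test."),
    ("20.2.0.192.in-addr.arpa.", "PTR", "mailx.example.test."),  # typo in name
]
LABEL = re.compile(r"^[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")  # letters, digits, hyphen

def check_zone(forward, reverse):
    """Return a list of human-readable problems found in the two master files."""
    problems = []
    rrsets = defaultdict(lambda: defaultdict(set))  # owner -> type -> set(rdata)
    for owner, rtype, rdata in forward:
        rrsets[owner][rtype].add(rdata)
    # Map each IPv4 address back from its in-addr.arpa owner name to the PTR target.
    ptr = {".".join(reversed(o.removesuffix(".in-addr.arpa.").split("."))): n
           for o, t, n in reverse if t == "PTR"}
    for owner, types in rrsets.items():
        if any(not LABEL.match(l) for l in owner.rstrip(".").split(".")):
            problems.append(f"{owner}: name contains characters that are not permitted")
        if "CNAME" in types and len(types) > 1:
            problems.append(f"{owner}: alias also carries other data {sorted(set(types) - {'CNAME'})}")
        for target in types.get("CNAME", ()):
            if target not in rrsets:
                problems.append(f"{owner}: alias points to deleted host {target}")
        for ip in types.get("A", ()):
            if ip not in ptr:
                problems.append(f"{owner}: no PTR record for {ip}")
            elif ptr[ip] != owner:
                problems.append(f"{ip}: PTR names {ptr[ip]} but the A record belongs to {owner}")
    return problems

def serial_increased(old, new):
    """True if secondaries will transfer the zone: new serial is 'greater' in 32-bit wrap-around arithmetic (RFC 1982)."""
    return 0 < (new - old) % 2**32 < 2**31
```

Running check_zone(FORWARD, REVERSE) on the constructed data reports six problems, one for each deliberate error above; serial_increased shows that an unchanged serial never triggers a transfer, while a wrap from 4294967295 to 0 does.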