Tag: domain

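  • Some bugs exposed by DNSSEC

    I have several domains registered with Netcetera, and one of them ran into a problem: with the MX record set and a mailbox opened on the mail server, it received most mail, but mail sent to it from hotmail.com never arrived, and the hotmail sender also received a rejection notice.

    Because I could not find the cause, I transferred the domain to Godaddy as registrar. After that I did not check whether hotmail could deliver mail to mailboxes on that domain (the transfer hit a small snag of its own, and by the time it succeeded more than a month had passed, so I did not keep testing), until recently, when the mail server's attempts to auto renew the Letsencrypt certificate for a subdomain of that domain kept failing.

    I spent some time working through Letsencrypt's failure notification e-mail, which mentioned DNSSEC: DNSKEY Missing.

    But I have never used DNSSEC, so this message was very strange. I checked the DNSSEC status with a third-party tool, and it showed Signed. Godaddy's DNSSEC page showed that DNSSEC was not enabled for the domain.

    Perhaps DNSSEC was already broken back at Netcetera. I went back to Netcetera to look, and they do not provide a DNSSEC management page at all. If DNSSEC was already Signed back then, that must be a Netcetera bug, but there is no way to verify it now.

    Godaddy's bug is that it did not correctly report the DNSSEC status.

    In the end, I enabled DNSSEC on Godaddy's DNSSEC page and then immediately disabled it, waited a while for it to take effect, and the Letsencrypt certificate auto renew finally succeeded. While I was at it I tested sending mail from hotmail, and that arrived too.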

  • No-IP becomes no IP today

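    This has been an eventful year for DDNS (dynamic DNS). In early May, DynDNS, the earliest and best-known DDNS provider, ended its free service and started charging for everything. I thought DynDNS was overconfident: why would users pay instead of just leaving DynDNS?!

    In any case, I chose to leave DynDNS and move into the arms of No-IP.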

    No-IP domains seized by microsoft

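    After a few months of observation, No-IP had been quite stable, until today, when half of No-IP's sky fell in. Today my IPPBX monitoring program kept alerting me that my home IP address did not match the IP resolved through No-IP DDNS. I normally get this e-mail only when the router drops and redials and the IP address has just changed. I kept receiving hundreds of these e-mails and thought something was wrong with my broadband, until at dinner time I received an e-mail from No-IP: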

    We want to update all our loyal customers about the service outages that many of you are experiencing today. This is NOT A TECHNICAL ISSUE WITH NO-IP.
    This morning, Microsoft served a federal court order and seized 22 of our most commonly used domains because they claimed that some of the subdomains have been abused by creators of malware. We were very surprised by this. We have a long history of proactively working with other companies when cases of alleged malicious activity have been reported to us. Unfortunately, Microsoft never contacted us or asked us to block any subdomains, even though we have an open line of communication with Microsoft corporate executives.

    We have been in contact with Microsoft today. They claim that their intent is to only filter out the known bad hostnames in each seized domain, while continuing to allow the good hostnames to resolve. However, this is not happening. Apparently, the Microsoft infrastructure is not able to handle the billions of queries from our customers. Millions of innocent users are experiencing outages to their services because of Microsoft’s attempt to remediate hostnames associated with a few bad actors.

    Had Microsoft contacted us, we could and would have taken immediate action. Microsoft now claims that it just wants to get us to clean up our act, but its draconian actions have affected millions of innocent Internet users.

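    When I got home and tested, sure enough, noip.me no longer resolved any subdomains. I had three subdomains on it, and all of them were caught in the crossfire. I quickly followed No-IP's instructions and switched my DDNS to a subdomain of onthewifi.com, which had not yet been hit.

    I just can't figure out how No-IP's domains came under Microsoft's control. But this incident shows: for the health of your domains, stay away from Microsoft. A small consolation: my policy of "using Microsoft products as little as possible" is broadly right.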