Hurricane Electric's IPv6 Tunnel Broker Forums

DNS.HE.NET Topics => General Questions & Suggestions => Topic started by: CrunkBass on September 08, 2011, 04:20:11 PM

Title: Zone failed validation test. Wildcarding has been disabled due to abuse.
Post by: CrunkBass on September 08, 2011, 04:20:11 PM
I am using the free DNS service from HE with the domain crunkbass.net and can't set a wildcard.

The nameservers are set correctly but i could only add 4 NS entrys at my domain registrar.
Code: [Select]
root@Vmware-Debian:~# dig crunkbass.net NS

; <<>> DiG 9.7.3 <<>> crunkbass.net NS
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 43446
;; flags: qr rd ra; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 4

;; QUESTION SECTION:
;crunkbass.net.                 IN      NS

;; ANSWER SECTION:
crunkbass.net.          86378   IN      NS      ns1.he.net.
crunkbass.net.          86378   IN      NS      ns3.he.net.
crunkbass.net.          86378   IN      NS      ns2.he.net.
crunkbass.net.          86378   IN      NS      ns4.he.net.

;; ADDITIONAL SECTION:
ns3.he.net.             86378   IN      A       216.218.132.2
ns4.he.net.             86378   IN      A       216.66.1.2
ns2.he.net.             86378   IN      A       216.218.131.2
ns1.he.net.             86378   IN      A       216.218.130.2

;; Query time: 23 msec
;; SERVER: 192.168.158.1#53(192.168.158.1)
;; WHEN: Fri Sep  9 01:23:03 2011
;; MSG SIZE  rcvd: 170

Does anyone know what could be the problem?
Title: Re: Zone failed validation test. Wildcarding has been disabled due to abuse.
Post by: broquea on September 08, 2011, 05:28:57 PM
Were you...trying to create a wildcard entry? I think the reporting error sums it up if you were.
Wildcarding has been disabled due to abuse.
Not you specifically, this is a global setting. :D
Title: Re: Zone failed validation test. Wildcarding has been disabled due to abuse.
Post by: CrunkBass on September 09, 2011, 06:00:27 AM
Thank you for your answer. Are there any plans to enabled wildcarding again or do i have to use an other dns service?
Title: Re: Zone failed validation test. Wildcarding has been disabled due to abuse.
Post by: broquea on September 09, 2011, 06:04:23 AM
You would need to email dnsadmin@he.net for that answer.
Title: Re: Zone failed validation test. Wildcarding has been disabled due to abuse.
Post by: ionvz on October 30, 2011, 11:39:48 PM
I wonder what kind of abuse they speak of? It's rather disappointing though when it comes to dynamic applications to not have wildcard DNS available (and I'd prefer not to go back to using something like namecheap's DNS etc).
Title: Re: Zone failed validation test. Wildcarding has been disabled due to abuse.
Post by: chaz6 on October 31, 2011, 01:50:12 AM
Is wildcarding still available to paying customers?
Title: Re: Zone failed validation test. Wildcarding has been disabled due to abuse.
Post by: jrocha on November 03, 2011, 03:56:09 PM
You will have to email dnsadmin@he.net.
Title: Re: Zone failed validation test. Wildcarding has been disabled due to abuse.
Post by: mralexgray on November 12, 2011, 01:07:09 AM
Managing zone: XXXXXX.com.  Zone failed validation test.
Wildcarding has been disabled due to abuse.


My note to support:

Quote
Is this error specific to my account - or is this a site-wide change (as is being reported in the forums)?

Is this feature going to be re-enabled? Is it up for discussion?  Was it going to be mentioned?

I hope so…  I would consider wildcards - an "essential feature".

Seems a less drastic a solution would be to simply disable it for those who are abusing it, no?


Maybe dnsadmin@he.net can post a sticky or something - that explains this policy shift, more clearly?   ???

Title: Re: Zone failed validation test. Wildcarding has been disabled due to abuse.
Post by: jschv6 on March 03, 2012, 06:27:57 AM
Hi,
I just noticed, that it is no longer possible to add wildcard domains.
I found them very handy, because I want people to see a custom error page when mistyping a part of the domain.
Also I have several services behind my home-IP. This IP changes sometimes and with a wildcard subdomain I only have to set the new IP at two places (IPv6 Tunnel Endpoint and Wildcard Subdomain A entry).

I can understand that HE has to disable features that are commonly abused on their free service, but I would be very happy if there would be some way to enable this again.
Maybe only for Sages like the IRC connections at the tunnel.
Are there any plans for this?

I am not going to abuse that, at least not willingly, because I can not even imagine how to abuse wildcard subdomains Huh
Maybe someone can enlighten me, just out of curiosity (only if it is not tempting people to do it)
You even know my address, because you kindly sent me a free t-shirt, so if I ever abuse a wildcard subdomain you can send a SWAT team to get me Wink
Title: Re: Zone failed validation test. Wildcarding has been disabled due to abuse.
Post by: DAR2133576 on April 17, 2012, 01:36:51 AM
Hi,
I just noticed, that it is no longer possible to add wildcard domains.
I found them very handy, because I want people to see a custom error page when mistyping a part of the domain.
Also I have several services behind my home-IP. This IP changes sometimes and with a wildcard subdomain I only have to set the new IP at two places (IPv6 Tunnel Endpoint and Wildcard Subdomain A entry).

I can understand that HE has to disable features that are commonly abused on their free service, but I would be very happy if there would be some way to enable this again.
Maybe only for Sages like the IRC connections at the tunnel.
Are there any plans for this?

I am not going to abuse that, at least not willingly, because I can not even imagine how to abuse wildcard subdomains Huh
Maybe someone can enlighten me, just out of curiosity (only if it is not tempting people to do it)
You even know my address, because you kindly sent me a free t-shirt, so if I ever abuse a wildcard subdomain you can send a SWAT team to get me Wink

Since their used to redirect nonexistent DNS Records it can be used in whats called Session fixation exploiting. Wildcard cookies can be set by one subdomain that will effect other subdomains. Their is also DNS hijacks and scripting exploits which can be used with that feature. This is why I doubt you would be able to get use of wildcards unfortunately because there will always be evil people who use features to harm others.
Title: Re: Zone failed validation test. Wildcarding has been disabled due to abuse.
Post by: jschv6 on May 21, 2012, 04:04:48 AM
Since their used to redirect nonexistent DNS Records it can be used in whats called Session fixation exploiting. Wildcard cookies can be set by one subdomain that will effect other subdomains. Their is also DNS hijacks and scripting exploits which can be used with that feature. This is why I doubt you would be able to get use of wildcards unfortunately because there will always be evil people who use features to harm others.
Thanks for the answer! I don't really understand how this can be used if I "own" tho whole second level domain, but I will try and google a bit more with that keywords.
Sad, that some people abusing this take a usefull feature away from all people :(
Title: Re: Zone failed validation test. Wildcarding has been disabled due to abuse.
Post by: ionvz on May 20, 2013, 05:39:37 PM
I know this is a necro bump. But... others may see it from google searches. 

Thanks for the answer! I don't really understand how this can be used if I "own" tho whole second level domain, but I will try and google a bit more with that keywords.

Don't think the abuse in question is much about people attacking someone else's domains, but rather people using their own domains with the intent of abuse. For example phishing scams could dynamically respond to hundreds of different possible aliases, with a legit looking domain in the front of the alias.

Sad, that some people abusing this take a usefull feature away from all people :(

They didn't remove the feature, they just put the feature into the hands of the DNS admins, which you'll need to email  dnsadmin@he.net in order to request it's addition or modification.