20

I recently encountered for the first time an A record of the form:

https://www.example.com.    <TTL>   IN  A   <IP address>

As far as I know, this record is deliberate (i.e. not an error). I know that the colon and forward-slash are valid characters for a label, per RFC 2181, but I don't understand the record's purpose. Does some certificate authority use this form for domain control validation? Does this form protect against some type of exploit? Trap some kind of user error or known issue with software?

Community
  • 1
Binky
  • 330
  • 2
  • 11
  • 1
    Is the IP address different from the one for the matching www.example.com? What makes you think this is deliberate and not an error? – jcaron Nov 27 '18 at 16:07
  • The reason I suspect this A record is not misconfigured is because the organization controlling these records is a major corporation with a large online presence, whose DNS records I would expect to be under significant scrutiny. But I am fully capable of believing that these A records are an error. I will dig (no pun intended) into this issue further and post an update if I determine the reason for the records. – Binky Nov 27 '18 at 22:21
  • If anyone has a Farsight DNSDB account or a similar service, and would like to query the full DNS space for other A records having "https://", that'd be really cool. :) – Binky Nov 27 '18 at 22:28
  • The IP address mapping of the A record for `https://www.example.com` is different from the the IP address mapping for `www.example.com`. The former maps to addresses (multiple A records) in the /16 netblock owned by "example.com" per ARIN whois. The latter maps to a CNAME in the domain of a major CDN provider. The CNAME chain ultimately maps to an IP address in the CDN provider's network – Binky Nov 27 '18 at 22:55
  • @Binky: That is **not** a good reason to suspect it's not misconfigured. Incompetence in major corporations is extremely common. – R.. GitHub STOP HELPING ICE Nov 28 '18 at 04:01

2 Answers2

51

The most likely explanation is a user unfamiliar with DNS tried to configure the DNS records and made a mistake that's glaringly obvious to anyone familiar with DNS, but not to people who aren't.

While a DNS label can be any arbitary binary data generally, you should read the rest of section 11, in particular:

Note however, that the various applications that make use of DNS data can have restrictions imposed on what particular values are acceptable in their environment. For example, that any binary label can have an MX record does not imply that any binary name can be used as the host part of an e-mail address. Clients of the DNS can impose whatever restrictions are appropriate to their circumstances on the values they use as keys for DNS lookup requests, and on the values returned by the DNS. If the client has such restrictions, it is solely responsible for validating the data from the DNS to ensure that it conforms before it makes any use of that data.

Among other things, this means that the label syntax may be constrained depending on the RR type. As specified in RFC 1123 section 2.1 and RFC 952, Internet host names have such a constrained syntax, in which the colon and slash are not valid.

Michael Hampton
  • 237,123
  • 42
  • 477
  • 940
1

It's wrong for a standard address but it's possibly someone using DNS as a out of band communication device.

It's not hard to imagine having to pass data via DNS instead of through 'normal' channels.

djsmiley2kStaysInside
  • 341
  • 2
  • 11
  • 1
    Could you go ahead and imagine for us? As it is this answer doesn't really say what might be happening - just that the answerer thinks it is logical. – Saiboogu Nov 27 '18 at 19:20
  • 1
    _it's possibly someone using DNS as a out of band communication device._ @djsmiley2k I didn't mention this possibility in my original post because the organization controlling these A records is a corporation with substantial security/compliance requirements. For these records to be an out-of-band access mechanism would be highly unlikely, and if the records were an OOB hack, then the repercussions would be... scary. – Binky Nov 27 '18 at 22:32
  • @Blinky fair enough, it's unlikely in this case, but it's a possibility in others. – djsmiley2kStaysInside Nov 28 '18 at 09:11
  • This is certainly a possible thing, but DNS side channels are normally done with text in a TXT record, and not in the hostname itself. Additionally "https://" looks like an error, not a cyphered text. – Criggie Nov 28 '18 at 18:28