Describe watchCNAME/ghs.google.com/KnotResolver here.

Clear the cache, then query google.com NS, and after that:

$ dig ghs.google.com @127.0.0.3

; <<>> DiG 9.9.5-3ubuntu0.8-Ubuntu <<>> ghs.google.com @127.0.0.3
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 32920
;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;ghs.google.com.                        IN      A

;; ANSWER SECTION:
ghs.google.com.         604800  IN      CNAME   ghs.l.google.com.
ghs.l.google.com.       300     IN      A       173.194.72.121
ghs.l.google.com.       300     IN      A       173.194.72.121

;; Query time: 472 msec
;; SERVER: 127.0.0.3#53(127.0.0.3)
;; WHEN: Fri Jul 15 21:09:12 JST 2016
;; MSG SIZE  rcvd: 107

> [plan] plan 'ghs.google.com.' type 'A'
resolve_query ITERATE_LAYERS
--- kr_zonecut_find_cached ghsgooglecom
[resl]   ns_fetch_cut ret 0
[resl]   NT check; ghsgooglecom cut googlecom
[resl]   kr peekpkt ghsgooglecom ret -2
[resl]   zone_cut_check -> ns_fetch_cut = 0
[plan]   plan 'ns4.google.com.' type 'A'
--- kr_zonecut_find_cached com
[resl]     ns_fetch_cut ret 0
[resl]     NT check; ns4googlecom cut com
[resl]     kr peekpkt ns4googlecom ret -2
[resl]     kr peekpkt googlecom ret -2
[resl]     zone_cut_check -> ns_fetch_cut = 0
[plan]     plan 'm.gtld-servers.net.' type 'A'
[hint]       <= answered from hints
[iter]       resolve start 
[iter]       <= rcode: NOERROR
[iter]       AA terminate resolution chain
[iter]       resolved 0
[resl]     => querying: '192.55.83.30' score: 10 zone cut: 'com.' m12n: 'GOOGLe.cOm.' type: 'NS'
[resl]     ----
[iter]     resolve start 
[iter]     <= rcode: NOERROR
[iter]     <= referral response, follow
[iter]     process_referral
[iter]     process_NS RRSet googlecom
[iter]     not cached yet
[iter]     Update zone cut name com
[iter]     zonecut_add googlecom NS ns2googlecom
[iter]     <= using glue for 'ns2.google.com.'
[rrc ]     stash referral NS
[rrc ]     stash auth for googlecom
[resl]     <= server: '192.55.83.30' rtt: 294 ms
[resl]     => querying: '216.239.34.10' score: 72 zone cut: 'google.com.' m12n: 'Ns4.GOoGLe.coM.' type: 'A'
[resl]     ----
[iter]     resolve start 
[iter]     <= rcode: NOERROR
[iter]     AA terminate resolution chain
[iter]     resolved 0
[rrc ]     stash auth answer 
[rrc ]     stash auth skip
[resl]     <= server: '216.239.34.10' rtt: 73 ms
[resl]   => querying: '216.239.38.10' score: 10 zone cut: 'google.com.' m12n: 'gHs.GoOglE.Com.' type: 'A'
[resl]   ----
[iter]   resolve start 
[iter]   <= rcode: NOERROR
[iter]   AA terminate resolution chain
[iter]   resolved 1
[rrc ]   stash auth answer 
[rrc ]   stash auth skip
[resl]   <= server: '216.239.38.10' rtt: 103 ms
[resl] finished: 4, queries: 3, mempool: 32800 B

Judging from this log, it appears to trust ghs.l.google.com A. Isn't that dangerous?

-- ToshinoriMaeno 2016-07-15 12:14:33
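
An added example (not part of the original page, and not Knot Resolver code): a small Python check over the ANSWER section shown above. It separates the record that answers the QNAME from the data that was only reached through the CNAME, which is the data a stricter resolver would re-query instead of accepting from the same response. The function names, the verdict labels and the re-query policy are assumptions made for illustration.

```python
# Constructed sample: the ANSWER section copied from the dig output on this page.
ANSWER = """\
ghs.google.com.         604800  IN      CNAME   ghs.l.google.com.
ghs.l.google.com.       300     IN      A       173.194.72.121
ghs.l.google.com.       300     IN      A       173.194.72.121
"""

def parse_rrs(text):
    """Parse 'owner ttl class type rdata' lines; skip blanks and ';' comments."""
    rrs = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        owner, ttl, rrclass, rrtype, rdata = line.split(None, 4)
        rrs.append((owner.lower(), int(ttl), rrclass, rrtype.upper(), rdata.strip()))
    return rrs

def in_bailiwick(name, zone_cut):
    """True if name is at or below the zone cut the queried server was used for."""
    name = name.lower().rstrip(".")
    zone = zone_cut.lower().rstrip(".")
    return zone == "" or name == zone or name.endswith("." + zone)

def classify(rrs, qname, zone_cut):
    """Label each RR by how it relates to qname and to the zone cut."""
    qname = qname.lower()
    cnames = {o: r.lower() for o, _, _, t, r in rrs if t == "CNAME"}
    chain, seen, cur = [qname], set(), qname
    while cur in cnames and cur not in seen:   # follow CNAMEs, guard against loops
        seen.add(cur)
        cur = cnames[cur]
        chain.append(cur)
    report = []
    for owner, _, _, rrtype, rdata in rrs:
        if not in_bailiwick(owner, zone_cut):
            verdict = "out-of-bailiwick"       # must never be cached
        elif owner == qname:
            verdict = "answers-qname"
        elif owner in chain:
            verdict = "cname-target-data"      # assumed policy: re-query the target
        else:
            verdict = "unrelated"
        report.append((owner, rrtype, rdata, verdict))
    return report

if __name__ == "__main__":
    for row in classify(parse_rrs(ANSWER), "ghs.google.com.", "google.com."):
        print(row)
```

Both A records fall under the zone cut `google.com.`, so a plain bailiwick check passes them; only the CNAME-chain label shows that they arrived without a separate query for `ghs.l.google.com.`.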