Comment by quuxplusone

7 days ago

As I understand it, yeah, there's a way to ask the .ai nameserver for its entire "zone" (the mapping from domain names to... everything else). That's a "zone transfer" a.k.a. "AXFR" request, which you can make by first locating a nameserver that knows about .ai:

    $ dig NS ai.

Now you have the names of .ai's nameservers, and the glue records for some of them:

    ;; ADDITIONAL SECTION:
    v0n3.nic.ai.  107 IN A 199.115.155.1
    v0n3.nic.ai.  107 IN AAAA 2001:500:a3::1
    v0n0.nic.ai.  7 IN A 199.115.152.1

Now you ask that nameserver for a zone transfer:

    $ dig AXFR ai. @199.115.155.1

...And it quickly says "no, not to you; I don't know you and so I'm not going to spend the bandwidth to tell you all that."

    ; <<>> DiG 9.18.30-0ubuntu0.22.04.2-Ubuntu <<>> AXFR ai. @199.115.155.1
    ;; global options: +cmd
    ; Transfer failed.

But hey, that's how you'd ask. Now, if you were on the nameserver's whitelist, you'd see the whole zone, and the answer to the blog's puzzle would be somewhere in there. (But note that the answer is also at the end of TFA; you don't have to solve it yourself if you don't want to.)

I wouldn't use the words "API access" to describe "permission to make AXFR requests," but yeah, it's the same general idea: if you're not on the list, you can't do the thing.

More than I care to know about AXFR: https://cr.yp.to/djbdns/axfr-notes.html

2 comments

quuxplusone

tux3 7 days ago

You can usually also ask ICANN's CZDS service for a particular zone file, if you can give them a valid reason. But in this case, they don't seem to have the ai tld.

VladVladikoff 6 days ago

Thanks for this comment I found it very informative. :)