[Volunteers] A couple of fixes needed to SVLUG DNS & domain records
Rick Moen
rick at linuxmafia.com
Wed Nov 30 21:57:02 PST 2005
(I showed these problems to BillW a week ago.)
~ $ dig -t ns svlug.org @tld6.ultradns.co.uk #per parent .ORG zone's zonefile
[...]
;; AUTHORITY SECTION:
svlug.org. 86400 IN NS ns2.merlins.org.
svlug.org. 86400 IN NS ns1.merlins.org.
svlug.org. 86400 IN NS nimbus.thunder.net.
svlug.org. 86400 IN NS cumulus.thunder.net.
;; ADDITIONAL SECTION:
ns1.merlins.org. 86400 IN A 209.81.13.136
NS2.MERLINS.ORG. 172800 IN A 204.80.101.251
[...]
~ $ dig -t ns svlug.org @ns1.merlins.org #per svlug.org's own zonefile
[...]
;; ANSWER SECTION:
svlug.org. 36 IN NS ns1.merlins.org.
svlug.org. 36 IN NS ns2.merlins.org.
svlug.org. 36 IN NS nimbus.thunder.net.
svlug.org. 36 IN NS cumulus.thunder.net.
;; ADDITIONAL SECTION:
ns1.merlins.org. 60 IN A 209.81.13.136
ns2.merlins.org. 60 IN A 68.166.220.119
nimbus.thunder.net. 3374 IN A 209.142.3.6
cumulus.thunder.net. 3374 IN A 64.71.149.18
[...]
Note: "ns2.merlins.org" is 204.80.101.251 in one place, but
68.166.220.119 in the other.
And let's look up the missing glue ("A") records at one of .NET's
nameservers (k.gtld-servers.net) for "cumulus", and compare the "A"
records for that same host, in its domain's zonefile.
~ $ dig cumulus.thunder.net @k.gtld-servers.net #cumulus per its parent zone
[...]
;; ANSWER SECTION:
cumulus.thunder.net. 172800 IN A 64.71.149.18
~ $ dig cumulus.thunder.net @cumulus.thunder.net #cumulus per its own 1st NS
[...]
;; ANSWER SECTION:
cumulus.thunder.net. 131555 IN A 64.71.149.18
~ $ dig cumulus.thunder.net @nimbus.thunder.net #cumulus per its own 2nd NS
[...]
;; ANSWER SECTION:
cumulus.thunder.net. 43200 IN A 66.245.252.113
Analysis:
1. Wrong IP addresses in the authoritative (top-level domain) records
for "ns2.merlins.org" and in "cumulus's" own local zonefile. Therefore,
queries for svlug.org's NS records will _fail_ if they happen to go down
those paths.
~ $ dig svlug.org @66.245.252.113 #at cumulus (per cumulus)
[...]
;; connection timed out; no servers could be reached
~ $ dig svlug.org @204.80.101.251 #at ns2.merlins.org (per .ORG nameserver)
[...]
;; connection timed out; no servers could be reached
2. Missing glue records. Trying to add .NET nameservers' names
directly to a .ORG zonefile is very sub-optimal: Even aside from the
wrong-IP problem, such NS queries to .ORG result in a second follow-up
"A" query having to be made to .NET's nameservers -- on account of lack
of glue records at .ORG.
By contrast, creating NS and A records _within_ svlug.org (e.g.,
NS1.SVLUG.ORG and NS2.SVLUG.ORG) pointing to "nimbus's" and "cumulus's"
IPs averts that second lookup, since the data will be autofurnished
as glue when NS info gets sent. Two lookups for the price of one.
Here's a snippet for svlug.org's zonefile that would do that. (One
would want to place it in the "@" section.)
                IN NS   ns1.svlug.org.
                IN NS   ns2.svlug.org.
; ns1 is aka nimbus.thunder.net
ns1             IN A    209.142.3.6
; ns2 is aka cumulus.thunder.net
ns2             IN A    64.71.149.18
As always, one would want to change the parent zone records (at the
domain registrar) to match.
3. Last, the reverse DNS ("PTR" record) for SVLUG's sole MX (mail
exchanger) is slightly wrong -- though this isn't fatal:
~ $ dig -t mx svlug.org +short #What's mail exchanger's name?
10 svlug.org.
~ $ dig svlug.org +short #And its address?
216.218.255.178
~ $ dig -t ptr 178.255.218.216.in-addr.arpa +short #And the IP's reverse?
svlug.svlug.org.
RFC 1912 urges valid reverse DNS for all mail exchangers. It doesn't
_require_ that reverse and forward names match, but it's a good idea
-- and SVLUG could do this but doesn't yet. (Easy fix, though.)
--
Cheers,
Rick Moen "Anger makes dull men witty, but it keeps them poor."
rick at linuxmafia.com -- Elizabeth Tudor
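
Added example, not part of Rick Moen's message: a Python version of the check the message performs by hand, comparing the delegation the parent zone hands out with what the zone's own nameserver returns. The function names and finding labels are made up for illustration; the sample records are the dig lines quoted in the message, with the "[...]" parts left out.

```python
# Sample data: NS/A lines quoted in the message above; "[...]" parts omitted.
PARENT = """\
;; AUTHORITY SECTION:
svlug.org. 86400 IN NS ns2.merlins.org.
svlug.org. 86400 IN NS ns1.merlins.org.
svlug.org. 86400 IN NS nimbus.thunder.net.
svlug.org. 86400 IN NS cumulus.thunder.net.
;; ADDITIONAL SECTION:
ns1.merlins.org. 86400 IN A 209.81.13.136
NS2.MERLINS.ORG. 172800 IN A 204.80.101.251
"""
CHILD = """\
;; ANSWER SECTION:
svlug.org. 36 IN NS ns1.merlins.org.
svlug.org. 36 IN NS ns2.merlins.org.
svlug.org. 36 IN NS nimbus.thunder.net.
svlug.org. 36 IN NS cumulus.thunder.net.
;; ADDITIONAL SECTION:
ns1.merlins.org. 60 IN A 209.81.13.136
ns2.merlins.org. 60 IN A 68.166.220.119
nimbus.thunder.net. 3374 IN A 209.142.3.6
cumulus.thunder.net. 3374 IN A 64.71.149.18
"""

def parse(dig_text):
    """Return (set of NS names, {host: set of A addresses}), case-folded."""
    ns, addrs = set(), {}
    for line in dig_text.splitlines():
        f = line.lower().split()  # DNS names compare case-insensitively
        if len(f) == 5 and f[2:4] == ["in", "ns"]:
            ns.add(f[4])
        elif len(f) == 5 and f[2:4] == ["in", "a"]:
            addrs.setdefault(f[0], set()).add(f[4])
    return ns, addrs

def audit(parent_text, child_text):
    """Report NS-set drift, NS names lacking glue, and address mismatches."""
    (p_ns, p_a), (c_ns, c_a) = parse(parent_text), parse(child_text)
    out = [("ns-set-differs", h) for h in sorted(p_ns ^ c_ns)]
    for host in sorted(p_ns | c_ns):
        if host not in p_a:  # parent sent no address for this nameserver
            out.append(("no-glue-at-parent", host))
        elif host in c_a and p_a[host] != c_a[host]:
            out.append(("address-mismatch", host, sorted(p_a[host]), sorted(c_a[host])))
    return out

if __name__ == "__main__":
    for finding in audit(PARENT, CHILD):
        print(finding)
```

On the records above it reports the two thunder.net nameservers as lacking glue at the parent and ns2.merlins.org as having different addresses in the two places.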