[Volunteers] A couple of fixes needed to SVLUG DNS & domain records

Rick Moen rick at linuxmafia.com
Wed Nov 30 21:57:02 PST 2005


(I showed these problems to BillW a week ago.)

  ~ $ dig -t ns svlug.org @tld6.ultradns.co.uk  #per parent .ORG zone's zonefile
  [...]
  ;; AUTHORITY SECTION:
  svlug.org.              86400   IN      NS      ns2.merlins.org.
  svlug.org.              86400   IN      NS      ns1.merlins.org.
  svlug.org.              86400   IN      NS      nimbus.thunder.net.
  svlug.org.              86400   IN      NS      cumulus.thunder.net.

  ;; ADDITIONAL SECTION:
  ns1.merlins.org.        86400   IN      A       209.81.13.136
  NS2.MERLINS.ORG.        172800  IN      A       204.80.101.251
  [...]

  ~ $ dig -t ns svlug.org @ns1.merlins.org      #per svlug.org's own zonefile
  [...]
  ;; ANSWER SECTION:
  svlug.org.              36      IN      NS      ns1.merlins.org.
  svlug.org.              36      IN      NS      ns2.merlins.org.
  svlug.org.              36      IN      NS      nimbus.thunder.net.
  svlug.org.              36      IN      NS      cumulus.thunder.net.

  ;; ADDITIONAL SECTION:
  ns1.merlins.org.        60      IN      A       209.81.13.136
  ns2.merlins.org.        60      IN      A       68.166.220.119
  nimbus.thunder.net.     3374    IN      A       209.142.3.6
  cumulus.thunder.net.    3374    IN      A       64.71.149.18
  [...]

Note:  "ns2.merlins.org" is 204.80.101.251 in one place, but
68.166.220.119 in the other.

And let's look up the missing glue ("A") records at one of .NET's
nameservers (k.gtld-servers.net) for "cumulus", and compare the "A"
records for that same host, in its domain's zonefile.

  ~ $ dig cumulus.thunder.net @k.gtld-servers.net  #cumulus per its parent zone
  [...]
  ;; ANSWER SECTION:
  cumulus.thunder.net.    172800  IN      A       64.71.149.18

  ~ $ dig cumulus.thunder.net @cumulus.thunder.net #cumulus per its own 1st NS
  [...]
  ;; ANSWER SECTION:
  cumulus.thunder.net.    131555  IN      A       64.71.149.18

  ~ $ dig cumulus.thunder.net @nimbus.thunder.net #cumulus per its own 2nd NS
  [...]
  ;; ANSWER SECTION:
  cumulus.thunder.net.    43200   IN      A       66.245.252.113



Analysis:

1.  Wrong IP addresses in the authoritative (top-level domain) records
for "ns2.merlins.org" and in "cumulus's" own local zonefile.  Therefore,
queries for svlug.org's NS records will _fail_ if they happen to go down
those paths.


  ~ $ dig svlug.org @66.245.252.113    #at cumulus (per cumulus)
  [...]
  ;; connection timed out; no servers could be reached

  ~ $ dig svlug.org @204.80.101.251   #at ns2.merlins.org (per .ORG nameserver)
  [...]
  ;; connection timed out; no servers could be reached



2.  Missing glue records.  Trying to add .NET nameservers' names
directly to a .ORG zonefile is very sub-optimal:  Even aside from the
wrong-IP problem, such NS queries to .ORG result in a second follow-up
"A" query having to be made to .NET's nameservers -- on account of lack
of glue records at .ORG.

By contrast, creating NS and A records _within_ svlug.org (e.g.,
NS1.SVLUG.ORG and NS2.SVLUG.ORG) pointing to "nimbus's" and "cumulus's"
IPs averts that second lookup, since the data will be autofurnished
as glue when NS info gets sent.  Two lookups for the price of one.

Here's a snippet for svlug.org's zonefile that would do that.  (One
would want to place it in the "@" section.)

                  IN      NS      ns1.svlug.org.
                  IN      NS      ns2.svlug.org.
  ; ns1 is aka nimbus.thunder.net
  ns1             IN      A       209.142.3.6
  ; ns2 is aka cumulus.thunder.net
  ns2             IN      A       64.71.149.18

As always, one would want to change the parent zone records (at the
domain registrar) to match.



3.  Last, the reverse DNS ("PTR" record) for SVLUG's sole MX (mail
exchanger) is slightly wrong -- though this isn't fatal:

  ~ $ dig -t mx svlug.org +short   #What's mail exchanger's name?
  10 svlug.org.
  ~ $ dig svlug.org +short         #And its address?
  216.218.255.178
  ~ $ dig -t ptr 178.255.218.216.in-addr.arpa +short  #And the IP's reverse?
  svlug.svlug.org.

RFC 1912 urges valid reverse DNS for all mail exchangers.  It doesn't
_require_ that reverse and forward names match, but it's a good idea
-- and SVLUG could do this but doesn't yet.  (Easy fix, though.)

-- 
Cheers,             
Rick Moen                 "Anger makes dull men witty, but it keeps them poor."
rick at linuxmafia.com                                   -- Elizabeth Tudor
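
The parent-versus-child comparison made by eye in the message above, as an added example that is not part of the original post. The records are transcribed from the two quoted dig responses; the function names and finding labels are assumptions made for illustration.

```python
# Records transcribed from the two dig responses quoted in the message above.
PARENT_VIEW = """\
svlug.org.              86400   IN      NS      ns2.merlins.org.
svlug.org.              86400   IN      NS      ns1.merlins.org.
svlug.org.              86400   IN      NS      nimbus.thunder.net.
svlug.org.              86400   IN      NS      cumulus.thunder.net.
ns1.merlins.org.        86400   IN      A       209.81.13.136
NS2.MERLINS.ORG.        172800  IN      A       204.80.101.251
"""
CHILD_VIEW = """\
svlug.org.              36      IN      NS      ns1.merlins.org.
svlug.org.              36      IN      NS      ns2.merlins.org.
svlug.org.              36      IN      NS      nimbus.thunder.net.
svlug.org.              36      IN      NS      cumulus.thunder.net.
ns1.merlins.org.        60      IN      A       209.81.13.136
ns2.merlins.org.        60      IN      A       68.166.220.119
nimbus.thunder.net.     3374    IN      A       209.142.3.6
cumulus.thunder.net.    3374    IN      A       64.71.149.18
"""


def parse_records(text):
    """Return (set of NS targets, {hostname: set of A addresses}) from dig-style lines."""
    ns_targets, addresses = set(), {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 5 or line.startswith(";"):
            continue  # skip comments, section headers, blank lines
        owner, _ttl, _class, rtype, rdata = fields
        if rtype == "NS":
            ns_targets.add(rdata.lower().rstrip("."))  # DNS names are case-insensitive
        elif rtype == "A":
            addresses.setdefault(owner.lower().rstrip("."), set()).add(rdata)
    return ns_targets, addresses


def audit_delegation(parent_text, child_text):
    """List disagreements between the parent's and the zone's own view of a delegation."""
    parent_ns, parent_a = parse_records(parent_text)
    child_ns, child_a = parse_records(child_text)
    findings = [("ns-only-in-one-view", name) for name in sorted(parent_ns ^ child_ns)]
    for name in sorted(parent_ns | child_ns):
        if name not in parent_a:
            findings.append(("no-address-from-parent", name))  # resolver needs a second lookup
        elif name in child_a and parent_a[name] != child_a[name]:
            findings.append(("address-mismatch", name))  # stale record on one side
    return findings


if __name__ == "__main__":
    for kind, name in audit_delegation(PARENT_VIEW, CHILD_VIEW):
        print(f"{kind}: {name}")
```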



