[Volunteers] A couple of fixes needed to SVLUG DNS & domain records

Bill Ward bill at wards.net
Wed Nov 30 22:53:02 PST 2005


Thanks Rick for doing such great analysis.  I was waiting to hear back from
Paul Reed about this.

On 11/30/05, Rick Moen <rick at linuxmafia.com> wrote:
>
> (I showed these problems to BillW a week ago.)
>
>   ~ $ dig -t ns svlug.org @tld6.ultradns.co.uk  #per parent .ORG zone's zonefile
>   [...]
>   ;; AUTHORITY SECTION:
>   svlug.org.              86400   IN      NS      ns2.merlins.org.
>   svlug.org.              86400   IN      NS      ns1.merlins.org.
>   svlug.org.              86400   IN      NS      nimbus.thunder.net.
>   svlug.org.              86400   IN      NS      cumulus.thunder.net.
>
>   ;; ADDITIONAL SECTION:
>   ns1.merlins.org.        86400   IN      A       209.81.13.136
>   NS2.MERLINS.ORG.        172800  IN      A       204.80.101.251
>   [...]
>
>   ~ $ dig -t ns svlug.org @ns1.merlins.org      #per svlug.org's own zonefile
>   [...]
>   ;; ANSWER SECTION:
>   svlug.org.              36      IN      NS      ns1.merlins.org.
>   svlug.org.              36      IN      NS      ns2.merlins.org.
>   svlug.org.              36      IN      NS      nimbus.thunder.net.
>   svlug.org.              36      IN      NS      cumulus.thunder.net.
>
>   ;; ADDITIONAL SECTION:
>   ns1.merlins.org.        60      IN      A       209.81.13.136
>   ns2.merlins.org.        60      IN      A       68.166.220.119
>   nimbus.thunder.net.     3374    IN      A       209.142.3.6
>   cumulus.thunder.net.    3374    IN      A       64.71.149.18
>   [...]
>
> Note:  "ns2.merlins.org" is 204.80.101.251 in one place, but
> 68.166.220.119 in the other.
>
> And let's look up the missing glue ("A") records at one of .NET's
> nameservers (k.gtld-servers.net) for "cumulus", and compare the "A"
> records for that same host, in its domain's zonefile.
>
>   ~ $ dig cumulus.thunder.net @k.gtld-servers.net  #cumulus per its parent zone
>   [...]
>   ;; ANSWER SECTION:
>   cumulus.thunder.net.    172800  IN      A       64.71.149.18
>
>   ~ $ dig cumulus.thunder.net @cumulus.thunder.net #cumulus per its own 1st NS
>   [...]
>   ;; ANSWER SECTION:
>   cumulus.thunder.net.    131555  IN      A       64.71.149.18
>
>   ~ $ dig cumulus.thunder.net @nimbus.thunder.net #cumulus per its own 2nd NS
>   [...]
>   ;; ANSWER SECTION:
>   cumulus.thunder.net.    43200   IN      A       66.245.252.113
>
>
>
> Analysis:
>
> 1.  Wrong IP addresses in the authoritative (top-level domain) records
> for "ns2.merlins.org" and in "cumulus's" own local zonefile.  Therefore,
> queries for svlug.org's NS records will _fail_ if they happen to go down
> those paths.
>
>
>   ~ $ dig svlug.org @66.245.252.113    #at cumulus (per cumulus)
>   [...]
>   ;; connection timed out; no servers could be reached
>
>   ~ $ dig svlug.org @204.80.101.251   #at ns2.merlins.org (per .ORG nameserver)
>   [...]
>   ;; connection timed out; no servers could be reached
>
>
>
> 2.  Missing glue records.  Trying to add .NET nameservers' names
> directly to a .ORG zonefile is very sub-optimal:  Even aside from the
> wrong-IP problem, such NS queries to .ORG result in a second follow-up
> "A" query having to be made to .NET's nameservers -- on account of lack
> of glue records at .ORG.
>
> By contrast, creating NS and A records _within_ svlug.org (e.g.,
> NS1.SVLUG.ORG and NS2.SVLUG.ORG) pointing to "nimbus's" and "cumulus's"
> IPs averts that second lookup, since the data will be autofurnished
> as glue when NS info gets sent.  Two lookups for the price of one.
>
> Here's a snippet for svlug.org's zonefile that would do that.  (One
> would want to place it in the "@" section.)
>
>                   IN      NS      ns1.svlug.org.
>                   IN      NS      ns2.svlug.org.
>   ; ns1 is aka nimbus.thunder.net
>   ns1             IN      A       209.142.3.6
>   ; ns2 is aka cumulus.thunder.net
>   ns2             IN      A       64.71.149.18
>
> As always, one would want to change the parent zone records (at the
> domain registrar) to match.
>
>
>
> 3.  Last, the reverse DNS ("PTR" record) for SVLUG's sole MX (mail
> exchanger) is slightly wrong -- though this isn't fatal:
>
>   ~ $ dig -t mx svlug.org +short   #What's mail exchanger's name?
>   10 svlug.org.
>   ~ $ dig svlug.org +short         #And its address?
>   216.218.255.178
>   ~ $ dig -t ptr 178.255.218.216.in-addr.arpa +short  #And the IP's reverse?
>   svlug.svlug.org.
>
> RFC 1912 urges valid reverse DNS for all mail exchangers.  It doesn't
> _require_ that reverse and forward names match, but it's a good idea,
> -- and SVLUG could do this but doesn't yet.  (Easy fix, though.)
>
> --
> Cheers,
> Rick Moen             "Anger makes dull men witty, but it keeps them poor."
> rick at linuxmafia.com                                   -- Elizabeth Tudor
>
> _______________________________________________
> Volunteers mailing list
> Volunteers at lists.svlug.org
> http://lists.svlug.org/lists/listinfo/volunteers
>



--
Help save the San Jose Earthquakes - http://www.soccersiliconvalley.com/
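
Added example, not part of the original thread and not code from Rick, Bill or SVLUG: the hand comparison in the quoted analysis, done in Python over the record lines shown in the dig output above. The function names are hypothetical, and the glue check only sees the lines quoted in the message (the "[...]" elisions are not recoverable).

```python
# Added example. Record lines are copied from the dig output quoted above.
VIEWS = {
    "tld6.ultradns.co.uk": """
svlug.org.              86400   IN      NS      ns2.merlins.org.
svlug.org.              86400   IN      NS      ns1.merlins.org.
svlug.org.              86400   IN      NS      nimbus.thunder.net.
svlug.org.              86400   IN      NS      cumulus.thunder.net.
ns1.merlins.org.        86400   IN      A       209.81.13.136
NS2.MERLINS.ORG.        172800  IN      A       204.80.101.251""",
    "ns1.merlins.org": """
ns1.merlins.org.        60      IN      A       209.81.13.136
ns2.merlins.org.        60      IN      A       68.166.220.119
nimbus.thunder.net.     3374    IN      A       209.142.3.6
cumulus.thunder.net.    3374    IN      A       64.71.149.18""",
    "k.gtld-servers.net": "cumulus.thunder.net. 172800 IN A 64.71.149.18",
    "nimbus.thunder.net": "cumulus.thunder.net. 43200 IN A 66.245.252.113",
}

def parse_records(dig_text):
    """Map (owner, type) -> set of rdata for each 'owner TTL IN TYPE RDATA' line."""
    records = {}
    for line in dig_text.splitlines():
        f = line.split()
        if len(f) < 5 or f[0].startswith(";") or f[2] != "IN":
            continue  # skips blank lines, ';;' section headers and '[...]'
        owner, rdata = f[0].lower().rstrip("."), f[4].lower().rstrip(".")
        records.setdefault((owner, f[3]), set()).add(rdata)  # names are case-insensitive
    return records

def address_mismatches(views):
    """Return {host: {server: addresses}} for hosts whose A records differ between servers."""
    seen = {}
    for server, text in views.items():
        for (owner, rtype), addrs in parse_records(text).items():
            if rtype == "A":
                seen.setdefault(owner, {})[server] = addrs
    return {host: by_server for host, by_server in seen.items()
            if len({frozenset(a) for a in by_server.values()}) > 1}

def ns_without_glue(dig_text):
    """Return NS targets that have no A record in the same response."""
    recs = parse_records(dig_text)
    targets = set().union(*(v for (_, t), v in recs.items() if t == "NS"))
    return sorted(t for t in targets if (t, "A") not in recs)

if __name__ == "__main__":
    for host, by_server in address_mismatches(VIEWS).items():
        print(host, {s: sorted(a) for s, a in by_server.items()})
    print("no glue from parent:", ns_without_glue(VIEWS["tld6.ultradns.co.uk"]))
```
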