I used to use "dlint" for this, but the package no longer builds easily
- is there any equivalent package as dig is not ideal to find what the
problem actually is?

BillK


On 27/08/13 19:53, Alan McKinnon wrote:
> On 27/08/2013 12:30, Grant wrote:
>> I use a fairly well-known (free) DNS provider. I just checked my DNS
>> settings at dnscheck.pingdom.com and I got:
>>
>> 1. No SOA record was found when querying the name server. This is most
>> probably due to a misconfiguration at the name server - a zone must
>> have a SOA record.
>>
>> 2. Nameserver * does not do DNSSEC extra processing.
>>
>> Are either of these something to worry about?
>
>
> Yes. Without an SOA record you don't actually have a zone.
>
> You should stop using those crappy dns checker sites, they tend to be
> full of shit, unreliable and operate off someone's idea of how DNS
> should be instead of reading the actual RFCs on the matter. Our abuse
> team has long ticket lists from people trusting those sites and now
> think there's something with how we do glue. Hint: Our glue is right and
> proper :-)
>
>
> Instead just use dig, using google.com as an example get the NS records
> first:
>
> $ dig ns google.com +short
> ns3.google.com.
> ns2.google.com.
> ns1.google.com.
> ns4.google.com.
>
>
> Then query each of those name servers in turn directly for the SOA:
>
> $ dig soa google.com +short @ns3.google.com
> ns1.google.com. dns-admin.google.com. 2013081400 7200 1800 1209600 300
>
> That's a correct SOA record.
>
> What could have happened with that test site is the query timed out and
> the site assumed the universe was therefore about to explode. Use such
> if you want but always verify the results yourself using dig.
>
> The DNSSEC message is not a problem. It means your provider does not use
> DNSSEC. Again, the universe will not explode from this, we all got along
> just fine with plain unsigned DNS transfers for 30 years. DNSSEC is a
> way to digitally sign zone transfers and updates. Nothing to do with
> zone resolution.
>
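The dig procedure quoted above (fetch the NS set, ask every server directly for the SOA, compare what comes back), scripted as an added example; this is not code from the thread or from dlint, and the function names and the example.test zone in the comments are my own.

```shell
#!/bin/sh
# Added example (not from the thread or dlint): automate Alan's dig check.
# For a zone, fetch the NS set, ask every listed server directly for the SOA
# with recursion disabled, and report servers that return no SOA or whose
# serial differs from the others. Function names and zones are my own.

# soa_serial LINE: print the serial from a `dig soa +short` answer line
# (format: mname rname serial refresh retry expire minimum), fail otherwise.
soa_serial() {
    set -- $1
    [ "$#" -eq 7 ] || return 1
    printf '%s\n' "$3"
}

# check_soa_answers: read "<nameserver><TAB><soa answer or empty>" lines on
# stdin, print a verdict per server; succeed only if every server answered
# with an SOA and all serials agree.
check_soa_answers() {
    tab=$(printf '\t'); rc=0; ref=
    while IFS=$tab read -r ns ans; do
        if [ -z "$ans" ]; then
            echo "FAIL $ns: no SOA on direct query (not authoritative, lame, or timeout)"
            rc=1; continue
        fi
        if ! serial=$(soa_serial "$ans"); then
            echo "FAIL $ns: malformed SOA answer: $ans"; rc=1; continue
        fi
        [ -n "$ref" ] || ref=$serial
        if [ "$serial" = "$ref" ]; then
            echo "OK   $ns: serial $serial"
        else
            echo "WARN $ns: serial $serial differs from $ref (stale secondary?)"; rc=1
        fi
    done
    return $rc
}

# check_zone ZONE: live check using dig (needs network access).
check_zone() {
    nslist=$(dig ns "$1" +short)
    [ -n "$nslist" ] || { echo "FAIL $1: no NS records"; return 1; }
    for ns in $nslist; do
        ans=$(dig soa "$1" +short +norecurse "@$ns" 2>/dev/null | head -n 1)
        printf '%s\t%s\n' "$ns" "$ans"
    done | check_soa_answers
}

[ "$#" -eq 0 ] || check_zone "$1"
```

Run it as `sh checksoa.sh example.test`; a FAIL line names the server that did not answer authoritatively, which is the detail the pingdom report leaves out.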