| 1 |
>> I use a fairly well-known (free) DNS provider. I just checked my DNS |
| 2 |
>> settings at dnscheck.pingdom.com and I got: |
| 3 |
>> |
| 4 |
>> 1. No SOA record was found when querying the name server. This is most |
| 5 |
>> probably due to a misconfiguration at the name server - a zone must |
| 6 |
>> have a SOA record. |
| 7 |
>> |
| 8 |
>> 2. Nameserver * does not do DNSSEC extra processing. |
| 9 |
>> |
| 10 |
>> Are either of these something to worry about? |
| 11 |
> |
| 12 |
> Yes. Without an SOA record you don't actually have a zone. |
| 13 |
> |
| 14 |
> You should stop using those crappy dns checker sites, they tend to be |
| 15 |
> full of shit, unreliable and operate off someone's idea of how DNS |
| 16 |
> should be instead of reading the actual RFCs on the matter. Our abuse |
| 17 |
> team has long ticket lists from people trusting those sites and now |
| 18 |
> think there's something with how we do glue. Hint: Our glue is right and |
| 19 |
> proper :-) |
| 20 |
> |
| 21 |
> Instead just use dig, using google.com as an example get the NS records |
| 22 |
> first: |
| 23 |
> |
| 24 |
> $ dig ns google.com +short |
| 25 |
> ns3.google.com. |
| 26 |
> ns2.google.com. |
| 27 |
> ns1.google.com. |
| 28 |
> ns4.google.com. |
| 29 |
> |
| 30 |
> Then query each of those name server in turn directly for the SOA: |
| 31 |
> |
| 32 |
> $ dig soa google.com +short @ns3.google.com |
| 33 |
> ns1.google.com. dns-admin.google.com. 2013081400 7200 1800 1209600 300 |
| 34 |
> |
| 35 |
> That's a correct SOA record. |
| 36 |
|
| 37 |
Does this look OK? |
| 38 |
|
| 39 |
$ dig soa MASKED.com +short @MASKED1.MASKED.com |
| 40 |
MASKED1.MASKED.com. MASKED.MASKED.com. YYYYMMDD00 3600 1801 604800 3601 |
| 41 |
|
| 42 |
> What could have happened with that test site is the query timed out and |
| 43 |
> the site assumed the universe was therefore about to explode. Use such |
| 44 |
> if you want but always verify the results yourself using dig. |
| 45 |
|
| 46 |
Will do. |
| 47 |
|
| 48 |
> The DNSSEC message is not a problem. It means your provider does not use |
| 49 |
> DNSSEC. Again, the universe will not explode from this, we all got along |
| 50 |
> just fine with plain unsigned DNS transfers for 30 years. DNSSEC is a |
| 51 |
> way to digitally sign zone transfers and updates. Nothing to do with |
| 52 |
> zone resolution. |
| 53 |
|
| 54 |
Got it, thanks. |
| 55 |
|
| 56 |
- Grant |
Archives