On 27/08/2013 12:30, Grant wrote:
> I use a fairly well-known (free) DNS provider. I just checked my DNS
> settings at dnscheck.pingdom.com and I got:
>
> 1. No SOA record was found when querying the name server. This is most
> probably due to a misconfiguration at the name server - a zone must
> have a SOA record.
>
> 2. Nameserver * does not do DNSSEC extra processing.
>
> Are either of these something to worry about?

Yes. Without an SOA record you don't actually have a zone.

You should stop using those crappy dns checker sites, they tend to be
full of shit, unreliable and operate off someone's idea of how DNS
should be instead of reading the actual RFCs on the matter. Our abuse
team has long ticket lists from people trusting those sites and now
think there's something with how we do glue. Hint: Our glue is right and
proper :-)

Instead just use dig. Using google.com as an example, get the NS records
first:

$ dig ns google.com +short
ns3.google.com.
ns2.google.com.
ns1.google.com.
ns4.google.com.

Then query each of those name servers in turn directly for the SOA:

$ dig soa google.com +short @ns3.google.com
ns1.google.com. dns-admin.google.com. 2013081400 7200 1800 1209600 300

That's a correct SOA record.

What could have happened with that test site is the query timed out and
the site assumed the universe was therefore about to explode. Use such
if you want but always verify the results yourself using dig.

The DNSSEC message is not a problem. It means your provider does not use
DNSSEC. Again, the universe will not explode from this, we all got along
just fine with plain unsigned DNS transfers for 30 years. DNSSEC is a
way to digitally sign zone transfers and updates. Nothing to do with
zone resolution.

--
Alan McKinnon
alan.mckinnon@×××××.com
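
Added example, not part of the original message: a shell helper for the dig procedure above that keeps "the server never replied" (dig exit status 9) separate from "the server replied without an SOA". The function names classify_soa and check_zone and the timeout values are assumptions of this example.

```bash
#!/usr/bin/env bash
# Added example (not from the original message). Function names are hypothetical.

# classify_soa STATUS OUTPUT
#   STATUS: exit status of `dig +short soa ZONE @SERVER`
#   OUTPUT: what that command printed
classify_soa() {
    local status=$1 output=$2 line
    local mname rname serial refresh retry expire minimum extra n
    # dig exits 9 when no server replied: a timeout, not evidence of a missing SOA.
    if [ "$status" -eq 9 ]; then echo "no-reply"; return 0; fi
    if [ "$status" -ne 0 ]; then echo "dig-error"; return 0; fi
    # Drop ";;" diagnostics and blank lines; the first remaining line is the answer.
    line=$(printf '%s\n' "$output" | grep -v -e '^;' -e '^[[:space:]]*$' | head -n 1) || true
    if [ -z "$line" ]; then echo "no-soa"; return 0; fi
    # SOA rdata has exactly 7 fields: mname rname serial refresh retry expire minimum
    read -r mname rname serial refresh retry expire minimum extra <<EOF
$line
EOF
    if [ -z "$minimum" ] || [ -n "$extra" ]; then echo "malformed"; return 0; fi
    for n in "$serial" "$refresh" "$retry" "$expire" "$minimum"; do
        case $n in *[!0-9]*) echo "malformed"; return 0 ;; esac
    done
    echo "ok serial=$serial"
}

# check_zone ZONE: ask every listed name server directly, one result line per server.
check_zone() {
    local zone=$1 ns out rc
    for ns in $(dig +short ns "$zone"); do
        out=$(dig +short +time=3 +tries=2 soa "$zone" "@$ns") && rc=0 || rc=$?
        printf '%s\t%s\n' "$ns" "$(classify_soa "$rc" "$out")"
    done
}

# Offline demo: the SOA answer quoted in the message, then a constructed timeout.
classify_soa 0 'ns1.google.com. dns-admin.google.com. 2013081400 7200 1800 1209600 300'
classify_soa 9 ';; connection timed out; no servers could be reached'
# Live use (needs network): check_zone example.com
```

Differing serials across servers in the check_zone output mean a secondary has not yet picked up the latest version of the zone.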