...making Linux just a little more fun!
Rick Moen [rick at linuxmafia.com]
Mon, 15 May 2006 19:17:25 -0700
Just so you know, this few nits for a domain is utterly outstanding.
----- Forwarded message from rick ---------- End forwarded message -----Date: Mon, 15 May 2006 19:14:51 -0700 To: hostmaster at linuxgazette.netCc: ben at linuxgazette.netSubject: Domain report for linuxgazette.netGreetings. You are getting this form-mail because someone arranged for me to have my NS1.LINUXMAFIA.COM nameserver (IP = 184.108.40.206) do [ ] master [x] slave DNS for the domain linuxgazette.net ...and you are either the domain owner, or the sysadmin of the SOA master server, or both. I periodically check such domains for troubles. Following are ones observed a/o today with the domain. YOU, not I, need to fix these, to make the domain work properly. Problems that have cropped up for other domains, but not this one, have been sorted to the bottom but still included in case you're interested. [x] The "www" record for your domain is a CNAME. This is legal, but very suboptimal, because it entails two lookups (like an unnecessary symlink on a filesystem, except with a more-significant performance hit). I recommend replacing it with an "A" record pointing directly to the IP in question. [x] Risk of single point of failure in whois contacts. You have just a single person (name, e-mail address, telephone number) listed in the domain's whois records for all contacts. While this is perfectly legal, and you might have compelling reasons for it, consider repointing at least one of the contacts to someone else, so that someone can be reached if you can't. Okopnik, Ben ben at linuxgazette.net 99 King Street St Augustine, FL 32084 US (443) 250-7895 [x] Risk of in-band communication limitation in whois contacts. All of the e-mail contacts for the domain record are in-domain. Are people going to be able to send you mail saying "Dude, I think your domain's mail service is broken"? Consider having at least one contact be out-of-domain, if only at a webmail service that's normally forwarded to the domain's MTAs. [ ] Lame nameserver. This nameserver doesn't believe itself to be authoritative for the domain. [ ] Security risk (cache poisoning risk). These nameservers are open to recursive queries from the global Internet, which is a very bad idea because it permits poisoning of your cached authoritative DNS data. I strongly recommend that those sites' admins follow this page's tips to close the hole, or that you find replacement nameservers. http://www.dnsreport.com/info/opendns.htm [ ] Fewer than recommended nameservers. RFC2182 section 5 recommends between 3 and 7 nameservers. You have: [ ] Your contact information in the domain record doesn't reach you (or no longer does, at any rate). I'm referring to the listed: [ ] telephone number [ ] e-mail address [ ] Missing glue records. (This is an extremely common problem, and leading source of pokey DNS performance.) You are using hostnames in your NS records that are out of your parent zone's "bailiwick", e.g., using .COM nameserver hostnames to serve a .ORG domain (or vice-versa) with the result that parent-zone responses to queries asking for your NS records cannot include the IP addresses that match those NS records. (Why? Because, to use the example above, the .ORG zone's nameservers are not allowed to speak authoritatively on the resolution of .COM hostnames: That portion of the query must be fetched separately from the .COM zone's separate nameservers -- thus, requiring two queries to find the domain's nameservers, rather than one. To fix this problem, you need merely refer to those same out-of-bailiwick nameservers' IP addresses by alternate names you create within the domain, and define those names in "A" records in the domain's zonefile. Note that you must, as always, refer to the nameservers in the same way in both the domain record (at the registrar) and in the master nameserver's zonefile. [ ] SOA hostname error. The hostname listed as master server in your zonefile SOA reference record is not among those listed in NS reference records in the parent zone (the list of authoritative servers). [ ] SOA e-mail address is wrong. The e-mail address shown in the SOA record (with the "@" symbol transformed into a period) really does need to be deliverable, and yours is not. [ ] Unresponsive nameserver. This nameserver doesn't respond to queries for the domain's NS records. [ ] SOA expire time is a bit low. RFC1912 suggests 2-4 weeks (1209600 to 2419200) under normal circumstances. You have: [ ] MX record points to an IP with no valid DNS reverse. RFC1912 section 2.1 says you need ("should" have) a valid reverse, and many mail servers will refuse your mail on this basis. [ ] MX machine is unreachable.