[NBLUG/talk] Nitpicking on nblug.org DNS

Rick Moen rick at linuxmafia.com
Fri Jul 8 17:54:20 PDT 2016

Copying/pasting from my comment on #nblug:


17:16 < redrick> I just looked pedantically through nblug.org DNS
looking for gaffes, and it's pretty good, so DNS Pedant's Seal of
Approval for thee.

17:18 < redrick> SOA EXPIRE at 2592000 (30 days) is longer than RFC1912
recommended range (1209600 to 2419200).

17:22 < redrick> b.auth-ns.sonic.net and ns1.devin.com (auth DNS
servers) fail best practices by giving accurate responses to the
version.bind query, e.g., dig -t txt -c CHAOS version.bind @[$FQDN] +short

17:24 < redrick> Respectively, they say "Served by PowerDNS -
https://www.powerdns.com/" and "9.9.5-9+deb8u6-Debian".  Telling the
global Internet your exact nameserver software and version+patchlevel's a 
bad idea.  (But again, a fine point.)

17:26 < redrick> One _serious_ problem only:  ns1.devin.com doesn't
respond to TCP-type DNS queries.  This is usually the result of a
blunder with firewalling rules on the nameserver host.  To see this do 'dig
www.nblug.org @ns1.devin.com.' (defaults to UDP) and then the same with
'+tcp' added.

17:27 < redrick> Failure to answer TCP queries can cause weird DNS
flakiness, especially with long responses that need to be in multiple

17:39 < redrick> Looks like devin.com is admined by Devin Carraway.  Can
tell him:  Just put something like this into
/etc/bind/named.conf.options :  version "Shirley, you're joking";

17:40 < redrick> The firewalling gaffe, he'll have to figure out.


Alongside 'version "Shirley, you're joking";' in
/etc/bind/named.conf.options's 'options' stanza, it's also a good idea
to have

    hostname    "ns1.devin.com";

...because CHAOS-class queries also support a query for the abstract name entity
'hostname.bind' in addition to the rather ill-advised 'version.bind'
abstract name entity.  Quoting RFC 4892, which goes into detail about the
CHAOS class:

   (BIND) implementation of the DNS protocol suite from the Internet
   Systems Consortium [BIND] has supported a way of identifying a
   particular server via the use of a standards-compliant, if somewhat
   unusual, DNS query.  Specifically, a query to a recent BIND server
   for a TXT resource record in class 3 (CHAOS) for the domain name
   "HOSTNAME.BIND." will return a string that can be configured by the
   name server administrator to provide a unique identifier for the
   responding server.  (The value defaults to the result of a
   gethostname() call).  This mechanism, which is an extension of the
   BIND convention of using CHAOS class TXT RR queries to sub-domains of
   the "BIND." domain for version information, has been copied by
   several name server vendors.

Again, very much a fine point, but I see no downside to clearly
declaring the nameserver's hostname both the regular way (NS and A
records in the IN class) and the unusual but standards-compliant way
(hostname.bind in the CHAOS class).

There's also a -third- abstract name entity in CHAOS class, 'id.server',
which you can read about in the RFC but I don't bother with, mostly
because it's redundant to 'hostname.bind' and even more obscure.

Cheers,                    "A man is his own easiest dupe, for what he wishes
Rick Moen                  to be true he generally believes to be true."
rick at linuxmafia.com        -- Demosthenes, Third Olynthiac, sct. 19 (349 BCE)
McQ! (4x80)
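The three checks in the post above (the CHAOS-class version.bind / hostname.bind query, the UDP-versus-TCP comparison that exposes the ns1.devin.com firewall problem, and the RFC 1912 range for SOA EXPIRE) can all be done by hand on the wire rather than through dig. The following is an added example, not code from the post or from any of the projects it mentions: a standard-library Python implementation of the query encoding (QCLASS 3 is the only thing that makes a query "CHAOS"), the two-byte length framing that DNS over TCP requires, and the answer parsing needed to pull out TXT strings and the SOA EXPIRE field. The two sample responses at the bottom are constructed here, not captured: the version string is the one the post quotes for ns1.devin.com, the EXPIRE value is the 2592000 the post reports, and the example.org names and the remaining SOA fields are invented.

```python
"""Probes for the post's checks: CHAOS TXT queries, UDP vs TCP, RFC 1912 SOA EXPIRE."""
import socket
import struct

QTYPE_SOA, QTYPE_TXT = 6, 16
CLASS_IN, CLASS_CHAOS = 1, 3
RFC1912_EXPIRE_MIN, RFC1912_EXPIRE_MAX = 1209600, 2419200   # two to four weeks

def encode_name(name):
    """Dotted name -> length-prefixed labels ending in the root label."""
    return b"".join(bytes([len(l)]) + l.encode("ascii")
                    for l in name.rstrip(".").split(".") if l) + b"\x00"

def build_query(name, qtype, qclass, txid=0x1234):
    """One-question query, RD set.  qclass=3 is what makes it a CHAOS query."""
    return (struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
            + encode_name(name) + struct.pack("!HH", qtype, qclass))

def decode_name(data, offset):
    """Decode a possibly compressed name; return (name, offset just past it)."""
    labels, end = [], None
    while True:
        length = data[offset]
        if length & 0xC0 == 0xC0:                       # RFC 1035 compression pointer
            end = offset + 2 if end is None else end    # resume after the first pointer
            offset = struct.unpack("!H", data[offset:offset + 2])[0] & 0x3FFF
        elif length == 0:
            return ".".join(labels) + ".", offset + 1 if end is None else end
        else:
            labels.append(data[offset + 1:offset + 1 + length].decode("ascii"))
            offset += 1 + length

def parse_answers(data):
    """Answer section as (name, type, class, rdata offset, rdlength) tuples."""
    _id, _flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    offset, answers = 12, []
    for _ in range(qd):
        _, offset = decode_name(data, offset)
        offset += 4                                     # skip QTYPE and QCLASS
    for _ in range(an):
        name, offset = decode_name(data, offset)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", data[offset:offset + 10])
        offset += 10
        answers.append((name, rtype, rclass, offset, rdlen))
        offset += rdlen
    return answers

def chaos_txt(data):
    """TXT strings from CHAOS-class answers: what version.bind/hostname.bind reveal."""
    out = []
    for _name, rtype, rclass, off, rdlen in parse_answers(data):
        if rtype == QTYPE_TXT and rclass == CLASS_CHAOS:
            end = off + rdlen
            while off < end:                            # one or more <character-string>s
                out.append(data[off + 1:off + 1 + data[off]].decode("utf-8", "replace"))
                off += 1 + data[off]
    return out

def soa_expire(data):
    """EXPIRE of the first SOA answer (MNAME/RNAME may be compressed), else None."""
    for _name, rtype, _rclass, off, _rdlen in parse_answers(data):
        if rtype == QTYPE_SOA:
            for _ in range(2):                          # MNAME, RNAME
                _, off = decode_name(data, off)
            return struct.unpack("!IIIII", data[off:off + 20])[3]   # serial,refresh,retry,EXPIRE,minimum
    return None

def expire_within_rfc1912(expire):
    return RFC1912_EXPIRE_MIN <= expire <= RFC1912_EXPIRE_MAX

def send_query(server, name, qtype, qclass, tcp=False, timeout=3.0):
    """UDP, or TCP with the RFC 1035 4.2.2 length prefix; None when nothing comes back."""
    q = build_query(name, qtype, qclass)
    try:
        if not tcp:
            with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
                s.settimeout(timeout)
                s.sendto(q, (server, 53))
                return s.recv(4096)
        with socket.create_connection((server, 53), timeout=timeout) as s:
            s.sendall(struct.pack("!H", len(q)) + q)    # two-byte big-endian length first
            f = s.makefile("rb")
            return f.read(struct.unpack("!H", f.read(2))[0]) or None
    except (OSError, struct.error):                     # timeout, refusal, short read
        return None

def _response(name, rtype, rclass, rdata):
    # Constructed one-answer reply to build_query(name, rtype, rclass); not a capture.
    return (struct.pack("!HHHHHH", 0x1234, 0x8580, 1, 1, 0, 0)           # QR AA RD RA
            + build_query(name, rtype, rclass)[12:] + b"\xc0\x0c"         # question, ptr to QNAME
            + struct.pack("!HHIH", rtype, rclass, 0, len(rdata)) + rdata)

# Constructed samples: the version string is the one the post quotes for ns1.devin.com;
# the SOA EXPIRE is the post's 2592000, every other SOA field and name is invented.
_VER = b"9.9.5-9+deb8u6-Debian"
SAMPLE_VERSION_RESPONSE = _response("version.bind", QTYPE_TXT, CLASS_CHAOS, bytes([len(_VER)]) + _VER)
SAMPLE_SOA_RESPONSE = _response("example.org", QTYPE_SOA, CLASS_IN,
    encode_name("ns1.example.org") + encode_name("hostmaster.example.org")
    + struct.pack("!IIIII", 2016070801, 86400, 7200, 2592000, 3600))
```

Against a server you are entitled to test, `send_query(server, "version.bind", QTYPE_TXT, CLASS_CHAOS)` fed to `chaos_txt` is the same probe as the dig command in the post; a server configured with `version "...";` answers with that string instead. Running `send_query(server, "www.nblug.org", 1, CLASS_IN)` once with `tcp=False` and once with `tcp=True` reproduces the UDP/TCP comparison: a reply over UDP and `None` over TCP is the firewall symptom described above, and the `struct.pack("!H", ...)` prefix is the one piece of TCP framing a UDP-only mindset tends to forget. `soa_expire` plus `expire_within_rfc1912` performs the RFC 1912 check on any SOA reply.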
