[NBLUG/talk] Nitpicking on nblug.org DNS

Rick Moen rick at linuxmafia.com
Fri Jul 8 17:54:20 PDT 2016


Copying/pasting from my comment on #nblug:

---<snippity>---

17:16 < redrick> I just looked pedantically through nblug.org DNS
looking for gaffes, and it's pretty good, so DNS Pedant's Seal of
Approval for thee.

17:18 < redrick> SOA EXPIRE at 2592000 (30 days) is longer than RFC1912
recommended range (1209600 to 2419200).

17:22 < redrick> b.auth-ns.sonic.net and ns1.devin.com (auth DNS
servers) fail best practices by giving accurate responses to the
version.bind query, e.g., dig -t txt -c CHAOS version.bind @[$FQDN] +short

17:24 < redrick> Respectively, they say "Served by PowerDNS -
https://www.powerdns.com/" and "9.9.5-9+deb8u6-Debian".  Telling the
global Internet your exact nameserver software and version+patchlevel's a 
bad idea.  (But again, a fine point.)

17:26 < redrick> One _serious_ problem only:  ns1.devin.com doesn't
respond to TCP-type DNS queries.  This is usually the result of a
blunder with firewalling rules on the nameserver host.  To see this do 'dig
www.nblug.org @ns1.devin.com.' (defaults to UDP) and then the same with
'+tcp' added.

17:27 < redrick> Failure to answer TCP queries can cause weird DNS
flakiness, especially with long responses that need to be in multiple
datagrams.

17:39 < redrick> Looks like devin.com is admined by Devin Carraway.  Can
tell him:  Just put something like this into
/etc/bind/named.conf.options :  version "Shirley, you're joking";

17:40 < redrick> The firewalling gaffe, he'll have to figure out.

---<snippity>---

Alongside 'version "Shirley, you're joking";' in
/etc/bind/named.conf.options's 'options' stanza, it's also a good idea
to have

    hostname    "ns1.devin.com";

...because CHAOS-class queries also support a query for the abstract name entity
'hostname.bind' in addition to the rather ill-advised 'version.bind'
abstract name entity.  Quoting RFC 4892, which details all about the
CHAOS class:

   (BIND) implementation of the DNS protocol suite from the Internet
   Systems Consortium [BIND] has supported a way of identifying a
   particular server via the use of a standards-compliant, if somewhat
   unusual, DNS query.  Specifically, a query to a recent BIND server
   for a TXT resource record in class 3 (CHAOS) for the domain name
   "HOSTNAME.BIND." will return a string that can be configured by the
   name server administrator to provide a unique identifier for the
   responding server.  (The value defaults to the result of a
   gethostname() call).  This mechanism, which is an extension of the
   BIND convention of using CHAOS class TXT RR queries to sub-domains of
   the "BIND." domain for version information, has been copied by
   several name server vendors.

Again, very much a fine point, but I see no downside to clearly
declaring the nameserver's hostname both the regular way (NS and A
records in the IN class) and the unusual but standards-compliant way
(hostname.bind in the CHAOS class).

There's also a -third- abstract name entity in CHAOS class, 'id.server',
which you can read about in the RFC but I don't bother with, mostly
because it's redundant to 'hostname.bind' and even more obscure.
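The two checks from the IRC log above (the CHAOS-class version.bind / hostname.bind query and the UDP-versus-TCP probe), as an added Python example that is not part of the original post and not anything nblug.org or devin.com runs: it builds the same wire-format query that 'dig -t txt -c CHAOS' sends, pulls the TXT strings out of a response, and flags answers that look like a real software name or version rather than a configured vanity string. The 'discloses_software' heuristic and the 'query' helper are my own assumptions, not anything from the RFCs.

```python
import re
import socket
import struct

TXT, CHAOS = 16, 3
# Assumed heuristic: an x.y version number or a well-known vendor name means
# the server is answering honestly instead of with a configured vanity string.
SOFTWARE_HINT = re.compile(r"\d+\.\d+|bind|powerdns|nsd|knot|unbound", re.I)

def build_chaos_txt_query(name, txid=0x1234):
    """Same packet 'dig -t txt -c CHAOS <name>' sends: RD bit set, one question."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = b"".join(bytes([len(l)]) + l.encode() for l in name.strip(".").split("."))
    return header + labels + b"\x00" + struct.pack("!HH", TXT, CHAOS)

def _skip_name(msg, off):
    # Walk labels until the root label or a compression pointer (RFC 1035 4.1.4).
    while msg[off] != 0:
        if msg[off] & 0xC0 == 0xC0:
            return off + 2
        off += 1 + msg[off]
    return off + 1

def txt_strings(msg):
    """Collect the <character-string>s from every TXT record in the answer section."""
    qdcount, ancount = struct.unpack("!HH", msg[4:8])
    off, out = 12, []
    for _ in range(qdcount):
        off = _skip_name(msg, off) + 4            # skip QTYPE + QCLASS
    for _ in range(ancount):
        off = _skip_name(msg, off)
        rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata, off, i = msg[off:off + rdlen], off + rdlen, 0
        while rtype == TXT and i < len(rdata):
            out.append(rdata[i + 1:i + 1 + rdata[i]].decode("latin-1"))
            i += 1 + rdata[i]
    return out

def discloses_software(strings):
    """True when the answer looks like the real software/version (see SOFTWARE_HINT)."""
    return any(SOFTWARE_HINT.search(s) for s in strings)

def query(server, packet, tcp=False, timeout=3.0):
    """Send a query over UDP or TCP; run both ways to spot a server that only answers UDP."""
    if tcp:   # TCP DNS frames each message with a 2-byte length prefix
        with socket.create_connection((server, 53), timeout) as s:
            s.sendall(struct.pack("!H", len(packet)) + packet)
            return s.recv(struct.unpack("!H", s.recv(2))[0])
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(packet, (server, 53))
        return s.recv(4096)
```

Against a server you administer, `txt_strings(query(host, build_chaos_txt_query("version.bind"), tcp=True))` should return your configured string; a timeout on the TCP call but not the UDP one is the firewalling gaffe described above.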

-- 
Cheers,                    "A man is his own easiest dupe, for what he wishes
Rick Moen                  to be true he generally believes to be true."
rick at linuxmafia.com        -- Demosthenes, Third Olynthiac, sct. 19 (349 BCE)
McQ! (4x80)
