[NCLUG] ns errors

Stephen Warren swarren at wwwdotorg.org
Fri Jul 6 11:59:57 MDT 2007



Matt wrote:
> Hi,
> 
> I found a site to check my server (www.dnsstuff.com) and it offers a
> free check for things like open relays and what not. A couple of
> NS errors it found are shown below. I'm using no-ip.com to point to my
> machine (I have a dynamic IP). Are these really problems and is there
> a way to get more info about them? Also, are these problems something
> I'm doing wrong or do I need to talk to no-ip?

Where is your domain registered? Do you control registration, or no-ip?

If you control it, then if you can, you probably want to add
ns4.no-ip.com and ns5.no-ip.com into the list of NS servers for your
domain. That should clear up most of the issues. Note that if you do
this, you should check with no-ip.com that they want those other servers
listed there; for example, dyndns.org provides something like 5 servers
total for me, but requires a specific subset be listed if I can't list
all of them.

However, my guess is that you can't do that - If I Recall Correctly, my
registrar only allows me to list 3 of the 5 name-servers for my domain,
so I'm probably in the same situation as you.

Otherwise, assuming no-ip.com is clueful and keeps the data on all those
servers nicely in sync, I suspect you can just ignore all these
"problems"; they mostly indicate that bad things can happen *if* the
multiple servers are out-of-sync, which should never happen, since
no-ip.com should manage them all as one, and keep them in sync.

The only thing I might want to track down is item 2; why dnsstuff.com
thinks some of your multiple servers might be the same machine. Maybe
the tests are flawed. Maybe no-ip.com failed over one of their NS
machines' records for another temporarily due to maintenance. Maybe
there's a real issue...


> 
> Thanks,
> 
> Matt
> 
> 
> 1) FAIL: You have one or more missing (stealth) nameservers. 
> 
>   The following nameserver(s) are listed (at your nameservers) as
>   nameservers for your domain, but are not listed at the parent
>   nameservers (therefore, they may or may not get used, depending on
>   whether your DNS servers return them in the authority section for
>   other requests, per RFC2181 5.4.1). You need to make sure that these
>   stealth nameservers are working; if they are not responding, you may
>   have serious problems! The DNSreport will not query these servers, so
>   you need to be very careful that they are working properly. 
>   
>   ns4.no-ip.com.
>   ns5.no-ip.com.
>   This is listed as an ERROR because there are some cases where nasty
>   problems can occur (if the TTLs vary from the NS records at the root
>   servers and the NS records point to your own domain, for example). 
> 
> 2) WARNING: Although you have at least 2 NS records, they may both point
>   to the same server (one of our two tests shows them being the same,
>   the other does not), which would result in a single point of
>   failure. You are required to have at least 2 nameservers per RFC 1035
>   section 2.2. 
> 
> 3) Your DNS servers leak stealth information in non-NS requests:
> 
>   Stealth nameservers are leaked [ns4.no-ip.com.]!
>   Stealth nameservers are leaked [ns5.no-ip.com.]!
>   
>   This can cause some serious problems (especially if there is a TTL
>   discrepancy). If you must have stealth NS records (NS records listed
>   at the authoritative DNS servers, but not the parent DNS servers), you
>   should make sure that your DNS server does not leak the stealth NS
>   records in response to other queries.
> 

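The three findings in the quoted report (NS names published by the zone's own servers but absent at the parent, a TTL difference between the two NS sets, and two NS names resolving to one address) can be reproduced by comparing the two responses. The following is an added example, not part of the original message; the zone, server names, addresses and TTLs are constructed, and the input is assumed to be in dig's answer-line format.

```python
# Added example: constructed data, hypothetical names (example.com, ns*.example.net).
PARENT_RESPONSE = """\
; constructed: NS set and glue as returned by a parent-zone server
example.com.      172800 IN NS ns1.example.net.
example.com.      172800 IN NS ns2.example.net.
example.com.      172800 IN NS ns3.example.net.
ns1.example.net.  172800 IN A  192.0.2.1
ns2.example.net.  172800 IN A  192.0.2.2
ns3.example.net.  172800 IN A  192.0.2.2
"""
CHILD_RESPONSE = """\
; constructed: NS set as returned by one of the zone's own servers
example.com.      86400 IN NS ns1.example.net.
example.com.      86400 IN NS ns2.example.net.
example.com.      86400 IN NS ns3.example.net.
example.com.      86400 IN NS ns4.example.net.
example.com.      86400 IN NS ns5.example.net.
ns4.example.net.  86400 IN A  198.51.100.4
ns5.example.net.  86400 IN A  198.51.100.5
"""

def parse_records(text):
    """Parse 'name TTL IN TYPE rdata' lines, skipping ';' comments and blanks."""
    records = []
    for line in text.splitlines():
        f = line.split()
        if len(f) >= 5 and not f[0].startswith(";") and f[2].upper() == "IN":
            records.append((f[0].lower(), int(f[1]), f[3].upper(), f[4].lower()))
    return records

def audit_delegation(zone, parent_text, child_text):
    """Compare the NS set at the parent with the NS set the zone itself publishes."""
    zone = zone.lower()
    parent, child = parse_records(parent_text), parse_records(child_text)
    ns = lambda recs: {r[3] for r in recs if r[0] == zone and r[2] == "NS"}
    ttl = lambda recs: {r[1] for r in recs if r[0] == zone and r[2] == "NS"}
    parent_ns, child_ns = ns(parent), ns(child)
    by_ip = {}  # address -> NS names that resolve to it
    for name, _, rtype, rdata in parent + child:
        if rtype in ("A", "AAAA") and name in parent_ns | child_ns:
            by_ip.setdefault(rdata, set()).add(name)
    return {
        "stealth": sorted(child_ns - parent_ns),      # report item 1 and 3
        "parent_only": sorted(parent_ns - child_ns),  # delegated but not published
        "ttl_mismatch": ttl(parent) != ttl(child),    # the TTL discrepancy caveat
        "shared_address": {ip: sorted(n) for ip, n in by_ip.items() if len(n) > 1},
    }

if __name__ == "__main__":
    for key, value in audit_delegation("example.com.", PARENT_RESPONSE, CHILD_RESPONSE).items():
        print(key, value)
```

With live data, the two inputs would be the saved answers from a parent-zone server and from one of the zone's listed servers for the same NS query.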


