[NCLUG] ns errors

Michael Milligan milli at acmeps.com
Fri Jul 6 17:44:57 MDT 2007


It is not a problem.  Your "parent" can have a subset of what your
authoritative servers have for a NS record set.  Other name servers
will then take what your servers say over the parent's.  The only
possible issue is if there are only two (or perhaps more) registered
and they become unreachable at the same time (e.g., they are all on
the same subnet).  Then nobody can resolve your domain if they don't
have your full NS record set (and A records) in their cache.

One thing I do want to point out is their description of this as what  
"stealth" name servers are is incorrect.  A stealth name server is one  
that is authoritative for a zone but is not listed in the NS record set.

dnsreport.com is more accurate in tests and problem descriptions.

Regards,
Mike

--
Michael Milligan                              -> milli at acmeps.com
Acme Professional Services                       970-581-9948

On Jul 6, 2007, at 11:29 AM, Matt <rosing at peakfive.com> wrote:

> Hi,
>
> I found a site to check my server (www.dnsstuff.com) and it offers a
> free check for things like open relays and what not. A couple of
> NS errors it found are shown below. I'm using no-ip.com to point to my
> machine (I have a dynamic IP). Are these really problems and is there
> a way to get more info about them? Also, are these problems something
> I'm doing wrong or do I need to talk to no-ip?
>
> Thanks,
>
> Matt
>
>
> 1) FAIL: You have one or more missing (stealth) nameservers.
>
>  The following nameserver(s) are listed (at your nameservers) as
>  nameservers for your domain, but are not listed at the parent
>  nameservers (therefore, they may or may not get used, depending on
>  whether your DNS servers return them in the authority section for
>  other requests, per RFC2181 5.4.1). You need to make sure that these
>  stealth nameservers are working; if they are not responding, you may
>  have serious problems! The DNSreport will not query these servers, so
>  you need to be very careful that they are working properly.
>
>  ns4.no-ip.com.
>  ns5.no-ip.com.
>  This is listed as an ERROR because there are some cases where nasty
>  problems can occur (if the TTLs vary from the NS records at the root
>  servers and the NS records point to your own domain, for example).
>
> 2) WARNING: Although you have at least 2 NS records, they may both point
>  to the same server (one of our two tests shows them being the same,
>  the other does not), which would result in a single point of
>  failure. You are required to have at least 2 nameservers per RFC 1035
>  section 2.2.
>
> 3) Your DNS servers leak stealth information in non-NS requests:
>
>  Stealth nameservers are leaked [ns4.no-ip.com.]!
>  Stealth nameservers are leaked [ns5.no-ip.com.]!
>
>  This can cause some serious problems (especially if there is a TTL
>  discrepancy). If you must have stealth NS records (NS records listed
>  at the authoritative DNS servers, but not the parent DNS servers), you
>  should make sure that your DNS server does not leak the stealth NS
>  records in response to other queries.

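Added example, not part of the original messages: a Python check of the conditions discussed in this thread, namely name servers that appear in the zone's own NS set but are not registered at the parent, TTL differences between the two sets, and registered name servers that all sit in one subnet. The record data, the function names and the /24 subnet size are assumptions made for the illustration.

```python
import ipaddress

# Constructed sample data (reserved example names and documentation
# addresses), laid out like dig answer lines. Not taken from the thread.
PARENT_NS = """\
example.org. 172800 IN NS ns1.example.net.
example.org. 172800 IN NS ns2.example.net.
"""
CHILD_NS = """\
example.org. 3600 IN NS ns1.example.net.
example.org. 3600 IN NS ns2.example.net.
example.org. 3600 IN NS ns4.example.net.
example.org. 3600 IN NS ns5.example.net.
"""
ADDRS = """\
ns1.example.net. 3600 IN A 192.0.2.10
ns2.example.net. 3600 IN A 192.0.2.20
ns4.example.net. 3600 IN A 198.51.100.4
ns5.example.net. 3600 IN A 203.0.113.5
"""

def parse_rrs(text, rtype):
    """Map (owner, rdata) -> TTL for 'owner ttl IN type rdata' lines."""
    rrs = {}
    for line in text.splitlines():
        f = line.split()
        if len(f) == 5 and f[2].upper() == "IN" and f[3].upper() == rtype:
            rrs[(f[0].lower(), f[4].lower())] = int(f[1])
    return rrs

def compare_delegation(parent_txt, child_txt, addr_txt, prefix=24):
    """Compare the parent's NS set with the zone's own NS set."""
    parent = parse_rrs(parent_txt, "NS")
    child = parse_rrs(child_txt, "NS")
    p_names = {ns for _, ns in parent}
    c_names = {ns for _, ns in child}
    # Networks (assumed /24) that hold the servers registered at the parent.
    nets = {ipaddress.ip_network(f"{ip}/{prefix}", strict=False)
            for (name, ip) in parse_rrs(addr_txt, "A") if name in p_names}
    return {
        "child_only": sorted(c_names - p_names),    # not registered at parent
        "parent_only": sorted(p_names - c_names),   # registered, not in zone
        "ttl_differs": sorted(ns for (owner, ns), ttl in parent.items()
                              if child.get((owner, ns), ttl) != ttl),
        "parent_single_subnet": len(nets) == 1,     # all registered NS together
    }

if __name__ == "__main__":
    for key, value in compare_delegation(PARENT_NS, CHILD_NS, ADDRS).items():
        print(f"{key}: {value}")
```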

