[dns-wg] lameness and unreachability
- Previous message (by thread): [dns-wg] lameness and unreachability
- Next message (by thread): [dns-wg] lameness and unreachability
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
Stephane D'Alu
Stephane.DAlu at nic.fr
Thu May 22 19:02:51 CEST 2003
On Thu, May 22, 2003 at 11:49:25AM -0400, Edward Lewis wrote:
> For educational purposes, I'd like to ask about some of the
> errors/warnings as listed. I'll try to stay away from tool-specific
> suggestions, as this isn't the list for your tool.
>
> At 17:37 +0200 5/22/03, Stephane D'Alu wrote:
> >Here is the list of tests available in the ZoneCheck v2 tool,
> >with the severity (Fatal/Warning) that are used in the configuration
> >file to check domains in .fr before accepting the delegation.
> >
> >Severity Test
> >Fatal/warning
> >F dash ('-') at start or beginning of domain name
>
> According to 1035, that is legal. Or do you mean a - at the
> beginning of a hostname?

In fact the test checks for a '-' at the beginning or at the end of a
label, as suggested in the grammar of 1035.

> >F illegal symbols in domain name (RFC1034)
>
> I don't think there are any - in a 'domain' name. Yes, in a host name.

Test that all characters are in the set [a-z0-9\-]

> >W ICMP answer
>
> I don't know that this is a concern of DNS - what the other protocols
> can or can't do.

Agree, this is not directly DNS related (so it is only a warning), but
it could sometimes give you a hint on what is wrong.

> >W nameserver addresses are all on the same subnet (RFC2182)
>
> The problem with this test is the rise of anycast. It's harder to
> determine remotely if servers are all on the same subnet.

I don't think there are many anycast servers for now, but the heuristic
used to determine the subnet already makes it a policy issue :(
And I fear that the rise of anycast servers will make it really
difficult to check the consistency of the different servers for a zone.

> >W delegated domain is not an openrelay
> >W domain of the hostmaster email is not an openrelay
>
> That's beyond DNS. A real concern, but if I just want to test DNS,
> then I don't want to do those tests.

That was the point of having lists with different degrees of
'completeness': you consider (with a RIR point of view) that a minimal
set of tests is enough to check the 'reachability of a zone', we
consider (with a ccTLD point of view) that these tests should be part
of a 'good configuration', but I'm sure that different RIRs or ccTLDs
could have intermediate preferences. We could provide different lists
of tests, where the degree of completeness increases.

> >W SOA 'minimum' less than 3 hours
> >W SOA 'refresh' at least 6 hours
> >W SOA 'retry' at least 1 hour
>
> I would think that these are policy dependent - sometimes shortened
> numbers are a good thing - if you are willing to pay the performance
> price.

These tests are only marked as 'Warning', due to the fact that if you
really know what you are doing you could want to go beyond the
recommended values. I would like to say that having some tests with a
warning severity makes them serve the purpose of a reminder, and that
doesn't hurt: people knowing what they are doing will just consider it
as a warning, others will be grateful for the hint.

> >W serial number of the form YYYYMMDDnn (RFC1912)
>
> With the advent of dynamic update, the last is no longer recommended.

I'll see if there is a way to make an improved test on the serial
number (or retire the test otherwise)

Sincerely,
--
Stephane D'Alu -- AFNIC
http://zonecheck.nic.fr/v2/ Check your domain name
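As an added example that is not part of this message nor of ZoneCheck's own code, here is a small Ruby re-implementation of several checks named in the list above, run over a constructed delegation so it works offline. It assumes the SOA test names describe the property that should hold (minimum below 3 h, refresh at least 6 h, retry at least 1 h), uses a /24 prefix as the "same subnet" heuristic the reply calls a policy issue, and treats the serial test as RFC 1912's YYYYMMDDnn date form; the sample zone data is invented.

```ruby
# Added example (not ZoneCheck's own code): a few of the delegation
# checks discussed in the thread, over constructed input. Severity
# letters follow the thread's list: F = Fatal, W = Warning.
require 'ipaddr'
require 'date'

FATAL   = 'F'
WARNING = 'W'
HOUR    = 3600

# Characters a host-name label may contain under the RFC 1035 grammar.
LABEL_CHARS = /\A[a-z0-9-]*\z/

# Hostname tests: only [a-z0-9-] in each label, and no '-' as the
# first or last character of a label.
def check_hostname(name)
  problems = []
  name.downcase.chomp('.').split('.', -1).each do |label|
    problems << [FATAL, "illegal symbols in label '#{label}'"] unless label.match?(LABEL_CHARS)
    problems << [FATAL, "dash at start or end of label '#{label}'"] if label.start_with?('-') || label.end_with?('-')
    problems << [FATAL, "empty label in '#{name}'"] if label.empty?
  end
  problems
end

# SOA timer tests, read as the property that should hold (assumption).
# All are warnings: a tuned zone may legitimately differ.
def check_soa_timers(soa)
  problems = []
  problems << [WARNING, "SOA 'minimum' is not less than 3 hours"] unless soa[:minimum] < 3 * HOUR
  problems << [WARNING, "SOA 'refresh' is less than 6 hours"]     if soa[:refresh] < 6 * HOUR
  problems << [WARNING, "SOA 'retry' is less than 1 hour"]        if soa[:retry] < HOUR
  problems
end

# RFC 1912 date-form serial: ten digits whose first eight are a valid
# YYYYMMDD date. Dynamic-update zones will not follow this, hence W.
def check_serial_format(serial)
  s = serial.to_s
  return [] if s.match?(/\A\d{10}\z/) && (Date.strptime(s[0, 8], '%Y%m%d') rescue nil)
  [[WARNING, "serial #{s} is not of the form YYYYMMDDnn"]]
end

# "All name servers on the same subnet": the prefix length is the
# heuristic (and the policy question); /24 is assumed here.
def check_subnet_diversity(addresses, prefix_len = 24)
  nets = addresses.map { |a| IPAddr.new(a).mask(prefix_len).to_s }.uniq
  return [] if addresses.size < 2 || nets.size > 1
  [[WARNING, "all name servers are in #{nets.first}/#{prefix_len}"]]
end

# Run every check over one delegation description and collect results.
def check_delegation(zone)
  problems = zone[:nameservers].flat_map { |ns| check_hostname(ns) }
  problems += check_subnet_diversity(zone[:addresses])
  problems += check_soa_timers(zone[:soa])
  problems += check_serial_format(zone[:soa][:serial])
  problems
end

# Constructed sample delegation (not real data): one bad NS label, both
# servers in one /24, and three SOA timers outside the suggested ranges.
SAMPLE_ZONE = {
  nameservers: ['ns1.example.net', '-bad.example.net'],
  addresses:   ['192.0.2.10', '192.0.2.20'],
  soa: { serial: 2003052201, refresh: 3 * HOUR, retry: 15 * 60, minimum: 6 * HOUR },
}

if __FILE__ == $PROGRAM_NAME
  check_delegation(SAMPLE_ZONE).each { |sev, msg| puts "#{sev} #{msg}" }
end
```

On the sample zone this reports one Fatal (the leading dash) and four Warnings; only the serial passes. Each check returns a list, so a caller can decide, as the reply suggests, which severities block a delegation and which are merely reminders.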