From mboxrd@z Thu Jan 1 00:00:00 1970
Subject: Re: [gentoo-user] {OT} DNS: no SOA record or DNSSEC
From: Grant
To: Gentoo mailing list
Reply-to: gentoo-user@lists.gentoo.org
X-BeenThere: gentoo-user@lists.gentoo.org
Date: Sun, 1 Sep 2013 01:24:35 -0700
In-Reply-To: <521C9323.1080007@gmail.com>
References: <521C9323.1080007@gmail.com>
Content-Type: text/plain; charset=ISO-8859-1

>> I use a fairly well-known (free) DNS provider. I just checked my DNS
>> settings at dnscheck.pingdom.com and I got:
>>
>> 1. No SOA record was found when querying the name server. This is most
>> probably due to a misconfiguration at the name server - a zone must
>> have a SOA record.
>>
>> 2. Nameserver * does not do DNSSEC extra processing.
>>
>> Is either of these something to worry about?
>
> Yes. Without an SOA record you don't actually have a zone.
>
> You should stop using those crappy dns checker sites, they tend to be
> full of shit, unreliable and operate off someone's idea of how DNS
> should be instead of reading the actual RFCs on the matter. Our abuse
> team has long ticket lists from people trusting those sites and now
> think there's something with how we do glue. Hint: Our glue is right and
> proper :-)
>
> Instead just use dig, using google.com as an example get the NS records
> first:
>
> $ dig ns google.com +short
> ns3.google.com.
> ns2.google.com.
> ns1.google.com.
> ns4.google.com.
>
> Then query each of those name servers in turn directly for the SOA:
>
> $ dig soa google.com +short @ns3.google.com
> ns1.google.com. dns-admin.google.com. 2013081400 7200 1800 1209600 300
>
> That's a correct SOA record.

Does this look OK?

$ dig soa MASKED.com +short @MASKED1.MASKED.com
MASKED1.MASKED.com. MASKED.MASKED.com. YYYYMMDD00 3600 1801 604800 3601

> What could have happened with that test site is the query timed out and
> the site assumed the universe was therefore about to explode. Use such
> if you want but always verify the results yourself using dig.

Will do.

> The DNSSEC message is not a problem. It means your provider does not use
> DNSSEC. Again, the universe will not explode from this, we all got along
> just fine with plain unsigned DNS transfers for 30 years. DNSSEC is a
> way to digitally sign zone transfers and updates. Nothing to do with
> zone resolution.

Got it, thanks.

- Grant
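The check described in the reply above (get the NS set with `dig ns`, then ask every name server for the SOA with `dig soa +short @NS`) as a script that parses and compares those answers: an empty answer is exactly the "no SOA record" case the checker complained about, and a serial that differs between servers means the zone is not consistently published. This is an added example, not code from the thread; the name servers and SOA lines in it are constructed (only the timer values are borrowed from the quoted google.com record), and the timer checks are common checker conventions, not hard RFC limits.

```python
"""Sanity-check the SOA answers that `dig soa ZONE +short @NS` returns from
each authoritative name server (added example, not code from the thread).
The sample answers below are constructed so the script runs offline."""
from __future__ import annotations
from dataclasses import dataclass
from typing import Optional

@dataclass
class SOA:
    mname: str    # primary master name server
    rname: str    # responsible mailbox, first '.' stands for '@'
    serial: int
    refresh: int
    retry: int
    expire: int
    minimum: int  # negative-caching TTL (RFC 2308)

def parse_soa(short_answer: str) -> Optional[SOA]:
    """Parse one `dig soa +short` line; None means no usable SOA came back."""
    fields = short_answer.split()
    if len(fields) != 7:
        return None
    try:
        return SOA(fields[0], fields[1], *(int(f) for f in fields[2:]))
    except ValueError:  # e.g. a non-numeric serial
        return None

def check_soa(soa: SOA) -> list[str]:
    """Conventional timer checks used by zone checkers, not hard RFC limits."""
    problems = []
    if soa.retry >= soa.refresh:
        problems.append("retry should be shorter than refresh")
    if soa.expire <= soa.refresh + soa.retry:
        problems.append("expire should exceed refresh + retry")
    if not soa.mname.endswith("."):
        problems.append("mname is not a fully qualified name")
    return problems

def check_zone(answers: dict[str, str]) -> list[str]:
    """answers maps each name server from `dig ns ZONE` to its +short SOA line."""
    problems, serials = [], {}
    for ns, line in answers.items():
        soa = parse_soa(line)
        if soa is None:
            problems.append(f"{ns}: no SOA record in answer")
            continue
        serials[ns] = soa.serial
        problems += [f"{ns}: {p}" for p in check_soa(soa)]
    if len(set(serials.values())) > 1:  # zone not in sync across the NS set
        problems.append(f"serial mismatch across name servers: {serials}")
    return problems

# Constructed answers: two in-sync servers, one lagging secondary, one empty reply.
GOOD = "ns1.example.com. hostmaster.example.com. 2013081400 7200 1800 1209600 300"
SAMPLE = {
    "ns1.example.com.": GOOD,
    "ns2.example.com.": GOOD,
    "ns3.example.com.": GOOD.replace("2013081400", "2013081300"),
    "ns4.example.com.": "",
}

if __name__ == "__main__":
    for problem in check_zone(SAMPLE):
        print(problem)
```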