On Thu, May 22, 2003 at 11:49:25AM -0400, Edward Lewis wrote:
> For educational purposes, I'd like to ask about some of the errors/warnings as listed. I'll try to stay away from tool-specific suggestions, as this isn't the list for your tool.
>
> At 17:37 +0200 5/22/03, Stephane D'Alu wrote:
>> Here is the list of tests available in the ZoneCheck v2 tool, with the severity (Fatal/Warning) that is used in the configuration file to check domains in .fr before accepting the delegation.
>>
>> Severity        Test
>> (Fatal/warning)
>> F               dash ('-') at start or beginning of domain name
>
> According to 1035, that is legal. Or do you mean a - at the beginning of a hostname?

In fact the test checks for a '-' at the beginning or at the end of a label, as suggested in the grammar of 1035.

>> F               illegal symbols in domain name (RFC1034)
>
> I don't think there are any - in a 'domain' name. Yes, in a host name.

Test that all characters are in the set [a-z0-9\-].

>> W               ICMP answer
>
> I don't know that this is a concern of DNS - what the other protocols can or can't do.

Agree, this is not directly DNS related (so it is only a warning), but it could sometimes give you a hint on what is wrong.

>> W               nameserver addresses are all on the same subnet (RFC2182)
>
> The problem with this test is the rise of anycast. It's harder to determine remotely if servers are all on the same subnet.

I don't think there are many anycast servers for now, but the heuristic used to determine the subnet makes it already a policy issue :( And I fear that the rise of anycast servers will make it really difficult to check the consistency of the different servers for a zone.

>> W               delegated domain is not an openrelay
>> W               domain of the hostmaster email is not an openrelay
>
> That's beyond DNS. A real concern, but if I just want to test DNS, then I don't want to do those tests.

That was the point of having lists with different degrees of 'completeness': you consider (with a RIR point of view) that a minimal set of tests is enough to check the 'reachability of a zone', we consider (with a ccTLD point of view) that these tests should be part of a 'good configuration', but I'm sure that different RIRs or ccTLDs could have intermediate preferences. We could provide different lists of tests, where the degree of completeness increases.

>> W               SOA 'minimum' less than 3 hours
>> W               SOA 'refresh' at least 6 hours
>> W               SOA 'retry' at least 1 hour
>
> I would think that these are policy dependent - sometimes shortened numbers are a good thing - if you are willing to pay the performance price.

These tests are only marked as 'Warning', due to the fact that if you really know what you are doing you could want to go beyond the recommended values. I would like to say that having some tests with a warning severity makes them serve the purpose of a reminder, and that doesn't hurt, as people knowing what they are doing will just consider it as a warning and others will be grateful for the hint.

>> W               serial number of the form YYYYMMDDnn (RFC1912)
>
> With the advent of dynamic update, the last is no longer recommended.

I'll see if there is a way to make an improved test on the serial number (or retire the test otherwise).

Sincerely,
-- 
Stephane D'Alu -- AFNIC
http://zonecheck.nic.fr/v2/  Check your domain name
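The name-syntax and SOA tests discussed in this thread, as an added Python example that is not ZoneCheck's own code: each test name is read as the condition that must hold, so a finding is reported when it is violated; the label rules, the 3h/6h/1h thresholds and the YYYYMMDDnn serial form come from the list above, and the function names and message texts are assumptions.

```python
import re
from datetime import datetime

# Label character set from the thread: [a-z0-9-] (RFC1034 hostname grammar).
LABEL_CHARS = re.compile(r'^[a-z0-9-]+$')


def check_domain_name(name):
    """Return (severity, message) findings for the name-syntax tests.

    Names are lowercased and a trailing dot is ignored before splitting
    into labels; each label is checked independently.
    """
    findings = []
    for label in name.lower().rstrip('.').split('.'):
        if not label:
            findings.append(('F', 'empty label in %r' % name))
            continue
        if not LABEL_CHARS.match(label):
            findings.append(('F', 'illegal symbols in label %r (RFC1034)' % label))
        # The thread clarifies the dash test applies per label, at either end.
        if label.startswith('-') or label.endswith('-'):
            findings.append(('F', "dash ('-') at start or end of label %r" % label))
    return findings


def serial_is_yyyymmddnn(serial):
    """True if the serial is ten digits whose first eight are a valid date."""
    s = '%d' % serial
    if len(s) != 10:
        return False
    try:
        datetime.strptime(s[:8], '%Y%m%d')
    except ValueError:
        return False
    return True


def check_soa(minimum, refresh, retry, serial):
    """Warnings for the SOA timing and serial heuristics (values in seconds)."""
    findings = []
    if minimum >= 3 * 3600:          # test: 'minimum' less than 3 hours
        findings.append(('W', "SOA 'minimum' not less than 3 hours"))
    if refresh < 6 * 3600:           # test: 'refresh' at least 6 hours
        findings.append(('W', "SOA 'refresh' less than 6 hours"))
    if retry < 3600:                 # test: 'retry' at least 1 hour
        findings.append(('W', "SOA 'retry' less than 1 hour"))
    if not serial_is_yyyymmddnn(serial):
        findings.append(('W', 'serial number not of the form YYYYMMDDnn (RFC1912)'))
    return findings
```

As Edward notes, the serial test is only a heuristic; zones maintained by dynamic update legitimately fail it, which is why it is a warning and not fatal.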