Re: [dns-wg] lameness and unreachability
"Ed" == Edward Lewis <edlewis@arin.net> writes:
>> W ICMP answer

Ed> I don't know that this is a concern of DNS - what the other
Ed> protocols can or can't do.

Indeed. In fact checking for ICMP responses may give false positives. It's likely some good name servers will be behind firewalls or routers that don't allow ICMP through.

>> W nameserver addresses are all on the same subnet (RFC2182)

Ed> The problem with this test is the rise of anycast. It's
Ed> harder to determine remotely if servers are all on the same
Ed> subnet.

True, but it's easy to accommodate the relatively small number of anycast servers and operators.

>> W delegated domain is not an openrelay
>> W domain of the hostmaster email is not an openrelay

Ed> That's beyond DNS. A real concern, but if I just want to test
Ed> DNS, then I don't want to do those tests.

I agree. Checking and suppressing open relays is a Noble Thing. But it's orthogonal to whether some domain has been set up correctly on decent DNS infrastructure.
On Saturday, May 24, 2003, at 12:25 Europe/Stockholm, Jim Reid wrote:
>>> W domain of the hostmaster email is not an openrelay
>
> Ed> That's beyond DNS. A real concern, but if I just want to test
> Ed> DNS, then I don't want to do those tests.
>
> I agree. Checking and suppressing open relays is a Noble Thing. But it's orthogonal to whether some domain has been set up correctly on decent DNS infrastructure.
What I do is to check that the email address "works":

- Look up all MX for the domain in SOA email (or all A for SOA email)
- Look up all A records for each MX
- Look up all IP addresses for each A
- Try to connect to port 25 for every A (every A must respond, but only one IP address per A)
- Try EHLO and email address -> Warning if this doesn't work, fall back to HELO
- Send empty envelope from address -> Warning if this doesn't work, fall back to use some email address (the one in the settings)
- Send rcpt to: email address in SOA -> ERROR if this is not resulting in a 2xx response

I personally find this being part of "correct DNS configuration", i.e. I only see "ERRORS" being needed to be fixed.

paf
At 5:52 PM +0200 2003/05/24, Patrik Fältström wrote:
> - Look up all A records for each MX
> - Look up all IP addresses for each A
> - Try to connect to port 25 for every A (every A must respond, but only one IP address per A)
A records *are* IP addresses. Do you mean reverse lookups?

-- 
Brad Knowles, <brad.knowles@skynet.be>

"They that can give up essential liberty to obtain a little temporary safety deserve neither liberty nor safety."
-Benjamin Franklin, Historical Review of Pennsylvania.
On Saturday, May 24, 2003, at 22:21 Europe/Stockholm, Brad Knowles wrote:
> At 5:52 PM +0200 2003/05/24, Patrik Fältström wrote:
>
>> - Look up all A records for each MX
>> - Look up all IP addresses for each A
>> - Try to connect to port 25 for every A (every A must respond, but only one IP address per A)
>
> A records *are* IP addresses. Do you mean reverse lookups?
Grrr....it was very much evening when I wrote it. The above doesn't make sense. What I do is:

(1) Query for all MX records, and get back domain names
(2) Query for all A records for every domain name
(3) Try to connect to port 25 for every domain name one has

I.e. "look up all A records for each MX" means "gather all domain names from all MX records". Yes, I know it didn't make any sense. Sorry.

The code is available at http://dnscheck.paf.se/

paf
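The mailbox probe Patrik describes (EHLO with HELO fallback, empty envelope sender with fallback, RCPT TO must answer 2xx, warnings versus errors), written out as an added example in Python; this is not the dnscheck.paf.se code. It assumes the caller has already resolved the MX hosts (steps 1 and 2), derives the mailbox from the SOA RNAME, and takes the SMTP transport as a callable so the dialogue can be exercised against a constructed, scripted server without network access.

```python
import smtplib

def rname_to_email(rname):
    """SOA RNAME (RFC 1035 mailbox form) -> e-mail address: the first
    unescaped '.' separates local part from domain; '\\.' stays a dot."""
    local, i = [], 0
    while i < len(rname):
        ch = rname[i]
        if ch == "\\" and i + 1 < len(rname):        # escaped character
            local.append(rname[i + 1]); i += 2; continue
        if ch == ".":
            return "".join(local) + "@" + rname[i + 1:].rstrip(".")
        local.append(ch); i += 1
    return "".join(local)                            # no dot: not a mailbox

def verify_mailbox(email, talk, fallback_sender, helo_name="probe.example"):
    """One SMTP session. talk(command) sends a command and returns the reply
    code. Returns WARNING/ERROR strings; empty list means the address works."""
    findings = []
    if talk(f"EHLO {helo_name}") != 250:
        findings.append("WARNING: EHLO rejected, falling back to HELO")
        if talk(f"HELO {helo_name}") != 250:
            findings.append("ERROR: HELO rejected, cannot test mailbox")
            return findings
    if talk("MAIL FROM:<>") != 250:
        findings.append("WARNING: empty envelope sender rejected, using fallback sender")
        if talk(f"MAIL FROM:<{fallback_sender}>") != 250:
            findings.append("ERROR: fallback envelope sender rejected")
            return findings
    code = talk(f"RCPT TO:<{email}>")
    if not 200 <= code < 300:
        findings.append(f"ERROR: RCPT TO <{email}> answered {code}")
    talk("RSET")                  # probe only: never send DATA
    return findings

def verify_over_network(email, mx_host, fallback_sender):
    """Real transport: one TCP session to port 25 of an already-resolved MX host."""
    with smtplib.SMTP(mx_host, 25, timeout=15) as conn:
        return verify_mailbox(email, lambda cmd: conn.docmd(cmd)[0], fallback_sender)

class ScriptedServer:
    """Constructed stand-in for an MX: rules are (command prefix, reply code),
    first match wins, anything unmatched is accepted with 250."""
    def __init__(self, rules):
        self.rules, self.log = rules, []
    def __call__(self, command):
        self.log.append(command)
        for prefix, code in self.rules:
            if command.startswith(prefix):
                return code
        return 250
```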