[conspire] Make DNS functional before sending the public to it

Rick Moen rick at linuxmafia.com
Tue Apr 2 13:40:50 PDT 2013


Quoting Ruben Safir (ruben at mrbrklyn.com):

> I think it is all fixed...

Checking.

Domain 1 of 6, mrbrklyn.com

rmoen at borgia:~$ whois mrbrklyn.com | grep 'Name Server'
   Name Server: NAMED1.TMM.NET
   Name Server: NS1.LINUXMAFIA.COM
   Name Server: WWW2.MRBRKLYN.COM
rmoen at borgia:~$ dig -t soa mrbrklyn.com. @NAMED1.TMM.NET +short

   Uh oh.  Something's amiss.  Let's omit '+short' to see more detail.

rmoen at borgia:~$ dig -t soa mrbrklyn.com. @NAMED1.TMM.NET 

; <<>> DiG 9.7.3 <<>> -t soa mrbrklyn.com. @NAMED1.TMM.NET
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 51561
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
;; WARNING: recursion requested but not available

;; QUESTION SECTION:
;mrbrklyn.com.                  IN      SOA

;; Query time: 46 msec
;; SERVER: 184.172.50.89#53(184.172.50.89)
;; WHEN: Tue Apr  2 13:13:40 2013
;; MSG SIZE  rcvd: 30

rmoen at borgia:~$ 

   There you have it:  'status: REFUSED'   That's bad.  It means 
   the nameserver in question doesn't agree that it's supposed to be
   authoritative for domain mrbrklyn.com., and is refusing queries.

Important:  You should _always_ verify that a nameserver is actually
serving up a domain's zone data _before_ making it authoritative at the
registrar.  Always.  Never the other way.

root at borgia:/usr/isos# dig -t soa mrbrklyn.com. @NS1.LINUXMAFIA.COM +short
www2.mrbrklyn.com. ruben.www2.mrbrklyn.com. 2013040202 43200 3600 2419200 86400
root at borgia:/usr/isos# dig -t soa mrbrklyn.com. @WWW2.MRBRKLYN.COM +short
www2.mrbrklyn.com. ruben.www2.mrbrklyn.com. 2013040202 43200 3600 2419200 86400
root at borgia:/usr/isos#

   So, in short, 1/3 of all public queries for that domain are currently
   being _refused_.

Domain 2 of 6, nylxs.com:  Same story
Domain 3 of 6, nylxs.org:  Same story
Domain 4 of 6, brooklyn-living.com:  Same story
Domain 5 of 6, freedom-it.org:  Same story
Domain 6 of 6, coinhangout.com:  Same story.

_Always_ verify that a nameserver is actually serving up a domain's zone
data _before_ making it authoritative at the registrar.  Always.  Never
the other way.
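
The pre-delegation check urged above, as an added example that is not part of the original post: each candidate nameserver is queried directly for the zone's SOA, and the result passes only if every server answers authoritatively with the same serial. The function names `classify_soa_reply` and `check_delegation` and the verdict strings are hypothetical; only standard `dig` options are used.

```shell
#!/bin/sh
# Added example, not from the original post. Function names are hypothetical.

# Read full `dig -t soa` output (not +short) on stdin and print one verdict:
#   OK <serial>     NOERROR, authoritative (aa flag), SOA in the answer section
#   REFUSED         server does not consider itself responsible for the zone
#   LAME <status>   answered, but not authoritatively or without an SOA
#   NO-RESPONSE     no DNS header seen at all (timeout, unreachable)
classify_soa_reply() {
    awk '
        /->>HEADER<<-/ {
            for (i = 1; i < NF; i++)
                if ($i == "status:") { status = $(i + 1); sub(/,$/, "", status) }
        }
        /^;; flags:/             { split($0, p, ";"); aa = (p[3] ~ /(^| )aa( |$)/) }
        /^;; ANSWER SECTION:/    { in_answer = 1; next }
        /^$/                     { in_answer = 0 }
        in_answer && $4 == "SOA" { serial = $7 }
        END {
            if (status == "")             print "NO-RESPONSE"
            else if (status == "REFUSED") print "REFUSED"
            else if (status != "NOERROR" || !aa || serial == "") print "LAME " status
            else                          print "OK " serial
        }'
}

# Query every candidate nameserver directly. Returns 0 only if all of them are
# authoritative and agree on the SOA serial. Run BEFORE editing the registrar's NS list.
check_delegation() {
    domain=$1; shift
    rc=0; want=
    for ns in "$@"; do
        verdict=$(dig +norecurse +time=3 +tries=1 -t soa "$domain" "@$ns" 2>/dev/null |
                  classify_soa_reply)
        printf '%-22s %s\n' "$ns" "$verdict"
        case $verdict in
            OK\ *) serial=${verdict#OK }
                   if [ -z "$want" ]; then want=$serial
                   elif [ "$serial" != "$want" ]; then echo "  serial differs from $want"; rc=1
                   fi ;;
            *)     rc=1 ;;
        esac
    done
    return "$rc"
}

# Usage: check_delegation mrbrklyn.com. NAMED1.TMM.NET NS1.LINUXMAFIA.COM WWW2.MRBRKLYN.COM
```

A nonzero exit status means at least one listed server would refuse or mishandle public queries if delegated as-is.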






