[conspire] (forw) Re: Domain registrars

Rick Moen rick at linuxmafia.com
Thu Dec 24 18:54:46 PST 2015


Quoting Nick Moffitt (nick at zork.net):

> I stay with Gandi for the simple reason that every organisation I trust
> to make a careful decision when choosing registrars is still with them.
> Most notably the FSF and EFF are both still managed by Gandi.

Seems like sound logic, to me.

It's unfortunate that people like my friends wait until they are in a
crisis situation before asking for basic advice about registrars and
domain administration.  Their waiting until two days before expiration
to think about the matter was particularly ironic, because 'don't let
your domain get close to expiration' would be my top suggestion.



FWIW, I notice these things about zork.net you might consider fixing:

1.  Only two auth nameservers in parent .net zone (shown by WHOIS).
RFC2182 section 5 recommends minimum 3, maximum 7.

$ dig -t ns zork.net @g.gtld-servers.net. +nocmd +noidentify +nocomments +nostats +noqr +noquestion
zork.net.               172800  IN      NS      ns.zork.net.
zork.net.               172800  IN      NS      ns.tastytronic.net.
ns.zork.net.            172800  IN      A       70.85.129.199
ns.tastytronic.net.     172800  IN      A       24.179.234.238
$ whois zork.net | grep -i 'name server'
   Name Server: NS.TASTYTRONIC.NET
   Name Server: NS.ZORK.NET
Name Server: NS.ZORK.NET
Name Server: NS.TASTYTRONIC.NET
Name Server: 
Name Server: 
Name Server: 
Name Server: 
Name Server: 
Name Server: 
Name Server: 
Name Server: 
$ 


2.  The lists of NS hosts published in-zone and at parent zone don't match.
There are four nameservers declared for zork.net at parent zone net.'s
nameservers, vs. two in-zone at your authoritative nameservers.  The two
undefined in the parent zone are what are called 'lame nameservers'.

$ dig -t ns zork.net @NS.ZORK.NET. +nocmd +noidentify +nocomments +nostats +noqr +noquestion
zork.net.               43200   IN      NS      ns.zork.net.
zork.net.               43200   IN      NS      zork.net.
zork.net.               43200   IN      NS      tastytronic.net.
zork.net.               43200   IN      NS      backup.samurai.com.
ns.zork.net.            43200   IN      A       70.85.129.199
zork.net.               43200   IN      A       70.85.129.199
tastytronic.net.        600     IN      A       24.179.234.238
$


However, there are other problems: zork.net is actually the same as
ns.zork.net, and backup.samurai.com doesn't respond to queries.  Both should
be removed, it looks to me.

If you want two additional secondaries, I can provide.


3.  Both of your nameservers respond to public queries about their
software versions.  You might want to either cut that off or make them
return something amusingly wrong.

$ dig -t txt -c CHAOS version.bind @ns.zork.net. +short
"9.9.5-3ubuntu0.6-Ubuntu"
$ dig -t txt -c CHAOS version.bind @tastytronic.net. +short
"9.9.5-3ubuntu0.6-Ubuntu"
$

I've always liked Aaron T. Porter's implementation:

$ dig -t txt -c CHAOS version.bind @ns1.thecoop.net. +short
"Puddin Tane, ask me again, I'll tell you the same."
$

But, as a fan of the movie Airplane, I do:

$ dig -t txt -c CHAOS version.bind @ns1.linuxmafia.com +short
"Shirley, you're joking"
$

In BIND, you do that by putting something like this in the Options
stanza:

version     "Shirley, you're joking";


4.  Some of your SOA settings are misadjusted.  You have:

Serial #: 2015072600 
Refresh: 3600 
Retry: 3600 
Expire: 604800 
Minimum: 3600

Retry needs to be less than or equal to half of REFRESH.
RFC1912 suggests expire be between 1209600 and 2419200.


5.  You might consider adding a TXT-type SPF record.
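The delegation and SOA checks from items 1, 2 and 4 above, applied to the dig output quoted in this message. This is an added example, not part of the original post; the sample input is copied from the answers shown above and embedded so the script runs offline.

```python
"""Sanity-check DNS delegation (RFC 2182) and SOA timers (RFC 1912).

Added example; the dig answers below are constructed from those quoted
in the message, so no network access is needed.
"""
import re

# Constructed from the parent-zone (.net) and in-zone dig answers above.
PARENT_NS_OUTPUT = """\
zork.net.               172800  IN      NS      ns.zork.net.
zork.net.               172800  IN      NS      ns.tastytronic.net.
"""
CHILD_NS_OUTPUT = """\
zork.net.               43200   IN      NS      ns.zork.net.
zork.net.               43200   IN      NS      zork.net.
zork.net.               43200   IN      NS      tastytronic.net.
zork.net.               43200   IN      NS      backup.samurai.com.
"""

RR_RE = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+(\S+)\s+(\S+)$")

def parse_ns(dig_output):
    """Return NS targets (lower-cased, trailing dot removed) from dig answer lines."""
    names = set()
    for line in dig_output.splitlines():
        m = RR_RE.match(line.strip())
        if m and m.group(3) == "NS":
            names.add(m.group(4).lower().rstrip("."))
    return names

def delegation_findings(parent, child):
    """Compare parent and in-zone NS sets; RFC 2182 section 5 wants 3 to 7 at the parent."""
    findings = []
    if not 3 <= len(parent) <= 7:
        findings.append(f"parent lists {len(parent)} NS; RFC 2182 recommends 3 to 7")
    for host in sorted(child - parent):
        findings.append(f"{host} is in-zone only (not delegated by parent)")
    for host in sorted(parent - child):
        findings.append(f"{host} is delegated by parent but missing in-zone")
    return findings

def soa_findings(refresh, retry, expire):
    """Apply the timer rules of thumb from the post: retry <= refresh/2, expire in RFC 1912 range."""
    findings = []
    if retry > refresh / 2:
        findings.append(f"retry {retry} exceeds half of refresh {refresh}")
    if not 1209600 <= expire <= 2419200:
        findings.append(f"expire {expire} outside 1209600..2419200")
    return findings
```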