[conspire] DNS ... data, requirements/recommendations, registrars & requirements, etc.

Michael Paoli Michael.Paoli at cal.berkeley.edu
Mon Mar 19 06:28:54 PDT 2018


> Date: Tue, 4 Apr 2017 18:15:55 -0700
> From: Rick Moen <rick at linuxmafia.com>
> To: conspire at linuxmafia.com
> Subject: Re: [conspire] Internet Privacy: today's vote and measures to take
> Message-ID: <20170405011555.GP6577 at linuxmafia.com>
> Content-Type: text/plain; charset=utf-8

> And last, the management of the domains themselves (at the registrars)
> has a bunch of best-practices constraints that closely tie in to the
> DNS.  And this isn't well documented in a single place, let alone my
> magazine articles, either.

As for much of the DNS data bits, I have my "cheat sheet" for the bits
I'm most likely to not fully remember ... list probably isn't fully
up-to-date, but probably the most commonly useful bit is towards the end:

$  ls -l RFCs_and_recommendations; cat RFCs_and_recommendations
-rw------- 1 root bind 1184 Oct 29  2016 RFCs_and_recommendations
;RFCs:
1034 http://www.ietf.org/rfc/rfc1034.txt
1035 http://www.ietf.org/rfc/rfc1035.txt
1123 http://www.ietf.org/rfc/rfc1123.txt
1591 http://www.ietf.org/rfc/rfc1591.txt
2181 http://www.ietf.org/rfc/rfc2181.txt
2308 http://www.ietf.org/rfc/rfc2308.txt
2536 http://www.ietf.org/rfc/rfc2536.txt
3110 http://www.ietf.org/rfc/rfc3110.txt
3226 http://www.ietf.org/rfc/rfc3226.txt
3658 http://www.ietf.org/rfc/rfc3658.txt
4034 http://www.ietf.org/rfc/rfc4034.txt
4035 http://www.ietf.org/rfc/rfc4035.txt
4641 http://www.ietf.org/rfc/rfc4641.txt
4648 http://www.ietf.org/rfc/rfc4648.txt
4697 http://www.ietf.org/rfc/rfc4697.txt
5011 http://www.ietf.org/rfc/rfc5011.txt
5933 http://www.ietf.org/rfc/rfc5933.txt
6605 http://www.ietf.org/rfc/rfc6605.txt

Recommendations (requirements for some):
NS matched between glue/authority and zone
NS TTL - recommended same as authority TTL
SOA TTL match to NS TTL
MNAME - master
RNAME - working email
SERIAL YYYYMMDDnn (recommended) or unsigned 32-bit int (required)
REFRESH 3600 - 86400 (1h - 1d)
RETRY 900 - 28800 (3m - 8h) between 1/8 and 1/3 of REFRESH
EXPIRY 604800 - 3600000 (1w - 1000h (5w6d16h))
MINIMUM Negative Cache TTL 180 - 86400 (3m-1d)

Also, among all the registrars I've ever dealt with, the one
that seemed to have the most persnickety of requirements was
the de registrar.  Meet all their requirements (notwithstanding
any de geographic location requirements), and one is probably in
good shape DNS-wise for most any registrar:
https://www.denic.de/fileadmin/public/documentation/DENIC-23p_EN.pdf
... and in peeking over it presently, looks like they've updated and
added a pretty good section on DNSSEC too.
Anyway, yeah, ... with the de registrar, they won't put in the DNS
records to delegate until your to-be-delegated-to DNS is up to snuff
with their requirements and testing.  Many/most other registrars are
much more lax on that - e.g. one puts in the names/IPs for DNS servers,
and much of anything beyond that they mostly consider to be *your*
problem, not theirs ... but does vary quite a bit from registrar
to registrar.  E.g. many won't accept into configuration if the
TTLs for the NS records for your domain are too low.
Don't know if it's still the case, but I recall from much earlier,
in DE, if you bought a new bicycle, it came equipped with built-in
light, and fenders attached ... as required by law.
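The rules of thumb in the cheat sheet above are easy to turn into a pre-delegation self-check, which is roughly what a strict registrar runs before it will put the NS records in. The script below is an added example and is not code from the original post or from any registrar; it takes the cheat sheet's numeric bounds literally as seconds, encodes the "NS matched between glue/authority and zone", "SOA TTL match to NS TTL", SERIAL, RNAME and timer rules, and runs them over a constructed sample zone (the names and values are made up, not captured from any real domain).

```python
"""Offline checker for the SOA/NS rules of thumb in the cheat sheet above.

Added example, not part of the original post.  The numeric bounds are the
cheat sheet's values taken as seconds; the sample data at the bottom is
constructed, not captured from a real domain.
"""
from dataclasses import dataclass
from datetime import date


@dataclass
class SOA:
    """SOA fields plus the TTL the record was served with."""
    mname: str
    rname: str
    serial: int
    refresh: int
    retry: int
    expire: int
    minimum: int
    ttl: int


def rname_to_email(rname: str) -> str:
    """RNAME -> mailbox: the first unescaped '.' becomes '@' (RFC 1035 3.3.13),
    an escaped '\\.' stays a literal dot in the local part."""
    local = []
    i = 0
    while i < len(rname):
        c = rname[i]
        if c == "\\" and i + 1 < len(rname):     # escaped character
            local.append(rname[i + 1])
            i += 2
        elif c == ".":                           # first unescaped dot
            return "".join(local) + "@" + rname[i + 1:].rstrip(".")
        else:
            local.append(c)
            i += 1
    raise ValueError("RNAME has no domain part: %r" % rname)


def serial_is_dated(serial: int) -> bool:
    """True when the serial is YYYYMMDDnn with a real calendar date."""
    s = str(serial)
    if len(s) != 10:
        return False
    try:
        date(int(s[0:4]), int(s[4:6]), int(s[6:8]))
    except ValueError:
        return False
    return True


def check_soa(soa: SOA, ns_ttl: int) -> list:
    """Return the list of findings; an empty list means every rule is met."""
    f = []
    if not 0 <= soa.serial <= 0xFFFFFFFF:
        f.append("SERIAL must be an unsigned 32-bit integer (required)")
    elif not serial_is_dated(soa.serial):
        f.append("SERIAL is not in YYYYMMDDnn form (recommended)")
    if "@" in soa.rname:
        f.append("RNAME must be a domain name, not an address containing '@'")
    if soa.ttl != ns_ttl:
        f.append("SOA TTL %d does not match NS TTL %d" % (soa.ttl, ns_ttl))
    if not 3600 <= soa.refresh <= 86400:
        f.append("REFRESH %d outside 3600-86400" % soa.refresh)
    if not 900 <= soa.retry <= 28800:
        f.append("RETRY %d outside 900-28800" % soa.retry)
    if not soa.refresh / 8 <= soa.retry <= soa.refresh / 3:
        f.append("RETRY %d not between 1/8 and 1/3 of REFRESH %d"
                 % (soa.retry, soa.refresh))
    if not 604800 <= soa.expire <= 3600000:
        f.append("EXPIRY %d outside 604800-3600000" % soa.expire)
    if not 180 <= soa.minimum <= 86400:
        f.append("MINIMUM %d outside 180-86400" % soa.minimum)
    return f


def check_delegation(parent_ns, child_ns) -> dict:
    """Compare the NS set the parent delegates to with the zone's own NS set
    (case- and trailing-dot-insensitive); both lists empty means they match."""
    norm = lambda names: {n.lower().rstrip(".") for n in names}
    p, c = norm(parent_ns), norm(child_ns)
    return {"only_in_parent": sorted(p - c), "only_in_zone": sorted(c - p)}


# Constructed sample zones (hypothetical names and values).
BAD = SOA("ns1.example.net.", "hostmaster.example.net.", 2018031901,
          refresh=1800, retry=300, expire=604800, minimum=3600, ttl=86400)
GOOD = SOA("ns1.example.net.", "hostmaster.example.net.", 2018031901,
           refresh=86400, retry=14400, expire=3600000, minimum=3600, ttl=172800)

if __name__ == "__main__":
    for name, soa in (("BAD", BAD), ("GOOD", GOOD)):
        print(name, check_soa(soa, ns_ttl=172800) or ["ok"])
    print(check_delegation({"ns1.example.net.", "ns2.example.net."},
                           {"NS1.example.net", "ns3.example.net"}))
```

Feed it the SOA and NS data from `dig +norecurse` against the parent's servers and against your own, and run it before asking a registrar to delegate; the two sets the delegation check compares are exactly the "glue/authority" and "zone" NS sets the cheat sheet wants matched.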
