[sf-lug] SF-LUG DNS

Rick Moen rick at linuxmafia.com
Sat Nov 14 01:22:51 PST 2009


I wrote:

> Hey, attention, guys:  You need to closely coordinate with your DNS
> secondaries' sysadmins whenever you move your domain's master DNS to a
> different IP.

Let me elaborate on that, for a moment.

I'm guessing you guys moved the master nameserver for domain sf-lug.com
without bothering to coordinate with your secondary.  Of the two IPs in
your authoritative nameservers list (what "whois" returns and is in the
parent zone's glue records), one (the master) doesn't respond at all to
queries:

$ dig -t soa sf-lug.com @208.96.15.252 +short
;; connection timed out; no servers could be reached
$

One authoritative nameserver (the secondary) does respond, but has been
unable to get updates since Wednesday:

$ dig -t soa sf-lug.com @198.144.195.186 +short
ns1.sf-lug.com. jim.well.com. 2007102904 3600 3600 1209600 10800
$

So, your domain's entire DNS nameservice is currently degraded to the
point where it's totally dependent on ONE MACHINE, which is among the
reasons why you should always have minimum three, maximum seven in
service.  

That secondary nameserver's data are going to expire on Wednesday,
November 25, 6:29 PM, unless you fix the currently broken situation, at
which point you will have no nameservice at all, in place of the current
perilously fragile nameservice.


So, NEVER move a domain's master nameserver to a new IP without
coordinating closely with all of your secondaries IN ADVANCE.  

It is also an extremely bad idea to list the same telephone number and
the same e-mail address for all contacts in a domain's whois record.
At bare minimum, you should make sure that the Administrative Contact
and the Technical Contact are different (and that neither's e-mail goes
through the domain in question -- SPoF risk).

You guys really should fix that, too.

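A check for the situation described in this message, added here as an example (it is not code from the original post): it parses the two `dig +short` answers quoted above, flags the silent master and the single remaining server, and computes when the surviving secondary will discard the zone from the SOA expire field. The last successful transfer time is an assumption chosen to match the expiry the message quotes.

```python
from datetime import datetime, timedelta
from typing import Dict, NamedTuple, Optional


class SOA(NamedTuple):
    mname: str
    rname: str
    serial: int
    refresh: int
    retry: int
    expire: int
    minimum: int


def parse_soa_short(output: str) -> Optional[SOA]:
    """Parse the answer of `dig -t soa <zone> @<server> +short`.
    Returns None when the server gave no answer: dig then prints only a
    ';;' diagnostic line (e.g. a timeout) instead of a record."""
    for line in output.splitlines():
        fields = line.strip().split()
        if not fields or fields[0].startswith(";") or len(fields) != 7:
            continue
        serial, refresh, retry, expire, minimum = (int(f) for f in fields[2:])
        return SOA(fields[0], fields[1], serial, refresh, retry, expire, minimum)
    return None


def zone_expiry(soa: SOA, last_refresh: datetime) -> datetime:
    """A secondary stops serving the zone once `expire` seconds have passed
    since its last successful refresh from the master (RFC 1035 SOA)."""
    return last_refresh + timedelta(seconds=soa.expire)


def assess(answers: Dict[str, str], last_refresh: datetime, now: datetime) -> dict:
    """answers maps nameserver IP -> raw `dig +short` output for that server."""
    parsed = {ip: parse_soa_short(out) for ip, out in answers.items()}
    responding = {ip: s for ip, s in parsed.items() if s is not None}
    report = {
        "responding": sorted(responding),
        "silent": sorted(set(parsed) - set(responding)),
        "serials_agree": len({s.serial for s in responding.values()}) <= 1,
        "single_point_of_failure": len(responding) == 1,
    }
    if responding:  # deadline after which even the last server goes dark
        deadline = zone_expiry(next(iter(responding.values())), last_refresh)
        report["expires_at"] = deadline
        report["seconds_left"] = int((deadline - now).total_seconds())
    return report


# Constructed sample: the two dig answers quoted in the message above.
DIG_OUTPUT = {
    "208.96.15.252": ";; connection timed out; no servers could be reached\n",
    "198.144.195.186": "ns1.sf-lug.com. jim.well.com. 2007102904 3600 3600 1209600 10800\n",
}
LAST_REFRESH = datetime(2009, 11, 11, 18, 29)  # assumed: last good transfer (Wed)
NOW = datetime(2009, 11, 14, 1, 22)           # timestamp of the message

if __name__ == "__main__":
    print(assess(DIG_OUTPUT, LAST_REFRESH, NOW))
```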