selenic.com DNS is broken (with suggestions to fix it)
Anders Bergh
anders1 at gmail.com
Sat Nov 2 10:30:30 CDT 2013
Hi,
I'm unable to resolve anything under selenic.com due to a couple of issues.
Issue #1:
There are two name servers listed: ns.waste.org, ns.urth.org. But only
ns.waste.org is authoritative for selenic.com!
Fix: make ns.urth.org authoritative for selenic.com (atm, it refuses
to respond).
Issue #2:
The NS record doesn't match "ns.urth.org"; it must match the parent zone (.com):
$ dig selenic.com ns @ns.waste.org
;; QUESTION SECTION:
;selenic.com. IN NS
;; ANSWER SECTION:
selenic.com. 1500 IN NS ns.waste.org.
selenic.com. 1500 IN NS urth.org.
Fix: update the NS record to point to ns.urth.org.
Issue #3:
ns.waste.org allows AXFR from anywhere (zone transfers).
$ dig selenic.com axfr @ns.waste.org
(outputs the entire selenic.com zone)
Fix: to only allow slaves to request AXFR in BIND, use:
acl slaves {
    192.0.2.1;
    2001:db8:face::beef;
};
options {
    allow-transfer { slaves; };
};
I used DNSCheck[1] to test the selenic.com zone.
[1] http://dnscheck.iis.se/?time=1383405069&id=3714373&view=basic&lang=en&test=standard
(I'm not subscribed to this ML, so please CC me if you reply)
--
Anders Bergh
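The two checks the mail performs by hand (comparing the parent's delegation with the child's apex NS set, and looking for an open allow-transfer policy) can be scripted so they run over captured output without touching the network. The following is an added example and is not part of the original message or of any Mercurial or DNSCheck code: the dig answer text and the BIND fragments are constructed to mirror what the mail quotes, and the function names (parse_ns_answer, delegation_mismatch, transfer_policy, axfr_is_open, report) are the example's own.

```python
"""Offline checks for the two delegation problems described in the mail:
parent/child NS set mismatch and an open allow-transfer policy."""
import re

# Constructed: the name servers the parent (.com) zone delegates to,
# as listed in the mail.
PARENT_NS = {"ns.waste.org.", "ns.urth.org."}

# Constructed: the child's answer as `dig selenic.com ns @ns.waste.org`
# prints it (same records as quoted in the mail).
CHILD_DIG_OUTPUT = """\
;; QUESTION SECTION:
;selenic.com.\t\t\tIN\tNS

;; ANSWER SECTION:
selenic.com.\t\t1500\tIN\tNS\tns.waste.org.
selenic.com.\t\t1500\tIN\tNS\turth.org.
"""

# Constructed BIND fragments: an open policy and the restricted one from the mail.
OPEN_CONF = "options {\n    allow-transfer { any; };\n};\n"
RESTRICTED_CONF = """\
acl slaves {
    192.0.2.1;
    2001:db8:face::beef;
};
options {
    allow-transfer { slaves; };
};
"""

NS_RR = re.compile(r"^(?P<owner>\S+)\s+(?P<ttl>\d+)\s+IN\s+NS\s+(?P<target>\S+)\s*$")
ALLOW_TRANSFER = re.compile(r"allow-transfer\s*\{([^}]*)\}", re.S)


def canonical(name):
    """Lower-case a domain name and ensure exactly one trailing dot."""
    return name.lower().rstrip(".") + "."


def parse_ns_answer(dig_output):
    """Return the set of NS targets found in dig output.
    Comment lines (starting with ';') and blank lines are skipped."""
    targets = set()
    for line in dig_output.splitlines():
        if not line or line.startswith(";"):
            continue
        m = NS_RR.match(line)
        if m:
            targets.add(canonical(m.group("target")))
    return targets


def delegation_mismatch(parent_ns, child_ns):
    """Compare the parent's delegation with the child's apex NS set.
    Returns (missing_in_child, extra_in_child); both empty means consistent."""
    parent = {canonical(n) for n in parent_ns}
    child = {canonical(n) for n in child_ns}
    return sorted(parent - child), sorted(child - parent)


def transfer_policy(named_conf):
    """Return the address-match elements of allow-transfer as a list,
    or None when the directive is absent from the fragment."""
    m = ALLOW_TRANSFER.search(named_conf)
    if not m:
        return None
    return [e.strip() for e in m.group(1).split(";") if e.strip()]


def axfr_is_open(named_conf):
    """True when the fragment either names 'any' in allow-transfer or sets
    no allow-transfer at all (so the server default decides, which should be
    treated as unrestricted until proven otherwise)."""
    policy = transfer_policy(named_conf)
    return policy is None or "any" in policy


def report(parent_ns, child_dig_output, named_conf):
    """Produce human-readable findings for both checks."""
    findings = []
    missing, extra = delegation_mismatch(parent_ns, parse_ns_answer(child_dig_output))
    for name in missing:
        findings.append(f"delegated NS {name} is not in the child's NS set")
    for name in extra:
        findings.append(f"child lists NS {name} that the parent does not delegate")
    if axfr_is_open(named_conf):
        findings.append("allow-transfer permits AXFR from any client")
    return findings


if __name__ == "__main__":
    for line in report(PARENT_NS, CHILD_DIG_OUTPUT, OPEN_CONF):
        print("FINDING:", line)
```

Running the script against the constructed inputs reports the same three problems the mail lists: ns.urth.org missing from the child's NS set, urth.org present in the child but not delegated, and AXFR open to everyone; swapping OPEN_CONF for RESTRICTED_CONF clears the last finding.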