Just checking on things, in the wake of the departure from Dreamhost.
1. We have three nameservers. This is in the recommended range, barely: RFC2182 section 5 recommends at least 3. RFC1912 section 2.8 recommends no more than 7.
If we have one or two more friends running auth nameservers, adding them would be gravy.
2. No glue records for one nameserver (ns1.linuxmafia.com), because it is out-of-bailiwick for the .org TLD nameservers. This means queries to it are just a little slower than to the other two for which glue information gets supplied.
If you want to fix that, assign my nameserver IP (198.144.195.186) the name NS2.BALUG.ORG in the domain record, removing the entry for NS1.LINUXMAFIA.COM. That fixes the glue records at the parent (.org) zone. And then don't forget to make the same switch in the in-zone records served at master nameserver NS1.BALUG.ORG.
3. Information leakage. NS1.BALUG.ORG / 198.144.194.238 answers (correctly) CHAOS class queries about its version.
:r! dig version.bind txt chaos @NS1.BALUG.ORG +short
"9.9.5-9+deb8u14-Debian"
It'd be a good idea to turn this off. I like to return amusing lies, myself. My stanza in /etc/bind/named.conf.options :
options {
        directory "/var/cache/bind";
        version "Shirley, you're joking";
        hostname "ns1.linuxmafia.com";
        //server-id is essentially redundant to hostname, default is none
        //server-id none;
        auth-nxdomain no;    # conform to RFC1035
        allow-recursion { [redacted] };
        allow-query { [redacted] };
        dnssec-validation yes;
};
Other than that, it looks good.
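The version.bind check from item 3, as an added example that is not part of the original message: it builds the same CHAOS-class TXT query that dig sends, parses the TXT answer, and flags a reply that looks like a real release number. The function names, the regex heuristic and the constructed sample reply are assumptions made for illustration; sending the query over UDP to your own nameserver is left out so the code runs offline.

```python
import re
import struct

CLASS_CH, TYPE_TXT = 3, 16

def encode_name(name):
    """Encode a dotted name as DNS labels (no compression)."""
    out = b"".join(bytes([len(p)]) + p.encode("ascii") for p in name.strip(".").split("."))
    return out + b"\x00"

def build_query(qid=0x1234, name="version.bind"):
    """Wire-format query equivalent to: dig version.bind txt chaos"""
    header = struct.pack("!HHHHHH", qid, 0x0000, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", TYPE_TXT, CLASS_CH)

def skip_name(msg, off):
    """Return the offset just past a (possibly compressed) name."""
    while msg[off] and msg[off] & 0xC0 != 0xC0:
        off += 1 + msg[off]
    return off + (2 if msg[off] else 1)   # pointer is 2 bytes, root label is 1

def parse_txt_answers(msg):
    """Return TXT strings from the answer section of a DNS response."""
    _, _, qd, an, _, _ = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4          # skip QTYPE and QCLASS
    texts = []
    for _ in range(an):
        off = skip_name(msg, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata, off = msg[off:off + rdlen], off + rdlen
        pos = 0
        while rtype == TYPE_TXT and pos < len(rdata):   # length-prefixed strings
            texts.append(rdata[pos + 1:pos + 1 + rdata[pos]].decode("ascii", "replace"))
            pos += 1 + rdata[pos]
    return texts

def leaks_version(txt):
    """Heuristic (assumption): a dotted release such as 9.9.5 counts as a leak."""
    return re.search(r"\b\d+\.\d+\.\d+", txt) is not None

def make_response(query, txt):
    """CONSTRUCTED sample reply for offline testing (not captured traffic)."""
    rdata = bytes([len(txt)]) + txt.encode("ascii")
    rr = b"\xc0\x0c" + struct.pack("!HHIH", TYPE_TXT, CLASS_CH, 0, len(rdata)) + rdata
    return query[:2] + struct.pack("!HHHHH", 0x8400, 1, 1, 0, 0) + query[12:] + rr
```
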