[BALUG-Admin] balug.org DNS review

Rick Moen rick@linuxmafia.com
Wed Sep 27 09:25:12 PDT 2017

Just checking on things, in the wake of the departure from Dreamhost.

1.  We have three nameservers.  This is in the recommended range,
barely:  RFC2182 section 5 recommends at least 3.  RFC1912 section 2.8
recommends no more than 7.

If we have one or two more friends running auth nameservers, adding them
would be gravy.

2.  No glue records for one nameserver (ns1.linuxmafia.com), because it
is out-of-bailiwick for the .org TLD nameservers.  This means queries to
it are just a little slower than to the other two for which glue
information gets supplied.

If you want to fix that, assign my nameserver IP ( the
name NS2.BALUG.ORG in the domain record, removing the entry for
NS1.LINUXMAFIA.COM.  That fixes the glue records at the parent (.org) zone.  
And then don't forget to make the same switch in the in-zone records 
served at master nameserver NS1.BALUG.ORG.

3.  Information leakage.  NS1.BALUG.ORG / answers
(correctly) CHAOS class queries about its version.

:r! dig version.bind txt chaos @NS1.BALUG.ORG +short

It'd be a good idea to turn this off.  I like to return amusing lies,
myself.  My stanza in /etc/bind/named.conf.options :

options {
        directory "/var/cache/bind";
        version     "Shirley, you're joking";
        hostname    "ns1.linuxmafia.com";
        //server-id is essentially redundant to hostname, default is none
        //server-id  none;
        auth-nxdomain no;    # conform to RFC1035
        allow-recursion {
        allow-query {
        dnssec-validation yes;

Other than that, it looks good.

More information about the BALUG-Admin mailing list