Test fails because it may be improperly testing an SOA that is unreachable. #73
Comments
|
|
The SOA is firewalled and only replies to our public caching DNS servers. The NS records for the domain are these public servers. This is to limit any load on the SOA nameserver. I agree with you that SOA is required and maybe a SERVFAIL type response is a good idea, but I'm not aware of a requirement that it -must- be available to the public. |
|
If you don't want the server to be queried do not list it in the NS records that you advertise to the public. The tool make a query for the NS records for the zone. Then the address records for each of the listed servers (A and AAAA). It then tests each of them. [beetle:~/git/bind9] marka% dig ns hueber-breuer.com ; <<>> DiG 9.13.1+hotspot+add-prefetch+marka <<>> ns hueber-breuer.com ;; OPT PSEUDOSECTION: ;; ANSWER SECTION: ;; ADDITIONAL SECTION: ;; Query time: 0 msec [beetle:~/git/bind9] marka% |
|
@marka63 You are totally right. We completely missed that it was in fact an NS record. Removed that NS record and the test passes. Thanks for your explanation. It's been a long day. |
Per test, https://ednscomp.isc.org/ednscomp/7cf253642c
We have an SOA that is not reachable publicly due to how we structure our DNS servers.
The SOA is not listed as an NS server, however this tool tests it anyways and reports it as a failure.
We are otherwise fully in compliance, yet we have one customer so far complaining about this thinking they will go offline tomorrow.
Any thoughts on this? Should the tool be modified to not test the SOA?
Matt
The text was updated successfully, but these errors were encountered: