Zonemaster.net - Domain check

I have found this website to check if my domain is set up properly, ran the check, and it has come up with a few issues.

I have run the test on ghandi.net and had only one issue with DS …

1] ADDRESS

2 ADDRESS NOTICE Nameserver ns1.box.domain.name has an IP address (123.123.123.123) with mismatched PTR result (box.domain.name.).
3 ADDRESS NOTICE Nameserver ns1.box.domain.namen has an IP address (2a01:abcd:10:9::99) with mismatched PTR result (box.domain.name.).

When I create a PTR record (3 PTR records for IPv4 and 3 for IPv6) for ns1.box.domain.name etc. then MIAB keeps complaining.

Your box’s reverse DNS is currently ns1.box.domain.name; ns2.box.domain.name; box.domain.name, but it should be box.domain.name. Your ISP or cloud provider will have instructions on setting up reverse DNS for your box.

Here are the PTR records:
box.domain.name. 1H IN IP6 reverse 2a01:abcd:10:9::99
box.domain.name. 1H IN IP4 reverse 123.123.123.123
ns1.box.domain.name. 1H IN IP6 reverse 2a01:abcd:10:9::99
ns1.box.domain.name. 1H IN IP4 reverse 123.123.123.123
ns2.box.domain.name. 1H IN IP6 reverse 2a01:abcd:10:9::99
ns2.box.domain.name. 1H IN IP4 reverse 123.123.123.123

So which setting is right? The one from zonemaster website, or the one from MIAB?

2] DELEGATION

6 DELEGATION ERROR IP 123.123.123.123 in parent refers to multiple nameservers (ns1.box.domain.name; ns2.box.domain.name).
7 DELEGATION ERROR IP 2a01:abcd:10:9::99 in parent refers to multiple nameservers (ns1.box.domain.name; ns2.box.domain.name).
8 DELEGATION ERROR IP 123.123.123.123 in child refers to multiple nameservers (ns1.box.domain.name; ns2.box.domain.name).
9 DELEGATION ERROR IP 2a01:abcd:10:9::99 in child refers to multiple nameservers (ns1.box.domain.name; ns2.box.domain.name).
10 DELEGATION ERROR IP 123.123.123.123 refers to multiple nameservers (ns1.box.domain.name; ns2.box.domain.name).
11 DELEGATION ERROR IP 2a01:abcd:10:9::99 refers to multiple nameservers (ns1.box.domain.name; ns2.box.domain.name).

This is in RED.
Is there any way to fix it?

3] DNSSEC
18 DNSSEC WARNING The DNSKEY with tag 10247 uses an algorithm number 7 (RSASHA1-NSEC3-SHA1) which is not recommended to be used.
19 DNSSEC WARNING The DNSKEY with tag 41334 uses an algorithm number 7 (RSASHA1-NSEC3-SHA1) which is not recommended to be used.
20 DNSSEC WARNING The DNSKEY with tag 10247 uses an algorithm number 7 (RSASHA1-NSEC3-SHA1) which is not recommended to be used.
21 DNSSEC WARNING The DNSKEY with tag 41334 uses an algorithm number 7 (RSASHA1-NSEC3-SHA1) which is not recommended to be used.
22 DNSSEC WARNING The DNSKEY with tag 10247 uses an algorithm number 7 (RSASHA1-NSEC3-SHA1) which is not recommended to be used.
23 DNSSEC WARNING The DNSKEY with tag 41334 uses an algorithm number 7 (RSASHA1-NSEC3-SHA1) which is not recommended to be used.
24 DNSSEC WARNING The DNSKEY with tag 10247 uses an algorithm number 7 (RSASHA1-NSEC3-SHA1) which is not recommended to be used.
25 DNSSEC WARNING The DNSKEY with tag 41334 uses an algorithm number 7 (RSASHA1-NSEC3-SHA1) which is not recommended to be used.

29 DNSSEC WARNING DNSKEY with tag 10247 and using algorithm 7 (RSASHA1-NSEC3-SHA1) has a size (1024) smaller than the recommended one (2048).
30 DNSSEC WARNING DNSKEY with tag 10247 and using algorithm 7 (RSASHA1-NSEC3-SHA1) has a size (1024) smaller than the recommended one (2048).
31 DNSSEC WARNING DNSKEY with tag 10247 and using algorithm 7 (RSASHA1-NSEC3-SHA1) has a size (1024) smaller than the recommended one (2048).
32 DNSSEC WARNING DNSKEY with tag 10247 and using algorithm 7 (RSASHA1-NSEC3-SHA1) has a size (1024) smaller than the recommended one (2048).

DNSSEC is beyond me, but it’s coming up with WARNING …

I am completely unimpressed with this ‘tool’ … read on.

PTR is irrelevant for name servers. There is no reason for this to be an issue.

Creating? How, where?

How have you managed to set 3 PTR records on one IP?

MiaB does everything consistently correctly.

Although this behavior is generally frowned upon, as MiaB is using a single IP and a single name server (thus being a single point of failure) there is no problem with this, though I highly encourage you to use secondary DNS. Please refer to the article that I will link at the bottom of this response.

Not recommended by whom?

This may be the sole issue here that the developers may want to look into a bit further, but again I suspect that this is another case of ‘recommended by whom’? @JoshData

To learn more about Secondary DNS and an example of how to set it up, read this article that I have written:

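An added example, not from either poster and not Zonemaster or Mail-in-a-Box code: the three findings discussed in this thread, reproduced offline over constructed records that reuse the thread's placeholder names, so it is visible which data each finding is derived from. The signing guidance table follows RFC 8624 section 3.1; the size of key 41334 and all function names are assumptions.

```python
import ipaddress
from collections import defaultdict

# Constructed records reusing the thread's placeholder names and addresses.
NS_ADDRS = {
    "ns1.box.domain.name.": ["123.123.123.123", "2a01:abcd:10:9::99"],
    "ns2.box.domain.name.": ["123.123.123.123", "2a01:abcd:10:9::99"],
}
# Reverse zone as MIAB expects it: every address points back at the box name.
PTR = {ipaddress.ip_address(a).reverse_pointer + ".": "box.domain.name."
       for a in ("123.123.123.123", "2a01:abcd:10:9::99")}
# (key tag, algorithm, bits); the size of key 41334 is an assumption.
DNSKEYS = [(10247, 7, 1024), (41334, 7, 2048)]

# Algorithms RFC 8624 section 3.1 discourages for DNSSEC signing.
DISCOURAGED = {1: "MUST NOT", 3: "MUST NOT", 5: "NOT RECOMMENDED",
               6: "MUST NOT", 7: "NOT RECOMMENDED", 10: "NOT RECOMMENDED",
               12: "MUST NOT"}
RSA_ALGS = {5, 7, 8, 10}
MIN_RSA_BITS = 2048  # threshold quoted in the Zonemaster output above

def shared_addresses(ns_addrs):
    """DELEGATION: addresses that more than one NS name resolves to."""
    by_ip = defaultdict(set)
    for ns, addrs in ns_addrs.items():
        for a in addrs:
            by_ip[str(ipaddress.ip_address(a))].add(ns)
    return {ip: sorted(n) for ip, n in by_ip.items() if len(n) > 1}

def ptr_mismatches(ns_addrs, ptr):
    """ADDRESS: NS addresses whose PTR target is not the NS name itself."""
    out = []
    for ns, addrs in sorted(ns_addrs.items()):
        for a in addrs:
            target = ptr.get(ipaddress.ip_address(a).reverse_pointer + ".")
            if target != ns:
                out.append((ns, a, target))
    return out

def dnskey_findings(keys):
    """DNSSEC: keys with a discouraged signing algorithm or a short RSA key."""
    out = []
    for tag, alg, bits in keys:
        if alg in DISCOURAGED:
            out.append((tag, f"algorithm {alg}: {DISCOURAGED[alg]}"))
        if alg in RSA_ALGS and bits < MIN_RSA_BITS:
            out.append((tag, f"RSA key {bits} bits < {MIN_RSA_BITS}"))
    return out

if __name__ == "__main__":
    for result in (shared_addresses(NS_ADDRS), ptr_mismatches(NS_ADDRS, PTR),
                   dnskey_findings(DNSKEYS)):
        print(result)
```

Pointing the PTR at ns1.box.domain.name. instead still leaves ns2 mismatched, because both names share the same two addresses.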