Stale MX Records

Kevin Darcy kcd at daimlerchrysler.com
Fri Jun 15 21:25:41 UTC 2001


Kris Haight wrote:

> > >>  - ns.mindsprung.net (208.176.94.126)
> > >>    does not answer authoritatively for firespout.com
> >
> >       In addition, it appears that this machine is running recursively
> > and caching, so there is the chance of cache pollution problems.
> > Worse, it appears that this machine is running BIND 8.2.2-P7, which
> > would mean that it is vulnerable to known attacks to gain root
> > privileges.  I would strongly encourage you to at least upgrade to
> > BIND 8.2.4-REL, if not 9.1.2-REL or the latest release candidate for
> > 9.1.3.
>
> I am aware of this exploit. I thought I fixed this. I guess I didn't. Will do
> it this weekend.
>
> As far as the caching... How do I fix this?

See my previous message. I don't think this has anything whatsoever to do with
caching or even bad delegations (although you have one of those). I think it's
just a simple case of braindead mailers sending to your domain's A record
instead of to the MX targets. Have you had a chance to verify whether this is
the case?

> > >  And how can I make it authoritative? I followed The O'Reilly Book DNS & BIND
> > >  to a T so now I am totally lost.
> >
> >       It's hard to say.  What is in the log files for this machine
> > about this zone?
>
> See my log cut and pastes below.
>
> > >>  - Default TTL in firespout.com's SOA is 1 hour, way too low
> > >
> > >  Recommendation? I am relatively new to DNS and I am learning as I go along.
> > >  I've had a home server setup for a while, but haven't had issues with it, so
> > >  this is a first for me.
> >
> >       Default TTLs for things like this should almost always be at
> > least a day, and possibly as large as a week.  You should only exceed
> > these values on one side or the other if you have a known reason that
> > you need/want to do so.
>
> Okay. Will Change This.
>
> > >>  Your REAL problem seems to be that chhost.com still thinks they
> > >>  are auth for firespout.com, thus giving out faulty records :
> > >>  > dig firespout.com mx @NS2.cihost.com.
> >
> >       From what I see, dns1.nhvt.net is a lame delegation
> > from the gTLD servers:
>
> Will Fix This.
>
>
> >
> >       This would also be a problem that needs to be fixed.  In
> > particular, the delegation records should be fixed at the
> > InterNIC/Network Solutions, so that only the appropriate nameservers
> > within mindsprung.net are referenced.
>
> firespout.com is registered with Register.Com (I didn't do this).
> Unfortunately their interface sucks and doesn't correctly list the primary
> and secondary servers in order.

Don't blame register.com: there is no meaningful order to be observed here.
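
The lame-delegation and recursion points raised in this thread can be checked per server from the header flags of a non-recursive SOA query. The following is an added example, not part of the original message: the server names, zone and dig header lines are constructed placeholders, and the classification rule (NOERROR plus the aa flag means authoritative) is this example's assumption.

```python
import re

STATUS_RE = re.compile(r"status:\s*(\w+)")
FLAGS_RE = re.compile(r"^;; flags:([^;]*);", re.MULTILINE)

# Constructed header lines in the format printed by
# `dig +norec SOA example.com @<server>`; names are placeholders.
RESPONSES = {
    "ns-good.example.net": (
        ";; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4821\n"
        ";; flags: qr aa; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 2\n"
    ),
    "ns-cache.example.net": (  # answers from cache: no aa, recursion on
        ";; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4822\n"
        ";; flags: qr ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0\n"
    ),
    "ns-old.example.net": (  # zone not loaded at all
        ";; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 4823\n"
        ";; flags: qr; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0\n"
    ),
}


def check_delegation(dig_output):
    """Classify one server's reply to a non-recursive SOA query."""
    status = STATUS_RE.search(dig_output)
    flags = FLAGS_RE.search(dig_output)
    if not status or not flags:
        # Timeout or unparseable output: the server cannot be counted on.
        return {"lame": True, "recursion_offered": False, "rcode": None}
    flagset = set(flags.group(1).split())
    rcode = status.group(1)
    return {
        # Authoritative means a successful answer with the aa bit set.
        "lame": not (rcode == "NOERROR" and "aa" in flagset),
        # ra set means the server also recurses for the client asking.
        "recursion_offered": "ra" in flagset,
        "rcode": rcode,
    }


def lame_servers(responses):
    """Return the delegated servers that should be fixed or dropped."""
    return sorted(n for n, out in responses.items()
                  if check_delegation(out)["lame"])


if __name__ == "__main__":
    for name, out in RESPONSES.items():
        print(name, check_delegation(out))
```

Run against every name server listed in the parent zone's delegation; any server reported lame should either load the zone or be removed from the delegation at the registrar.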

