Accuracy of DNSStuff reports

Kevin Darcy kcd at
Wed Nov 29 22:32:38 UTC 2006

Barry Margolin wrote:
> In article <ekgq85$2dbm$1 at>, Res <res at> wrote:
>> On Mon, 27 Nov 2006, Barry Margolin wrote:
>>> My personal bugaboo with DNSReport is the red FAIL it reports for open
>>> recursive servers.  While it's certainly a bad idea for authoritative
>> Actually I think it's a good idea, it alerts the admin who set it up they
>> are open to exploitation and abuse.
> So make it a warning.
> The problem is that it confuses OTHER people who are trying to 
> troubleshoot problems accessing the domain.  They see the big red FAIL 
> and think that it's due to the DNS misconfiguration.

I have to agree with Barry here. A site that is serving DNS flawlessly 
to its clients shouldn't get any FAILs on its "health check". If 
DNSStuff or any other "checker" wants to highlight a *security* problem, 
as opposed to a *functional* problem, such that it gets a high fix 
priority, then perhaps it should use a different term and/or different 
color, like INSECURE or EXPLOITABLE in purple or something like that. Or 
the format of the report could have a separate column for 
security-related factors. But showing a FAIL on a working site is just 
an open invitation to misunderstanding and confusion.

                                    - Kevin

More information about the bind-users mailing list