Checking on DNS secondaries

Mon May 23 09:34:55 PDT 2011

Quoting Robert Hajime Lanning (robert.lanning at gmail.com):

> ps. I run my lanning.cc email server from home on my comcast business
> cablemodem.
> and I get this "(reason: 550 5.0.0 <baylisa at baylisa.org>...
> comcastbusiness.net needs a working abuse contact to send mail)"
> for both baylisa and svlug.

I'll see if I can whitelist your address at the SVLUG mailing list host:
That sounds like it must be part of Marc Merlin's antispam setup, and
I'm sorry about the Comcast-induced collateral damage.  As I'm sure you
appreciate, refusing mail to sites that ignore the RFC madates for
postmaster[1] and abuse [2] cuts out an overwhelming percentage of
spambot mail at SMTP time.  The pity of it is, Comcast must have gone
out of their way to disable that function, as MTAs have
default-supported incoming mail to both postmaster@ and abuse@ for some
time, now.

(I assume you're talking about sending address lanning at lanning.cc .
If not, please advise.  I have, I believe, now exempted that sender from
callback checks.)

> I run the script below (that I originally created to monitor slave
> replication.)  It can be run via cron to give you a daily/weekly report.
> http://lanning.cc/pub/dnscheckserial
>
> And this was to check DNS GTM consistency:
> http://lanning.cc/pub/dnscheck

Nice work, Robert.  FYI, the latter script breaks if the FQDN used as
argument is an unqualified second-level domain.  E.g., it yields
false-positive 'NXDOMAIN'results on linuxmafia.com, but correct-IP ones
if one uses the equivalent FQDN www.linuxmafia.com.

You will probably find that your script breaks if it encounters some of
the 'dig' results other than success or NXDOMAIN.  In particular, I
noticed that, if the tested nameserver is returning 'status: REFUSED' in
the options section, then any dig query with the '+short' flag retnrns a
null result (with, IIRC, value = 9).

[1] http://www.rfc-ignorant.org/rfcs/rfc5321.php
[2] http://www.rfc-ignorant.org/policy-abuse.php