#1 Thu, 05/17/2018 - 10:24
livewin

dns warning

Hi, I have tried Virtualmin for about a month and it is very good. I've been able to solve all the setup problems I've had. My server is now working without any problem; only I have 4 errors:

1- Local NS list does not match Parent NS list
2- Name Servers are on the Same Subnet
3- SOA Serial Number Format is Invalid
4- SOA Expire Value out of recommended range

Please help me to fix all the above warnings.

Thanks

Thu, 05/17/2018 - 11:31
noisemarine

1 - I've never seen that error. I'm not sure what it means.

2 - It means what it says. If you have both (or more) of your nameservers on the same subnet (i.e. IP addresses are 10.0.0.1 and 10.0.0.2), it complains. It is best practice to have your nameservers geographically separated. Unless you can move one or more of your nameservers to another location, the only thing you can do is ignore it.

3 and 4 - can you please post the top section of one of your zone files so we can see what is causing the error? Please use code tags (see the 'More information about text formats' link below the comment box).

Thu, 05/17/2018 - 12:11
scotwnw

1- Local NS list does not match Parent NS list

It means your name server list in BIND (local) for that domain does not match the name server list glue records at your domain (parent), which is the registrar. The name servers listed with your registrar should also have DNS listings in that domain's BIND config.

So if your registrar has ns1.blah.com and ns2.blah.com, you need both of those listed in BIND under the 'name servers' section for that domain. Then create A records to go with ns1.blah.com and ns2.blah.com.

Thu, 05/17/2018 - 19:04
livewin

Hello, thank you very much noisemarine and scotwnw. 1 and 2 were fixed after reconfiguring the DNS zone. Now only 3 and 4 are not fixed:

3- SOA Serial Number Format is Invalid
4- SOA Expire Value out of recommended range

This is my SOA config:

$ttl 38400
@ IN SOA ns1.myname.com. root.ns1.myname.com. (
        1525605284 ; serial
        10800      ; refresh (seconds)
        3600       ; retry (seconds)
        604800     ; expire (seconds)
        38400 )    ; minimum (seconds)

Fri, 05/18/2018 - 02:46
noisemarine

There isn't much wrong with that. Is it complaining about a specific zone?

Sat, 05/19/2018 - 08:54
Diabolico

SOA Serial Number Format is Invalid

Based on this

The serial number contains the date of the last change (in ISO 8601 basic format) followed by a two-digit counter (e.g. 2017031405 = the fifth change dated March 14, 2017). This method is recommended in RFC 1912.

the SOA serial number should be 2018051900, where 2018=year, 05=month, 19=day, 00=counter.

SOA Expire Value out of recommended range

We have again:

RFC 1912 recommends 1209600 - 2419200 seconds (14-28 days). How long a secondary will still treat its copy of the zone data as valid if it can't contact the primary. This value should be greater than how long a major outage would typically last, and must be greater than the minimum and retry intervals, to avoid having a secondary expire the data before it gets a chance to get a new copy. After a zone is expired a secondary will still continue to try to contact the primary, but it will no longer provide nameservice for the zone. 2-4 weeks are suggested values. [RFC1912]

so your SOA expire value should be between 1209600 - 2419200 (seconds).

- I often come to the conclusion that my brain has too many tabs open. -
Failing at desktop publishing & graphic design since 1994.

Sat, 05/19/2018 - 18:16
noisemarine

Neither of those two things is mandatory. The serial number only needs to be between 1 and 4294967295(*). Expire only needs to be greater than the sum of Refresh and Retry (604800 > 10800 + 3600). In which case, there's nothing wrong with the OP's SOA header as posted. I suspect there's a different zone that has been altered that is causing the error.

(*) I agree, however. I personally prefer Serials based on dates as they are easier to manage. :)
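
The two positions in this thread (hard limits versus RFC 1912 recommendations), applied to the SOA header posted above, as an added example that is not part of any post. The function names are hypothetical, and it assumes the timers are plain seconds with no BIND unit suffixes.

```python
import re
from datetime import datetime

# Constructed sample: the SOA header as posted earlier in the thread.
ZONE_TEXT = """\
$ttl 38400
@ IN SOA ns1.myname.com. root.ns1.myname.com. (
        1525605284
        10800
        3600
        604800
        38400 )
"""

# SOA, primary NS, contact mailbox, optional "(", then five integers.
SOA_RE = re.compile(r"\bSOA\s+\S+\s+\S+\s*\(?\s*((?:\d+\s+){4}\d+)", re.I)

def parse_soa(text):
    """Return (serial, refresh, retry, expire, minimum); seconds only (assumption)."""
    text = re.sub(r";[^\n]*", "", text)  # drop ';' comments before matching
    match = SOA_RE.search(text)
    if not match:
        raise ValueError("no SOA record with five numeric fields found")
    return tuple(int(n) for n in match.group(1).split())

def check_soa(text):
    """Return (errors, warnings): hard limits vs. RFC 1912 recommendations."""
    serial, refresh, retry, expire, _minimum = parse_soa(text)
    errors, warnings = [], []
    if not 1 <= serial <= 4294967295:          # 32-bit serial range
        errors.append("serial outside 1..4294967295")
    if expire <= refresh + retry:              # secondary would expire too early
        errors.append("expire not greater than refresh + retry")
    digits = str(serial)
    try:
        if len(digits) != 10:
            raise ValueError("wrong length")
        datetime.strptime(digits[:8], "%Y%m%d")  # must be a real calendar date
    except ValueError:
        warnings.append("serial is not in YYYYMMDDnn format")
    if not 1209600 <= expire <= 2419200:       # 14-28 days
        warnings.append("expire outside 1209600-2419200 seconds")
    return errors, warnings

if __name__ == "__main__":
    print(check_soa(ZONE_TEXT))
```

The posted header produces no errors and two warnings, which matches both readings in the thread: the zone is valid, and a checker that enforces the RFC 1912 recommendations will still flag it.
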
Sun, 05/20/2018 - 19:16
Diabolico

Recommendations contained within RFC publications are there for a reason, so it doesn't matter what anyone prefers or not - they are there to be followed. Most if not all scanning or checking tools will base their report on these very same rules and notify for any values outside of the ones suggested. Plus, don't forget there are many rules that, if not followed correctly, will result in some sort of obstruction, like not applying DKIM, SPF, rDNS... etc.


Mon, 05/21/2018 - 04:03
noisemarine

Exactly, which is why there is nothing wrong with the OP's header as posted. Remember, 'recommended' and 'suggested' are not the same as 'must' or 'required'. If it's a DNS scanning site that is reporting those errors, I'd 'suggest' using a better tool. :)

Edit: I should add, those values are the default in Virtualmin. Are you having any trouble with DNS? :)

Tue, 05/29/2018 - 04:46
livewin

Hi, thank you very much to all members for helping me. After following all the replies I was able to solve the problem.
