The DNS Institute

Top Ten Most Frequent Test Failures (2022-04)

The DNS Institute's DNS Audit checks over a hundred requirements and best practices as defined in IETF RFCs, government mandates, and registry guidelines. (Each test carries bibliographic citations and an explanation.) The tests cover the domain names themselves, nameserver addressing, DNS setup and delegations, and conformance tests on how the domain's nameservers respond, including checks of glue, IPv6, TCP, DNSSEC, and more. Over a hundred additional test cases cover performance and security vulnerabilities. We have run over a third of a million test runs, resulting in over fifty-one million individual test results. (You can see summaries of this in our research articles.)

Some of these tests fail so frequently that they could be considered unimportant noise. Yet many DNS setups are clean enough to trigger none of the following top ten most frequent warnings.

  1. D102950 SOA EXPIRE should not be less than 2 weeks. (For example, see netflix.film's one minute.)
  2. D106060 Checking Disabled (CD) bit should not be set in response from authoritative server. (This is a BIND9 behavior, at least, reported a few years ago.)
  3. D103500 SOA MINIMUM (negative caching TTL) recommended maximum is 1 hour (Unbound and PowerDNS Recursor default max). (For example, see dplinc.com's 41 days, which is capped by most resolvers.)
  4. D102850 SOA RETRY should be one-tenth of the SOA REFRESH.
  5. D103150 SOA MINIMUM (negative caching TTL) of at least 30 minutes is recommended. (For example, see officemax.com's 0 seconds.)
  6. D103400 SOA MINIMUM (negative caching TTL) recommended maximum is 3 hours (BIND9 default max).
  7. D103900 TTL is recommended to be within 30 minutes to 1 day. (See mmm.com's SOA TTL which is 30 days. That's why various nameservers have bounded limits which hide this.)
  8. D102700 SOA REFRESH should be within 20 minutes to 12 hours. (For example, see 232.77.41.in-addr.arpa's 10 days — maybe extra 0 was a typo?)
  9. D102400 RRSIG Inception/Expiration validity period recommendation is approximately 3 to 4 times the SOA EXPIRE.
  10. D103000 SOA EXPIRE should not be longer than 4 weeks. (See "ma" TLD's 19 years! But maybe it's using this field for a different purpose?)
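As an added example (not the DNS Institute's own audit code), here is a small Python checker that parses a presentation-format SOA record and applies the SOA timer thresholds from the list above. The two sample records and the domain names in them are constructed, and the check IDs are quoted from the list for cross-reference.

```python
from typing import List, NamedTuple
MINUTE, HOUR, DAY, WEEK = 60, 3600, 86400, 604800

class SOA(NamedTuple):
    owner: str
    ttl: int
    refresh: int
    retry: int
    expire: int
    minimum: int

def parse_soa(line: str) -> SOA:
    """Parse a presentation-format record: owner TTL IN SOA mname rname serial refresh retry expire minimum."""
    f = line.split()
    if len(f) != 11 or f[2].upper() != "IN" or f[3].upper() != "SOA":
        raise ValueError(f"not a TTL-qualified SOA record: {line!r}")
    refresh, retry, expire, minimum = (int(x) for x in f[7:11])
    return SOA(f[0], int(f[1]), refresh, retry, expire, minimum)

def check_soa(soa: SOA) -> List[str]:
    """Return the IDs (as quoted on the page) of the SOA-timer checks this record fails."""
    failures = []
    if soa.expire < 2 * WEEK:
        failures.append("D102950")  # EXPIRE should not be less than 2 weeks
    if soa.expire > 4 * WEEK:
        failures.append("D103000")  # EXPIRE should not be longer than 4 weeks
    if not 20 * MINUTE <= soa.refresh <= 12 * HOUR:
        failures.append("D102700")  # REFRESH should be within 20 minutes to 12 hours
    if soa.retry != soa.refresh // 10:
        failures.append("D102850")  # RETRY should be one-tenth of REFRESH (checked exactly here)
    if soa.minimum < 30 * MINUTE:
        failures.append("D103150")  # MINIMUM of at least 30 minutes recommended
    if soa.minimum > 1 * HOUR:
        failures.append("D103500")  # MINIMUM max 1 hour (Unbound / PowerDNS Recursor default)
    if soa.minimum > 3 * HOUR:
        failures.append("D103400")  # MINIMUM max 3 hours (BIND9 default)
    if not 30 * MINUTE <= soa.ttl <= 1 * DAY:
        failures.append("D103900")  # TTL recommended within 30 minutes to 1 day
    return failures

# Constructed sample records (not real zone data). BAD_SOA combines the kinds of
# values the post describes: 30-day TTL, 10-day REFRESH, 1-minute EXPIRE, 41-day MINIMUM.
BAD_SOA = ("example.com. 2592000 IN SOA ns1.example.com. hostmaster.example.com. "
           "2022040101 864000 60 60 3542400")
GOOD_SOA = ("example.net. 3600 IN SOA ns1.example.net. hostmaster.example.net. "
            "2022040101 7200 720 1209600 1800")
if __name__ == "__main__":
    for rec in (BAD_SOA, GOOD_SOA):
        print(rec.split()[0], "fails:", check_soa(parse_soa(rec)) or "nothing")
```

Because the 41-day MINIMUM trips both the 1-hour and 3-hour checks, a single oversized value shows up as two of the top-ten warnings, which is part of why these checks rank so high.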

There are a few other frequent offenders, especially in the IPv6-only and TCP-only tests. By the way, one of our least common outliers is: "D103510 Recursion depth recommended maximum is 5 levels (Unbound default max)." (That's even less frequent than finding security vulnerabilities such as dangling DNS targets.)

How clean is your DNS?

What do you think about any of these pedantic checks? (Old guidelines or requirements just don't matter?)

What do you use for your DNS auditing?

