Warning Messages - BlueCat Address Manager - 8.3.1

Address Manager Administration Guide

The following warning messages might be displayed in the Address Manager user interface.

W-01: CNAME Record Chaining
Description: CNAME records should not be chained together.
Severity: Warning
Effect: DNS resolvers may return an error when attempting to resolve a CNAME chain. CNAME (alias) records should only be linked to A (host) records.
Association: A CNAME Record that points to another CNAME.
How to Detect: Examine CNAME records that link to other CNAME records. Any CNAME that points to another should be flagged.
Fix: Link the CNAME record to an existing host record or external host record. If the record does not exist, create it.
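
The W-01 check can be run over exported zone data. The following is an added example, not BlueCat code: it flags every CNAME whose target is itself a CNAME and follows each chain to show where it ends. The record tuples, names and function names are constructed for illustration.

```python
# Constructed sample zone data: (owner, type, target). Not taken from a real deployment.
RECORDS = [
    ("www.example.com.",   "CNAME", "web.example.com."),
    ("web.example.com.",   "A",     "192.0.2.10"),
    ("shop.example.com.",  "CNAME", "Store.example.com."),   # points at another CNAME
    ("store.example.com.", "CNAME", "web.example.com."),
    ("cdn.example.com.",   "CNAME", "edge.example.net."),    # external host record
    ("a.example.com.",     "CNAME", "b.example.com."),       # two-record loop
    ("b.example.com.",     "CNAME", "a.example.com."),
]

def norm(name):
    """DNS names compare case-insensitively; make every name absolute."""
    return name.lower().rstrip(".") + "."

def cname_map(records):
    """Map each CNAME owner to its target."""
    return {norm(o): norm(t) for o, rtype, t in records if rtype.upper() == "CNAME"}

def find_chained_cnames(records):
    """Owners of CNAME records whose target is itself a CNAME (the W-01 condition)."""
    cnames = cname_map(records)
    return sorted(owner for owner, target in cnames.items() if target in cnames)

def follow_chain(records, owner):
    """Follow aliases from owner; stop at a non-CNAME name or when a name repeats."""
    cnames = cname_map(records)
    path = [norm(owner)]
    while path[-1] in cnames:
        nxt = cnames[path[-1]]
        path.append(nxt)
        if nxt in path[:-1]:      # loop: the chain never reaches a host record
            break
    return path

if __name__ == "__main__":
    for owner in find_chained_cnames(RECORDS):
        print(owner, "->", " -> ".join(follow_chain(RECORDS, owner)[1:]))
```

The last name in each path is the host record the flagged CNAME should be linked to directly; a path that ends on a repeated name is a loop and has no such host.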

W-03: DNS View not visible
Description: DNS View might be hidden because another view might encompass its range.
Severity: Warning
Effect: One or more of the views are hidden. Resolvers and applications will not be able to access records from hidden views.
Association: View
How to Detect: Examine the match-clients and deny-clients options (or lack thereof) from all views to determine if the settings from one view might be hiding another. For example, if two views have been configured to match addresses from the 10.0.0.0/8 IP block, then the first view listed in the named.conf.active file receives the traffic, and the others do not. Flag the hidden view.
This warning is displayed in the following scenarios:
  • Two or more views without a Match Clients or Deny Clients deployment option set.
  • Match Clients option values overlap with, or are the same as, Match Clients option values in different views.
  • Deny Clients option values overlap with, or are the same as, Deny Clients option values in different views.
Fix: If the configuration has two views, configure only one view without Match Client and/or Deny Client deployment options. If the configuration has more than two views, configure each view so that they have unique values in the Match Client and/or Deny Client deployment options.
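
A sketch of the W-03 ordering check, added here as an example and not BlueCat's implementation. It assumes views are given in the order they appear in named.conf.active, handles IPv4 Match Clients values only (Deny Clients is not modelled), treats a view with no Match Clients value as matching any client, and reports only networks that an earlier view already covers in full. View names and networks are constructed.

```python
import ipaddress

ANY = ipaddress.ip_network("0.0.0.0/0")   # stands in for "no Match Clients option set"

# Constructed sample: (view name, Match Clients networks), in named.conf.active order.
VIEWS = [
    ("internal", ["10.0.0.0/8"]),
    ("lab",      ["10.20.0.0/16"]),                       # entirely inside "internal"
    ("partners", ["10.255.0.0/16", "198.51.100.0/24"]),   # one network inside "internal"
    ("dmz",      ["192.0.2.0/24"]),
    ("default",  []),                                     # catch-all after specific views
    ("fallback", []),                                     # second catch-all
]

def find_hidden_views(views):
    """Return (view, status, earlier views that shadow it) for each affected view."""
    findings, earlier = [], []            # earlier: (view name, network) already listed
    for name, cidrs in views:
        nets = [ipaddress.ip_network(c) for c in cidrs] or [ANY]
        covered = {}                      # network -> earlier views that match all of it
        for net in nets:
            by = {e_name for e_name, e_net in earlier if net.subnet_of(e_net)}
            if by:
                covered[net] = by
        if covered:
            # The first matching view wins, so covered networks never reach this view.
            status = "hidden" if all(n in covered for n in nets) else "partly hidden"
            shadowed_by = sorted(set().union(*covered.values()))
            findings.append((name, status, shadowed_by))
        earlier.extend((name, n) for n in nets)
    return findings

if __name__ == "__main__":
    for name, status, by in find_hidden_views(VIEWS):
        print(f"{name}: {status} by {', '.join(by)}")
```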

W-06: IPv4 Address space is reserved
Description: Certain blocks of IPv4 space are reserved.
Severity: Warning
Effect: Assigned addresses might not be routable on the Internet.
Association: IPv4 Networks or IPv4 Blocks
How to Detect: Match against reserved address space:
  • 0/8 (reserved)
  • 1/8 and 2/8 (unallocated)
  • 5/8 (unallocated)
  • 7/8 (administered by ARIN)
  • 23/8 (unallocated)
  • 27/8 (unallocated)
  • 31/8 (unallocated)
  • 36/8 and 37/8 (unallocated)
  • 39/8 (unallocated)
  • 42/8 (unallocated)
  • 46/8 (IANA)
  • 49/8 and 50/8 (unallocated)
  • 100/8 through 111/8 (unallocated)
  • 112/8 through 115/8
  • 127/8 (loop back)
  • 173/8 through 185/8 (unallocated)
  • 186/8 and 187/8
  • 197/8 (AfriNIC)
  • 223/8 (unallocated)
  • 224/8 through 239/8 (multicast)
  • 240/8 through 255/8 (future use)
Blocks in these ranges should be flagged. For more information, refer to: http://www.iana.org/assignments/ipv4-address-space

W-07: Record name might create compatibility problems
Description: Users can legally use the space character and other ASCII values for record names.
Severity: Warning
Effect: Some applications might not process the name properly.
Association: Resource Record
How to Detect: Examine resource records that contain characters that are not typical, yet valid in domain names. For example:
  • space character
  • brackets ( ), [ ], { }
  • quote characters (single and double)
  • Symbols (@ # $ % ^ & ! ~)
Any record name that contains one or more of the above characters should be flagged.
Fix: If necessary, remove the character that generated the warning.

W-08: ENUM Numbers exceed the maximum of 15 digits
Description: Users can create ENUM numbers that exceed the maximum of 15 digits as set by the Telecommunication Standardization Sector (ITU-T).
Severity: Warning
Effect: Might not get used by the application.
Association: ENUM zone or number
How to Detect: Search the database for NAPTR Group or E164 Zone types that have an absolute name containing more than 15 digits.
Fix: Limit the ENUM number to a maximum of 15 digits.

W-09: DNS deployable without deployment roles
Description: Zone is deployable, but there are no roles to make sure it gets deployed.
Severity: Warning
Effect: Zone is not deployed.
Association: Zone
How to Detect: Search for deployable zones that have no deployment roles (zone with deployable checkbox selected and no DNS roles).
Fix: Add the deployment role to either the zone’s parent view or the zone itself. At least one of the deployment roles must be master or hidden master.

W-10: SOA values are too short/long
Description: The refresh, retry, expire, and minimum values are above or below recommended settings.
Severity: Warning
Effect: Zone is deployed, but strange behavior with BIND and caching might occur.
Association: Entity where SOA option is defined.
How to Detect: Examine SOA option values against acceptable values:
  • Refresh Value—RFC 1912 recommends a value between 1200 and 7200 seconds (20 minutes to 2 hours) if you are not worried about a small increase in bandwidth use, or longer (2 to 12 hours) if the Internet connection is slow or is started on demand.
  • Retry Value—should be 120 to 7200 seconds (2 minutes to 2 hours).
  • Expire Value—RFC 1912 recommends a value between 1209600 to 2419200 seconds (2 to 4 weeks).
  • Minimum Value—RFC 2308 recommends 3600 to 10800 seconds (1 to 3 hours).
Any SOA record that fails to meet any of the above criteria is flagged.
Fix: Adjust SOA values to be within suggested ranges.
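
The W-10 ranges applied to a zone-file SOA record, as an added example that is not BlueCat code. It assumes BIND-style zone-file syntax (comments after `;`, parentheses, time units such as `6h`); the `slow_link` parameter is a hypothetical switch that raises the refresh upper bound to the 12 hours mentioned above, and the sample record is constructed.

```python
import re

# Recommended ranges in seconds, as listed for W-10 above.
RANGES = {
    "refresh": (1200, 7200),
    "retry":   (120, 7200),
    "expire":  (1209600, 2419200),
    "minimum": (3600, 10800),
}
UNITS = {"s": 1, "m": 60, "h": 3600, "d": 86400, "w": 604800}

# Constructed sample record.
SAMPLE_SOA = """
example.com. 3600 IN SOA ns1.example.com. hostmaster.example.com. (
        2024010101 ; serial
        6h         ; refresh
        60         ; retry
        2w         ; expire
        300 )      ; minimum
"""

def to_seconds(token):
    """Convert a time value such as 7200, 2h or 1w2d to seconds."""
    token = token.lower()
    if not re.fullmatch(r"(\d+[smhdw]?)+", token):
        raise ValueError(f"unparseable time value: {token!r}")
    return sum(int(n) * UNITS[u or "s"] for n, u in re.findall(r"(\d+)([smhdw]?)", token))

def parse_soa_timers(text):
    """Extract refresh, retry, expire and minimum from a zone-file SOA record."""
    text = re.sub(r";[^\n]*", "", text)                    # drop comments
    tokens = text.replace("(", " ").replace(")", " ").split()
    i = [t.upper() for t in tokens].index("SOA")           # ValueError if no SOA record
    fields = tokens[i + 4:i + 8]                           # skip MNAME, RNAME and serial
    if len(fields) != 4:
        raise ValueError("incomplete SOA record")
    return dict(zip(RANGES, map(to_seconds, fields)))

def check_soa(text, slow_link=False):
    """Return {field: seconds} for every SOA timer outside its recommended range."""
    ranges = dict(RANGES)
    if slow_link:                                          # hypothetical switch, see lead-in
        ranges["refresh"] = (1200, 43200)
    timers = parse_soa_timers(text)
    return {k: v for k, v in timers.items() if not ranges[k][0] <= v <= ranges[k][1]}
```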

W-11: DHCP lease time is too short/long
Description: Lease times might be too short or too long.
Severity: Warning
Effect: Short lease times create an extra load on a DHCP server and longer times might cause a lease to be unavailable for use when the DHCP client is removed from the network.
Association: Entity where option is defined
How to Detect: Examine the DHCP lease time option and flag if a lease time has been set to one of the following:
  • Lease time less than 1 hour (RFC 1541/2131).
  • Lease time longer than 7 days.
Fix: Adjust lease times to longer than values.

W-12: DHCP max lease time is too short/long
Description: Max lease times might be too short or too long.
Severity: Warning
Effect: Short lease times create an extra load on a DHCP server and longer times might cause a lease to be unavailable for use when the DHCP client is removed from the network.
Association: Entity where option is defined
How to Detect: Examine DHCP maximum lease time options and flag the owning entity if:
  • Lease time less than 1 hour (RFC 1541/2131).
  • Lease time longer than 7 days.
  • Max lease time is less than DHCP lease time.
Fix: Adjust lease times.

W-15: ENUM zone deployable without deployment roles
Description: ENUM Zone is deployable but there are no roles to make sure it gets deployed.
Severity: Warning
Effect: ENUM Zone is not deployed.
Association: ENUM Zone
How to Detect: Search for deployable ENUM zones that have no deployment roles.
Fix: Add a deployment role to the view or to the ENUM zone.

W-16: DHCP Deployable to one Windows server with scope splitting
Description: The network contains a DHCP role with a primary Windows server, and the DHCP range contains a scope-split address.
Severity: Warning
Effect: DHCP deployment role contains only a primary Windows server.
Association: Network
How to Detect: On the network, if the DHCP role contains only a primary Windows server, and the DHCP range contains a scope-split address, then flag it.
Fix: Add a second DHCP deployment role for a second Windows DHCP server.

W-17: DNS/DHCP Server dynamic updates option with Windows servers only
Description: DNS/DHCP Server (Adonis) dynamic updates option with Windows servers only.
Severity: Warning
Effect: Windows servers do not need an ACL. Address Manager (Proteus) Management Agent considers the option values “Nonsecure and secure”.
Association: Configuration
How to Detect: The configuration contains Windows servers only. The DNS option Allow Dynamic Updates contains an ACL only and is set to be deployed to all servers. Because this option for Windows does not require an ACL but the Windows updates flag, this option’s parent will be flagged.

W-19: FQDN and label length validation for Zone
Description: Invalid Fully Qualified Domain Name.
Severity: Warning
Effect: Zone not deployed.
Association: DNS Zone
How to Detect: Check whether the zone name length is more than 63 characters or the zone FQDN length is more than 253 characters.
Fix: Reduce zone name length to 63 characters or less; reduce the zone FQDN length to 253 characters or less.