Warning Messages - BlueCat Integrity - 9.4.0

Address Manager Administration Guide

Locale: English
Product name: BlueCat Integrity
Version: 9.4.0

The following warning messages might be displayed in the Address Manager user interface.

W-01: CNAME Record Chaining
Description: CNAME records shouldn't be chained together.
Severity: Warning
Effect: DNS resolvers may return an error when attempting to resolve a CNAME chain. CNAME (alias) records should only be linked to A (host) records.
Association: A CNAME Record that points to another CNAME.
How to Detect: Examine CNAME records that link to other CNAME records. Any CNAME that points to another should be flagged.
Fix: Link the CNAME record to an existing host record or external host record. If the record doesn't exist, create it.
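The W-01 detection rule can be reproduced outside Address Manager on an exported record list. The following is an added example, not BlueCat code; the `(owner, type, target)` tuple format and the sample records are constructed for illustration. It flags every CNAME whose target is itself a CNAME and also reports chains that loop back on themselves.

```python
def norm(name):
    """Compare names case-insensitively and without the trailing dot."""
    return name.rstrip(".").lower()

def find_cname_chains(records):
    """records: iterable of (owner, rtype, target) tuples.

    Returns {owner: [owner, hop, ..., end]} for every CNAME that points at
    another CNAME. If the chain loops, the last element repeats an earlier name.
    """
    cnames = {norm(o): norm(t) for o, rtype, t in records if rtype.upper() == "CNAME"}
    flagged = {}
    for owner, target in cnames.items():
        if target not in cnames:
            continue  # alias points at a non-CNAME name, which is what W-01 expects
        chain, cur = [owner], target
        while cur in cnames and cur not in chain:
            chain.append(cur)
            cur = cnames[cur]
        chain.append(cur)  # final target, or the repeated name when the chain loops
        flagged[owner] = chain
    return flagged

# Constructed sample data (not taken from any real zone).
SAMPLE = [
    ("www.example.com.", "CNAME", "web.example.com."),
    ("web.example.com.", "CNAME", "lb.example.com."),
    ("lb.example.com.", "A", "192.0.2.10"),
    ("ftp.example.com.", "CNAME", "lb.example.com."),
    ("a.example.com.", "CNAME", "b.example.com."),
    ("b.example.com.", "CNAME", "a.example.com."),
]

if __name__ == "__main__":
    for owner, chain in find_cname_chains(SAMPLE).items():
        print("W-01:", " -> ".join(chain))
```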

 

W-03: DNS View not visible
Description: DNS View might be hidden because another view might encompass its range.
Severity: Warning
Effect: One or more of the views are hidden. Resolvers and applications won't be able to access records from hidden views.
Association: View
How to Detect: Examine the match-clients and deny-clients options (or lack thereof) from all views to determine if the settings from one view might be hiding another. For example, if two views have been configured to match addresses from the 10.0.0.0/8 IP block, then the first view listed in the named.conf.active file receives the traffic, and the others won't. Flag the hidden view.
This warning is displayed in the following scenarios:
  • Two or more views without a Match Clients or Deny Clients deployment option set.
  • Match Clients option values overlap with, or are the same as, Match Clients option values in different views.
  • Deny Clients option values overlap with, or are the same as, Deny Clients option values in different views.
Fix: If the configuration has two views, configure only one view without Match Clients or Deny Clients deployment options. If the configuration has more than two views, configure each view so that they have unique values in the Match Clients or Deny Clients deployment options.
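A sketch of the W-03 check for the match-clients case, as an added example that is not BlueCat's implementation. It assumes IPv4 CIDR values only, ignores deny-clients, and treats a view with no option as matching any client (BIND's default); the view names and networks are constructed. Because the first matching view in the configuration receives the traffic, a later view is reported when one of its networks is equal to or contained in a network of an earlier view.

```python
import ipaddress

ANY = ipaddress.ip_network("0.0.0.0/0")  # a view with no match-clients matches every client

def hidden_views(views):
    """views: list of (name, [IPv4 CIDR, ...]) in configuration order; [] means no option set.

    Returns (hidden_view, hiding_view, network) for each network of a later view
    that is equal to, or contained in, a network already claimed by an earlier view.
    """
    findings = []
    claimed = []  # (view name, network) pairs from views earlier in the file
    for name, cidrs in views:
        nets = [ipaddress.ip_network(c) for c in cidrs] or [ANY]
        for net in nets:
            for earlier_name, earlier_net in claimed:
                if net.subnet_of(earlier_net):
                    findings.append((name, earlier_name, str(net)))
                    break  # the first matching view wins, so report only that one
        claimed.extend((name, net) for net in nets)
    return findings

# Constructed sample: order matters, as it does in named.conf.
SAMPLE_VIEWS = [
    ("internal", ["10.0.0.0/8"]),
    ("lab", ["10.20.0.0/16", "192.168.5.0/24"]),  # 10.20/16 is inside internal's 10/8
    ("branch", ["10.0.0.0/8"]),                   # same block as internal
    ("external", []),                             # catch-all after specific views: fine
    ("guest", []),                                # second catch-all: never reached
]

if __name__ == "__main__":
    for hidden, hiding, net in hidden_views(SAMPLE_VIEWS):
        print(f"W-03: view '{hidden}' ({net}) is hidden by view '{hiding}'")
```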

 

W-06: IPv4 Address space is reserved
Description: Certain blocks of IPv4 space are reserved.
Severity: Warning
Effect: Assigned addresses might not be routable on the Internet.
Association: IPv4 Networks or IPv4 Blocks
How to Detect: Match against reserved address space:
  • 0/8 (reserved)
  • 1/8 and 2/8 (unallocated)
  • 5/8 (unallocated)
  • 7/8 (administered by ARIN)
  • 23/8 (unallocated)
  • 27/8 (unallocated)
  • 31/8 (unallocated)
  • 36/8 and 37/8 (unallocated)
  • 39/8 (unallocated)
  • 42/8 (unallocated)
  • 46/8 (IANA)
  • 49/8 and 50/8 (unallocated)
  • 100/8 through 111/8 (unallocated)
  • 112/8 through 115/8
  • 127/8 (loopback)
  • 173/8 through 185/8 (unallocated)
  • 186/8 and 187/8
  • 197/8 (AfriNIC)
  • 223/8 (unallocated)
  • 224/8 through 239/8 (multicast)
  • 240/8 through 255/8 (future use)
Blocks in these ranges should be flagged. For more information, refer to http://www.iana.org/assignments/ipv4-address-space.

 

W-07: Record name might create compatibility problems
Description: Users can legally use the space character and other ASCII values for record names.
Severity: Warning
Effect: Some applications might not process the name properly.
Association: Resource Record
How to Detect: Examine resource records that contain characters that are atypical, yet valid in domain names. For example:
  • space character
  • brackets ( ), [ ], { }
  • quote characters (single and double)
  • Symbols (@ # $ % ^ & ! ~)
Any record name that contains one or more of the above characters should be flagged.
Fix: If necessary, remove the character that generated the warning.

 

W-08: ENUM Numbers exceed the maximum of 15 digits
Description: Users can create ENUM numbers that exceed the maximum of 15 digits as set by the Telecommunication Standardization Sector (ITU-T).
Severity: Warning
Effect: The number might not be used by applications.
Association: ENUM zone or number
How to Detect: Search the database for NAPTR Group or E164 Zone types that have an absolute name containing more than 15 digits.
Fix: Limit the ENUM number to a maximum of 15 digits.

 

W-09: DNS deployable without deployment roles
Description: Zone is deployable, but there are no roles to make sure it gets deployed.
Severity: Warning
Effect: Zone isn't deployed.
Association: Zone
How to Detect: Search for deployable zones that have no deployment roles (zone with deployable check box selected and no DNS roles).
Fix: Add the deployment role to either the zone’s parent view or the zone itself. At least one of the deployment roles must be primary or hidden primary.

 

W-10: SOA values are too short/long
Description: The refresh, retry, expire, and minimum values are above or below recommended settings.
Severity: Warning
Effect: Zone is deployed, but strange behavior with BIND and caching might occur.
Association: Entity where SOA option is defined.
How to Detect: Examine SOA option values against acceptable values:
  • Refresh Value—RFC 1912 recommends a value between 1200 and 7200 seconds (20 minutes to 2 hours) if you are not worried about a small increase in bandwidth use, or longer (2 to 12 hours) if the Internet connection is slow or is started on demand.
  • Retry Value—should be 120 to 7200 seconds (2 minutes to 2 hours).
  • Expire Value—RFC 1912 recommends a value between 1209600 and 2419200 seconds (2 to 4 weeks).
  • Minimum Value—RFC 2308 recommends 3600 to 10800 seconds (1 to 3 hours).
Any SOA record that fails to meet any of the above criteria is flagged.
Fix: Adjust SOA values to be within suggested ranges.

 

W-11: DHCP lease time is too short/long
Description: Lease times might be too short or too long.
Severity: Warning
Effect: Short lease times create an extra load on a DHCP server, and longer times might cause leases to be unavailable for use when the DHCP client is removed from the network.
Association: Entity where option is defined
How to Detect: Examine the DHCP lease time option and flag it if the lease time has been set to one of the following:
  • Lease time less than 1 hour (RFC 1541/2131).
  • Lease time longer than 7 days.
Fix: Adjust lease times so that they fall within the values listed above.

 

W-12: DHCP max lease time is too short/long
Description: Max lease times might be too short or too long.
Severity: Warning
Effect: Short lease times create an extra load on a DHCP server, and longer times might cause leases to be unavailable for use when the DHCP client is removed from the network.
Association: Entity where option is defined
How to Detect: Examine DHCP maximum lease time options and flag the owning entity if:
  • Lease time less than 1 hour (RFC 1541/2131).
  • Lease time longer than 7 days.
  • Max lease time is less than DHCP lease time.
Fix: Adjust lease times.
Note: The "DHCP max lease time is too short/long" warning message will also appear when the minimum, default, and maximum DHCP lease times are set to the same value. This configuration is considered normal for users who do not wish to configure variable lease times, in which case the warning message can be ignored. Users who wish to clear the warning message in this scenario can do so by configuring each DHCP lease time value to be distinct. The minimum lease time must be configured as the lowest value, and the default lease time must be set lower than the maximum lease time.

 

W-15: ENUM zone deployable without deployment roles
Description: ENUM Zone is deployable but there are no roles to make sure it gets deployed.
Severity: Warning
Effect: ENUM Zone isn't deployed.
Association: ENUM Zone
How to Detect: Search for deployable ENUM zones that have no deployment roles.
Fix: Add a deployment role to the view or to the ENUM zone.

 

 

 

W-19: FQDN and label length validation for Zone
Description: Invalid Fully Qualified Domain Name.
Severity: Warning
Effect: Zone not deployed.
Association: DNS Zone
How to Detect: Check whether the zone name length is more than 63 characters or the zone FQDN length is more than 253 characters.
Fix: Reduce zone name length to 63 characters or fewer; reduce the zone FQDN length to 253 characters or fewer.