First, do no harm…


Primum non nocere is a Latin phrase that translates to “First, do no harm”. It is typically (incorrectly) attributed to the Hippocratic Oath, but works equally well as a standard for IT work. Another would be “If you don’t know what it does – don’t mess with it”.

So, a call comes in early last week from a customer who not only could not check her e-mail, but people sending e-mail to her were getting rejections.

That was odd. If her server was down, she wouldn’t be able to get e-mail, but the senders shouldn’t be getting rejections; the messages should just be queuing up. Maybe her domain expired? No, the domain was current. Also, having a rejection forwarded to us revealed that the recipient server was bouncing e-mail addressed to her.

Um, wait. That’s not her server. OK, log into her DNS provider. Looks like the zone file is OK. On to the registrar. The registrar is pointing to other DNS servers! The domain has been hijacked (or so we thought).

We call the customer with the results of our research, and she replies, “Oh, that’s OK. My web developer moved DNS.” We asked “What on Earth for?”

Apparently, her web developer was purchasing an SSL certificate for her. The CA required that the purchasing agent reply to an e-mail sent to hostmaster@domain.com to prove domain ownership. Hostmaster@ wasn’t defined on her mail server, so instead of asking her or us to create an alias, he moved DNS to servers he had control over, pointed the MX record to the hosting company, and then created one, and only one mailbox: hostmaster@domain.com.

Now our customer comes to work the next day, e-mail isn’t flowing to her Exchange server, and she’s generally unhappy. The round of calls and e-mails that followed eventually revealed what had happened, and also resulted in the web developer trying to get us to share the blame for it. Now, I will admit we were a bit forward in our incredulousness. There were some pretty explicit comments along the line of “Why would you mess with DNS when you obviously don’t understand what it does?” DNS touches everything. None of the A records that were defined had been duplicated (except www). DNS had been moved to do only one thing – allow the developer to catch e-mail sent to hostmaster@. Apparently whatever else was broken in that process was irrelevant.
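The check that would have caught this before the registrar change: compare every record the old zone serves against what the new nameservers answer, and refuse to cut over while anything is missing or changed. This is an added example, not code from the original post; the two zones are constructed inline in a simplified “name type value” form (a real run would populate them from the old zone file and from queries against the new servers).

```python
"""Pre-cutover DNS zone comparison (added example, not the post's own code).

Zone data is constructed here in a simplified "name type value" line format;
it is an assumption that a real check would fill these from the exported old
zone and from live queries against the proposed new nameservers.
"""
from collections import defaultdict

# Constructed old zone: the records the customer's domain actually relied on.
OLD_ZONE = """
@            MX   10 mail.example.com.
@            A    203.0.113.10
www          A    203.0.113.10
mail         A    203.0.113.25
autodiscover A    203.0.113.25
vpn          A    203.0.113.30
"""

# Constructed new zone: only www copied, MX repointed to the hosting company.
NEW_ZONE = """
@            MX   10 mx.hosting-provider.example.
www          A    203.0.113.10
"""


def parse_zone(text):
    """Parse 'name type value' lines into {(name, TYPE): {value, ...}}."""
    records = defaultdict(set)
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue  # blank line or comment
        name, rtype, value = line.split(None, 2)
        records[(name, rtype.upper())].add(value.strip())
    return records


def zone_diff(old, new):
    """Return (missing, changed): keys absent from new, keys whose values differ."""
    missing = sorted(k for k in old if k not in new)
    changed = sorted(k for k in old if k in new and old[k] != new[k])
    return missing, changed


def cutover_report(old_text, new_text):
    """Return (safe_to_cut_over, findings). Safe only when nothing is lost or altered."""
    old, new = parse_zone(old_text), parse_zone(new_text)
    missing, changed = zone_diff(old, new)
    findings = [f"MISSING  {n} {t} {' '.join(sorted(old[(n, t)]))}" for n, t in missing]
    findings += [f"CHANGED  {n} {t}: {sorted(old[(n, t)])} -> {sorted(new[(n, t)])}"
                 for n, t in changed]
    return (not missing and not changed), findings
```

Run against the two constructed zones it reports four missing A records and a changed MX, so the cutover would be blocked; the same check passes trivially when the new zone is a faithful copy.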

Anyway, this is yet another cautionary tale. Your customers won’t be able to have faith in you if you break things when you touch them. It’s also never a good idea to point fingers even when the issue isn’t your fault – and you know whose it is. All the customer cares about is for their problem to be solved, and a good round of he said / she said only undermines the customer’s faith in technology professionals in general…
