Hugo,

zones don't expire, like DNSSEC RRSIG with their end of validity time stamp.
At worst, a slave name server is unable to verify the SOA record on the master for expiry time.
At that point, the slave name server still knows it is authoritative, but has no data it could answer with -> (at least Bind) will reply with a SERVFAIL (not the list of root name servers!)

The second worst thing is that the serial number on the master is lower than what the slaves last zone transferred.
As already commented in another reaction, check the logs of the slaves, they (should) signal this (Bind does).

Hope this helps.

Kind regards,

Marc Lampo
Security Officer
EURid vzw/asbl

From: hugo hugoo [mailto:hugo...@hotmail.com]
Sent: 04 May 2011 09:56 AM
To: marc.la...@eurid.eu; bind-users@lists.isc.org
Subject: RE: how to check if a slave zone is expired

Marc,

This example was maybe not the best one.
My question remains as other zones are well unavailable on all name servers.

Regards,

Hugo,

_____

From: marc.la...@eurid.eu
To: hugo...@hotmail.com; bind-users@lists.isc.org
Subject: RE: how to check if a slave zone is expired
Date: Wed, 4 May 2011 09:18:56 +0200

Hugo,

This must be a configuration error on ns2.skynet.be.
The other 3 authoritative name servers answer fine, for omega-pharma.be;
ns2.skynet.be. returns the list of root name servers, meaning it isn't configured to be slave for that domain.

Contact Skynet/Belgacom helpdesk to get this corrected.

Kind regards,

Marc Lampo
EURid vzw/asbl
Security Officer

From: hugo hugoo [mailto:hugo...@hotmail.com]
Sent: 04 May 2011 08:53 AM
To: bind-users@lists.isc.org
Subject: how to check if a slave zone is expired

Dear all,

Is there a way to check that a slave zone is expired?
I use dig in the following way to see that the zone is not responding on my server...but is this due to the fact that the zone is expired or another problem?

dnszone002:/etc/bind/zones/slave# dig @localhost omega-pharma.be soa

; <<>> DiG 9.3.4 <<>> @localhost omega-pharma.be soa
; (1 server found)
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 26868
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 13, ADDITIONAL: 0

;; QUESTION SECTION:
;omega-pharma.be. IN SOA

;; AUTHORITY SECTION:
. 518400 IN NS A.ROOT-SERVERS.NET.
. 518400 IN NS B.ROOT-SERVERS.NET.
. 518400 IN NS C.ROOT-SERVERS.NET.
. 518400 IN NS D.ROOT-SERVERS.NET.
. 518400 IN NS E.ROOT-SERVERS.NET.
. 518400 IN NS F.ROOT-SERVERS.NET.
. 518400 IN NS G.ROOT-SERVERS.NET.
. 518400 IN NS H.ROOT-SERVERS.NET.
. 518400 IN NS I.ROOT-SERVERS.NET.
. 518400 IN NS J.ROOT-SERVERS.NET.
. 518400 IN NS K.ROOT-SERVERS.NET.
. 518400 IN NS L.ROOT-SERVERS.NET.
. 518400 IN NS M.ROOT-SERVERS.NET.

- How can I see that it is because the zone is expired?
- Is there a way to visualise all the zones that are expired (to make a cleanup of the configuration)?

Thanks for your feedback,

Hugo,
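
The checks discussed in this thread, as an added example that is not part of the original messages: it sorts saved `dig` output into the cases the replies distinguish (SERVFAIL, a referral to the root servers, an authoritative answer) and compares SOA serials with RFC 1982 arithmetic. The SERVFAIL and authoritative samples, the `example.test` names and all function names are constructed for illustration; SERVFAIL can have other causes, so the slave's logs remain the confirmation.

```python
import re

# Constructed sample: trimmed lines of the root referral shown in the thread.
ROOT_REFERRAL = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 26868
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 13, ADDITIONAL: 0
;; AUTHORITY SECTION:
. 518400 IN NS A.ROOT-SERVERS.NET.
. 518400 IN NS B.ROOT-SERVERS.NET.
"""
# Constructed sample: reply from a slave that has no usable zone data.
SERVFAIL = """\
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 1111
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
"""
# Constructed sample: healthy authoritative answer (aa flag set).
AUTH = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 2222
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
;; ANSWER SECTION:
example.test. 3600 IN SOA ns1.example.test. hm.example.test. 2011050401 3600 900 604800 3600
"""

def classify(dig_text):
    """Sort a dig SOA reply into the cases described in the thread."""
    status = re.search(r"status: (\w+)", dig_text)
    flags = re.search(r"flags: ([a-z ]*);", dig_text)
    if not status or not flags:
        return "unparsed"
    status, flags = status.group(1), flags.group(1).split()
    if status == "SERVFAIL":
        return "servfail"          # zone configured, but no data to answer with
    if status == "NOERROR" and "aa" in flags:
        return "authoritative"     # zone loaded and served
    # NS records owned by "." in a non-authoritative reply: referral to the roots
    if status == "NOERROR" and re.search(r"^\.\s+\d+\s+IN\s+NS\s", dig_text, re.M):
        return "root-referral"     # server is not configured for the zone
    return "other"

def soa_serial(dig_text):
    """Extract the serial from an SOA record line, or None if absent."""
    m = re.search(r"\sIN\s+SOA\s+\S+\s+\S+\s+(\d+)", dig_text)
    return int(m.group(1)) if m else None

def master_behind(master_serial, slave_serial):
    """RFC 1982: True when the master's serial is 'less than' the slave's."""
    diff = (slave_serial - master_serial) % 2**32
    return 0 < diff < 2**31
```
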