On Fri, 2014-03-14 at 14:54 -0400, Kevin Darcy wrote:
> On 3/14/2014 2:39 PM, Maren S. Leizaola wrote:
> > On 3/14/2014 9:20 PM, Stephane Bortzmeyer wrote:
> >> On Fri, Mar 14, 2014 at 12:33:47PM +0000,
> >> Phil Mayers <p.may...@imperial.ac.uk> wrote
> >> a message of 25 lines which said:
> >>
> >>> dig @server zone axfr >file
> >>> diff file file.real
> >>
> >> If you're really paranoid, it may not be sufficient since a server may
> >> reply differently to "normal" DNS queries and to zone file transfer
> >> requests (for instance if the server is also authoritative for a
> >> child zone, see RFC 5936, section 3.2).
> >
> > Thank you both for your replies.
> >
> > I am paranoid and I don't think zone transfers are a good method.
> > I want something that looks at the file, intelligently looks at each
> > record and sends the right types of queries to all the DNS servers.
> >
> > We are never sure how bug free bind is. As I am using other DNS
> > servers I am not sure how reliably they interact with Bind...
> > So I trust nothing until it has been proven to work time and time
> > again....
> >
> > I am surprised that there isn't a standard tool out there to do this,
> > it seems pretty obvious to me.
>
> Well, you're only *medium* paranoid, at most. If you were *really*
> paranoid, you'd crypto-sign your transfers. Makes me wonder a little....

I use TSIG to sign zone transfers. If I check the log file on the receiving (slave) machine, I get something like...

14-Mar-2014 14:05:02.648 general: info: zone olpcsa.co.za/IN: transferred serial 2014031402: TSIG ......

i.e. the Serial Number transferred in. At this point, I'm pretty darn sure that the zone transfer with that serial No. has transferred correctly for that zone at that time.

On the 'master' side, I have a cron-driven script that keeps checksums of my zone files. If the (md5sum) checksum for a zone file is wrong, increment the SOA Serial, update that checksum and fire off an 'rndc reload zone.name'. This allows updating the zone data without remembering to update the SOA Serial. The script also keeps another file per zone with just the last SOA Serial in it - so it can detect if the Serial was incremented. I run each Zone in its own sub-directory to manage each zone's set of files (for managing DNSSEC Keys - etc).

Most zone transfers should be pretty much immediate.

If I were really paranoid... One could add code to the 'master' script to then run through the appropriate 'slave' servers and 'dig' for the new SOA Serial. If a slave does not report back the new SOA Serial after a minute or so - then you'd have reason to become paranoid or, more sensibly, go hunt down the reason for the failure.

Use BIND on the Master. It can, unlike NSD, generate outbound IXFRs. You could use NSD on the Slaves - which gives you genetic diversity...
-- 
Mark J Elkins, Cisco CCIE
Posix Systems - (South) Africa
m...@posix.co.za
Tel: +27 12 807 0590  Cell: +27 82 601 0496
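The master-side routine Mark outlines (checksum the zone file, bump the SOA serial when it changed, record the new checksum and serial, reload, then dig each slave for the new serial) written out as a POSIX shell script. This is an added example, not Mark's script and not part of BIND or NSD. It assumes a layout of one directory per zone under $ZONEROOT holding <zone>.db plus hidden .md5 and .serial state files, a YYYYMMDDnn serial as in the log line above, single- or multi-line SOA records, and rndc and dig on the PATH; the slave host names and the zone root path are placeholders.

```shell
#!/bin/sh
# Added example (not Mark's script, not BIND code): cron-driven serial bump and
# slave verification on a BIND master. Assumed layout: $ZONEROOT/<zone>/<zone>.db
# with hidden .md5 and .serial state files beside it; serials in YYYYMMDDnn form.
ZONEROOT=${ZONEROOT:-/var/named/zones}                  # assumed path
SLAVES=${SLAVES:-"ns2.example.net ns3.example.net"}     # placeholder slave names

# Next YYYYMMDDnn serial: bump nn when the date part is today, else start at today00.
# A serial not in date form (or a counter already at 99) is simply incremented.
next_serial() {
    old=$1 today=$2
    case "$old" in
        "$today"[0-9][0-9])
            n=${old#"$today"}; n=${n#0}
            if [ "$n" -ge 99 ]; then echo $((old + 1)); else printf '%s%02d\n' "$today" $((n + 1)); fi ;;
        *)
            if [ "$old" -lt "${today}00" ]; then echo "${today}00"; else echo $((old + 1)); fi ;;
    esac
}

# awk program shared by file_serial and bump_zone_file: the serial is the first
# all-digit field after the SOA mname/rname, on that line or a following line of a
# parenthesised record. With new="" it prints the serial; otherwise it rewrites it
# and echoes the whole file.
SOA_AWK='
  !replaced && $0 ~ /[ \t]SOA[ \t]/ {
      insoa = 1
      for (i = 1; i <= NF; i++) if ($i == "SOA") { start = i + 3; break }
  }
  insoa && !replaced {
      for (j = start; j <= NF; j++)
          if ($j ~ /^[0-9]+$/) {
              if (new == "") { print $j; exit }
              $j = new; replaced = 1; break
          }
      start = 1
  }
  new != "" { print }'

file_serial()    { awk -v new=""   "$SOA_AWK" "$1"; }
bump_zone_file() { awk -v new="$2" "$SOA_AWK" "$1" > "$1.tmp" && mv "$1.tmp" "$1"; }

# Exit 0 (changed) when the zone file's md5sum differs from the one recorded in $2.
zone_changed() {
    sum=$(md5sum "$1" | cut -d' ' -f1)
    [ -f "$2" ] && [ "$(cat "$2")" = "$sum" ] && return 1
    return 0
}

# Ask every slave for the zone's SOA and list those not yet serving serial $2.
# Returns 1 if any slave lags, so cron mails the output to the operator.
verify_slaves() {
    zone=$1 want=$2; shift 2; lag=0
    for s in "$@"; do
        # 'dig +short SOA' prints: mname rname serial refresh retry expire minimum
        got=$(dig +short +time=2 +tries=1 SOA "$zone" @"$s" | awk '{print $3}')
        [ "$got" = "$want" ] || { echo "$s: serial ${got:-none}, expected $want"; lag=1; }
    done
    return $lag
}

# Cron entry point: reload and verify each zone whose file changed since last run.
update_zones() {
    today=$(date +%Y%m%d)
    for dir in "$ZONEROOT"/*/; do
        zone=$(basename "$dir"); zf="$dir$zone.db"
        [ -f "$zf" ] || continue
        zone_changed "$zf" "$dir.md5" || continue
        old=$(file_serial "$zf"); new=$(next_serial "${old:-0}" "$today")
        bump_zone_file "$zf" "$new"
        md5sum "$zf" | cut -d' ' -f1 > "$dir.md5"   # checksum of the file AFTER the bump
        echo "$new" > "$dir.serial"                  # last serial issued, for later comparison
        # give the NOTIFY/transfer a minute, then confirm every slave serves the new serial
        rndc reload "$zone" && sleep 60 && verify_slaves "$zone" "$new" $SLAVES
    done
}

if [ "${1:-}" = run ]; then update_zones; fi
```

The stored checksum is taken after the serial rewrite, otherwise the script's own edit would look like a change on the next run and bump the serial again. Invoke it from cron as `script.sh run`; the unchanged `.serial` file makes a "did the serial move?" check trivial for any other monitoring.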