On 15/03/2014 10:09, Maren S. Leizaola wrote:

Can someone provide an answer that does not refer to zone transfers?

Your original email said:

What I want to be able to detect are serial number errors, where a
zone has been updated but the serial number has not changed

Then you said:

I am paranoid and I don't think zone transfers are a good method. I
want something that looks at the file, intelligently looks at each
record and sends the right types of queries to all the DNS servers.

We are never sure how bug-free BIND is. As I am using other DNS
servers, I am not sure how reliably they interact with BIND... So I
trust nothing until it has been proven to work time and time
again....

To be blunt, I think you are being unreasonable - sort of a "radical skeptic" - about the software.

If you distrust the XFR bit of your DNS servers, why trust *any* of it? How do you know the DNS server isn't answering with garbage when it should be answering NODATA/NXDOMAIN? Or answering with correct values to you, but garbage 0.01% of the time to everyone else?

You don't know that, and you can never know that, so proceeding on this basis is futile.

Do you have grounds to *reasonably doubt* the functioning of your DNS software?

Anyway - in an attempt to be "helpful", even though I think it's a silly thing to do, here's a suggestion which queries every record in a zone versus a master file:

https://github.com/joemiller/dns_compare

You could also canonicalise the zone file with "trusted" (ha ha) software then transfer it over a "trusted" protocol (ha ha), "freeze" the zone at the slaves having "trusted" that they will write to disk correctly, then use diff.

None of these solves the NODATA/NXDOMAIN or low-rate error problem, but they are, in principle, unsolvable.

Good luck - I doubt you'll find what you want though! ;o)

Cheers,
Phil
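An added example, not code from this thread or from the dns_compare project, showing the shape of the check discussed above: parse the zone master file into canonical RRsets, compare each RRset against what each server answers, and flag the poster's exact failure mode, where a server's copy of the zone differs from the master file while the SOA serial is unchanged (so secondaries would never notice the update). The zone, the server names and the per-server answers are all constructed here so the script runs offline; in real use the `build_constructed_views` dict would be replaced by non-recursive queries for each (owner, type) pair sent directly to every authoritative server.

```python
"""Master-file-vs-served-zone audit (added example, constructed data)."""
from collections import defaultdict

# Constructed sample master file; example.test is a documentation-style name.
MASTER_FILE = """\
$ORIGIN example.test.
$TTL 3600
@       IN SOA  ns1 hostmaster 2014031501 7200 900 1209600 300
@       IN NS   ns1
@       IN NS   ns2
ns1     IN A    192.0.2.1
ns2     IN A    192.0.2.2
www 300 IN A    192.0.2.10
www     IN A    192.0.2.11
MAIL    IN MX   10 mail.example.test.
"""

# Which rdata fields are domain names and must be made absolute/lower-case.
NAME_FIELDS = {"NS": (0,), "CNAME": (0,), "PTR": (0,), "MX": (1,), "SOA": (0, 1)}


def canonical_name(name, origin):
    """Lower-case, absolute, with trailing dot; '@' means the origin."""
    name = name.lower()
    if name == "@":
        return origin
    return name if name.endswith(".") else f"{name}.{origin}"


def canonical_rdata(rtype, fields, origin):
    """Normalise rdata so file and wire forms compare equal as strings."""
    fields = list(fields)
    for i in NAME_FIELDS.get(rtype, ()):
        fields[i] = canonical_name(fields[i], origin)
    return " ".join(fields).lower()


def parse_master(text):
    """Parse a minimal master file into (origin, {(owner, type): set(rdata)}).
    Supports $ORIGIN, $TTL, '@', relative names, an optional TTL field and
    the IN class; comments after ';'. Multi-line '(' records are not handled."""
    origin = "."
    rrsets = defaultdict(set)
    for raw in text.splitlines():
        tokens = raw.split(";", 1)[0].split()
        if not tokens:
            continue
        if tokens[0] == "$ORIGIN":
            origin = tokens[1].lower()
            origin = origin if origin.endswith(".") else origin + "."
            continue
        if tokens[0] == "$TTL":
            continue  # TTLs are not compared in this example
        owner, rest = canonical_name(tokens[0], origin), tokens[1:]
        if rest and rest[0].isdigit():          # optional TTL
            rest = rest[1:]
        if rest and rest[0].upper() == "IN":    # optional class
            rest = rest[1:]
        rtype = rest[0].upper()
        rrsets[(owner, rtype)].add(canonical_rdata(rtype, rest[1:], origin))
    return origin, dict(rrsets)


def zone_serial(rrsets, origin):
    """SOA rdata is 'mname rname serial refresh retry expire minimum'."""
    (soa,) = rrsets[(origin, "SOA")]
    return int(soa.split()[2])


def compare_views(master, served):
    """Per-RRset diff: (owner, type, missing_on_server, extra_on_server)."""
    diffs = []
    for key in sorted(set(master) | set(served)):
        m, s = master.get(key, set()), served.get(key, set())
        if m != s:
            diffs.append((key[0], key[1], sorted(m - s), sorted(s - m)))
    return diffs


def audit_server(master, served, origin):
    """Report differences and whether content differs under an unchanged serial."""
    diffs = compare_views(master, served)
    try:
        served_serial = zone_serial(served, origin)
    except (KeyError, ValueError):
        served_serial = None  # server has no (usable) SOA at all
    content_diffs = [d for d in diffs if d[1] != "SOA"]
    master_serial = zone_serial(master, origin)
    return {
        "serial_master": master_serial,
        "serial_served": served_serial,
        "diffs": diffs,
        # The poster's case: zone edited, secondaries stale, serial never bumped.
        "stale_serial": bool(content_diffs) and served_serial == master_serial,
    }


def build_constructed_views(master):
    """Constructed stand-in for live queries: one server in sync, one stale."""
    primary = {k: set(v) for k, v in master.items()}
    stale = {k: set(v) for k, v in master.items()}
    stale[("www.example.test.", "A")] = {"192.0.2.10"}  # pre-edit content, same SOA
    return {"ns1.example.test.": primary, "ns2.example.test.": stale}


if __name__ == "__main__":
    origin, master = parse_master(MASTER_FILE)
    for server, served in build_constructed_views(master).items():
        print(server, audit_server(master, served, origin))
```

Comparing per RRset rather than per record matters because a DNS answer carries the whole RRset, so a server that has dropped one of two `www` A records shows up as a set difference, not a missing query. TTLs are deliberately left out of the comparison; if they are included, the queries must go to the authoritative servers directly (non-recursive), or cache-decremented TTLs will produce false alarms.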
_______________________________________________
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users