On 3/15/2014 6:09 AM, Maren S. Leizaola wrote:
On 3/15/2014 1:53 AM, Kevin Darcy wrote:
On 3/14/2014 8:28 AM, Maren S. Leizaola wrote:
Hello,
What do you guys recommend to audit every resource
record in a zone file against all the records in all the DNS servers
that host the zone file?

I want something that I feed the master zone file and that then goes to each
NS server and ensures that each of the records is identical in all of
them.

What I want to be able to detect are serial number errors, where a zone
has been updated but the serial number has not changed. In these
circumstances comparing the SOA of all the servers would not report any
errors, but the zone file in the different servers is incorrect.

Well, you're only *medium* paranoid, at most. If you were *really* paranoid, you'd crypto-sign your transfers.

Crypto signed or not signed, AXFR, whatever, etc.: if the DNS servers are malfunctioning and sending the wrong replies to queries I would like to be able to audit that.

Or use Dynamic Update exclusively for DNS record maintenance, so that "forgetting to update the serial number after a change" is a thing of the past[1].

                                    - Kevin

[1] For the nit-pickers out there, the statement is true _even_for_ SOA record changes, since they don't "take" unless you "increment" the serial number (as per serial-number arithmetic) as part of the change.



So Dynamic Updates, to a master? Then IXFR, across different types of DNS servers... lots of room for malfunction...

Can someone provide an answer that does not refer to zone transfers?

Whatever tool you use to "audit" is going to have "lots of room for malfunction" as well.

I think you're just doubting for the sake of doubting for the sake of doubting. Which makes me regret the time I've already invested in this foolishness...

                                        - Kevin
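Added example, not from any poster in this thread: the per-record audit the original question asks for, run over a constructed master zone and constructed per-server answers (in a real audit each NS would be queried for every name/type in the zone). It shows why comparing SOA serials is not enough: the stale server here reports the same serial as the good one.

```python
# Added example (not from the thread): compare every RRset of the master
# zone against what each server answers, not just the SOA serials.
from collections import defaultdict

MASTER_ZONE = """\
$ORIGIN example.test.
$TTL 3600
@    IN SOA ns1.example.test. hostmaster.example.test. 2014031501 7200 900 1209600 300
@    IN NS  ns1.example.test.
@    IN NS  ns2.example.test.
ns1  IN A   192.0.2.1
ns2  IN A   192.0.2.2
www  IN A   192.0.2.10
www  IN A   192.0.2.11
"""

def parse_zone(text):
    """Minimal parser ($ORIGIN/$TTL, one-line records) -> {(fqdn, type): set(rdata)}."""
    origin, rrsets = ".", defaultdict(set)
    for line in text.splitlines():
        tok = line.split(";")[0].split()
        if not tok or tok[0] == "$TTL":
            continue
        if tok[0] == "$ORIGIN":
            origin = tok[1]
            continue
        name = tok.pop(0)
        name = origin if name == "@" else (name if name.endswith(".") else f"{name}.{origin}")
        if tok[0].isdigit():                       # optional TTL
            tok.pop(0)
        if tok[0].upper() in ("IN", "CH", "HS"):   # optional class
            tok.pop(0)
        rrsets[(name, tok.pop(0).upper())].add(" ".join(tok))
    return dict(rrsets)

def serials_agree(observed):
    """The usual check: do all servers report the same SOA serial?"""
    soa = ("example.test.", "SOA")
    return len({next(iter(a[soa])).split()[2] for a in observed.values()}) == 1

def audit(expected, observed):
    """observed = {server: {(fqdn, type): set(rdata)}}.
    Returns (server, name, type, missing_rdata, extra_rdata) per differing RRset."""
    findings = []
    for server, answers in observed.items():
        for key, want in expected.items():
            got = answers.get(key, set())
            if got != want:
                findings.append((server, *key, sorted(want - got), sorted(got - want)))
    return findings

def sample_observed():
    """Constructed answers: ns1 is in sync; ns2 has the same serial but stale www."""
    good = parse_zone(MASTER_ZONE)
    stale = {k: set(v) for k, v in good.items()}
    stale[("www.example.test.", "A")] = {"192.0.2.10", "192.0.2.12"}
    return {"ns1.example.test.": good, "ns2.example.test.": stale}
```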


bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
