On 22:09 21/06, Shane Kerr wrote: > > Dne 1.6.2018 v 12:51 Shane Kerr napsal(a): > > > > Hmm, can you share some details about your experience? > > Did you find out when the data corruption took place? > > a) network transfer > > b) implementation bugs (e.g. incorrectly received IXFR) > > c) on disk > > d) some other option? > > I don't know. I have seen incorrectly transferred zone files both in > BIND > and NSD slaves. IIRC our solution was to include sentinel records in > the > zone files to spot problems, take the node out of service, and force a > re-transfer. This of course won't work if you are slaving zones that > you do > not control, and it doesn't prevent a small window of time when the > servers > are operating with broken zones. TSIG was being used.
We have also seen broken transfers between secondaries. Our solution is to dump the zone after transfer, calculate a hash and compare. We would benefit from having a ZONEMD record inside the zone. Hugo
signature.asc
Description: PGP signature
_______________________________________________ DNSOP mailing list DNSOP@ietf.org https://www.ietf.org/mailman/listinfo/dnsop
