Testing/verifying production config changes

David Carmean dave at west.net
Sat Oct 30 20:06:53 UTC 1999


I'm trying to come up with a way to thoroughly pretest changes to be made 
to zonefiles on my production servers.  I see it as a two-part problem, 
at least, one side of which I have a pretty good hold on.

First, I've decided to use CVS and a named.conf.test file with appropriate 
options to run bind on a high-numbered port, in a work directory.  I'm 
logging with print-category and print-severity on, and will use that to 
look for syntax errors, etc.

But once those errors are resolved, I need to check the zones for 
sanity as a resolver client would use them.  This could be "interesting" 
due to this being part of a split DNS system and the zones in question 
being unknown outside the firewall, and the use of RFC1918 address space.

Which of the "contrib" tools might be useful for this purpose?  It would 
have to be able to be told not to look "up" beyond the parent domain, as 
the outside version won't know anything about the delegations, and it 
would also have to be able to deal with the use of the RFC1918 space.

I played with DNSwalk and DOC several years ago, but before I go spending 
a lot of time with them I was wondering if anybody had experience with them 
in this kind of split/firewalled environment.

Thanks.

--                                                         _    .    _    .    _
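
An added example, not part of the original post and not one of the BIND contrib tools: a resolver-side sanity check that uses only the zone's own records, never follows a name outside the zone apex, and treats RFC 1918 addresses as the expected case. The zone name, records and the policy of flagging non-RFC 1918 addresses are assumptions constructed for illustration.

```python
import ipaddress

APEX = "corp.example."  # constructed zone apex; nothing above it is consulted
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed records, shaped like a zone transfer pulled from the test instance.
RECORDS = [
    ("corp.example.", "NS", "ns1.corp.example."),
    ("corp.example.", "MX", "mail.corp.example."),
    ("ns1.corp.example.", "A", "10.1.1.53"),
    ("mail.corp.example.", "CNAME", "mx01.corp.example."),
    ("mx01.corp.example.", "A", "10.1.1.25"),
    ("www.corp.example.", "CNAME", "web.corp.example."),
    ("lab.corp.example.", "NS", "ns.lab.corp.example."),
    ("ext.corp.example.", "CNAME", "www.example.org."),
    ("gw.corp.example.", "A", "192.0.2.1"),
]

def in_zone(name, apex=APEX):
    """True if name is the apex or below it (label-aligned suffix match)."""
    name = name.lower()
    return name == apex or name.endswith("." + apex)

def check_zone(records, apex=APEX):
    """Return sorted (owner, problem) pairs found using only the zone's own data."""
    types = {}
    for owner, rtype, _ in records:
        types.setdefault(owner.lower(), set()).add(rtype)
    problems = []
    for owner, rtype, rdata in records:
        if rtype == "A":
            addr = ipaddress.ip_address(rdata)
            if not any(addr in net for net in RFC1918):
                problems.append((owner, f"address {rdata} outside RFC 1918"))
        elif rtype in ("NS", "MX", "CNAME"):
            target = rdata.lower()
            if not in_zone(target, apex):
                continue  # never follow names above or outside the apex
            seen = types.get(target, set())
            if not seen:
                problems.append((owner, f"{rtype} target {target} has no data"))
            elif rtype != "CNAME" and "CNAME" in seen:
                problems.append((owner, f"{rtype} target {target} is a CNAME"))
    return sorted(problems)

if __name__ == "__main__":
    for owner, problem in check_zone(RECORDS):
        print(owner, "-", problem)
```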

