how to check if a slave zone is expired
hugobxl at hotmail.com
Wed May 4 08:22:26 UTC 2011
Thanks for the feedback.
I have indeed seen in the logs that the zone is expired on ns2 but my question was more general in order not to have to always try to see the logs (info not available if the zone has expired some weeks ago..).
So..no way to check that a zone is expired?
For info: no "servfail" answer on the query.
C:\Data\dig>dig @ns2.skynet.be wwW.omega-pharma.be
; <<>> DiG 9.3.2 <<>> @ns2.skynet.be wwW.omega-pharma.be
; (1 server found)
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 392
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 13, ADDITIONAL: 0
;; QUESTION SECTION:
;wwW.omega-pharma.be. IN A
;; AUTHORITY SECTION:
. 518400 IN NS A.ROOT-SERVERS.NET.
. 518400 IN NS B.ROOT-SERVERS.NET.
. 518400 IN NS C.ROOT-SERVERS.NET.
. 518400 IN NS D.ROOT-SERVERS.NET.
. 518400 IN NS E.ROOT-SERVERS.NET.
. 518400 IN NS F.ROOT-SERVERS.NET.
. 518400 IN NS G.ROOT-SERVERS.NET.
. 518400 IN NS H.ROOT-SERVERS.NET.
. 518400 IN NS I.ROOT-SERVERS.NET.
. 518400 IN NS J.ROOT-SERVERS.NET.
. 518400 IN NS K.ROOT-SERVERS.NET.
. 518400 IN NS L.ROOT-SERVERS.NET.
. 518400 IN NS M.ROOT-SERVERS.NET.
;; Query time: 31 msec
;; SERVER: 22.214.171.124#53(126.96.36.199)
;; WHEN: Wed May 04 10:18:37 2011
;; MSG SIZE rcvd: 248
From: marc.lampo at eurid.eu
To: hugobxl at hotmail.com; bind-users at lists.isc.org
Subject: RE: how to check if a slave zone is expired
Date: Wed, 4 May 2011 09:58:22 +0200
“zones” don’t “expire”, like DNSSEC RRSIG with their “end of validity time stamp”.
At worst, a slave name server is unable to verify the SOA record on the master for “expiry” time.
At that point, the slave name server still “knows” it is authoritative, but has no data it could answer with
→ (at least Bind) will reply with a “SERVFAIL” (not the list of root name servers !)
The second worst thing is that the serial number on the master is lower than what the slaves last “zone transferred”.
As already commented in another reaction, check the logs of the slaves, they (should) signal this (Bind does).
Hope this helps.
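Added example, not part of the original thread: one way to turn the manual dig check discussed above into a monitoring test, without relying on the secondary's logs. It classifies a saved dig response as authoritative (aa flag set), SERVFAIL, or an upward referral like the one posted. The function names `parse_dig` and `classify` are hypothetical, and the input is assumed to be the text output of something like `dig +norecurse @server zone SOA`.

```python
import re

def parse_dig(text):
    """Return (status, header flags, AUTHORITY-section owner names) from dig output."""
    status = re.search(r"status: (\w+)", text)
    flags = re.search(r"flags: ([a-z ]*);", text)
    owners, section = [], None
    for line in (l.strip() for l in text.splitlines()):
        header = re.match(r";; (\w+) SECTION:", line)
        if header:
            section = header.group(1)
        elif line.startswith(";;"):
            section = None                      # footer lines end the record sections
        elif section == "AUTHORITY" and line and not line.startswith(";"):
            owners.append(line.split()[0].lower())
    return (status.group(1) if status else None,
            flags.group(1).split() if flags else [], owners)

def classify(text, zone):
    """Classify how a server answered a query for a name in `zone`."""
    status, flags, owners = parse_dig(text)
    zone = zone.lower().rstrip(".") + "."
    if status == "SERVFAIL":
        return "servfail"
    if "aa" in flags:
        return "authoritative"
    # NS records owned only by ancestors of the zone: the server is referring
    # the client upward instead of answering from the zone's data.
    if owners and all(o != zone and (o == "." or zone.endswith("." + o)) for o in owners):
        return "upward-referral"
    return "non-authoritative"

# Output from the post above, AUTHORITY section trimmed to two of the 13 lines.
POSTED = """;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 392
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 13, ADDITIONAL: 0
;; QUESTION SECTION:
;wwW.omega-pharma.be. IN A
;; AUTHORITY SECTION:
. 518400 IN NS A.ROOT-SERVERS.NET.
. 518400 IN NS B.ROOT-SERVERS.NET.
;; Query time: 31 msec
"""
# Constructed sample of a healthy secondary (example.org is a placeholder zone).
HEALTHY = """;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1
;; flags: qr aa; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
;; ANSWER SECTION:
example.org. 3600 IN SOA ns1.example.org. admin.example.org. 1 7200 900 1209600 3600
"""
```

Run against every listed name server of a zone, any result other than "authoritative" marks a server that should be investigated.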