Monitoring Zonefiletransfer

Markus Weber bumpemacvettn at googlemail.com
Wed Feb 19 07:32:14 UTC 2014


On 19.02.2014, 04:34, /dev/rob0 <rob0 at gmx.co.uk> wrote:

> On Tue, Feb 18, 2014 at 11:44:15PM +0100, markus weber wrote:
>> I am new to administering a Bind server and after a few problems I ran
>> into I need to monitor the zonefile transfers of my slave server.
>
> I think the terminology you use shows a part of the confusion. Zone
> *data* is transferred to slave servers, not zone *files.*

From my understanding the terminology zonefiletransfer is quite common,
maybe it is just a German thing and in English it's just zone transfer, but
I would not fight about this.

>
>> I have searched on Google and Nagios plugin sites but could not
>> find anything that fits my needs entirely.
>>
>> Here is the Setup:
>> - MS ActiveDirectory as primary Nameservers (not under my control)
>> - 2 Bind server as slave for various zones (behind a loadbalancer)
>>
>> The problem I ran into was that the zone transfer didn't work for
>> some reason and the zone we hold expired, causing our mailgateway to
>> stop relaying mails :/
>>
>> As I said, I googled around and as I could not find anything I
>> hacked a Nagios plugin myself (you can find the code here:
>> https://github.com/seppovic/Nagios-plugins/blob/master/libexec/check_dns_zonetransfer.pl).
>> But I am curious if I took the right "route". These are my
>> assumptions and a first approach:
>>
>> - read named.conf and get master servers
>> - query soa of slave and get serial
>
> If "query" is something like "dig +short zone.example. soa @slave",
> right.

Yep, exactly. I do it with a Perl module but the outcome is the same.

>
>> - query first master and get serial
>
> Likewise here, s/slave/master/

True.

>
>> - if serial match:
>>    get zonefile modification time (not sure if this is significant)
>
> It is not. Zone data is kept in memory and is written to the journal.
> At 15-minute intervals, the zone file is written if it differs from
> actual zone data.

I read somewhere that it is enough to look at the modification time. But
if you know a way how I can get the time of the last retry I could
determine for how long it did not update.

>
>> and compare it with localtime and "soa-expiretime"
>>         + warn or crit on threshold
>>         (stat($zoneFile)[9] + $SOA_S->expire) - time
>> - if master serial > slave serial
>>         create tempfile and check for how long it stays lower
>> then masters serial
>>         + warn or crit on threshold
>> - else
>>         test next master
>>         on last master exit with error ( this should not become
>> true ever, right?)
>>
>>
>> A few problems i discovered:
>> - sometimes have a higher serial than all masters have; is this
>> normal on an AD DNS? Or am I doing something wrong? I thought this
>> could not happen.
>> - Some zones nearly always reach expiration time, and I get a lot
>> of critical messages, and a few hours/minutes before expiration it
>> does the update.
>
> Not enough here to know what's going on.
>

Me neither :( What information could I provide for this? Or where can I
look for help?
I will first look for the refresh and retry values as Mark pointed out and
come back then.

>> I hope you can guide me a bit and tell me if this is what I want xD
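
An added example (my own sketch, not the poster's check_dns_zonetransfer.pl) of the decision logic described in the thread, written as pure functions so it can be tested without a live server: the caller passes in the SOA serials it queried from the slave and each master, plus a last-refresh timestamp and a "behind since" timestamp that the check would keep in its own state file (the zone file mtime is not reliable for this, as noted above). It goes one step beyond the thread by comparing serials with RFC 1982 wrap-around arithmetic, so a wrapped serial is not misread as the slave being ahead; the threshold fractions and the stale_warn/stale_crit defaults are assumptions.

```python
import time

OK, WARNING, CRITICAL, UNKNOWN = 0, 1, 2, 3

def serial_newer(a, b):
    """RFC 1982 serial arithmetic: True if serial a is newer than serial b.
    A plain a > b misfires once a 32-bit serial wraps around."""
    a, b = a & 0xFFFFFFFF, b & 0xFFFFFFFF
    return a != b and ((a > b and a - b < 2**31) or (a < b and b - a > 2**31))

def check_zone(zone, slave_serial, master_serials, soa_expire, last_refresh,
               stale_since=None, now=None, stale_warn=3600, stale_crit=14400):
    """Decide the Nagios state for one zone from values the caller queried.

    slave_serial   : serial from 'dig +short zone soa @slave'
    master_serials : serial from each master, None where the query failed
    soa_expire     : SOA expire field (seconds) of the zone
    last_refresh   : epoch time the slave serial last matched a master
                     (kept in a state file by the check, not the file mtime)
    stale_since    : epoch time the slave first fell behind, or None
    Returns (state, message); state doubles as the Nagios exit code.
    """
    now = time.time() if now is None else now
    answered = [s for s in master_serials if s is not None]
    if not answered:
        return UNKNOWN, f"{zone}: no master answered the SOA query"
    if slave_serial in answered:
        # In sync: the risk is the slave quietly ageing towards SOA expire.
        left = int(last_refresh + soa_expire - now)
        msg = f"{zone}: serial {slave_serial} in sync, {left}s until expire"
        if left <= 0.2 * soa_expire:
            return CRITICAL, msg
        if left <= 0.5 * soa_expire:
            return WARNING, msg
        return OK, msg
    if any(serial_newer(m, slave_serial) for m in answered):
        # A master is ahead: alert on how long the slave has been lagging.
        behind = int(now - (stale_since if stale_since is not None else now))
        msg = f"{zone}: slave {slave_serial} behind masters {answered} for {behind}s"
        if behind >= stale_crit:
            return CRITICAL, msg
        if behind >= stale_warn:
            return WARNING, msg
        return OK, msg
    # Slave ahead of every master: should not happen with a correct master list.
    return CRITICAL, f"{zone}: slave serial {slave_serial} newer than masters {answered}"
```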


More information about the bind-users mailing list