Audit the consistency of zone files on DNS servers
kcd at chrysler.com
Fri Mar 14 18:54:50 UTC 2014
On 3/14/2014 2:39 PM, Maren S. Leizaola wrote:
> On 3/14/2014 9:20 PM, Stephane Bortzmeyer wrote:
>> On Fri, Mar 14, 2014 at 12:33:47PM +0000,
>> Phil Mayers <p.mayers at imperial.ac.uk> wrote
>> a message of 25 lines which said:
>>> dig @server zone axfr >file
>>> diff file file.real
>> If you're really paranoid, it may not be sufficient since a server may
>> reply differently to "normal" DNS queries and to zone file transfer
>> requests (for instance if the server is also authoritative for a
>> child zone, see RFC 5936, section 3.2).
> Thank you both for your replies.
> I am paranoid and I don't think zone transfers are a good method.
> I want something that looks at the file, intelligently looks at each
> record and sends the right types of queries to all the DNS servers.
> We are never sure how bug-free BIND is. As I am using other DNS
> servers I am not sure how reliably they interact with BIND...
> So I trust nothing until it has been proven to work time and time
> I am surprised that there isn't a standard tool out there to do this,
> it seems pretty obvious to me.
Well, you're only *medium* paranoid, at most. If you were *really*
paranoid, you'd crypto-sign your transfers.
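The per-record check Maren describes (read the zone file, send the right query type for each record to every server, compare the answers) as an added example; this is not code from the thread or from BIND. It uses only the Python standard library, so it runs offline against two constructed fake servers; the live path shells out to `dig` with `+short +norecurse`, which is an assumption about the installed tooling. The zone parser is deliberately minimal (handles `$ORIGIN`, `$TTL`, blank-owner continuation lines and `;` comments, but not parentheses, `$INCLUDE` or `$GENERATE`), and the sample zone `example.test.` is constructed for the demonstration. It also handles the caveat from RFC 5936 raised above: names at or below a delegation point are set aside, because the parent server answers those with a referral rather than the RRset in its own zone file.

```python
"""Audit a zone file record by record against authoritative servers (example)."""
import subprocess
from collections import defaultdict

# Constructed sample zone for the offline demo; not a real zone.
SAMPLE_ZONE = """\
$ORIGIN example.test.
$TTL 3600
@       IN SOA  ns1 hostmaster 2014031401 7200 900 1209600 300
@       IN NS   ns1
@       IN NS   ns2
ns1     IN A    192.0.2.1
ns2     IN A    192.0.2.2
www     IN A    192.0.2.10
www     IN A    192.0.2.11
mail    IN MX   10 mx.example.test.
; delegation: the parent answers queries below this cut with a referral
child   IN NS   ns1.child
ns1.child IN A  192.0.2.53
"""

# Positions of domain names inside the rdata of name-bearing types.
NAME_FIELDS = {"NS": (0,), "CNAME": (0,), "PTR": (0,), "MX": (1,), "SOA": (0, 1)}


def _absolute(name, origin):
    """Make a zone-file name absolute; dig output is already absolute."""
    if name == "@":
        return origin
    if name.endswith("."):
        return name
    if origin is None:
        raise ValueError(f"relative name {name!r} with no $ORIGIN")
    return f"{name}.{origin}"


def _normalize_rdata(rtype, tokens, origin):
    """Canonical rdata string: names absolute and lower-cased, fields space-joined."""
    tokens = list(tokens)
    for i in NAME_FIELDS.get(rtype, ()):
        if i < len(tokens):
            tokens[i] = _absolute(tokens[i], origin).lower()
    return " ".join(tokens)


def parse_zone(text, origin=None):
    """Return (expected, delegated): {(owner, rtype): set(rdata)} for the
    records a server must answer authoritatively, and for those at or below a
    delegation point, which a query to the parent cannot verify."""
    rrsets, delegations, last_owner = defaultdict(set), set(), None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].rstrip()      # assumption: no ';' inside TXT
        if not line.strip():
            continue
        tokens = line.split()
        if tokens[0].upper() == "$ORIGIN":
            origin = tokens[1].lower()
            origin = origin if origin.endswith(".") else origin + "."
            continue
        if tokens[0].startswith("$"):             # $TTL and friends carry no RRs
            continue
        if line[0].isspace():                     # blank owner repeats the last one
            owner = last_owner
        else:
            owner = _absolute(tokens.pop(0), origin).lower()
        last_owner = owner
        if tokens and tokens[0].isdigit():        # optional TTL
            tokens.pop(0)
        if tokens and tokens[0].upper() in ("IN", "CH", "HS"):
            tokens.pop(0)
        rtype = tokens.pop(0).upper()
        rrsets[(owner, rtype)].add(_normalize_rdata(rtype, tokens, origin))
        if rtype == "NS" and owner != origin:     # NS away from the apex = zone cut
            delegations.add(owner)
    expected, delegated = {}, {}
    for key, rdata in rrsets.items():
        below_cut = any(key[0] == d or key[0].endswith("." + d) for d in delegations)
        (delegated if below_cut else expected)[key] = rdata
    return expected, delegated


def compare(expected, query):
    """query(owner, rtype) -> set of rdata strings (empty for NXDOMAIN/NODATA/
    referral). Returns one mismatch dict per RRset that differs from the file."""
    mismatches = []
    for (owner, rtype), want in sorted(expected.items()):
        got = query(owner, rtype)
        if got != want:
            mismatches.append({"owner": owner, "type": rtype,
                               "missing": sorted(want - got),
                               "unexpected": sorted(got - want)})
    return mismatches


def audit(zone_text, servers):
    """servers: {label: query function}. Returns {label: mismatch list}."""
    expected, _delegated = parse_zone(zone_text)
    return {label: compare(expected, q) for label, q in servers.items()}


def fake_server(answers):
    """Offline stand-in for a name server: answers is {(owner, rtype): set}."""
    return lambda owner, rtype: set(answers.get((owner, rtype), ()))


def dig_server(server):
    """Live query function: one dig per RRset. +norecurse asks for the server's
    own data; +short prints one rdata per line and nothing for NXDOMAIN, NODATA
    or a referral, which the report then lists under 'missing'."""
    def query(owner, rtype):
        cmd = ["dig", f"@{server}", owner, rtype, "+short", "+norecurse",
               "+tries=1", "+time=3"]
        out = subprocess.run(cmd, capture_output=True, text=True, check=False).stdout
        return {_normalize_rdata(rtype, ln.split(), None)
                for ln in out.splitlines() if ln.strip()}
    return query


def demo():
    """Offline run against two constructed fake servers; ns2 is out of sync."""
    expected, _ = parse_zone(SAMPLE_ZONE)
    ns1 = {k: set(v) for k, v in expected.items()}                 # fully in sync
    ns2 = {k: set(v) for k, v in expected.items()}
    ns2[("www.example.test.", "A")] = {"192.0.2.10"}                # lost one A
    ns2[("mail.example.test.", "MX")].add("20 mx2.example.test.")   # stale extra MX
    return audit(SAMPLE_ZONE, {"ns1": fake_server(ns1), "ns2": fake_server(ns2)})


if __name__ == "__main__":
    for label, problems in demo().items():
        print(label, problems or "OK")
```

Against real servers, replace the fake servers with `dig_server("192.0.2.1")` and pass the real master file text to `audit`; every authoritative server, whatever software it runs, is then asked the same per-RRset questions, so the check does not depend on AXFR behaving the same as normal queries. The `delegated` set returned by `parse_zone` holds the records this method cannot verify from the parent side; those need to be checked against the child zone's own servers.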