Audit the consistency of zone files on DNS servers

Mark Elkins mje at
Fri Mar 14 20:24:07 UTC 2014

On Fri, 2014-03-14 at 14:54 -0400, Kevin Darcy wrote:
> On 3/14/2014 2:39 PM, Maren S. Leizaola wrote:
> > On 3/14/2014 9:20 PM, Stephane Bortzmeyer wrote:
> >> On Fri, Mar 14, 2014 at 12:33:47PM +0000,
> >>   Phil Mayers <p.mayers at> wrote
> >>   a message of 25 lines which said:
> >>
> >>> dig @server zone axfr >file
> >>> diff file file.real
> >> If you're really paranoid, it may not be sufficient since a server may
> >> reply differently to "normal" DNS queries and to zone file transfer
> >> requests (for instance if the server is also authoritative for a
> >> child zone, see RFC 5936, section 3.2).
> >>
> >>
> >
> > Thank you both for your replies.
> >
> > I am paranoid and I don't think zone transfers are a good method.
> >  I want something that looks at the file, intelligently looks at each 
> > record and sends the right types of queries to all the DNS servers.
> >
> > We are never sure how bug free bind is. As I am using other DNS 
> > servers I am not sure how reliably they interact with Bind...
> > So I trust nothing until it has been proven to work time and time 
> > again....
> >
> > I am surprised that there isn't a standard tool out there to do this, 
> > it seems pretty obvious to me.

> Well, you're only *medium* paranoid, at most. If you were *really* 
> paranoid, you'd crypto-sign your transfers.

Makes me wonder a little....

I use TSig to sign zone transfers. If I check the log file on the
receiving (slave) machine, I get something like...

14-Mar-2014 14:05:02.648 general: info: zone
transferred serial 2014031402: TSIG ......

i.e. the Serial Number transferred in.  At this point, I'm pretty darn
sure that the zone transfer with that serial No. has transferred
correctly for that zone at that time.

On the 'master' side, I have a cron driven script that keeps checksums
of my zone files. If the (md5sum) checksum for a zone file is wrong,
increment the SOA Serial, update that Check-sum and fire off an 'rndc
reload'. This allows updating the zone data without
remembering to update the SOA Serial. The script also keeps another file
per zone with just the last SOA-Serial in it - so can detect if the
Serial was incremented. I run each Zone in its own sub-directory to
manage each zones set of files (for managing DNSSEC Keys - etc).

Most zone transfers should be pretty much immediate.

If I were really paranoid:...
One could add code to the 'master' script to then run through the
appropriate 'slave' servers and 'dig' for the new SOA Serial. If a slave
does not report back the new SOA Serial after a minute or so - then
you'd have reason to become paranoid or more sensibly, go hunt down the
reason for the failure. 

Use BIND on the Master. It can, unlike NSD, generate outbound IXFRs.
You could use NSD on the Slaves - which gives you genetic diversity...

  .  .     ___. .__      Posix Systems - (South) Africa
 /| /|       / /__       mje at  -  Mark J Elkins, Cisco CCIE
/ |/ |ARK \_/ /__ LKINS  Tel: +27 12 807 0590  Cell: +27 82 601 0496
