Audit the consistency of zone files on DNS servers

Maren S. Leizaola leizaola at udr.hk.com
Sat Mar 15 10:09:43 UTC 2014


On 3/15/2014 1:53 AM, Kevin Darcy wrote:
> On 3/14/2014 8:28 AM, Maren S. Leizaola wrote:
>> Hello,
>> What do you guys recommend to audit every resource
>> record in a zone file against all the records in all the DNS servers
>> that host the zone file?
>>
>> I want something that I feed the master zone file and then goes to each
>> NS server and ensures that each of the records are identical in all of
>> them.
>>
>> What I want to be able to detect are serial number errors, where a zone
>> has been updated but the serial number has not changed. In these
>> circumstances comparing the SOA of all the servers would not report any
>> errors, but the zone files on the different servers are incorrect.

> Well, you're only *medium* paranoid, at most. If you were *really* 
> paranoid, you'd crypto-sign your transfers.

Crypto signed or not signed, AXFR or whatever, etc.: if the DNS servers are 
malfunctioning and sending the wrong replies to queries, I would like to 
be able to audit that.

> Or use Dynamic Update exclusively for DNS record maintenance, so that 
> "forgetting to update the serial number after a change" is a thing of 
> the past[1].
>
>                                     - Kevin
>
> [1] For the nit-pickers out there, the statement is true _even_for_ 
> SOA record changes, since they don't "take" unless you "increment" the 
> serial number (as per serial-number arithmetic) as part of the change.
>
>

So dynamic updates to a master, then IXFR, across different types of 
DNS servers.... lots of room for malfunction...

Can someone provide an answer that does not refer to zone transfers?

Maren.
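A worked example of the per-record audit asked for in this thread, added here and not code from the original post or from BIND: it parses a simple master file, then asks each server for every RRset through a caller-supplied `query` callback (an assumed interface; a real run would wrap dig or dnspython) and reports any server whose answer differs, which catches a stale copy even when its SOA serial still matches the master's.

```python
def parse_zone(text, origin):
    # Minimal master-file parser, constructed for this example (not RFC 1035
    # complete): one record per line, no "(" continuations, no $INCLUDE.
    def absolute(name):
        return origin if name == "@" else name if name.endswith(".") else f"{name}.{origin}"
    records, owner = {}, origin
    for raw in text.splitlines():
        tokens = raw.split(";", 1)[0].split()
        if not tokens:
            continue
        if tokens[0].startswith("$"):         # $ORIGIN changes the origin; $TTL is ignored
            origin = tokens[1] if tokens[0] == "$ORIGIN" else origin
            continue
        if not raw[0].isspace():              # owner name present on this line
            owner = absolute(tokens.pop(0))
        if tokens[0].isdigit():               # optional TTL
            tokens.pop(0)
        if tokens[0].upper() == "IN":         # optional class
            tokens.pop(0)
        rtype, rdata = tokens[0].upper(), tokens[1:]
        if rtype in ("NS", "CNAME", "PTR"):   # name-valued rdata: make absolute
            rdata = [absolute(rdata[0])]
        elif rtype == "MX":
            rdata = [rdata[0], absolute(rdata[1])]
        elif rtype == "SOA":
            rdata = [absolute(rdata[0]), absolute(rdata[1])] + rdata[2:]
        records.setdefault((owner.lower(), rtype), set()).add(" ".join(rdata))
    return records

def audit(master, nameservers, query):
    # query(ns, owner, rtype) -> iterable of rdata strings as that server answers
    # (hypothetical callback). Every RRset is compared, so a stale copy is caught
    # even when its SOA serial equals the master's, which a serial check misses.
    problems = []
    for ns in nameservers:
        for (owner, rtype), expected in sorted(master.items()):
            observed = set(query(ns, owner, rtype))
            if observed != expected:
                problems.append((ns, owner, rtype, expected, observed))
    return problems

def demo():
    # Constructed zone and canned answers: ns2 serves an outdated www record
    # while its SOA serial still matches the master.
    master = parse_zone("""$ORIGIN example.com.
@ IN SOA ns1 hostmaster 2014031501 7200 900 1209600 3600
  IN NS ns1
ns1 IN A 192.0.2.1
www IN A 192.0.2.10
""", "example.com.")
    stale = {**master, ("www.example.com.", "A"): {"192.0.2.9"}}
    answers = {"ns1.example.com.": master, "ns2.example.com.": stale}
    return audit(master, sorted(answers), lambda ns, o, t: answers[ns].get((o, t), set()))
```

Running `demo()` returns one problem tuple naming ns2, `www.example.com.` A, the expected and the observed rdata; an empty list means every server agrees with the master file.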


More information about the bind-users mailing list