Audit the consistency of zone files on DNS servers

Maren S. Leizaola leizaola at
Sat Mar 15 10:09:43 UTC 2014

On 3/15/2014 1:53 AM, Kevin Darcy wrote:
> On 3/14/2014 8:28 AM, Maren S. Leizaola wrote:
>> Hello,
>> What do you guys recommend to audit every resource record in a zone file
>> against all the records in all the DNS servers that host the zone file?
>> I want something that I feed the master zone file and then goes to each
>> NS server and ensures that each of the records are identical in all of
>> them.
>> What I want to be able to detect are serial number errors, where a zone
>> has been updated but the serial number has not changed. In these
>> circumstances comparing the SOA of all the servers would not report any
>> errors, but the zone files on the different servers are incorrect.

> Well, you're only *medium* paranoid, at most. If you were *really* 
> paranoid, you'd crypto-sign your transfers.

Crypto-signed or not signed, AXFR or whatever, etc.: if the DNS servers are 
malfunctioning and sending the wrong replies to queries, I would like to 
be able to audit that.

> Or use Dynamic Update exclusively for DNS record maintenance, so that 
> "forgetting to update the serial number after a change" is a thing of 
> the past[1].
>                                     - Kevin
> [1] For the nit-pickers out there, the statement is true _even_for_ 
> SOA record changes, since they don't "take" unless you "increment" the 
> serial number (as per serial-number arithmetic) as part of the change.

So dynamic updates to a master, then IXFR across different types of 
DNS servers... lots of room for malfunction...

Can someone provide an answer that does not refer to zone transfers?
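An added example, not from this thread or any of its participants, of the
kind of audit asked for above: it parses the master zone file and then asks
each authoritative server for every RRset by ordinary query (no AXFR/IXFR),
so a server whose SOA serial still matches the master but whose data has
drifted is reported. The zone-file parser is a deliberately minimal one
(one record per line, no parenthesised multi-line records); the `dig`
backend is an assumption about the tooling on the auditing host, and the
sample zone and the "stale ns2" data are constructed for the demo.

```python
"""Audit every RRset of a master zone file against each authoritative server.

Added example, not from the original thread.  Compares per-RRset answers
rather than serials or transfers, so stale data behind an unchanged serial
is still caught.
"""
import subprocess
from collections import defaultdict


def _qualify(name, origin):
    """Turn a zone-file owner name into a lower-cased absolute name."""
    if name == "@":
        return origin
    if name.endswith("."):
        return name.lower()
    return f"{name}.{origin}".lower()


def parse_zone(text, origin):
    """Parse a one-record-per-line zone file into {(owner, type): {rdata}}.

    Handles $ORIGIN, optional TTL/class, '@', relative names, ';' comments
    and owner-less continuation lines.  Parenthesised multi-line records are
    deliberately not handled; use a full parser for real zones.
    """
    origin = origin.rstrip(".").lower() + "."
    rrsets = defaultdict(set)
    last_owner = origin
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].rstrip()
        if not line.strip():
            continue
        fields = line.split()
        if fields[0] == "$ORIGIN":
            origin = fields[1].rstrip(".").lower() + "."
            continue
        if fields[0] == "$TTL":
            continue
        owner = last_owner if raw[0] in " \t" else _qualify(fields.pop(0), origin)
        if fields and fields[0].isdigit():        # optional TTL
            fields.pop(0)
        if fields and fields[0].upper() == "IN":  # optional class
            fields.pop(0)
        rtype = fields.pop(0).upper()
        rrsets[(owner, rtype)].add(" ".join(fields))  # whitespace-normalised rdata
        last_owner = owner
    return dict(rrsets)


def soa_serial(rrsets, zone):
    """Return the serial (third SOA field) of the zone apex, or None."""
    soa = rrsets.get((zone, "SOA"))
    return int(next(iter(soa)).split()[2]) if soa else None


def dig_query(server, name, rtype):
    """Ask one server for one RRset with dig (+norecurse so only its own data answers).

    +short prints presentation-format rdata, i.e. the same text a zone file carries.
    """
    out = subprocess.run(["dig", "+norecurse", "+short", "@" + server, name, rtype],
                         capture_output=True, text=True, check=True).stdout
    return {" ".join(l.split()) for l in out.splitlines() if l.strip()}


def audit_zone(zone, master, servers, query):
    """Compare every master RRset with each server's answer; return {server: [findings]}.

    A server whose SOA serial equals the master's but whose data differs gets
    an explicit finding: that is the case a serial-only comparison misses.
    """
    zone = zone.rstrip(".").lower() + "."
    master_serial = soa_serial(master, zone)
    report = {}
    for server in servers:
        findings = []
        for (owner, rtype), expected in sorted(master.items()):
            got = query(server, owner, rtype)
            if got != expected:
                findings.append(f"{owner} {rtype}: master {sorted(expected)} server {sorted(got)}")
        server_serial = soa_serial({(zone, "SOA"): query(server, zone, "SOA")}, zone)
        if findings and server_serial == master_serial:
            findings.insert(0, f"SOA serial {server_serial} matches master but "
                               f"{len(findings)} RRset(s) differ")
        report[server] = findings
    return report


# Constructed sample data: master zone, and an ns2 that never picked up the
# second www address although the serial was not bumped.
MASTER_ZONE = """\
$ORIGIN example.com.
$TTL 3600
@       IN SOA  ns1.example.com. hostmaster.example.com. 2014031501 3600 900 604800 300
        IN NS   ns1.example.com.
        IN NS   ns2.example.com.
        IN MX   10 mail.example.com.
ns1     IN A    192.0.2.1
ns2     IN A    192.0.2.2
mail    IN A    192.0.2.20
www     IN A    192.0.2.10
www     IN A    192.0.2.11
"""
STALE_NS2_ZONE = MASTER_ZONE.replace("www     IN A    192.0.2.11\n", "")


def fake_query_from_zones(zones):
    """Offline stand-in for dig_query over in-memory {server: rrsets} data."""
    def query(server, name, rtype):
        return set(zones[server].get((name.lower(), rtype.upper()), set()))
    return query


def demo():
    master = parse_zone(MASTER_ZONE, "example.com")
    zones = {"192.0.2.1": master, "192.0.2.2": parse_zone(STALE_NS2_ZONE, "example.com")}
    return audit_zone("example.com", master, list(zones), fake_query_from_zones(zones))


if __name__ == "__main__":
    for server, findings in demo().items():
        print(server, "OK" if not findings else "")
        for finding in findings:
            print("  ", finding)
```

Against real servers, pass `dig_query` instead of the fake and the list of NS
addresses from the zone. Two limits worth knowing: the audit can only check
RRsets that exist in the master, so a record that exists on a server but not
in the master is invisible without enumerating that server (which is what a
zone transfer gives you); and wildcard or CNAME-synthesised answers are
compared as returned, so a zone relying on them needs those names listed
explicitly in the master file.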


