Audit the consistency of zone files on DNS servers

Phil Mayers p.mayers at
Sat Mar 15 13:14:39 UTC 2014

On 15/03/2014 10:09, Maren S. Leizaola wrote:

> Can someone provide an answer that does not refer to zone transfers?

Your original email said:

> What I want to be able to detect are serial number errors, where a
> zone has been updated but the serial number has not changed

Then you said:

> I am paranoid and I don't think zone transfers are a good method. I
> want something that looks at the file, intelligently looks at each
> record and sends the right types of queries to all the DNS servers.
> We are never sure how bug free bind is. As I am using other DNS
> servers I am not sure how reliably they interact with Bind... So
> I trust nothing until it has been proven to work time and time
> again....

To be blunt, I think you are being unreasonable - sort of a "radical 
skeptic" - about the software.

If you distrust the XFR bit of your DNS servers, why trust *any* of it? 
How do you know the DNS server isn't answering with garbage when it 
should be answering NODATA/NXDOMAIN? Or answering with correct values to 
you, but garbage 0.01% of the time to everyone else?

You don't know that, and you can never know that, so proceeding on this 
basis is futile.

Do you have grounds to *reasonably doubt* the functioning of your DNS 

Anyway - in an attempt to be "helpful", even though I think it's a silly 
thing to do, here's a suggestion which queries every record in a zone 
versus a master file:

You could also canonicalise the zone file with "trusted" (ha ha) 
software then transfer it over a "trusted" protocol (ha ha), "freeze" 
the zone at the slaves having "trusted" that they will write to disk 
correctly, then use diff.

None of these solves the NODATA/NXDOMAIN or low-rate error problem, but 
they are, in principle, unsolvable.

Good luck - I doubt you'll find what you want though! ;o)
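The per-record audit sketched above (walk every record in the master file and query it against each server) together with the canonicalise-then-diff alternative, as an added example that is not part of the original post and not BIND's own code. The zone text and the server answers are constructed sample data, the `resolve(server, owner, rtype)` callback is this example's own convention, and a real run would back that callback with a DNS library that returns rdata canonicalised the same way `parse_zone` does.

```python
"""Audit a zone master file against the answers of each authoritative server.
Added example for this thread, not code from the original post or from BIND:
it queries every record of the master file against every server, flagging
NODATA and data that differs while the SOA serial is unchanged, and
canonicalises records so two copies of a zone can be diffed. resolve(server,
owner, rtype) is this example's own callback; ZONE_TEXT and STUB_ANSWERS are
constructed sample data, not real servers."""
from collections import defaultdict

NAME_RDATA = {"NS": [0], "CNAME": [0], "PTR": [0], "MX": [1], "SOA": [0, 1]}  # name-valued rdata fields

def canonical_name(name, origin):
    """Lower-case a name and make it absolute relative to origin."""
    name = name.lower()
    return origin if name == "@" else name if name.endswith(".") else f"{name}.{origin}"

def _logical_lines(text):
    """Strip comments and join parenthesised multi-line records (e.g. SOA)."""
    buf, depth = [], 0
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].rstrip()  # a quoted ';' inside TXT is not handled
        if line.strip() or buf:
            buf.append(line)
            depth += line.count("(") - line.count(")")
        if buf and depth <= 0:
            yield " ".join(buf).replace("(", " ").replace(")", " ")
            buf, depth = [], 0

def parse_zone(text, origin):
    """Return {(owner, type): set(rdata)} with every name canonicalised, so two
    copies of a zone compare equal regardless of layout, case or $ORIGIN use."""
    origin = origin.lower().rstrip(".") + "."
    records, last_owner = defaultdict(set), origin
    for line in _logical_lines(text):
        fields = line.split()
        if fields[0] == "$ORIGIN":
            origin = canonical_name(fields[1], origin)
        if fields[0].startswith("$"):
            continue  # $ORIGIN consumed above; $TTL and other directives are not audited
        if line[0] in " \t":
            owner = last_owner  # blank owner field: same owner as the previous record
        else:
            owner = last_owner = canonical_name(fields.pop(0), origin)
        if fields[0].isdigit():
            fields.pop(0)  # explicit TTL
        if fields[0].upper() in ("IN", "CH", "HS"):
            fields.pop(0)  # class
        rtype = fields.pop(0).upper()
        for i in NAME_RDATA.get(rtype, []):
            fields[i] = canonical_name(fields[i], origin)
        records[(owner, rtype)].add(" ".join(fields))
    return dict(records)

def soa_serial(rdata_set):
    """Serial field of an SOA rdata set, or None when the set is empty/absent."""
    return int(next(iter(rdata_set)).split()[2]) if rdata_set else None

def audit(records, servers, resolve):
    """resolve(server, owner, rtype) -> set of canonical rdata strings, or None
    for NODATA/NXDOMAIN. Returns sorted findings; empty means all servers agree."""
    findings = []
    apex = next((o for (o, t) in records if t == "SOA"), None)
    file_serial = soa_serial(records.get((apex, "SOA")))
    for server in servers:
        # compare serials only: MNAME/RNAME may legitimately differ on a hidden master
        server_serial = soa_serial(resolve(server, apex, "SOA")) if apex else None
        if server_serial != file_serial:
            findings.append(f"{server}: serial {server_serial} != file serial {file_serial}")
        for (owner, rtype), expected in sorted(records.items()):
            if rtype == "SOA":
                continue
            got = resolve(server, owner, rtype)
            if got is None:
                findings.append(f"{server}: {owner} {rtype} NODATA/NXDOMAIN, file has {sorted(expected)}")
            elif got != expected:
                # same serial, different data: the "updated without a serial bump" error
                tag = "STALE DATA, SERIAL UNCHANGED" if server_serial == file_serial else "mismatch"
                findings.append(f"{server}: {owner} {rtype} {tag}: got {sorted(got)}, file {sorted(expected)}")
    return sorted(findings)

ZONE_TEXT = """\
$ORIGIN example.com.
$TTL 3600
@   IN SOA ns1 hostmaster (
        2014031501 ; serial
        3600 900 604800 86400 )
    IN NS  ns1
    IN NS  ns2.example.net.
www 300 IN A 192.0.2.10
    IN A   192.0.2.11
mail IN MX 10 mx
"""
FILE_RECORDS = parse_zone(ZONE_TEXT, "example.com")
# Constructed answers: www gained its second A record in the file without a serial
# bump, so ns2 still serves the old set at the same serial; ns3 has lost the MX.
STUB_ANSWERS = {
    "ns1.example.com.": FILE_RECORDS,
    "ns2.example.net.": {**FILE_RECORDS, ("www.example.com.", "A"): {"192.0.2.10"}},
    "ns3.example.net.": {k: v for k, v in FILE_RECORDS.items() if k[1] != "MX"},
}
def stub_resolve(server, owner, rtype):
    return STUB_ANSWERS[server].get((owner, rtype))
```

Running `audit(FILE_RECORDS, sorted(STUB_ANSWERS), stub_resolve)` reports ns2's stale `www` A set under the unchanged serial and ns3's missing MX, and nothing for ns1. The serial check is deliberately separate from the data check: a slave whose serial already matches the file but whose data does not is the case the thread is about, and a zone transfer alone would never surface it.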