Audit the consistency of zone files on DNS servers

Maren S. Leizaola leizaola at udr.hk.com
Mon Mar 17 12:44:21 UTC 2014


Thanks for your reply.

Maybe I am a skeptic, but I am not skeptical of just BIND; I am skeptical about 
myself and any script that is generating zones. All I know is that things 
go wrong... including things caused by my own mistakes.

1. I now run BIND and other DNS servers. I am not sure if they 
interoperate with each other correctly.

2. I found a bug in my zone generation script that at times has not 
incremented the serial number on the master server, which caused the 
servers to be out of sync. After being humbled by this and other 
problems (probably caused by me), I have decided that it would be best 
to have a testing method which is totally external to XFRs and not 
dependent on my good judgement.

Thank you for the git script; I think it does what I need. 0.01% is 
acceptable.

Maren.

> To be blunt, I think you are being unreasonable - sort of a "radical 
> skeptic" - about the software.
>
> If you distrust the XFR bit of your DNS servers, why trust *any* of 
> it? How do you know the DNS server isn't answering with garbage when 
> it should be answering NODATA/NXDOMAIN? Or answering with correct 
> values to you, but garbage 0.01% of the time to everyone else?
>
> You don't know that, and you can never know that, so proceeding on 
> this basis is futile.
>
> Do you have grounds to *reasonably doubt* the functioning of your DNS 
> software?
>
> Anyway - in an attempt to be "helpful", even though I think it's a 
> silly thing to do, here's a suggestion which queries every record in a 
> zone versus a master file:
>
> https://github.com/joemiller/dns_compare
>
> You could also canonicalise the zone file with "trusted" (ha ha) 
> software then transfer it over a "trusted" protocol (ha ha), "freeze" 
> the zone at the slaves having "trusted" that they will write to disk 
> correctly, then use diff.
>
> None of these solves the NODATA/NXDOMAIN or low-rate error problem, 
> but they are, in principle, unsolvable.
>
> Good luck - I doubt you'll find what you want though! ;o)
>
> Cheers,
> Phil
>
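An added example, not from this thread and not the dns_compare script, of the check Phil describes and the serial drift Maren ran into: canonicalise the records in the master file, compare what each server answered for every owner/type, and report the SOA serial each server serves. The query layer (asking each server for each name and type) is assumed and not shown; the zone and the per-server answers below are constructed.

```python
def canon_name(name, origin):
    """Canonical owner: lower-case and absolute, so 'WWW' and 'www.example.test.' compare equal."""
    origin = origin.rstrip(".") + "."
    return origin if name == "@" else (name.lower() if name.endswith(".") else f"{name.lower()}.{origin}")

def parse_master_file(text, origin):
    """Minimal master-file parser written for this example: one record per line, optional TTL/class,
    ';' comments, blank owner = previous owner, rdata names assumed absolute. TTLs are dropped on
    purpose (the audit is about data, not caching). Returns {(owner, rtype): frozenset(rdata)}."""
    rrsets, last_owner = {}, None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].rstrip()
        if not line.strip():
            continue
        if line.startswith("$"):  # $ORIGIN is honoured; $TTL and other directives are ignored
            origin = line.split()[1] if line.startswith("$ORIGIN") else origin
            continue
        tokens = line.split()
        owner = last_owner if line[0].isspace() else canon_name(tokens.pop(0), origin)
        while tokens and (tokens[0].isdigit() or tokens[0].upper() == "IN"):
            tokens.pop(0)  # optional TTL and class, in either order
        rrsets.setdefault((owner, tokens[0].upper()), set()).add(" ".join(tokens[1:]))
        last_owner = owner
    return {k: frozenset(v) for k, v in rrsets.items()}

def serial_of(rrsets, origin):
    (soa,) = rrsets[(canon_name("@", origin), "SOA")]  # exactly one SOA per zone
    return int(soa.split()[2])

def compare_servers(master, answers, origin):
    """answers = {server: rrsets gathered by querying that server for every (owner, type) in master};
    per server: master rrsets it did not answer, rrsets whose data differs, and the serial it serves."""
    return {s: {"missing": sorted(k for k in master if k not in seen),
                "mismatch": sorted(k for k in master if k in seen and seen[k] != master[k]),
                "serial": serial_of(seen, origin)} for s, seen in answers.items()}

# Constructed zone and constructed answers: ns2 still serves the previous serial and stale data.
ZONE = """$ORIGIN example.test.
@    IN SOA ns1.example.test. hostmaster.example.test. 2014031702 7200 900 1209600 300
     IN NS  ns1.example.test.
     IN NS  ns2.example.test.
www  IN A   192.0.2.10
www  IN A   192.0.2.11
mail IN MX  10 mail.example.test.
"""
MASTER = parse_master_file(ZONE, "example.test.")
STALE_NS2 = {k: v for k, v in MASTER.items() if k[1] != "MX"}  # the MX never reached ns2
STALE_NS2[("example.test.", "SOA")] = frozenset({"ns1.example.test. hostmaster.example.test. 2014031701 7200 900 1209600 300"})
STALE_NS2[("www.example.test.", "A")] = frozenset({"192.0.2.10"})
REPORT = compare_servers(MASTER, {"ns1": MASTER, "ns2": STALE_NS2}, "example.test.")
```

A server with an empty "missing" and "mismatch" list but a serial behind the master is exactly the never-bumped-serial case: the data happens to agree now, but the next change will not propagate.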
More information about the bind-users mailing list