<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
</head>
<body text="#000000" bgcolor="#FFFFFF">
On 26-Jul-18 19:46, Victoria Risk wrote:<br>
<blockquote type="cite"
cite="mid:%3C6B0A7B31-DC4F-4E06-947B-C4A47A0E2904@isc.org%3E">
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<div dir="auto" style="word-wrap: break-word; -webkit-nbsp-mode:
space; line-break: after-white-space;" class="">I have been told
this is a very poor description of the problem.
<div class=""><br class="">
</div>
<div class="">What I am concerned about is, how people with a
sort of lazy zone file can assess the potential impact of
QNAME minimization on their ability to answer for all of their
zones.</div>
<div class=""><br class="">
</div>
<div class="">I have gotten two suggestions off list:</div>
<div class=""><span style="color: rgb(61, 60, 64); font-variant-ligatures: normal; orphans: 2; white-space: pre-wrap; widows: 2; background-color: rgb(255, 255, 255);" class="">- I would use named-checkzone to print the zone with all owner names printed out and then use text processing tools</span></div>
<div class=""><span style="color: rgb(61, 60, 64); font-variant-ligatures: normal; orphans: 2; white-space: pre-wrap; widows: 2; background-color: rgb(255, 255, 255);" class="">- </span><span
style="caret-color: rgb(64, 64, 64); color: rgb(64, 64,
64);" class="">“dig ds -f list-of-zones”, </span><span
style="caret-color: rgb(64, 64, 64); color: rgb(64, 64,
64);" class="">Those that return NXDOMAIN are likely missing
NS records.</span></div>
<div class=""><br class="">
<div>Any other ideas?</div>
<div>Has anyone done this kind of housekeeping on their own
zones?</div>
<div><br class="">
</div>
<div><br class="">
<blockquote type="cite" class="">
            <div class="">On Jul 26, 2018, at 11:41 AM, Victoria Risk
              &lt;<a href="mailto:vicky@isc.org" class=""
                moz-do-not-send="true">vicky@isc.org</a>&gt; wrote:</div>
<br class="Apple-interchange-newline">
<div class="">
<meta http-equiv="Content-Type" content="text/html;
charset=utf-8" class="">
<div style="word-wrap: break-word; -webkit-nbsp-mode:
space; line-break: after-white-space;" class="">Does
anyone know of a good tool that you can run on your
DNS records to find parent + child pairs where there
is no NS record for the child in the parent?
<div class=""><br class="">
</div>
<div class="">Someone must have a perl script for
that, right?</div>
<div class=""><br class="">
</div>
<div class="">Thank you for any suggestions.</div>
<div class=""><br class="">
<div class="">
<div style="letter-spacing: normal; text-align:
start; text-indent: 0px; text-transform: none;
white-space: normal; word-spacing: 0px;
-webkit-text-stroke-width: 0px; word-wrap:
break-word; -webkit-nbsp-mode: space;
line-break: after-white-space;" class="">
<div style="letter-spacing: normal; text-align:
start; text-indent: 0px; text-transform: none;
white-space: normal; word-spacing: 0px;
-webkit-text-stroke-width: 0px; word-wrap:
break-word; -webkit-nbsp-mode: space;
line-break: after-white-space;" class="">
<div class="">Vicky</div>
<div class=""><br class="">
</div>
</div>
<br class="Apple-interchange-newline">
</div>
</div>
</div>
</div>
</div>
</blockquote>
</div>
</div>
</div>
</blockquote>
    If you want to do this validation with zone files, then text tools
    (e.g. Perl, awk, etc.) are a reasonable approach. It would not be
particularly difficult - though you do have to handle include
files. Rather than working from zone files, the easiest approach is
to do a dig axfr to get the actual zone...<br>
<br>
I tend to use <a href="http://dnsviz.net/">dnsviz </a>(<a class="moz-txt-link-freetext" href="http://dnsviz.net">http://dnsviz.net</a>)
and <a href="https://www.zonemaster.net/domain_check">zonemaster </a>(<a class="moz-txt-link-freetext" href="https://www.zonemaster.net/domain_check">https://www.zonemaster.net/domain_check</a>)
for consistency checking. <br>
<br>
    I don't tend to have issues with internal views because of the tools
    that I use to update my zones (they pretty
    much ensure that mistakes made there will also show up externally
    :-(). So the web checkers are my tools of choice.<br>
<br>
    But both <a href="https://github.com/dnsviz/dnsviz">dnsviz</a> and
    <a href="https://github.com/zonemaster/zonemaster">zonemaster</a> are
    on GitHub &amp; can be run internally. Zonemaster is Perl; dnsviz
    is Python. Zonemaster requires a database
    (MySQL/MariaDB/PostgreSQL). The web version of dnsviz is graphic,
    and has accessibility issues. Zonemaster is standard HTML &amp;
    more suitable if you use a screen reader.<br>
<br>
dnsviz run locally has command line options that will do the
analysis - see the GitHub readme.<br>
<br>
Both tools do extensive checks (dnsviz is oriented around DNSSEC,
but does many other checks).<br>
<br>
It's a good idea to run one or the other regardless of this point
issue. Actually - I run both.<br>
<br>
Of course the usual caveats about stealth (unlisted) servers apply.<br>
<br>
<pre class="moz-signature" cols="72">Timothe Litt
ACM Distinguished Engineer
--------------------------
This communication may not represent the ACM or my employer's views,
if any, on the matters discussed.
</pre>
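    <br>
    The text-processing check discussed in this thread, as an added example that is not part of the original messages: it takes one dump per locally served zone and reports child zones for which the enclosing parent has no NS records at or above the child apex. The function names, the sample zones, and the five-column "owner TTL class type rdata" layout with absolute owner names are assumptions of this example.<br>

```python
"""Added example: flag child zones that have no delegation in their parent."""
# Constructed sample data; layout assumed: owner TTL class type rdata, absolute names.
PARENT = """\
; constructed dump of example.com.
example.com.       3600 IN SOA ns1.example.com. hostmaster.example.com. 1 7200 900 1209600 3600
example.com.       3600 IN NS  ns1.example.com.
sales.example.com. 3600 IN NS  ns1.example.com.
eng.example.com.   3600 IN NS  ns9.example.net.
www.example.com.   3600 IN A   192.0.2.10
"""
ZONES = {  # every zone this server is configured for -> its dump
    "example.com.": PARENT,
    "sales.example.com.": "sales.example.com. 3600 IN NS ns1.example.com.\n",
    "dev.example.com.": "dev.example.com. 3600 IN NS ns1.example.com.\n",
    "lab.eng.example.com.": "lab.eng.example.com. 3600 IN NS ns1.example.com.\n",
}

def ns_owners(zone_text):
    """Owner names (lower-cased) that hold at least one NS record."""
    owners = set()
    for line in zone_text.splitlines():
        fields = line.split()
        if not fields or fields[0].startswith(";"):
            continue
        if len(fields) >= 5 and fields[3].upper() == "NS":
            owners.add(fields[0].lower())
    return owners

def ancestors(name):
    """'a.b.example.com.' -> ['b.example.com.', 'example.com.', 'com.']"""
    labels = name.rstrip(".").split(".")
    return [".".join(labels[i:]) + "." for i in range(1, len(labels))]

def missing_delegations(zone_dumps):
    """(parent, child) pairs where parent has no NS at or above the child apex."""
    zones = {name.lower(): text for name, text in zone_dumps.items()}
    findings = []
    for child in sorted(zones):
        chain = ancestors(child)
        parent = next((a for a in chain if a in zones), None)
        if parent is None:
            continue  # no enclosing zone is served here
        # Names where a zone cut would cover the child: the child apex itself
        # or any ancestor strictly below the parent apex.
        cut_points = [child] + chain[:chain.index(parent)]
        if not ns_owners(zones[parent]).intersection(cut_points):
            findings.append((parent, child))
    return findings

if __name__ == "__main__":
    for parent, child in missing_delegations(ZONES):
        print(f"{child} has no NS records in {parent}")
```

    In the sample, lab.eng.example.com. is not reported because the parent already delegates eng.example.com.; only the cut at or above the child matters to a resolver walking down label by label.<br>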
</body>
</html>