Monitoring Zonefiletransfer

/dev/rob0 rob0 at gmx.co.uk
Wed Feb 19 03:34:24 UTC 2014


On Tue, Feb 18, 2014 at 11:44:15PM +0100, markus weber wrote:
> I am new to administering a Bind server and, after a few problems I ran 
> into, I need to monitor the zonefile transfers of my slave server.

I think the terminology you use shows a part of the confusion. Zone 
*data* is transferred to slave servers, not zone *files.*

> I have searched on google and nagios plugin sites but could not 
> find anything that fits my needs entirely.
> 
> Here is the Setup:
> - MS ActiveDirectory as primary Nameservers (not under my control)
> - 2 Bind server as slave for various zones (behind a loadbalancer)
> 
> The problem I ran into was that the zone transfer didn't work for 
> some reason and the zone we hold expired, causing our mailgateway to 
> stop relaying mails :/
> 
> As I said, I googled around and as I could not find anything I 
> hacked a nagios plugin myself (you can find the code here
> https://github.com/seppovic/Nagios-plugins/blob/master/libexec/check_dns_zonetransfer.pl).
> But I am curious if I took the right "route". These are my 
> assumptions and a first approach:
> 
> - read named.conf and get master servers
> - query soa of slave and get serial

If "query" is something like "dig +short zone.example. soa @slave", 
right.

> - query first master and get serial

Likewise here, s/slave/master/

> - if serial match:
>    get zonefile modification time (not sure if this is significant)

It is not. Zone data is kept in memory and is written to the journal. 
At 15-minute intervals, the zone file is written if it differs from 
actual zone data.

> and compare it with localtime and "soa-expiretime"
>         + warn or crit on threshold
>         (stat($zoneFile)[9] + $SOA_S->expire) - time
> - if master serial > slave serial
>         create tempfile and check for how long it stays lower
> than masters serial
>         + warn or crit on threshold
> - else
>         test next master
>         on last master exit with error ( this should not become
> true ever, right?)
> 
> 
> A few problems I discovered:
> - sometimes I have a higher serial than all masters have; is this 
> normal on an AD DNS, or am I doing something wrong? I thought this 
> could not happen.
> - Some zones nearly always reach expiration time, and I get a lot 
> of critical messages, and a few hours/minutes before expiration it 
> does the update.

Not enough here to know what's going on.

> I hope you can guide me a bit and tell me if this is what I want xD
-- 
  http://rob0.nodns4.us/
  Offlist GMX mail is seen only if "/dev/rob0" is in the Subject:
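As an added example (not part of this thread and not the check_dns_zonetransfer.pl plugin), here is a Python version of the comparison steps Markus laid out, with rob0's corrections applied: it works on the answer line "dig +short <zone> soa @<server>" prints, compares serials with RFC 1982 arithmetic (so a wrapped serial is not misread as "lower"), and ignores the zone file's mtime in favour of the SOA expire timer. The sample SOA answers are constructed, and `behind_for` stands for the number of seconds the plugin's own state file says the slave has been behind.

```python
# Added example, not code from the thread or from check_dns_zonetransfer.pl.
# Works on the one-line answer that `dig +short <zone> soa @<server>` prints.
OK, WARNING, CRITICAL, UNKNOWN = 0, 1, 2, 3
SOA_FIELDS = ("mname", "rname", "serial", "refresh", "retry", "expire", "minimum")

def parse_soa(short_output):
    """Split a `dig +short ... soa` answer into a dict; serial and timers as int."""
    fields = short_output.split()
    if len(fields) != len(SOA_FIELDS):
        raise ValueError("unexpected SOA answer: %r" % short_output)
    soa = dict(zip(SOA_FIELDS, fields))
    for key in SOA_FIELDS[2:]:
        soa[key] = int(soa[key])
    return soa

def serial_gt(a, b):
    """RFC 1982 comparison of 32-bit zone serials: True if a is 'newer' than b.
    Plain a > b is wrong once a serial wraps past 2**32 - 1."""
    a, b = a & 0xFFFFFFFF, b & 0xFFFFFFFF
    return a != b and ((a < b and b - a > 2**31) or (a > b and a - b < 2**31))

def check_transfer(slave_line, master_lines, behind_for, warn, crit):
    """Nagios-style check of a slave's SOA against each master's SOA.
    behind_for: seconds the slave has already been behind, as recorded by the
    plugin's own state file between runs (the "tempfile" in the thread).
    Returns (exit_code, message). Zone file mtime is deliberately not used:
    the slave keeps zone data in memory and only rewrites the file periodically.
    """
    slave = parse_soa(slave_line)
    for master in (parse_soa(line) for line in master_lines):
        if master["serial"] == slave["serial"]:
            return OK, "serial %d in sync with a master" % slave["serial"]
        if serial_gt(master["serial"], slave["serial"]):
            msg = "slave serial %d behind master serial %d for %ds" % (
                slave["serial"], master["serial"], behind_for)
            # Lagging longer than SOA expire means the slave will stop answering.
            if behind_for >= crit or behind_for >= slave["expire"]:
                return CRITICAL, msg
            if behind_for >= warn:
                return WARNING, msg
            return OK, msg
    # No master matched or was ahead: slave ahead of every master (the oddity
    # Markus reported). Flag it instead of calling the zone healthy.
    return UNKNOWN, "slave serial %d is higher than every master's" % slave["serial"]

if __name__ == "__main__":
    # Constructed sample answers in `dig +short` field order (see SOA_FIELDS).
    SLAVE = "dc1.ad.example. hostmaster.example. 2014021801 900 600 86400 3600"
    MASTER = "dc1.ad.example. hostmaster.example. 2014021803 900 600 86400 3600"
    print(check_transfer(SLAVE, [MASTER], behind_for=3600, warn=1800, crit=7200))
```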

