Monitoring Zonefiletransfer

Markus Weber bumpemacvettn at googlemail.com
Wed Feb 19 07:15:25 UTC 2014


On 19.02.2014, 01:39, Mark Andrews <marka at isc.org> wrote:

>
> In message  
> <CAFw0=Wj2XQQcC69uqEtZ6SC0OXDKJAZT4O+Vh0WhfvuyiA+fCQ at mail.gmail.com>
> , markus weber writes:
>> Hey Guys,
>>
>> I am new to administering a Bind server and after a few problems I ran
>> into I need to monitor the zone file transfers of my slave server.
>> I have searched on google and nagios plugin sites but could not find
>> anything that fits my needs entirely.
>>
>> Here is the Setup:
>> - MS ActiveDirectory as primary Nameservers (not under my control)
>> - 2 Bind server as slave for various zones (behind a loadbalancer)
>>
>> The problem I ran into was that the zone transfer didn't work for some
>> reason and the zone we hold expired, causing our mail gateway to stop
>> relaying mails :/
>>
>> As I said, I googled around and as I could not find anything I hacked a
>> nagios plugin myself (you can find the code here:
>> https://github.com/seppovic/Nagios-plugins/blob/master/libexec/check_dns_zonetransfer.pl).
>> But I am curious if I took the right "route". These are my assumptions
>> and a first approach:
>>
>> - read named.conf and get master servers
>> - query soa of slave and get serial
>> - query first master and get serial
>> - if serial match:
>>         get zonefile modification time (not sure if this is significant)
>> and compare it with localtime and "soa-expiretime"
>>         + warn or crit on threshold
>>         (stat($zoneFile)[9] + $SOA_S->expire) - time
>> - if master serial > slave serial
>>         create tempfile and check for how long it stays lower than
>>         the master's serial
>>         + warn or crit on threshold
>> - else
>>         test next master
>>         on last master exit with error (this should not become true
>>         ever, right?)
>>
>>
>> A few problems I discovered:
>> - sometimes I have a higher serial than all masters have; is this normal
>> on an AD DNS? Or am I doing something wrong? I thought this could not
>> happen.
>
> 	Only transfer from one AD master.  Microsoft AD doesn't maintain
> 	consistent serials across the servers.  The serials should be
> 	monotonically increasing from an individual server.

Oh, I didn't know that. That's weird behavior, isn't it? I will definitely
give it a try; I just added 3 of those servers to the Masters option
because I thought it would increase the reliability in case of an error.

>
>> - Some zones nearly always reach expiration time, and I get a lot of
>> critical messages, and a few hours/minutes before expiration it does the
>> update.
>
> 	Choose sane SOA values.  refresh and retry << expire

I will check these values; I thought they were kind of standard values.

>
>> I hope you can guide me a bit and tell me if this is what I want xD
>>
>> many thanks in advance
>> seppovic


Thanks.
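The check sketched in this thread (compare the slave's SOA serial against a single master, then see how long the slave copy has left before it expires, and sanity-check that refresh and retry are much smaller than expire), as an added stand-alone Python model that is not the plugin from the post or BIND's own code. It works on constructed SOA snapshots instead of live queries; the RFC 1982 serial comparison, the factor 4 in timers_sane, the use of the zone file mtime as "time of last successful transfer" and the Nagios-style thresholds are assumptions of this example.

```python
import time
from dataclasses import dataclass

OK, WARNING, CRITICAL = 0, 1, 2  # Nagios plugin exit codes


@dataclass
class Soa:
    serial: int
    refresh: int
    retry: int
    expire: int


def serial_gt(a: int, b: int) -> bool:
    """RFC 1982 comparison: is serial a newer than b in 32-bit wrap-around space?"""
    return a != b and ((a - b) & 0xFFFFFFFF) < 0x80000000


def timers_sane(soa: Soa, factor: int = 4) -> bool:
    """'refresh and retry << expire'; the factor 4 is an assumed rule of thumb,
    not a value from the thread."""
    return soa.retry <= soa.refresh and soa.expire >= factor * soa.refresh


def check_zone(slave: Soa, master_serial: int, zone_mtime: float, now: float,
               warn_s: int, crit_s: int) -> tuple[int, str]:
    """Compare the slave against ONE master (as advised for AD, whose servers do
    not share serials), then check how long the slave copy has left."""
    if serial_gt(slave.serial, master_serial):
        # Cannot happen against a single, monotonically increasing master.
        return CRITICAL, f"slave serial {slave.serial} ahead of master {master_serial}"
    if serial_gt(master_serial, slave.serial):
        return WARNING, f"slave serial {slave.serial} behind master {master_serial}"
    # Serials match: assume the file mtime is the last successful transfer
    # (the post's own assumption) and compute (mtime + expire) - now.
    left = (zone_mtime + slave.expire) - now
    if left <= crit_s:
        return CRITICAL, f"zone expires in {int(left)}s"
    if left <= warn_s:
        return WARNING, f"zone expires in {int(left)}s"
    return OK, f"in sync, {int(left)}s until expiry"


if __name__ == "__main__":
    # Constructed sample: in sync, but the file is 6 days old against a
    # 7-day expire, with a 2-day warning and 1-day critical threshold.
    now = time.time()
    slave = Soa(serial=2014021901, refresh=900, retry=600, expire=604800)
    print(check_zone(slave, 2014021901, now - 6 * 86400, now, 2 * 86400, 86400))
```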

