Monitoring Zonefiletransfer

Warren Kumari warren at kumari.net
Wed Feb 19 15:22:07 UTC 2014


On Tue, Feb 18, 2014 at 10:34 PM, /dev/rob0 <rob0 at gmx.co.uk> wrote:
> On Tue, Feb 18, 2014 at 11:44:15PM +0100, markus weber wrote:
>> I am new to administering a Bind server and after a few problems I ran
>> into I need to monitor the zonefile transfers of my slave server.
>
> I think the terminology you use shows a part of the confusion. Zone
> *data* is transferred to slave servers, not zone *files.*

Well, yes and no...

Yes, the zone data is transferred, not the zone file -- but, isn't
this kinda sorta true of any copy operation?

If I copy (or transfer) a file from one machine to another, it's not
that I'm actually transferring the file, I'm creating a new file on
the destination and copying the contents into it. And if the hard
drive architecture of the destination machine is different to the
source (or perhaps if the architectures are different endianness) the
destination blob of magnetic bits is subtly different. The files still
*mean* the same thing, but the encoding is altered...

Same thing if I placed a color photo on a black and white photocopier
-- I would be able to quite happily say that I transferred the image
to a new piece of paper (actually I'd just say that I copied it...),
but I didn't really -- I transferred a close enough approximation of
the image.

So, yes, a zone file itself isn't copied, the contents are -- and the
files themselves probably won't be binary identical[0] (especially in
the case of bind raw vs text formats!), but semantically will, and
that's the important bit.

But yes, I know what you mean, I'm just feeling a bit pedantic this morning....

W


>
>> I have searched on google and nagios plugin sites but could not
>> find anything that fits my needs entirely.
>>
>> Here is the Setup:
>> - MS ActiveDirectory as primary Nameservers (not under my control)
>> - 2 Bind server as slave for various zones (behind a loadbalancer)
>>
>> The problem I ran into was that the zone transfer didn't work for
>> some reason and the zone we hold expired, causing our mailgateway to
>> stop relaying mails :/
>>
>> As I said, I googled around, and as I could not find anything I
>> hacked a nagios plugin myself (you can find the code here
>> https://github.com/seppovic/Nagios-plugins/blob/master/libexec/check_dns_zonetransfer.pl).
>> But I am curious if I took the right "route". These are my
>> assumptions and a first approach:
>>
>> - read named.conf and get master servers
>> - query soa of slave and get serial
>
> If "query" is something like "dig +short zone.example. soa @slave",
> right.
>
>> - query first master and get serial
>
> Likewise here, s/slave/master/
>
>> - if serial match:
>>    get zonefile modification time (not sure if this is significant)
>
> It is not. Zone data is kept in memory and is written to the journal.
> At 15-minute intervals, the zone file is written if it differs from
> actual zone data.
>
>> and compare it with localtime and "soa-expiretime"
>>         + warn or crit on threshold
>>         (stat($zoneFile)[9] + $SOA_S->expire) - time
>> - if master serial > slave serial
>>         create tempfile and check for how long it stays lower
>> than master's serial
>>         + warn or crit on threshold
>> - else
>>         test next master
>>         on last master exit with error ( this should not become
>> true ever, right?)
>>
>>
>> A few problems I discovered:
>> - sometimes have a higher serial than all masters have, is this
>> normal on an AD DNS? Or am I doing something wrong? I thought this
>> could not happen.
>> - Some Zones nearly always reach expiration time, and I get a lot
>> of critical messages and a few hours/minutes before expiration it
>> does the update.
>
> Not enough here to know what's going on.
>
>> I hope you can guide me a bit and tell me if this is what I want xD
> --
>   http://rob0.nodns4.us/
>   Offlist GMX mail is seen only if "/dev/rob0" is in the Subject:
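
Added example (not part of the original thread or of the linked plugin): the serial comparison discussed above as a Nagios-style check in Python, using RFC 1982 serial arithmetic so that wrapped serials compare correctly. The function names, thresholds and sample SOA answers are constructed for illustration, and reporting a slave that is ahead of its masters as WARNING is this example's assumption.

```python
"""Added example: Nagios-style slave freshness check from SOA serials."""

OK, WARNING, CRITICAL, UNKNOWN = 0, 1, 2, 3  # Nagios plugin exit codes
HALF = 2 ** 31

def parse_soa(answer):
    """Parse one `dig +short <zone> soa @server` line:
    mname rname serial refresh retry expire minimum."""
    fields = answer.split()
    if len(fields) != 7:
        raise ValueError("unexpected SOA answer: %r" % (answer,))
    return {"serial": int(fields[2]), "expire": int(fields[5])}

def serial_cmp(a, b):
    """RFC 1982 compare of 32-bit serials: -1 (a older), 0, 1 (a newer), None if undefined."""
    diff = (b - a) % 2 ** 32
    if diff == 0:
        return 0
    if diff == HALF:
        return None
    return -1 if diff < HALF else 1

def check_zone(slave_answer, master_answers, behind_seconds, warn, crit):
    """behind_seconds: how long the slave has been seen behind (tracked by the caller)."""
    slave = parse_soa(slave_answer)
    masters = [parse_soa(a) for a in master_answers if a]  # skip masters that did not answer
    if not masters:
        return UNKNOWN, "no master answered the SOA query"
    newest = masters[0]["serial"]
    for m in masters[1:]:
        if serial_cmp(m["serial"], newest) == 1:
            newest = m["serial"]
    order = serial_cmp(slave["serial"], newest)
    if order == 0:
        return OK, "slave serial %d matches master" % slave["serial"]
    if order is None:
        return UNKNOWN, "serials %d and %d are not comparable" % (slave["serial"], newest)
    if order == 1:
        # Example's choice: the slave will not transfer until a master serial passes its own.
        return WARNING, "slave serial %d is ahead of master %d" % (slave["serial"], newest)
    if behind_seconds >= min(crit, slave["expire"]):
        return CRITICAL, "slave behind master for %ds" % behind_seconds
    if behind_seconds >= warn:
        return WARNING, "slave behind master for %ds" % behind_seconds
    return OK, "slave catching up (%ds behind)" % behind_seconds

# Constructed sample answers, in the format `dig +short zone.example. soa @server` prints.
SLAVE = "ns1.example. hostmaster.example. 2014021801 900 600 86400 3600"
MASTER = "ns1.example. hostmaster.example. 2014021901 900 600 86400 3600"

if __name__ == "__main__":
    print(check_zone(SLAVE, [None, MASTER], behind_seconds=2000, warn=1800, crit=3600))
```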
