Audit the consistency of zone files on DNS servers

Kevin Darcy kcd at chrysler.com
Sat Mar 15 18:29:22 UTC 2014


On 3/15/2014 6:09 AM, Maren S. Leizaola wrote:
> On 3/15/2014 1:53 AM, Kevin Darcy wrote:
>> On 3/14/2014 8:28 AM, Maren S. Leizaola wrote:
>>> Hello,
>>> What do you guys recommend to audit every resource
>>> record in a zone file against all the records in all the DNS servers
>>> that host the zone file?
>>>
>>> I want something that I feed the master zone file and that then goes to
>>> each NS server and ensures that each of the records is identical in all of
>>> them.
>>>
>>> What I want to be able to detect are serial number errors, where a zone
>>> has been updated but the serial number has not changed. In these
>>> circumstances comparing the SOA of all the servers would not report any
>>> errors, but the zone files on the different servers are incorrect.
>
>> Well, you're only *medium* paranoid, at most. If you were *really* 
>> paranoid, you'd crypto-sign your transfers.
>
> Crypto signed or not signed, AXFR, whatever, etc.: if the DNS servers are 
> malfunctioning and sending the wrong replies to queries, I would like 
> to be able to audit that.
>
>> Or use Dynamic Update exclusively for DNS record maintenance, so that 
>> "forgetting to update the serial number after a change" is a thing of 
>> the past[1].
>>
>>                                     - Kevin
>>
>> [1] For the nit-pickers out there, the statement is true _even_for_ 
>> SOA record changes, since they don't "take" unless you "increment" 
>> the serial number (as per serial-number arithmetic) as part of the 
>> change.
>>
>>
>
> So dynamic updates to a master? Then IXFR, across different types of 
> DNS servers.... lots of room for malfunction...
>
> Can someone provide an answer that does not refer to zone transfers?

Whatever tool you use to "audit" is going to have "lots of room for 
malfunction" as well.

I think you're just doubting for the sake of doubting for the sake of 
doubting. Which makes me regret the time I've already invested in this 
foolishness...

                                         - Kevin
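Taking the original request literally (feed a tool the master zone file, have it ask every NS for every record, and flag differences even when the SOA serials all agree), here is an added Python example; it is not code from the thread or from any of the posters. The zone `example.test.`, its addresses and the per-server copies are constructed, and `fake_query` stands in for real DNS queries: in a live run it would be replaced by a function that queries each NS (for instance with dnspython) and returns the answer's rdata as lowercase, fully qualified strings.

```python
"""Audit a master zone against what each authoritative server answers,
record by record, so a stale copy is caught even when its SOA serial
matches the master. Zone data and server answers here are constructed."""
from collections import defaultdict

# Constructed master zone file for a made-up zone.
MASTER_ZONE = """\
$ORIGIN example.test.
@     3600 IN SOA ns1 hostmaster 2014031501 7200 900 1209600 300
@     3600 IN NS  ns1
@     3600 IN NS  ns2
ns1   3600 IN A   192.0.2.1
ns2   3600 IN A   192.0.2.2
www    300 IN A   192.0.2.10
www    300 IN A   192.0.2.11
mail  3600 IN MX  10 mail
mail  3600 IN A   192.0.2.20
"""

# Types whose rdata carries domain names that may be written relative to $ORIGIN.
NAME_TYPES = {"NS", "CNAME", "MX", "SOA", "PTR"}


def qualify(name, origin):
    """Turn '@' or a relative name into a fully qualified one."""
    if name == "@":
        return origin
    return name if name.endswith(".") else f"{name}.{origin}"


def parse_zone(text):
    """Parse a minimal zone-file dialect: a $ORIGIN line, then one record per
    line as 'owner TTL IN TYPE rdata...'. TTLs are dropped on purpose: the
    audit compares RRset contents, and a decremented TTL from a cache would
    otherwise show up as a false mismatch.
    Returns {(owner, type): set of rdata strings}, names lowercased."""
    origin = "."
    rrsets = defaultdict(set)
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()      # drop comments and blanks
        if not line:
            continue
        if line.startswith("$ORIGIN"):
            origin = line.split()[1]
            continue
        owner, _ttl, _class, rtype, *rdata = line.split()
        if rtype in NAME_TYPES:
            # Qualify relative names inside the rdata; numeric fields stay as-is.
            rdata = [tok if tok.isdigit() else qualify(tok, origin) for tok in rdata]
        rrsets[(qualify(owner, origin).lower(), rtype.upper())].add(" ".join(rdata).lower())
    return rrsets


def soa_serial(soa_rrset):
    """Serial field of an SOA RRset, or None if the server returned nothing."""
    if not soa_rrset:
        return None
    return int(next(iter(soa_rrset)).split()[2])


# Constructed per-server copies. ns2 silently lost one www address but still
# carries the master's serial: exactly the case an SOA-only check cannot see.
_ns2 = parse_zone(MASTER_ZONE)
_ns2[("www.example.test.", "A")].discard("192.0.2.11")
SERVER_DATA = {"ns1.example.test.": parse_zone(MASTER_ZONE), "ns2.example.test.": _ns2}


def fake_query(server, owner, rtype):
    """Stand-in for a real query to `server`; returns its RRset for (owner, type)."""
    return SERVER_DATA[server].get((owner, rtype), set())


def audit(master, query):
    """Ask every NS listed in the master zone for every RRset the master holds
    and diff each answer against the master. Returns the serial each server
    reports plus a list of (server, owner, type, missing, unexpected)."""
    zone = next(owner for owner, rtype in master if rtype == "SOA")
    servers = sorted(master[(zone, "NS")])
    serials = {s: soa_serial(query(s, zone, "SOA")) for s in servers}
    mismatches = []
    for owner, rtype in sorted(master):
        expected = master[(owner, rtype)]
        for server in servers:
            got = query(server, owner, rtype)
            if got != expected:
                mismatches.append((server, owner, rtype,
                                   sorted(expected - got), sorted(got - expected)))
    return {"serials": serials, "mismatches": mismatches}


if __name__ == "__main__":
    result = audit(parse_zone(MASTER_ZONE), fake_query)
    print("serials:", result["serials"])
    for server, owner, rtype, missing, extra in result["mismatches"]:
        print(f"{server}: {owner} {rtype} missing={missing} unexpected={extra}")
```

Run as-is, the serials come back identical for both servers while the per-record diff reports that ns2 is missing one `www` A record. The comparison is on whole RRsets rather than individual records, since a server that drops one address out of a round-robin set is the kind of drift the question is about; TTLs and name case are normalized before comparing so that a real query path does not produce noise.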


