Audit the consistency of zone files on DNS servers
Kevin Darcy
kcd at chrysler.com
Sat Mar 15 18:29:22 UTC 2014
On 3/15/2014 6:09 AM, Maren S. Leizaola wrote:
> On 3/15/2014 1:53 AM, Kevin Darcy wrote:
>> On 3/14/2014 8:28 AM, Maren S. Leizaola wrote:
>>> Hello,
>>> What do you guys recommend to audit every resource
>>> record in a zone file against all the records in all the DNS servers
>>> that host the zone file.
>>>
>>> I want something that I feed the master zone file and then goes to
>>> each
>>> NS server and ensures that each of the records are identical in all of
>>> them.
>>>
>>> What I want to be able to detect are serial number errors, where a zone
>>> has been updated but the serial number has not changed. In this
>>> circumstances comparing SOA of all the servers would not report any
>>> errors, but the zone file in the different servers are incorrect.
>
>> Well, you're only *medium* paranoid, at most. If you were *really*
>> paranoid, you'd crypto-sign your transfers.
>
> Crypto signed no signed, AXFR what ever etc, if the DNS servers are
> malfunctioning and sending the wrong replies to queries I would like
> to be able to audit that..
>
>> Or use Dynamic Update exclusively for DNS record maintenance, so that
>> "forgetting to update the serial number after a change" is a thing of
>> the past[1].
>>
>> - Kevin
>>
>> [1] For the nit-pickers out there, the statement is true _even_for_
>> SOA record changes, since they don't "take" unless you "increment"
>> the serial number (as per serial-number arithmetic) as part of the
>> change.
>>
>>
>
> So Dynamic updates, to a master? then IXFR, accross different type of
> DNS servers.... lots of room for malfunction...
>
> Can someone provide an answer that does not refer to zone transfers?
Whatever tool you use to "audit" is going to have "lots of room for
malfunction" as well.
I think you're just doubting for the sake of doubting for the sake of
doubting. Which makes me regret the time I've already invested in this
foolishness...
- Kevin
More information about the bind-users
mailing list