Marc,
 
Thanks for the feedback.
 
I have indeed seen in the logs that the zone is expired on ns2, but my question 
was more general: I would rather not always have to look at the logs (the info is 
not available if the zone expired some weeks ago...).
 
So... no way to check whether a zone is expired?
 
 
For info: no SERVFAIL answer on the query.
 
C:\Data\dig>dig @ns2.skynet.be wwW.omega-pharma.be
; <<>> DiG 9.3.2 <<>> @ns2.skynet.be wwW.omega-pharma.be
; (1 server found)
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 392
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 13, ADDITIONAL: 0
;; QUESTION SECTION:
;wwW.omega-pharma.be.           IN      A
;; AUTHORITY SECTION:
.                       518400  IN      NS      A.ROOT-SERVERS.NET.
.                       518400  IN      NS      B.ROOT-SERVERS.NET.
.                       518400  IN      NS      C.ROOT-SERVERS.NET.
.                       518400  IN      NS      D.ROOT-SERVERS.NET.
.                       518400  IN      NS      E.ROOT-SERVERS.NET.
.                       518400  IN      NS      F.ROOT-SERVERS.NET.
.                       518400  IN      NS      G.ROOT-SERVERS.NET.
.                       518400  IN      NS      H.ROOT-SERVERS.NET.
.                       518400  IN      NS      I.ROOT-SERVERS.NET.
.                       518400  IN      NS      J.ROOT-SERVERS.NET.
.                       518400  IN      NS      K.ROOT-SERVERS.NET.
.                       518400  IN      NS      L.ROOT-SERVERS.NET.
.                       518400  IN      NS      M.ROOT-SERVERS.NET.
;; Query time: 31 msec
;; SERVER: 195.238.3.18#53(195.238.3.18)
;; WHEN: Wed May 04 10:18:37 2011
;; MSG SIZE  rcvd: 248
 


From: marc.la...@eurid.eu
To: hugo...@hotmail.com; bind-users@lists.isc.org
Subject: RE: how to check if a slave zone is expired
Date: Wed, 4 May 2011 09:58:22 +0200
Hugo,
 
“Zones” don’t “expire” the way DNSSEC RRSIGs do, with their “end of validity 
time stamp”.
 
At worst, a slave name server is unable to verify the SOA record on the master 
within the “expiry” time.
At that point, the slave name server still “knows” it is authoritative, but has 
no data it could answer with
-> (at least BIND) will reply with a “SERVFAIL” (not the list of root name 
servers!)
 
The second worst thing is that the serial number on the master is lower than 
what the slaves last “zone transferred”.
As already commented in another reaction, check the logs of the slaves, they 
(should) signal this (Bind does).
 
Hope this helps.

Kind regards,
 
Marc Lampo
Security Officer
EURid vzw/asbl
 
 

_______________________________________________
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
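An added example, not code from the thread or from ISC: it turns the two symptoms Marc describes (a SERVFAIL from a slave whose copy has expired, and a master whose SOA serial is lower than what the slave last transferred) plus the referral Hugo actually got into a small checker that works on captured `dig` output, so it runs offline. The sample responses are constructed (one is modelled on Hugo's, with the names changed to example.be); the state labels and the `example.be` serials are the author's assumptions, not BIND's.

```python
"""Classify a slave name server's state for a zone from `dig` output.

Added example for the bind-users thread above, not ISC or BIND code.
It reads the text that `dig @server zone SOA` prints, so it runs offline on
captured output; server, zone names and serials below are constructed.
"""
import re

# Modelled on the output Hugo posted: NOERROR, no "aa" flag, and an AUTHORITY
# section that is only the root NS set, i.e. a referral to the root.
REFERRAL = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 392
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 13, ADDITIONAL: 0
;; QUESTION SECTION:
;www.example.be.                IN      A
;; AUTHORITY SECTION:
.                       518400  IN      NS      A.ROOT-SERVERS.NET.
.                       518400  IN      NS      B.ROOT-SERVERS.NET.
"""

# Constructed: what Marc says BIND returns once a slave's copy has expired.
SERVFAIL = """\
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 4242
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;example.be.                    IN      SOA
"""

# Constructed: a loaded zone answering authoritatively ("aa" set).
SLAVE_OK = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 7
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;example.be.                    IN      SOA
;; ANSWER SECTION:
example.be.             3600    IN      SOA     ns1.example.be. hostmaster.example.be. 2011050401 3600 900 604800 3600
"""

# Constructed: the master answering with a lower serial (Marc's second case).
MASTER_BEHIND = SLAVE_OK.replace("2011050401", "2011050312")


def parse_dig(text):
    """Extract rcode, header flags and the records of each section."""
    status = re.search(r"status: (\w+)", text)
    flags = re.search(r";; flags: ([a-z ]*);", text)
    sections, current = {}, None
    for line in text.splitlines():
        m = re.match(r";; (\w+) SECTION:", line)
        if m:
            current = m.group(1)
            sections[current] = []
        elif current and line and not line.startswith(";"):
            sections[current].append(line.split())  # owner ttl class type rdata...
    return {
        "status": status.group(1) if status else "UNKNOWN",
        "flags": set(flags.group(1).split()) if flags else set(),
        "sections": sections,
    }


def soa_serial(parsed):
    """Serial is the third RDATA field of an SOA: mname rname serial ..."""
    for rr in parsed["sections"].get("ANSWER", []):
        if len(rr) > 6 and rr[3] == "SOA":
            return int(rr[6])
    return None


def classify(parsed):
    """Map one response to a state; labels are this example's own."""
    st, auth = parsed["status"], parsed["sections"].get("AUTHORITY", [])
    if st == "SERVFAIL":
        # BIND's reply for an expired slave copy; other load failures look the same.
        return "expired-or-unloadable"
    if st == "NOERROR" and "aa" in parsed["flags"]:
        return "authoritative"  # zone is loaded; compare serials next
    if st == "NOERROR" and auth and all(r[0] == "." and r[3] == "NS" for r in auth):
        # Hugo's case: the server does not consider itself authoritative at all.
        return "referral-to-root"
    return "other:" + st


def compare_serials(master_parsed, slave_parsed):
    """Plain integer comparison; RFC 1982 wrap-around is not handled here."""
    m, s = soa_serial(master_parsed), soa_serial(slave_parsed)
    if m is None or s is None:
        return "no-soa"
    if m < s:
        return "master-behind"  # master serial lower than what the slave transferred
    return "slave-stale" if m > s else "in-sync"


if __name__ == "__main__":
    for name, text in [("referral", REFERRAL), ("servfail", SERVFAIL), ("slave", SLAVE_OK)]:
        print(name, classify(parse_dig(text)))
    print("serials:", compare_serials(parse_dig(MASTER_BEHIND), parse_dig(SLAVE_OK)))
```

Query the SOA at the zone apex on each server (`dig @ns2.example SOA example.be`) rather than an A record below it: an authoritative answer with `aa` set tells you the slave has a loaded copy, and only then does the serial comparison against the master mean anything. A referral to the root, as in Hugo's output, is a different condition from expiry: the server is not serving that zone at all.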