> On 24 Sep 2025, at 19:36, Alessandro Vesely <ves...@tana.it> wrote:
>
> On Wed 24/Sep/2025 08:25:40 +0200 Nick Tait wrote:
>> On 24/09/2025 05:42, Alessandro Vesely wrote:
>>> On Tue 23/Sep/2025 01:55:51 +0200 Mark Andrews wrote:
>>>> When checking zone serials for consistency all the above needs to be taken
>>>> into account. The scripts work when you query the correct instance of the
>>>> zone when using views and when there is not an inline signer on the
>>>> secondary.
>>>
>>> The script I ran just issues a few queries using Python's dns.resolver. I
>>> don't see how it could check for consistency (or determine that some
>>> resolvers use different views).
>>
>> The tool you're using might be looking at NS records and then querying the
>> authoritative servers directly, possibly in addition to asking the
>> configured resolver?
>
>
> The script is https://github.com/hannob/alwaysdns. It is charmingly simple
> in its downloading and comparing all SOA records. I assume signed serials
> have definitely disqualified this synchronization checking technique. Are
> there any alternatives?

Using inline-signing is a *choice*. Named will happily sign a zone without
using it. It is there for those that want to continue to use a text editor
for updating the zone content. One can choose not to use it and to use
rndc freeze/thaw when updating the zone file (not recommended) or to use
nsupdate to update the zone content (recommended). Yes, you have to learn
how to use a new tool. It’s not particularly hard.

>> (What do the internal zone file NS records point to? And when you "copy the
>> (edited) internal zone file to the public one, replacing things like NATted
>> addresses", are you also updating those?)
>
>
> This is an old bash script I've been tinkering with for years. Internal and
> public zones live in two parallel directories. For each internal zone file
> it generates the public copy on a temporary file using sed. If that
> temporary is different from the current one, all .jbk, .signed, .signed.jnl
> of that zone are marked for deletion. If there are any files so marked at
> the end, named is stopped, the files are removed, and named is restarted.
> The script doesn't check the serial numbers.
>
>
> Best
> Ale
> --
> Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from
> this list.

--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742              INTERNET: ma...@isc.org
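
An added example, not part of the thread and not code from either poster: one way the sed-generated public copy described above could be applied with nsupdate instead of deleting journal files and restarting named. It assumes both zone texts are in one-record-per-line form with fully qualified owner names (the "full" style named-compilezone can write); the zone name, records and addresses are constructed sample data.

```python
# Added example: turn the difference between the zone as currently served
# and the freshly generated copy into an nsupdate batch.
# Assumed input: "owner ttl class type rdata", one record per line.

SKIP_TYPES = {"SOA"}  # named increments the serial itself on a dynamic update

def parse_records(text):
    """Return a set of (owner, ttl, type, rdata) tuples."""
    records = set()
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith(";"):
            continue  # blank line or comment
        owner, ttl, rrclass, rrtype, rdata = line.split(None, 4)
        if rrclass.upper() != "IN" or rrtype.upper() in SKIP_TYPES:
            continue
        records.add((owner.lower(), int(ttl), rrtype.upper(), rdata.strip()))
    return records

def nsupdate_batch(zone, current_text, wanted_text):
    """Build nsupdate commands; an empty string means nothing changed."""
    current, wanted = parse_records(current_text), parse_records(wanted_text)
    if current == wanted:
        return ""
    lines = [f"zone {zone}"]
    # Deletes go first so a changed record is replaced, not duplicated.
    for owner, _ttl, rrtype, rdata in sorted(current - wanted):
        lines.append(f"update delete {owner} {rrtype} {rdata}")
    for owner, ttl, rrtype, rdata in sorted(wanted - current):
        lines.append(f"update add {owner} {ttl} {rrtype} {rdata}")
    lines.append("send")
    return "\n".join(lines) + "\n"

# Constructed sample data (documentation names and addresses).
CURRENT = """
example.com. 3600 IN SOA ns1.example.com. hostmaster.example.com. 2025092301 7200 3600 1209600 3600
example.com. 3600 IN NS ns1.example.com.
ns1.example.com. 3600 IN A 192.0.2.1
www.example.com. 3600 IN A 192.0.2.10
"""
WANTED = """
example.com. 3600 IN SOA ns1.example.com. hostmaster.example.com. 2025092401 7200 3600 1209600 3600
example.com. 3600 IN NS ns1.example.com.
ns1.example.com. 3600 IN A 192.0.2.1
www.example.com. 3600 IN A 192.0.2.20
mail.example.com. 3600 IN A 192.0.2.25
"""

if __name__ == "__main__":
    print(nsupdate_batch("example.com.", CURRENT, WANTED), end="")
```

The output is meant to be piped to nsupdate (for example with `-k` and a site-specific TSIG key file). SOA lines are skipped on purpose, so the hand-edited serial in the generated file is ignored and named assigns the next one.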