On May 25, 2012, at 11:03 AM, Bernhard Schmidt wrote:

> Hi,
> 
> I'm running DNS for a larger campus network. We have a few thousand 
> zones up to six labels deep, which are sourced from our internal 
> systems, a customer self-service portal, foreign master servers we slave 
> or even completely external entities we can't get a copy of the zone from.
> 
> We are fighting with keeping NS records in sync in parent and child 
> zones. This has mostly been a minor problem since most zones are on the 
> same servers and thus missing delegations are hidden, but becomes a 
> bigger problem with DNSSEC and NSEC. And of course users often change 
> things without giving us any heads-up.
> 
> Is there any script/framework out there already that tries to find that 
> mess? I'm thinking about
> 
> * getting a list of zones from management system
> * check delegation from upstream server
> * get zone file from our slave zone repository, walk all delegations, 
> check them on delegated server or in the zone repository
> * warn if delegations are missing or inconsistent
> * warn if delegations to non-existing/non-answering servers exist, or 
> delegations to own servers but zone is not configured
> * DS vs. DNSKEY checks
> 
> Thanks,
> Bernhard

Hi Bernhard,

You could try our tool DNSCheck (https://github.com/dotse/dnscheck), it's 
pretty much made for bulk checking domain delegations, especially if you use 
the database backend, and ensuring their quality etc. It's modular, 
BSD-licensed and quite adaptable for specific needs.

We also host a public instance of it at (http://dnscheck.iis.se) also if you 
want to try it out without installing anything; but go for the Advanced view 
straight away so the Basic view doesn't scare you away. ;)


        /Regards, Einar
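Bernhard's checklist above, as an added example that is not code from the thread or from DNSCheck: offline delegation consistency checks over a constructed inventory. It assumes the parent zone files and child apex NS RRsets have already been pulled from the slave zone repository and that server liveness was probed separately; the DS vs. DNSKEY check is not covered here.

```python
"""Offline delegation consistency checks (constructed data, not real zones)."""

def norm(name):
    """Canonical owner name: lower-case, exactly one trailing dot."""
    return name.lower().rstrip(".") + "."

def closest_parent(zone, parents):
    """Nearest enclosing zone whose parent-side zone file we walked, or None."""
    labels = zone.split(".")[1:]
    while labels:
        candidate = ".".join(labels)
        if candidate in parents:
            return candidate
        labels = labels[1:]
    return None

def check_delegations(parent_delegations, child_apex_ns, own_servers, answering):
    """Return (zone, problem, detail) tuples for the checks listed in the post."""
    child_apex_ns = {norm(z): {norm(n) for n in ns} for z, ns in child_apex_ns.items()}
    own_servers, answering = {norm(s) for s in own_servers}, {norm(s) for s in answering}
    parents = {norm(p): {norm(c): {norm(n) for n in ns} for c, ns in d.items()}
               for p, d in parent_delegations.items()}
    problems = []
    for parent, delegations in parents.items():
        for child, ns_parent in delegations.items():
            for ns in sorted(ns_parent - answering):  # non-existing / non-answering NS
                problems.append((child, "non-answering", f"delegated to {ns} in {parent}"))
            ns_child = child_apex_ns.get(child)
            if ns_child is None:
                if ns_parent & own_servers:  # points at us, but we do not serve it
                    problems.append((child, "not-configured", "delegated to our servers"))
                continue  # fully external child: nothing more to compare offline
            if ns_parent != ns_child:  # parent and child NS RRsets out of sync
                problems.append((child, "ns-mismatch",
                                 f"parent={sorted(ns_parent)} child={sorted(ns_child)}"))
    for zone in child_apex_ns:  # zones we serve whose parent we also serve
        parent = closest_parent(zone, parents)
        if parent is not None and zone not in parents[parent]:
            problems.append((zone, "missing-delegation", f"no NS RRset in {parent}"))
    return problems

# Constructed sample inventory: apex NS RRsets as served by our slaves, the
# delegation NS RRsets found in the parent zone file, and which servers answered.
CHILD_APEX_NS = {"example.test.": {"ns1.example.test.", "ns2.example.test."},
                 "sub.example.test.": {"ns1.example.test.", "ns2.example.test."},
                 "lab.example.test.": {"ns1.example.test.", "ns9.example.test."},
                 "sub2.example.test.": {"ns1.example.test."}}
PARENT_DELEGATIONS = {"example.test.": {
    "sub.example.test.": {"NS1.example.test.", "ns2.example.test."},  # case differs only
    "lab.example.test.": {"ns1.example.test."}, "old.example.test.": {"ns1.example.test."},
    "ext.example.test.": {"ns.dead.test."}}}
OWN_SERVERS = {"ns1.example.test.", "ns2.example.test."}
ANSWERING_SERVERS = OWN_SERVERS | {"ns9.example.test."}
```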

_______________________________________________
dns-operations mailing list
[email protected]
https://lists.dns-oarc.net/mailman/listinfo/dns-operations