Re: How to check slave zone freshness

2016-02-10 Thread Klaus Darilion


On 08.02.2016 14:58, Tony Finch wrote:
> Klaus Darilion  wrote:
>>
>> I want to monitor the freshness of my slave zones. Is it somehow
>> possible to extract the status of slave-zones from bind?
> 
> If you are running 9.10 or later you can use `rndc zonestatus`.
> 
> I have an older script which just looks at the timestamp of the zone
> files; BIND bumps the timestamp whenever it successfully refreshes the
> zone, even if it didn't need to transfer any changes.

This does not work as expected. When bind checks the SOA on the master
and detects a bigger serial, it tries to transfer the zone. Although the
zone transfer fails, the timestamp gets updated. Thus, the zone looks
fresh, but it isn't.

regards
Klaus
___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users


Re: How to check slave zone freshness

2016-02-10 Thread Klaus Darilion


On 10.02.2016 09:27, Klaus Darilion wrote:
> 
> 
> On 08.02.2016 14:58, Tony Finch wrote:
>> Klaus Darilion  wrote:
>>>
>>> I want to monitor the freshness of my slave zones. Is it somehow
>>> possible to extract the status of slave-zones from bind?
>>
>> If you are running 9.10 or later you can use `rndc zonestatus`.
>>
>> I have an older script which just looks at the timestamp of the zone
>> files; BIND bumps the timestamp whenever it successfully refreshes the
>> zone, even if it didn't need to transfer any changes.
> 
> This does not work as expected. When bind checks the SOA on the master
> and detects a bigger serial, it tries to transfer the zone. Although the
> zone transfer fails, the timestamp gets updated. Thus, the zone looks
> fresh, but it isn't.

Another test: I changed the master IP on the slave to 1.1.1.1. Thus,
every SOA check and zone transfer will fail. Nevertheless bind updates
the zone file's timestamp every time it tries to transfer the zone.
Tested with 9.9.8-P3.


Thus, any other options with bind 9.9.8? (I have not managed to build
Debian packages for bind 9.10)

Thanks
Klaus



Re: How to check slave zone freshness

2016-02-09 Thread Tony Finch
Mark Andrews  wrote:
>
> With a modern nameserver that supports the expire edns option you can
> also do "dig +expire soa zone @server" which will tell you how long
> until the zone will expire on this server.

By "modern", Mark means BIND 9.10 or later :-)

Tony.
-- 
f.anthony.n.finch    http://dotat.at/
Thames, Dover: Southwest 6 to gale 8, veering west 5 to 7, perhaps gale 8
later. Moderate or rough. Rain or showers. Good, occasionally poor.


Re: How to check slave zone freshness

2016-02-09 Thread Barry Margolin
In article ,
 Klaus Darilion  wrote:

> On 08.02.2016 20:49, Mark Andrews wrote:
> > With a modern nameserver that supports the expire edns option you can
> > also do "dig +expire soa zone @server" which will tell you how long
> > until the zone will expire on this server.
> 
> Aha, but isn't this a different kind of information? A zone which is not
> fresh anymore (refresh interval expired and checks to the master failed)
> may still be valid (not expired yet).

Subtract the time until expiry from the SOA Expire field, and that tells 
you how long it has been since it last refreshed.

-- 
Barry Margolin
Arlington, MA


Re: How to check slave zone freshness

2016-02-09 Thread Klaus Darilion


On 08.02.2016 20:49, Mark Andrews wrote:
> With a modern nameserver that supports the expire edns option you can
> also do "dig +expire soa zone @server" which will tell you how long
> until the zone will expire on this server.

Aha, but isn't this a different kind of information? A zone which is not
fresh anymore (refresh interval expired and checks to the master failed)
may still be valid (not expired yet).

regards
Klaus


Re: How to check slave zone freshness

2016-02-09 Thread Mark Andrews

In message , Barry 
Margolin writes:
> In article ,
>  Klaus Darilion  wrote:
> 
> > On 08.02.2016 20:49, Mark Andrews wrote:
> > > With a modern nameserver that supports the expire edns option you can
> > > also do "dig +expire soa zone @server" which will tell you how long
> > > until the zone will expire on this server.
> > 
> > Aha, but isn't this a different kind of information? A zone which is not
> > fresh anymore (refresh interval expired and checks to the master failed)
> > may still be valid (not expired yet).
> 
> Subtract the time until expiry from the SOA Expire field, and that tells 
> you how long it has been since it last refreshed.

No.  EXPIRE is designed to handle xfr transfer graphs with loops.
While I haven't yet adjusted the expire timer based on the expire
option value in named it is something that is planned to be done.

With "master -> slave -> slave" both slaves will end up with the
same expire option value as the slaves will use min(soa expire,
max(current expire, edns expire option)) as the value to update the
expire timer with.  With this graph they will both get the same
value

 /- slave1 -\
master < > slave3
 \- slave2 -/

The slave3 will be max of slave1 and slave2.

 /- slave1 -\
master <  |  > slave3
 \- slave2 -/

All three slaves will have an expire based on the most recent refresh
of slave1 and slave2 against master.

> -- 
> Barry Margolin
> Arlington, MA
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org


How to check slave zone freshness

2016-02-08 Thread Klaus Darilion
Hi!

I want to monitor the freshness of my slave zones. Is it somehow
possible to extract the status of slave-zones from bind?

Thanks
Klaus


Re: How to check slave zone freshness

2016-02-08 Thread Tony Finch
Klaus Darilion  wrote:
>
> I want to monitor the freshness of my slave zones. Is it somehow
> possible to extract the status of slave-zones from bind?

If you are running 9.10 or later you can use `rndc zonestatus`.

I have an older script which just looks at the timestamp of the zone
files; BIND bumps the timestamp whenever it successfully refreshes the
zone, even if it didn't need to transfer any changes.

Tony.
-- 
f.anthony.n.finch    http://dotat.at/
Irish Sea: Southwesterly veering northwesterly later, 6 to gale 8,
occasionally severe gale 9 or storm 10 at first in south. Rough or very rough,
occasionally high at first in south. Showers. Good, occasionally poor.


Re: How to check slave zone freshness

2016-02-08 Thread Warren Kumari
The standard, compatible way to do this is simply to do a lookup for the
SOA record and make sure that the serial number matches what you expect it
to be / what is on the master. I'm not sure what monitoring tool you are
using (or if you are writing your own), but most standard monitoring tools
have such a script already written - e.g:
https://exchange.nagios.org/directory/Plugins/Network-Protocols/DNS/checkexpire/details

I believe that BIND also updates the mtime on the zone file when it does
the check (not only when something changes):
root@eric:/etc/namedb/slave# date
Mon Feb  8 08:36:58 EST 2016
root@eric:/etc/namedb/slave# ls -al superficialinjurymonkey.com*
-rw-r--r-- 1 named named  714 Feb  8 03:51 superficialinjurymonkey.com
-rw-r--r-- 1 named named 1236 Feb  8 03:51 superficialinjurymonkey.com.jnl
root@eric:/etc/namedb/slave#

So, you should be able to just run 'ls' and see if the 'mtime' is larger
than you expect...

W


On Mon, Feb 8, 2016 at 5:40 AM Klaus Darilion 
wrote:

> Hi!
>
> I want to monitor the freshness of my slave zones. Is it somehow
> possible to extract the status of slave-zones from bind?
>
> Thanks
> Klaus

Re: How to check slave zone freshness

2016-02-08 Thread Warren Kumari
There are also transfer logs -- you could watch those and see if you are
getting any failures, but this seems, um, more brittle..

W

On Mon, Feb 8, 2016 at 6:22 AM Klaus Darilion 
wrote:

>
>
> On 08.02.2016 at 14:59, Warren Kumari wrote:
> > The standard, compatible way to do this is simply to do a lookup for the
> > SOA record and make sure that the serial number matches what you expect
> > it to be / what is on the master. I'm not sure what monitoring tool you
> > are using (or if you are writing your own), but most standard monitoring
> > tools have such a script already written -
> > e.g:
> > https://exchange.nagios.org/directory/Plugins/Network-Protocols/DNS/checkexpire/details
>
> This does not detect problems between the master and slave as long as
> the master is not updated.
>
> Further I can not fetch the serial easily from the slave as our slave is
> a "bump in the wire" signer, so the SOA is the internal increased
> "DNSSEC serial". So I would need to extract it from the local zone
> files/journal.
>
> > I believe that BIND also updates the mtime on the zone file when it does
> > the check (not only when something changes):
> > root@eric:/etc/namedb/slave# date
> > Mon Feb  8 08:36:58 EST 2016
> > root@eric:/etc/namedb/slave# ls -al superficialinjurymonkey.com*
> > -rw-r--r-- 1 named named  714 Feb  8 03:51 superficialinjurymonkey.com
> > -rw-r--r-- 1 named named 1236 Feb  8 03:51 superficialinjurymonkey.com.jnl
> > root@eric:/etc/namedb/slave#
> >
> > So, you should be able to just run 'ls' and see if the 'mtime' is larger
> > than you expect...
>
> This is an interesting hint and good starting point. Thanks.
>
> Nevertheless, additionally I would need to extract the SOA refresh
> value for every zone to find out if a zone is not fresh any more.
>
> Thanks
> Klaus
>

Re: How to check slave zone freshness

2016-02-08 Thread Klaus Darilion


On 08.02.2016 at 14:58, Tony Finch wrote:
> Klaus Darilion  wrote:
>>
>> I want to monitor the freshness of my slave zones. Is it somehow
>> possible to extract the status of slave-zones from bind?
> 
> If you are running 9.10 or later you can use `rndc zonestatus`.

Ah. Nice, as updating to 9.10 is on my plan.

I guess I need to iterate over all configured zones, may be a bit slow
for several thousand zones. I will see ...

> I have an older script which just looks at the timestamp of the zone
> files; BIND bumps the timestamp whenever it successfully refreshes the
> zone, even if it didn't need to transfer any changes.

Thanks for the info
Klaus




Re: How to check slave zone freshness

2016-02-08 Thread Klaus Darilion


On 08.02.2016 at 14:59, Warren Kumari wrote:
> The standard, compatible way to do this is simply to do a lookup for the
> SOA record and make sure that the serial number matches what you expect
> it to be / what is on the master. I'm not sure what monitoring tool you
> are using (or if you are writing your own), but most standard monitoring
> tools have such a script already written -
> e.g: 
> https://exchange.nagios.org/directory/Plugins/Network-Protocols/DNS/checkexpire/details

This does not detect problems between the master and slave as long as
the master is not updated.

Further I can not fetch the serial easily from the slave as our slave is
a "bump in the wire" signer, so the SOA is the internal increased
"DNSSEC serial". So I would need to extract it from the local zone
files/journal.

> I believe that BIND also updates the mtime on the zone file when it does
> the check (not only when something changes):
> root@eric:/etc/namedb/slave# date
> Mon Feb  8 08:36:58 EST 2016
> root@eric:/etc/namedb/slave# ls -al superficialinjurymonkey.com*
> -rw-r--r-- 1 named named  714 Feb  8 03:51 superficialinjurymonkey.com
> -rw-r--r-- 1 named named 1236 Feb  8 03:51 superficialinjurymonkey.com.jnl
> root@eric:/etc/namedb/slave#
> 
> So, you should be able to just run 'ls' and see if the 'mtime' is larger
> than you expect...

This is an interesting hint and good starting point. Thanks.

Nevertheless, additionally I would need to extract the SOA refresh
value for every zone to find out if a zone is not fresh any more.

Thanks
Klaus


Re: How to check slave zone freshness

2016-02-08 Thread Mark Andrews

With a modern nameserver that supports the expire edns option you can
also do "dig +expire soa zone @server" which will tell you how long
until the zone will expire on this server.

e.g.

;; BADCOOKIE, retrying.

; <<>> DiG 9.11.0pre-alpha <<>> +expire soa . +norec +noauth
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 2
;; flags: qr aa; QUERY: 1, ANSWER: 1, AUTHORITY: 13, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
; COOKIE: 11fa29d809bed1e5bad33ed956b8efad9c6914524fd2730f (good)
; EXPIRE: 577179 (6 days 16 hours 19 minutes 39 seconds)
;; QUESTION SECTION:
;.  IN  SOA

;; ANSWER SECTION:
.   86400   IN  SOA a.root-servers.net. nstld.verisign-grs.com. 2016020800 1800 900 604800 86400

;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Tue Feb 09 06:42:37 EST 2016
;; MSG SIZE  rcvd: 332

Mark

In message <56b8a65a.9030...@pernau.at>, Klaus Darilion writes:
> 
> 
> On 08.02.2016 at 14:58, Tony Finch wrote:
> > Klaus Darilion  wrote:
> >>
> >> I want to monitor the freshness of my slave zones. Is it somehow
> >> possible to extract the status of slave-zones from bind?
> > 
> > If you are running 9.10 or later you can use `rndc zonestatus`.
> 
> Ah. Nice, as updating to 9.10 is on my plan.
> 
> I guess I need to iterate over all configured zones, may be a bit slow
> for several thousand zones. I will see ...
> 
> > I have an older script which just looks at the timestamp of the zone
> > files; BIND bumps the timestamp whenever it successfully refreshes the
> > zone, even if it didn't need to transfer any changes.
> 
> Thanks for the info
> Klaus
> 
> 
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org
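
Added example, not part of the original thread: a shell check that parses `dig +expire soa` output shaped like the response quoted in the message above and estimates the time since the last refresh as SOA expire minus the EXPIRE option value. It assumes a secondary that transfers directly from its master (per Mark Andrews' other reply in this thread, on multi-hop transfer graphs the option reflects refreshes further upstream); the function names, the `refresh + retry + slack` threshold and the example.com sample data are constructed for illustration.

```shell
#!/bin/sh
# Added example: freshness check from `dig +expire soa ZONE @SERVER` output on stdin.

# Constructed sample shaped like the dig response in the thread; $1 = EXPIRE value.
sample_response() {
    printf '%s\n' \
        ';; OPT PSEUDOSECTION:' \
        '; EDNS: version: 0, flags:; udp: 4096' \
        "; EXPIRE: $1" \
        ';; QUESTION SECTION:' \
        ';example.com.  IN  SOA' \
        ';; ANSWER SECTION:' \
        'example.com. 3600 IN SOA ns1.example.com. hostmaster.example.com. 2016020800 1800 900 604800 86400'
}

# Print "<expire-option> <refresh> <retry> <soa-expire>"; fail if either part is missing
# (a server without EDNS EXPIRE support, BIND before 9.10 per the thread, sends no EXPIRE line).
parse_expire() {
    awk '
        /^; EXPIRE:/ { remaining = $3 }
        # answer line: owner ttl class SOA mname rname serial refresh retry expire minimum
        $4 == "SOA" && NF >= 11 { refresh = $8; retry = $9; expire = $10 }
        END {
            if (remaining == "" || expire == "") exit 1
            print remaining, refresh, retry, expire
        }'
}

# check_freshness [SLACK_SECONDS] < dig-output
# Returns 0 fresh, 1 stale, 3 unknown. Threshold refresh+retry+slack is an assumption.
check_freshness() {
    slack=${1:-0}
    fields=$(parse_expire) || { echo "UNKNOWN: no EXPIRE option or SOA answer"; return 3; }
    set -- $fields
    age=$(($4 - $1))            # SOA expire minus time left = time since last refresh
    limit=$(($2 + $3 + slack))
    if [ "$age" -gt "$limit" ]; then
        echo "STALE: last refresh about ${age}s ago (limit ${limit}s), expires in ${1}s"
        return 1
    fi
    echo "FRESH: last refresh about ${age}s ago (limit ${limit}s), expires in ${1}s"
}

sample_response 603900 | check_freshness 60            # refreshed 900s ago
sample_response 577179 | check_freshness 60 || true    # refreshed 27621s ago
sample_response 577179 | grep -v EXPIRE | check_freshness 60 || true   # no EXPIRE support
```

Against a live server the input would come from `dig +expire soa ZONE @SERVER +norec`, with ZONE and SERVER as placeholders for the zone and the secondary being monitored.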