Re: Monitoring Zonefiletransfer
Hi Markus,

Markus Weber <bumpemacve...@googlemail.com> writes:

>> Choose sane SOA values.
>> refresh and retry
>> expire
>
> I will check these values, I thought they were kind of standard values.

The default SOA values on a MS DNS Server are well and good for dynamic, internal, AD-integrated DNS zones. For use in the Internet, you might want to adjust the values; especially the expire value should not be too low.

This document gives some guidance on SOA values for DNS zones that are used in the Internet:
http://meetings.ripe.net/ripe-55/presentations/koch-ripe203bis.pdf

-- Carsten

___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
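An added example (not code from the thread or from any poster) of the check Carsten's advice implies: parse the SOA RDATA as `dig +short <zone> soa @<server>` prints it, test the relationships the timers must satisfy on a slave (retry shorter than refresh, expire well beyond refresh + retry), and turn the time since the last successful refresh into a Nagios-style state. The 14-day minimum expire, the warn/crit fractions and both sample SOA records are this example's own assumptions; the second record uses the values RIPE-203 recommends (86400/7200/3600000/172800).

```python
"""Sanity-check SOA timers and a slave's time-to-expiry (added example).

Not code from the thread. Parses the SOA RDATA as 'dig +short <zone> soa
@<server>' prints it and checks the timer relationships a slave depends on.
The min_expire threshold and the sample records are this example's own.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Soa:
    mname: str
    rname: str
    serial: int
    refresh: int
    retry: int
    expire: int
    minimum: int


def parse_soa(rdata: str) -> Soa:
    """Parse 'mname rname serial refresh retry expire minimum'."""
    fields = rdata.split()
    if len(fields) != 7:
        raise ValueError(f"expected 7 SOA fields, got {len(fields)}: {rdata!r}")
    mname, rname = fields[0], fields[1]
    serial, refresh, retry, expire, minimum = (int(x) for x in fields[2:])
    return Soa(mname, rname, serial, refresh, retry, expire, minimum)


def check_soa_timers(soa: Soa, min_expire: int = 14 * 86400) -> list:
    """Return a list of problems; an empty list means the timers look sane for a slave."""
    problems = []
    if soa.retry >= soa.refresh:
        problems.append(f"retry ({soa.retry}s) should be shorter than refresh ({soa.refresh}s)")
    if soa.expire <= soa.refresh + soa.retry:
        problems.append(f"expire ({soa.expire}s) must exceed refresh + retry "
                        f"({soa.refresh + soa.retry}s) or one failed refresh cycle expires the zone")
    if soa.expire < min_expire:
        problems.append(f"expire ({soa.expire}s) is below {min_expire}s; a short master outage "
                        f"makes the slave stop serving the zone")
    return problems


def expiry_state(soa: Soa, last_refresh_ok: int, now: int,
                 warn_frac: float = 0.5, crit_frac: float = 0.8):
    """(state, seconds_remaining) for a slave, counting `expire` seconds down
    from its last successful refresh. A slave that reaches zero stops
    answering for the zone, which is what took the poster's mail gateway down."""
    elapsed = now - last_refresh_ok
    remaining = soa.expire - elapsed
    if remaining <= 0 or elapsed >= crit_frac * soa.expire:
        return "CRITICAL", remaining
    if elapsed >= warn_frac * soa.expire:
        return "WARNING", remaining
    return "OK", remaining


# Constructed sample records (not from the thread): a zone with a one-day
# expire such as an internal dynamic zone might carry, and one tuned for
# Internet-facing use with the RIPE-203 values.
INTERNAL = "dc1.ad.example. hostmaster.ad.example. 2014021901 900 600 86400 3600"
INTERNET = "ns1.example.net. hostmaster.example.net. 2014021901 86400 7200 3600000 172800"

if __name__ == "__main__":
    for name, rdata in (("internal", INTERNAL), ("internet", INTERNET)):
        soa = parse_soa(rdata)
        print(name, check_soa_timers(soa) or "timers OK")
        print(name, expiry_state(soa, last_refresh_ok=0, now=70000))
```

The time of the last successful refresh has to come from somewhere other than the zone file's mtime (as rob0 notes further down, the file is only rewritten periodically); the check itself can record the moment the slave's serial was last seen to match a master and pass that in as `last_refresh_ok`.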
Re: Monitoring Zonefiletransfer
Hey guys,

sorry for the delay, I urgently had to take some days off last week. Anyways, thanks for all your help, I appreciate this a lot. I will now try to use only one DC as a master.

A last question: do you also run monitoring software on BIND? And if so, what or how do you monitor?

On 19.02.2014 at 20:33, Barry S. Finkel <bsfin...@att.net> wrote:

> On 2014-02-19 16:06, Barry S. Finkel wrote:
>> See MS KB article 282826, where MS documents the handling of zone serial numbers in an AD environment.
>
> And Dave Warren replied:
>> My experience is that it tends to work pretty well if BIND only points to one particular MS DNS server at a time, with a failover script that detects when that DNS server goes down and flips to another master (if you're worried about such things).
>>
>> That being said, even without that script and with multiple MS DNS masters configured in BIND at once, any issues generally work themselves out within 15 minutes or so, once the Active Directory serial number update propagates through the MS DNS infrastructure. As described in the article, the servers self-increment properly when a slave is detected, and occasionally sync up the serial numbers between MS DNS servers (again, only moving update). The only inconsistencies are in those recently added/modified records, so if you just plan for 15 minute update times for non-MS secondaries to sync up and ignore the periodic "serial is lower than expected" warnings, multi-mastering works fine in practice.
>>
>> -- Dave Warren
>
> That MS KB article states that if a Domain Controller DNS Server is not used as a master for a slave server, then the zone serial number is irrelevant. But if the Server is used as a master, then the serial number is relevant.
>
> Assume one zone that is mastered on two DCs, and the two serial numbers match (and the serial is N). A dynamic update for the zone is sent to DC1, and the serial number there is increased to N+1. At the same time a different dynamic update for the zone is sent to DC2, and DC2 then has serial number N+1. The two copies of the zone are different, but they both have the same serial number. When Active Directory synchronizes the zone, what serial number can it use for the synched zone? It can't use N+1, because that serial has been used, and the zone might have already been transferred to the slave server. It can't be N+2, because, in the meantime, another dynamic update may have come to DC1 or DC2, so serial N+2 might have already been used.
>
> Another thing that I hinted at in an earlier reply - with AD zones, the serial number can increase unnecessarily. In the past, when a dynamic DNS update was sent to a DC, and that update was already in DNS (e.g., a re-lease of a DHCP address), the Windows DNS Server code treated the update as a no-op, except for updating an internal timestamp in the zone. But sometime later, MS changed the code, so that the dynamic DNS update is no longer treated as a no-op. This causes
> 1) the DNS update to be initially refused because it does not have TSIG authorization, and the client (or DHCP Server) has to re-send the update.
> 2) the zone serial number to be updated, even when there is no update to the zone; this causes unnecessary zone transfers.
>
> --Barry Finkel
Re: Monitoring Zonefiletransfer
Hmmm, so that explains what I'm seeing in my logs of my nameservers getting hammered by AD. Should I be worried? Is there anything that could be done on my end to help reduce the impact?

On our campus, we have always allowed delegation of subdomains to department nameservers, with the requirement that we be secondary to them. Some departments also have other domains on their nameservers, again having us as their secondary (and often we're the only published nameservers for these domains.)

But, AD was different... they did their own thing. Except there's this problem now with their authoritative servers also being open recursive query resolvers... exposed to the whole world. Since they won't turn off recursion (and there's no way to limit its scope), we've started pushing that they need to use us as secondaries.

Right now it has only been tested with Central AD, where I'm seeing one DC sending updates ranging from a few minutes to a few hours, while the other DC is trying at intervals of 2-9 minutes, but it's N-1.

Though when they were first trying to get it going... they had some trouble, which turned out to be that it thought the IP space of my nameservers belonged to it and that my nameservers were not part of that space. Namely, one of my DNS vlans is 129.130.254.0/28 (ns-1.ksu.edu lives here, ns-2.ksu.edu/ns-3.ksu.edu live in the other one)... where some other portion of the /24 is a vlan that they have servers in.

Hmmm, I noticed in the dump of ads.ksu.edu, it has A records for my nameservers... is that a problem?

On 02/25/14 03:10, Markus Weber wrote:
> Hey guys,
>
> sorry for the delay, I urgently had to take some days off last week. Anyways, thanks for all your help, I appreciate this a lot. I will now try to use only one DC as a master.
>
> A last question: do you also run monitoring software on BIND? And if so, what or how do you monitor?
>
> On 19.02.2014 at 20:33, Barry S. Finkel <bsfin...@att.net> wrote:
>
>> On 2014-02-19 16:06, Barry S. Finkel wrote:
>>> See MS KB article 282826, where MS documents the handling of zone serial numbers in an AD environment.
>>
>> And Dave Warren replied:
>>> My experience is that it tends to work pretty well if BIND only points to one particular MS DNS server at a time, with a failover script that detects when that DNS server goes down and flips to another master (if you're worried about such things).
>>>
>>> That being said, even without that script and with multiple MS DNS masters configured in BIND at once, any issues generally work themselves out within 15 minutes or so, once the Active Directory serial number update propagates through the MS DNS infrastructure. As described in the article, the servers self-increment properly when a slave is detected, and occasionally sync up the serial numbers between MS DNS servers (again, only moving update). The only inconsistencies are in those recently added/modified records, so if you just plan for 15 minute update times for non-MS secondaries to sync up and ignore the periodic "serial is lower than expected" warnings, multi-mastering works fine in practice.
>>>
>>> -- Dave Warren
>>
>> That MS KB article states that if a Domain Controller DNS Server is not used as a master for a slave server, then the zone serial number is irrelevant. But if the Server is used as a master, then the serial number is relevant.
>>
>> Assume one zone that is mastered on two DCs, and the two serial numbers match (and the serial is N). A dynamic update for the zone is sent to DC1, and the serial number there is increased to N+1. At the same time a different dynamic update for the zone is sent to DC2, and DC2 then has serial number N+1. The two copies of the zone are different, but they both have the same serial number. When Active Directory synchronizes the zone, what serial number can it use for the synched zone? It can't use N+1, because that serial has been used, and the zone might have already been transferred to the slave server. It can't be N+2, because, in the meantime, another dynamic update may have come to DC1 or DC2, so serial N+2 might have already been used.
>>
>> Another thing that I hinted at in an earlier reply - with AD zones, the serial number can increase unnecessarily. In the past, when a dynamic DNS update was sent to a DC, and that update was already in DNS (e.g., a re-lease of a DHCP address), the Windows DNS Server code treated the update as a no-op, except for updating an internal timestamp in the zone. But sometime later, MS changed the code, so that the dynamic DNS update is no longer treated as a no-op. This causes
>> 1) the DNS update to be initially refused because it does not have TSIG authorization, and the client (or DHCP Server) has to re-send the update.
>> 2) the zone serial number to be updated, even when there is no update to the zone; this causes unnecessary zone transfers.
>>
>> --Barry Finkel
Re: Re: Monitoring Zonefiletransfer
>> A few problems I discovered:
>> - sometimes have a higher serial than all masters have, is this normal on an AD DNS? or am I doing something wrong? I thought this could not happen.
>
> Only transfer from one AD master. Microsoft AD doesn't maintain consistent serials across the servers. The serials should be monotonically increasing from an individual server.

And when I had BIND slaves for AD masters, when patches were being applied to the Domain Controllers (i.e., the ONE DC that I had selected as a master), a zone serial number would decrease. In most (but not all) cases, after the DC patching was finished, the zone serial number would go back to normal. I was not allowed to open a trouble ticket with Microsoft. Every morning at 7AM I ran a cron to capture the zone serial numbers on all of the 44+ AD zones on all my BIND DNS servers.

(I just realized that in my post about a half-hour ago on this subject, I had forgotten to change the Subject: line from the digest.)

--Barry Finkel
Re: Monitoring Zonefiletransfer
>> Only transfer from one AD master. Microsoft AD doesn't maintain consistent serials across the servers. The serials should be monotonically increasing from an individual server.
>
> Oh, I didn't know that. That's weird behavior, isn't it? I will definitely give it a try; I just added 3 of those servers to the Masters option because I thought it would increase the reliability in case of an error.

See MS KB article 282826, where MS documents the handling of zone serial numbers in an AD environment.

--Barry Finkel
Re: Monitoring Zonefiletransfer
On Tue, Feb 18, 2014 at 10:34 PM, /dev/rob0 <r...@gmx.co.uk> wrote:
> On Tue, Feb 18, 2014 at 11:44:15PM +0100, markus weber wrote:
>> I am new to administering a Bind server and after a few problems I ran into I need to monitor the zonefile transfers of my slave server.
>
> I think the terminology you use shows a part of the confusion. Zone *data* is transferred to slave servers, not zone *files.*

Well, yes and no...

Yes, the zone data is transferred, not the zone file -- but isn't this kinda sorta true of any copy operation? If I copy (or transfer) a file from one machine to another, it's not that I'm actually transferring the file, I'm creating a new file on the destination and copying the contents into it. And if the hard drive architecture of the destination machine is different to the source (or perhaps if the architectures are different endianness) the destination blob of magnetic bits is subtly different. The files still *mean* the same thing, but the encoding is altered...

Same thing if I placed a color photo on a black and white photocopier -- I would be able to quite happily say that I transferred the image to a new piece of paper (actually I'd just say that I copied it...), but I didn't really -- I transferred a close enough approximation of the image.

So, yes, a zone file itself isn't copied, the contents are -- and the files themselves probably won't be binary identical[0] (especially in the case of bind raw vs text formats!), but semantically they will be, and that's the important bit.

But yes, I know what you mean, I'm just feeling a bit pedantic this morning.

W

>> I have searched on google and nagios plugin sites but could not find anything that fits my needs entirely.
>>
>> Here is the Setup:
>> - MS ActiveDirectory as primary Nameservers (not under my control)
>> - 2 Bind servers as slave for various zones (behind a loadbalancer)
>>
>> The problem I ran into was that the zone transfer didn't work for some reason and the zone we hold expired, causing our mailgateway to stop relaying mails :/
>>
>> As I said, I googled around and as I could not find anything I hacked a nagios plugin myself (you can find the code here: https://github.com/seppovic/Nagios-plugins/blob/master/libexec/check_dns_zonetransfer.pl). But I am curious if I took the right route.
>>
>> These are my assumptions and a first approach:
>> - read named.conf and get master servers
>> - query soa of slave and get serial
>
> If query is something like dig +short zone.example. soa @slave, right.
>
>> - query first master and get serial
>
> Likewise here, s/slave/master/
>
>> - if serial match: get zonefile modification time (not sure if this is significant)
>
> It is not. Zone data is kept in memory and is written to the journal. At 15-minute intervals, the zone file is written if it differs from actual zone data.
>
>> and compare it with localtime and soa-expiretime + warn or crit on threshold (stat($zoneFile)[9] + $SOA_S->expire) - time
>> - if master serial > slave serial: create tempfile and check for how long it stays lower than the master's serial + warn or crit on threshold
>> - else test next master
>> - on last master exit with error (this should not become true ever, right?)
>>
>> A few problems I discovered:
>> - sometimes have a higher serial than all masters have, is this normal on an AD DNS? or am I doing something wrong? I thought this could not happen.
>> - Some Zones nearly always reach expiration time, and I get a lot of critical messages and a few hours/minutes before expiration it does the update.
>
> Not enough here to know what's going on.
>
>> I hope you can guide me a bit and tell me if this is what I want xD
>
> --
> http://rob0.nodns4.us/
> Offlist GMX mail is seen only if /dev/rob0 is in the Subject:
Re: Monitoring Zonefiletransfer
On 2014-02-19 16:06, Barry S. Finkel wrote:
> See MS KB article 282826, where MS documents the handling of zone serial numbers in an AD environment.

My experience is that it tends to work pretty well if BIND only points to one particular MS DNS server at a time, with a failover script that detects when that DNS server goes down and flips to another master (if you're worried about such things).

That being said, even without that script and with multiple MS DNS masters configured in BIND at once, any issues generally work themselves out within 15 minutes or so, once the Active Directory serial number update propagates through the MS DNS infrastructure. As described in the article, the servers self-increment properly when a slave is detected, and occasionally sync up the serial numbers between MS DNS servers (again, only moving update). The only inconsistencies are in those recently added/modified records, so if you just plan for 15 minute update times for non-MS secondaries to sync up and ignore the periodic "serial is lower than expected" warnings, multi-mastering works fine in practice.

--
Dave Warren
http://www.hireahit.com/
http://ca.linkedin.com/in/davejwarren
Re: Monitoring Zonefiletransfer
On 2014-02-19 16:06, Barry S. Finkel wrote:
> See MS KB article 282826, where MS documents the handling of zone serial numbers in an AD environment.

And Dave Warren replied:
> My experience is that it tends to work pretty well if BIND only points to one particular MS DNS server at a time, with a failover script that detects when that DNS server goes down and flips to another master (if you're worried about such things).
>
> That being said, even without that script and with multiple MS DNS masters configured in BIND at once, any issues generally work themselves out within 15 minutes or so, once the Active Directory serial number update propagates through the MS DNS infrastructure. As described in the article, the servers self-increment properly when a slave is detected, and occasionally sync up the serial numbers between MS DNS servers (again, only moving update). The only inconsistencies are in those recently added/modified records, so if you just plan for 15 minute update times for non-MS secondaries to sync up and ignore the periodic "serial is lower than expected" warnings, multi-mastering works fine in practice.
>
> -- Dave Warren

That MS KB article states that if a Domain Controller DNS Server is not used as a master for a slave server, then the zone serial number is irrelevant. But if the Server is used as a master, then the serial number is relevant.

Assume one zone that is mastered on two DCs, and the two serial numbers match (and the serial is N). A dynamic update for the zone is sent to DC1, and the serial number there is increased to N+1. At the same time a different dynamic update for the zone is sent to DC2, and DC2 then has serial number N+1. The two copies of the zone are different, but they both have the same serial number. When Active Directory synchronizes the zone, what serial number can it use for the synched zone? It can't use N+1, because that serial has been used, and the zone might have already been transferred to the slave server. It can't be N+2, because, in the meantime, another dynamic update may have come to DC1 or DC2, so serial N+2 might have already been used.

Another thing that I hinted at in an earlier reply - with AD zones, the serial number can increase unnecessarily. In the past, when a dynamic DNS update was sent to a DC, and that update was already in DNS (e.g., a re-lease of a DHCP address), the Windows DNS Server code treated the update as a no-op, except for updating an internal timestamp in the zone. But sometime later, MS changed the code, so that the dynamic DNS update is no longer treated as a no-op. This causes
1) the DNS update to be initially refused because it does not have TSIG authorization, and the client (or DHCP Server) has to re-send the update.
2) the zone serial number to be updated, even when there is no update to the zone; this causes unnecessary zone transfers.

--Barry Finkel
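The collision Barry walks through, as an added model (not code from the thread or from any poster): two masters start at serial N, each applies a different dynamic update and each arrives at N+1, and a slave that has already transferred from one of them sees an equal serial on the other and, as the protocol requires, does not transfer again. The record names, addresses and class names are this example's own; it models only the first half of Barry's argument (what the slave misses), not how AD later picks a serial for the synchronized zone.

```python
"""Model of the same-serial, different-content collision (added example).

Not code from the thread. Two masters at serial N each take a different
dynamic update and both end at N+1; a slave that transferred from the first
one sees an equal serial on the second and does not transfer, so the second
update never reaches it until a later change moves the serial on.
Class and function names, records and addresses are this example's own.
"""


class Master:
    def __init__(self, name, serial, records):
        self.name = name
        self.serial = serial
        self.records = dict(records)  # owner name -> rdata (constructed zone)

    def dynamic_update(self, owner, rdata):
        """Apply one update and bump the serial, as each DC does on its own copy."""
        self.records[owner] = rdata
        self.serial += 1


class Slave:
    def __init__(self):
        self.serial = None
        self.records = {}
        self.transfers = []  # (master name, serial) for every transfer performed

    def refresh(self, master):
        """SOA check as a slave performs it: transfer only if the master's
        serial is newer. Plain integer comparison stands in for RFC 1982
        serial arithmetic; the serials here stay far from the wrap-around."""
        if self.serial is None or master.serial > self.serial:
            self.serial = master.serial
            self.records = dict(master.records)
            self.transfers.append((master.name, master.serial))
            return True
        return False


def split_brain_scenario(n=2014021900):
    """Run the two-DC scenario and report what the slave ends up missing."""
    base = {"www": "192.0.2.10"}                 # constructed zone content at serial N
    dc1 = Master("dc1", n, base)
    dc2 = Master("dc2", n, base)
    dc1.dynamic_update("host-a", "192.0.2.11")   # update reaches DC1: serial N+1
    dc2.dynamic_update("host-b", "192.0.2.12")   # a different update reaches DC2: also N+1
    slave = Slave()
    slave.refresh(dc1)                           # transfers, now at N+1
    transferred_from_dc2 = slave.refresh(dc2)    # equal serial: no transfer
    union = {**dc1.records, **dc2.records}
    return {
        "dc1_serial": dc1.serial,
        "dc2_serial": dc2.serial,
        "slave_serial": slave.serial,
        "transferred_from_dc2": transferred_from_dc2,
        "missing_on_slave": sorted(set(union) - set(slave.records)),
        "transfers": slave.transfers,
    }


if __name__ == "__main__":
    for key, value in split_brain_scenario().items():
        print(f"{key}: {value}")
```

Listing several DCs under `masters` does not protect against this: the slave picks whichever master answers, and an equal serial on any of them reads as "up to date". That is the mechanism behind the advice earlier in the thread to transfer from one master only.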
Re: Monitoring Zonefiletransfer
In message <CAFw0=wj2xqqcc69uqetz6sc0oxdkjazt4o+vh0whfvuyia+...@mail.gmail.com>, markus weber writes:

> Hey Guys,
>
> I am new to administering a Bind server and after a few problems I ran into I need to monitor the zonefile transfers of my slave server. I have searched on google and nagios plugin sites but could not find anything that fits my needs entirely.
>
> Here is the Setup:
> - MS ActiveDirectory as primary Nameservers (not under my control)
> - 2 Bind servers as slave for various zones (behind a loadbalancer)
>
> The problem I ran into was that the zone transfer didn't work for some reason and the zone we hold expired, causing our mailgateway to stop relaying mails :/
>
> As I said, I googled around and as I could not find anything I hacked a nagios plugin myself (you can find the code here: https://github.com/seppovic/Nagios-plugins/blob/master/libexec/check_dns_zonetransfer.pl). But I am curious if I took the right route.
>
> These are my assumptions and a first approach:
> - read named.conf and get master servers
> - query soa of slave and get serial
> - query first master and get serial
> - if serial match: get zonefile modification time (not sure if this is significant) and compare it with localtime and soa-expiretime + warn or crit on threshold (stat($zoneFile)[9] + $SOA_S->expire) - time
> - if master serial > slave serial: create tempfile and check for how long it stays lower than the master's serial + warn or crit on threshold
> - else test next master
> - on last master exit with error (this should not become true ever, right?)
>
> A few problems I discovered:
> - sometimes have a higher serial than all masters have, is this normal on an AD DNS? or am I doing something wrong? I thought this could not happen.

Only transfer from one AD master. Microsoft AD doesn't maintain consistent serials across the servers. The serials should be monotonically increasing from an individual server.

> - Some Zones nearly always reach expiration time, and I get a lot of critical messages and a few hours/minutes before expiration it does the update.

Choose sane SOA values.
refresh and retry
expire

> I hope you can guide me a bit and tell me if this is what I want xD
>
> many thanks in advance
> seppovic

--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: ma...@isc.org
Re: Monitoring Zonefiletransfer
On 02/18/2014 04:39 PM, Mark Andrews wrote:
> Only transfer from one AD master. Microsoft AD doesn't maintain consistent serials across the servers. The serials should be monotonically increasing from an individual server.

Also try to determine what the primary master is for the zone. Windows DNS does have this concept, but they don't emphasize it since they like people to believe in the fantasy that is lazy replication. :)

Doug
Re: Monitoring Zonefiletransfer
On Tue, Feb 18, 2014 at 11:44:15PM +0100, markus weber wrote:
> I am new to administering a Bind server and after a few problems I ran into I need to monitor the zonefile transfers of my slave server.

I think the terminology you use shows a part of the confusion. Zone *data* is transferred to slave servers, not zone *files.*

> I have searched on google and nagios plugin sites but could not find anything that fits my needs entirely.
>
> Here is the Setup:
> - MS ActiveDirectory as primary Nameservers (not under my control)
> - 2 Bind servers as slave for various zones (behind a loadbalancer)
>
> The problem I ran into was that the zone transfer didn't work for some reason and the zone we hold expired, causing our mailgateway to stop relaying mails :/
>
> As I said, I googled around and as I could not find anything I hacked a nagios plugin myself (you can find the code here: https://github.com/seppovic/Nagios-plugins/blob/master/libexec/check_dns_zonetransfer.pl). But I am curious if I took the right route.
>
> These are my assumptions and a first approach:
> - read named.conf and get master servers
> - query soa of slave and get serial

If query is something like dig +short zone.example. soa @slave, right.

> - query first master and get serial

Likewise here, s/slave/master/

> - if serial match: get zonefile modification time (not sure if this is significant)

It is not. Zone data is kept in memory and is written to the journal. At 15-minute intervals, the zone file is written if it differs from actual zone data.

> and compare it with localtime and soa-expiretime + warn or crit on threshold (stat($zoneFile)[9] + $SOA_S->expire) - time
> - if master serial > slave serial: create tempfile and check for how long it stays lower than the master's serial + warn or crit on threshold
> - else test next master
> - on last master exit with error (this should not become true ever, right?)
>
> A few problems I discovered:
> - sometimes have a higher serial than all masters have, is this normal on an AD DNS? or am I doing something wrong? I thought this could not happen.
> - Some Zones nearly always reach expiration time, and I get a lot of critical messages and a few hours/minutes before expiration it does the update.

Not enough here to know what's going on.

> I hope you can guide me a bit and tell me if this is what I want xD

--
http://rob0.nodns4.us/
Offlist GMX mail is seen only if /dev/rob0 is in the Subject:
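The check the thread converges on, as an added example in Python (not the poster's Perl plugin, and not code from any other participant): query the SOA serial on the slave and on each master the way rob0 suggests, compare the serials with RFC 1982 arithmetic so a 32-bit wrap-around does not read as "behind", and track how long the slave has stayed behind instead of looking at the zone file's mtime. It also flags the "slave serial higher than every master" condition Markus saw (and the serial decrease Barry reports after DC patching would show up the same way), since with AD masters that points at inconsistent serials between DCs rather than at a healthy slave. The dig invocation, thresholds, server names and serials are this example's own assumptions.

```python
"""Compare a BIND slave's zone serial with its masters (added example).

Not the Perl plugin from the thread. Serial comparison follows RFC 1982;
lag tracking replaces the poster's tempfile: the caller persists the
timestamp at which the slave was first seen behind and feeds it back in on
the next run. Thresholds, server names and serials below are constructed.
"""
import subprocess
import time

SERIAL_HALF = 1 << 31          # half the 32-bit serial space (RFC 1982)
NAGIOS_RC = {"OK": 0, "WARNING": 1, "CRITICAL": 2, "UNKNOWN": 3}


def serial_cmp(a, b):
    """RFC 1982 comparison: -1 if a is older than b, 1 if newer, 0 if equal,
    None when the two differ by exactly 2**31 (undefined by the RFC)."""
    a &= 0xFFFFFFFF
    b &= 0xFFFFFFFF
    if a == b:
        return 0
    if a < b:
        d = b - a
        return None if d == SERIAL_HALF else (-1 if d < SERIAL_HALF else 1)
    d = a - b
    return None if d == SERIAL_HALF else (1 if d < SERIAL_HALF else -1)


def query_serial(zone, server):
    """SOA serial `server` reports for `zone`, or None if it did not answer.

    Shells out to dig (assumed installed); 'dig +short' prints the SOA RDATA
    as 'mname rname serial refresh retry expire minimum'. Not used by the
    offline demo below.
    """
    proc = subprocess.run(
        ["dig", "+short", "+time=2", "+tries=1", zone, "soa", "@" + server],
        capture_output=True, text=True, check=False)
    fields = proc.stdout.split()
    return int(fields[2]) if len(fields) >= 7 else None


def assess(slave_serial, master_serials, behind_since, now, warn_after, crit_after):
    """Classify the slave. master_serials maps master -> serial (None = no
    answer). behind_since is when the slave was first seen behind a master
    (None if it was not behind at the last run). Returns
    (status, message, new_behind_since); persist the third value between runs."""
    if slave_serial is None:
        return "CRITICAL", "slave did not answer the SOA query", behind_since
    reachable = {m: s for m, s in master_serials.items() if s is not None}
    if not reachable:
        return "UNKNOWN", "no master answered the SOA query", behind_since
    behind = {m: s for m, s in reachable.items() if serial_cmp(slave_serial, s) == -1}
    ahead = {m: s for m, s in reachable.items() if serial_cmp(slave_serial, s) == 1}
    if behind:
        started = now if behind_since is None else behind_since
        lag = now - started
        detail = ", ".join(f"{m}={s}" for m, s in sorted(behind.items()))
        msg = f"slave serial {slave_serial} behind {detail} for {lag}s"
        status = "CRITICAL" if lag >= crit_after else "WARNING" if lag >= warn_after else "OK"
        return status, msg, started
    if len(ahead) == len(reachable):
        # The case from the thread: with several AD DCs listed as masters the
        # slave can sit above every master because the DCs do not keep their
        # serials consistent (a DC whose serial dropped looks the same). Flag
        # it; the remedy discussed on the list is to transfer from one master.
        detail = ", ".join(f"{m}={s}" for m, s in sorted(ahead.items()))
        return "WARNING", f"slave serial {slave_serial} is ahead of every master ({detail})", None
    return "OK", f"slave serial {slave_serial} matches a master", None


if __name__ == "__main__":
    # Constructed sample run: the slave lags dc1 and dc2 did not answer.
    status, msg, since = assess(2014021901, {"dc1": 2014021905, "dc2": None},
                                behind_since=None, now=int(time.time()),
                                warn_after=600, crit_after=1800)
    print(f"{status}: {msg} (behind_since={since})")
    raise SystemExit(NAGIOS_RC[status])
```

In a real plugin the serials come from `query_serial` for the slave and for each master parsed out of `named.conf`, and the returned `behind_since` is written to a small state file and read back on the next run, which is the role the tempfile played in the original approach.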
Re: Monitoring Zonefiletransfer
On 19.02.2014 at 01:39, Mark Andrews <ma...@isc.org> wrote:

> In message <CAFw0=wj2xqqcc69uqetz6sc0oxdkjazt4o+vh0whfvuyia+...@mail.gmail.com>, markus weber writes:
>
>> Hey Guys,
>>
>> I am new to administering a Bind server and after a few problems I ran into I need to monitor the zonefile transfers of my slave server. I have searched on google and nagios plugin sites but could not find anything that fits my needs entirely.
>>
>> Here is the Setup:
>> - MS ActiveDirectory as primary Nameservers (not under my control)
>> - 2 Bind servers as slave for various zones (behind a loadbalancer)
>>
>> The problem I ran into was that the zone transfer didn't work for some reason and the zone we hold expired, causing our mailgateway to stop relaying mails :/
>>
>> As I said, I googled around and as I could not find anything I hacked a nagios plugin myself (you can find the code here: https://github.com/seppovic/Nagios-plugins/blob/master/libexec/check_dns_zonetransfer.pl). But I am curious if I took the right route.
>>
>> These are my assumptions and a first approach:
>> - read named.conf and get master servers
>> - query soa of slave and get serial
>> - query first master and get serial
>> - if serial match: get zonefile modification time (not sure if this is significant) and compare it with localtime and soa-expiretime + warn or crit on threshold (stat($zoneFile)[9] + $SOA_S->expire) - time
>> - if master serial > slave serial: create tempfile and check for how long it stays lower than the master's serial + warn or crit on threshold
>> - else test next master
>> - on last master exit with error (this should not become true ever, right?)
>>
>> A few problems I discovered:
>> - sometimes have a higher serial than all masters have, is this normal on an AD DNS? or am I doing something wrong? I thought this could not happen.
>
> Only transfer from one AD master. Microsoft AD doesn't maintain consistent serials across the servers. The serials should be monotonically increasing from an individual server.

Oh, I didn't know that. That's weird behavior, isn't it? I will definitely give it a try; I just added 3 of those servers to the Masters option because I thought it would increase the reliability in case of an error.

>> - Some Zones nearly always reach expiration time, and I get a lot of critical messages and a few hours/minutes before expiration it does the update.
>
> Choose sane SOA values.
> refresh and retry
> expire

I will check these values, I thought they were kind of standard values.

>> I hope you can guide me a bit and tell me if this is what I want xD
>>
>> many thanks in advance
>> seppovic

Thanks.
Re: Monitoring Zonefiletransfer
On 19.02.2014 at 01:48, Doug Barton <do...@dougbarton.us> wrote:

> On 02/18/2014 04:39 PM, Mark Andrews wrote:
>> Only transfer from one AD master. Microsoft AD doesn't maintain consistent serials across the servers. The serials should be monotonically increasing from an individual server.
>
> Also try to determine what the primary master is for the zone. Windows DNS does have this concept, but they don't emphasize it since they like people to believe in the fantasy that is lazy replication. :)
>
> Doug

I will ask them, but they gave me a list of 3 servers and said I could use all of them.
Re: Monitoring Zonefiletransfer
On 19.02.2014 at 04:34, /dev/rob0 <r...@gmx.co.uk> wrote:

> On Tue, Feb 18, 2014 at 11:44:15PM +0100, markus weber wrote:
>> I am new to administering a Bind server and after a few problems I ran into I need to monitor the zonefile transfers of my slave server.
>
> I think the terminology you use shows a part of the confusion. Zone *data* is transferred to slave servers, not zone *files.*

From my understanding the term "zonefiletransfer" is quite common; maybe it is just a German thing and in English it's just "zone transfer", but I would not fight about this.

>> I have searched on google and nagios plugin sites but could not find anything that fits my needs entirely.
>>
>> Here is the Setup:
>> - MS ActiveDirectory as primary Nameservers (not under my control)
>> - 2 Bind servers as slave for various zones (behind a loadbalancer)
>>
>> The problem I ran into was that the zone transfer didn't work for some reason and the zone we hold expired, causing our mailgateway to stop relaying mails :/
>>
>> As I said, I googled around and as I could not find anything I hacked a nagios plugin myself (you can find the code here: https://github.com/seppovic/Nagios-plugins/blob/master/libexec/check_dns_zonetransfer.pl). But I am curious if I took the right route.
>>
>> These are my assumptions and a first approach:
>> - read named.conf and get master servers
>> - query soa of slave and get serial
>
> If query is something like dig +short zone.example. soa @slave, right.

Yep, exactly. I do it with a Perl module but the outcome is the same.

>> - query first master and get serial
>
> Likewise here, s/slave/master/

True.

>> - if serial match: get zonefile modification time (not sure if this is significant)
>
> It is not. Zone data is kept in memory and is written to the journal. At 15-minute intervals, the zone file is written if it differs from actual zone data.

I read somewhere that it is enough to look at the modification time. But if you know a way I can get the time of the last retry, I could determine for how long it did not update.

>> and compare it with localtime and soa-expiretime + warn or crit on threshold (stat($zoneFile)[9] + $SOA_S->expire) - time
>> - if master serial > slave serial: create tempfile and check for how long it stays lower than the master's serial + warn or crit on threshold
>> - else test next master
>> - on last master exit with error (this should not become true ever, right?)
>>
>> A few problems I discovered:
>> - sometimes have a higher serial than all masters have, is this normal on an AD DNS? or am I doing something wrong? I thought this could not happen.
>> - Some Zones nearly always reach expiration time, and I get a lot of critical messages and a few hours/minutes before expiration it does the update.
>
> Not enough here to know what's going on.

Me neither :( What information could I provide for this? Or where can I look for help? I will first look for the refresh and retry values as Mark pointed out and come back then.

>> I hope you can guide me a bit and tell me if this is what I want xD