Re: how to check if a slave zone is expired

2011-06-04 Thread Warren Kumari
And I finally got enough cycles to write a script to do this and released it 
on Google Code ( https://code.google.com/p/dns-slave-expire-checker/ ). It is 
very simple, but if folks find it useful I can add additional functionality...

It is a simple Python program:

./dns_expire_checker.py -r  -d /data/dns/zones/slaves/
NOTICE: example.com failed more than once to transfer (679683 > (86407 + 10))
ERROR: example.net has expired! (679683 > (604800 + 10))
NOTICE: example.org failed more than once to transfer (679683 > (86407 + 10))



0 Errors:   
1 Expire:   example.net
2 Retry:example.com, example.org
0 Refresh:  
0 Healthy:  


Anyway, share and enjoy.

W




On May 6, 2011, at 11:16 AM, John Wobus wrote:


___
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users


Re: how to check if a slave zone is expired

2011-05-08 Thread Barry Finkel

I review the BIND syslogs on my servers daily.  The syslog will
tell me if any slave is having problems loading a zone.
I expect that the hostmasters at my off-site slaves do the same.
If I slave a zone for someone else, and I see problems, I contact
the owner of that zone.
--
Barry S. Finkel
Computing and Information Systems Division
Argonne National Laboratory  Phone:+1 (630) 252-7277
9700 South Cass Avenue   Facsimile:+1 (630) 252-4601
Building 240, Room 5.B.8 Internet: bsfin...@anl.gov
Argonne, IL   60439-4828 IBMMAIL:  I1004994


Re: how to check if a slave zone is expired

2011-05-06 Thread John Wobus

I try to catch zones that are not updating on the slaves
to which I have access.  I compare the modtime of the zone
file with the current time and the refresh interval
for the zone.  Typically I allow a failure or two
before alerting, e.g. wait 1 refresh + 2 retry intervals.
If the expire interval is very short, this could
be too late.

Depending upon the expire interval and refresh interval,
the window in which you can be alerted and troubleshoot
a problem might be short.  If you're slaving zones
for another site, you might not have control of that.

If you find out refreshes aren't happening long before
the expiration, and if the zone is pretty static (e.g. a single
www.example.com address), you don't have to jump very fast to
address things if the expire interval is weeks.  If folks are
depending upon records that are dynamic, you want to respond
pretty quickly.

John Wobus


Re: how to check if a slave zone is expired

2011-05-05 Thread John Bond
On 5/4/11 10:22 AM, hugo hugoo wrote:
 So..no way to check that a zone is expired?
Hello Hugo,

I recently wrote a small script which mails me about any zones that are due to 
expire within the next 24 hours.  This works by using the last change time of 
the file on disk and the SOA expiry time.  It is a bit hackish but produces a 
report telling you when a zone will expire, including zones that will expire in 
the past.  If anyone has any improvements on this I would welcome comments.

==
#!/bin/sh
# Mail a list of slave zones whose copy on this server expires within 24 h.
# Expiry is estimated as: mtime of the zone file (last successful refresh or
# transfer) + EXPIRE field of the zone's SOA as served by the local named.
ZONEDIR=/var/named/zones/
EMAIL=em...@example.com

TOMORROW=$(/bin/date --date=tomorrow +%s)
cd "${ZONEDIR}" || exit 1

# Every file in ZONEDIR except journals (*.jnl) is taken to be a zone file
for zone in $(/bin/ls -1 | /bin/grep -v '\.jnl$');
do
   # %Y = mtime; the file is rewritten/touched when named refreshes the zone
   zone_lastupdated=$(/usr/bin/stat -c %Y "${zone}")
   # SOA RDATA: mname rname serial refresh retry expire minimum -> $6 is expire
   expiry=$(/usr/bin/dig +short SOA "${zone}" @localhost 2>/dev/null |
            /usr/bin/awk '{print $6}')
   if [ -z "${expiry}" ]; then
      # No SOA answer: the zone has already expired (SERVFAIL) or is not
      # loaded here, so there is nothing to add the timer to.
      echo "${zone}: no SOA answer from localhost (expired or not loaded?)"
      continue
   fi
   zone_expires=$((zone_lastupdated + expiry))
   if [ "${zone_expires}" -le "${TOMORROW}" ]; then
      echo "${zone} expires on $(/bin/date --date "@${zone_expires}")"
   fi
done | /bin/mail -s "Zones which expire in the next 24 hours" "${EMAIL}"
==


Regards
John



Re: how to check if a slave zone is expired

2011-05-05 Thread Chris Thompson

On May 4 2011, Doug Barton wrote:


On 05/04/2011 01:22, hugo hugoo wrote:

So..no way to check that a zone is expired?


You're asking the wrong question. The correct question is, How can I 
make sure that a zone is up to date on all of the slaves? You do that 
by querying the SOA record for the zone on each slave and compare the 
serial number to the master.


This isn't necessarily the right question. It is perfectly possible
for a slave's copy of a zone to be up to date, but still be about to
expire, because the slave has been unable to *confirm* that it is up
to date for the expiry period (due to network problems, configuration
errors, or whatever).

If Mark Andrews' EDNS Expire Option I-D had taken off, one would be
able to use that to test time-to-expiry for a zone from outside the
server, rather than messing about with the modification times of the
master files. But sadly, it didn't ...

--
Chris Thompson
Email: c...@cam.ac.uk


Re: how to check if a slave zone is expired

2011-05-05 Thread Doug Barton

On 05/05/2011 04:35, Chris Thompson wrote:

On May 4 2011, Doug Barton wrote:


On 05/04/2011 01:22, hugo hugoo wrote:

So..no way to check that a zone is expired?


You're asking the wrong question. The correct question is, How can I
make sure that a zone is up to date on all of the slaves? You do that
by querying the SOA record for the zone on each slave and compare the
serial number to the master.


This isn't necessarily the right question. It is perfectly possible
for a slave's copy of a zone to be up to date, but still be about to
expire, because the slave has been unable to *confirm* that it is up
to date for the expiry period (due to network problems, configuration
errors, or whatever).


Sorry, I should have said, Given the precondition you've established 
that you don't want to look at the logs ... There is no way to tell if 
a zone is about to expire on the slave without looking at the logs, so 
querying for the SOA is the only option available. If the query fails, 
you know that the zone has expired. :)



--

Nothin' ever doesn't change, but nothin' changes much.
-- OK Go

Breadth of IT experience, and depth of knowledge in the DNS.
Yours for the right price.  :)  http://SupersetSolutions.com/



how to check if a slave zone is expired

2011-05-04 Thread hugo hugoo

Dear all,
 
Is there a way to check that a slave zone is expired?
I use dig in the following way to see that the zone is not responding on my 
server...but is this due to the fact that the zone is expired or another 
problem?
 
dnszone002:/etc/bind/zones/slave# dig @localhost omega-pharma.be soa
 
; <<>> DiG 9.3.4 <<>> @localhost omega-pharma.be soa
; (1 server found)
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 26868
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 13, ADDITIONAL: 0
;; QUESTION SECTION:
;omega-pharma.be.   IN  SOA
;; AUTHORITY SECTION:
.   518400  IN  NS  A.ROOT-SERVERS.NET.
.   518400  IN  NS  B.ROOT-SERVERS.NET.
.   518400  IN  NS  C.ROOT-SERVERS.NET.
.   518400  IN  NS  D.ROOT-SERVERS.NET.
.   518400  IN  NS  E.ROOT-SERVERS.NET.
.   518400  IN  NS  F.ROOT-SERVERS.NET.
.   518400  IN  NS  G.ROOT-SERVERS.NET.
.   518400  IN  NS  H.ROOT-SERVERS.NET.
.   518400  IN  NS  I.ROOT-SERVERS.NET.
.   518400  IN  NS  J.ROOT-SERVERS.NET.
.   518400  IN  NS  K.ROOT-SERVERS.NET.
.   518400  IN  NS  L.ROOT-SERVERS.NET.
.   518400  IN  NS  M.ROOT-SERVERS.NET.

 
- How can I see that it is because the zone is expired? 
 
- Is there a way to visualise all the zones that are expired (to make a cleanup 
of the configuration)
 
 
Thanks for your feedback,
 
Hugo, 

Re: how to check if a slave zone is expired

2011-05-04 Thread Chris Buxton
Method 1: Compare the timestamp on the slave zone file with the system's 
current date. Compare that difference with the expire timer in the SOA record 
in the same zone file. If the difference is greater than the expire timer, then 
the zone is expired.

Method 2: Check the logs.

Chris Buxton
BlueCat Networks

On May 3, 2011, at 11:53 PM, hugo hugoo wrote:

 Dear all,
  
 Is there a way to check that a slave zone is expired?
 I use dig in the following way to see that the zone is not responding on my 
 server...but is this due to the fact that the zone is expired or another 
 problem?
  
 dnszone002:/etc/bind/zones/slave# dig @localhost omega-pharma.be soa
  
 ;  DiG 9.3.4  @localhost omega-pharma.be soa
 ; (1 server found)
 ;; global options:  printcmd
 ;; Got answer:
 ;; -HEADER- opcode: QUERY, status: NOERROR, id: 26868
 ;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 13, ADDITIONAL: 0
 ;; QUESTION SECTION:
 ;omega-pharma.be.   IN  SOA
 ;; AUTHORITY SECTION:
 .   518400  IN  NS  A.ROOT-SERVERS.NET.
 .   518400  IN  NS  B.ROOT-SERVERS.NET.
 .   518400  IN  NS  C.ROOT-SERVERS.NET.
 .   518400  IN  NS  D.ROOT-SERVERS.NET.
 .   518400  IN  NS  E.ROOT-SERVERS.NET.
 .   518400  IN  NS  F.ROOT-SERVERS.NET.
 .   518400  IN  NS  G.ROOT-SERVERS.NET.
 .   518400  IN  NS  H.ROOT-SERVERS.NET.
 .   518400  IN  NS  I.ROOT-SERVERS.NET.
 .   518400  IN  NS  J.ROOT-SERVERS.NET.
 .   518400  IN  NS  K.ROOT-SERVERS.NET.
 .   518400  IN  NS  L.ROOT-SERVERS.NET.
 .   518400  IN  NS  M.ROOT-SERVERS.NET.
 
  
 - How can I see that it is because the zone is expired? 
  
 - Is there a way to visualise all the zones that are expired (to make a 
 cleanup of the configuration)
  
  
 Thanks for your feedback,
  
 Hugo, 
  
 ___
 bind-users mailing list
 bind-users@lists.isc.org
 https://lists.isc.org/mailman/listinfo/bind-users

___
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
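
Chris Buxton's Method 1 above, and the checker Warren Kumari describes at the 
top of the thread, both turn the slave zone file's mtime plus the SOA timers 
into a verdict. The block below is an added Python example, not code from 
either poster, from the Google Code project, or from BIND. It parses the SOA 
RDATA exactly as `dig +short SOA <zone> @localhost` prints it, compares the 
file's age against REFRESH, REFRESH+RETRY and EXPIRE, and reports seconds left 
until expiry. The four bucket names and the 10-second slack mirror the checker 
output quoted above; the exact thresholds, the zone names, the timers and the 
fixed "now" are this example's own constructed assumptions. Like every mtime 
approach in this thread it only works if named updates the slave file's mtime 
on each successful refresh, not only when the serial changes.

```python
"""Classify slave zones from their SOA timers and the age of the zone file.

Added example (not code from the thread): implements the mtime-vs-SOA check
with the four buckets used in the dns-slave-expire-checker output
(healthy / refresh / retry / expire).
"""
import os
import time
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class SoaTimers:
    serial: int
    refresh: int
    retry: int
    expire: int


def parse_soa(rdata: str) -> SoaTimers:
    """Parse SOA RDATA in the form printed by `dig +short SOA <zone> @server`:
    MNAME RNAME SERIAL REFRESH RETRY EXPIRE MINIMUM (timers in seconds)."""
    fields = rdata.split()
    if len(fields) != 7:
        raise ValueError(f"expected 7 SOA fields, got {len(fields)}: {rdata!r}")
    serial, refresh, retry, expire = (int(f) for f in fields[2:6])
    return SoaTimers(serial, refresh, retry, expire)


def classify(age: int, soa: SoaTimers, slack: int = 10) -> str:
    """Bucket a slave zone by how long ago its file was last written.

    The mtime marks the last successful refresh or transfer, so the elapsed
    time says how many timer deadlines named has already missed.  `slack`
    absorbs scheduling jitter; 10 s is taken from the quoted checker output
    (an assumption of this example, not a BIND constant).
    """
    if age > soa.expire + slack:
        return "expire"      # past EXPIRE: named now answers SERVFAIL
    if age > soa.refresh + soa.retry + slack:
        return "retry"       # a retry after the missed refresh failed as well
    if age > soa.refresh + slack:
        return "refresh"     # one refresh deadline missed, retrying
    return "healthy"


def seconds_to_expiry(age: int, soa: SoaTimers) -> int:
    """Seconds until the slave copy expires (negative once it already has)."""
    return soa.expire - age


def file_age(path: str, now: Optional[float] = None) -> int:
    """Age of a slave zone file on disk, in whole seconds."""
    now = time.time() if now is None else now
    return int(now - os.stat(path).st_mtime)


def report(zones: List[Tuple[str, int, str]], now: int) -> Dict[str, List[str]]:
    """zones: (name, mtime_epoch, soa_rdata) triples.  Returns bucket -> names
    in the order the checker's summary uses (expire, retry, refresh, healthy)."""
    buckets: Dict[str, List[str]] = {"expire": [], "retry": [], "refresh": [], "healthy": []}
    for name, mtime, rdata in zones:
        buckets[classify(now - mtime, parse_soa(rdata))].append(name)
    return buckets


# Constructed sample input: one set of SOA timers (refresh 1 day, retry 2 h,
# expire 1 week) and four different last-write times.  All values made up.
SOA = "ns1.example.com. hostmaster.example.com. 2011050401 86400 7200 604800 3600"
NOW = 1_304_500_000  # fixed "now" so the run is reproducible offline
SAMPLE_ZONES = [
    ("healthy.example", NOW - 3_600,   SOA),  # refreshed an hour ago
    ("example.com",     NOW - 90_000,  SOA),  # missed one refresh
    ("example.org",     NOW - 200_000, SOA),  # refresh and retry both missed
    ("example.net",     NOW - 679_683, SOA),  # the age from the quoted output
]

if __name__ == "__main__":
    for bucket, names in report(SAMPLE_ZONES, NOW).items():
        print(f"{len(names)} {bucket.capitalize() + ':':9}{', '.join(names)}")
```

On a real slave, feed `report()` the output of `file_age(path)` and of 
`dig +short SOA zone @localhost` for each file in the zone directory; a zone 
that returns no SOA at all is already expired or not loaded, which is the 
SERVFAIL case Marc Lampo describes below and needs no timer arithmetic.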

RE: how to check if a slave zone is expired

2011-05-04 Thread Marc Lampo
Hugo,

This must be a configuration error on ns2.skynet.be.
The other 3 authoritative name servers answer fine for omega-pharma.be;
ns2.skynet.be. returns the list of root name servers, meaning it isn't
configured to be slave for that domain.

Contact Skynet/Belgacom helpdesk to get this corrected.

Kind regards,

Marc Lampo
EURid vzw/asbl
Security Officer

From: hugo hugoo [mailto:hugo...@hotmail.com] 
Sent: 04 May 2011 08:53 AM
To: bind-users@lists.isc.org
Subject: how to check if a slave zone is expired

 


RE: how to check if a slave zone is expired

2011-05-04 Thread hugo hugoo

Marc,
 
This example was maybe not the best one.
My question remains, as other zones are indeed unavailable on all name servers.
 
Regards,
 
Hugo,

 


From: marc.la...@eurid.eu
To: hugo...@hotmail.com; bind-users@lists.isc.org
Subject: RE: how to check if a slave zone is expired
Date: Wed, 4 May 2011 09:18:56 +0200

RE: how to check if a slave zone is expired

2011-05-04 Thread Marc Lampo
Hugo,

“zones” don’t “expire”, like DNSSEC RRSIG with their “end of validity time
stamp”.

At worst, a slave name server is unable to verify the SOA record on the
master for “expiry” time.
At that point, the slave name server still “knows” it is authoritative,
but has no data it could answer with
-> (at least Bind) will reply with a “SERVFAIL” (not the list of root name
servers !)

The second worst thing is that the serial number on the master is lower
than what the slaves last “zone transferred”.

As already commented in another reaction, check the logs of the slaves,
they (should) signal this (Bind does).

Hope this helps.

Kind regards,

Marc Lampo
Security Officer
EURid vzw/asbl

From: hugo hugoo [mailto:hugo...@hotmail.com]
Sent: 04 May 2011 09:56 AM
To: marc.la...@eurid.eu; bind-users@lists.isc.org
Subject: RE: how to check if a slave zone is expired

RE: how to check if a slave zone is expired

2011-05-04 Thread hugo hugoo

Marc,
 
Thanks for the feedback.
 
I have indeed seen in the logs that the zone is expired on ns2 but my question 
was more general in order not to have to always try to see the logs (info not 
available if the zone has expired some weeks ago..).
 
So..no way to check that a zone is expired?
 
 
For info: no servfail answer on the query.
 
C:\Data\dig>dig @ns2.skynet.be wwW.omega-pharma.be
; <<>> DiG 9.3.2 <<>> @ns2.skynet.be wwW.omega-pharma.be
; (1 server found)
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 392
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 13, ADDITIONAL: 0
;; QUESTION SECTION:
;wwW.omega-pharma.be.   IN  A
;; AUTHORITY SECTION:
.   518400  IN  NS  A.ROOT-SERVERS.NET.
.   518400  IN  NS  B.ROOT-SERVERS.NET.
.   518400  IN  NS  C.ROOT-SERVERS.NET.
.   518400  IN  NS  D.ROOT-SERVERS.NET.
.   518400  IN  NS  E.ROOT-SERVERS.NET.
.   518400  IN  NS  F.ROOT-SERVERS.NET.
.   518400  IN  NS  G.ROOT-SERVERS.NET.
.   518400  IN  NS  H.ROOT-SERVERS.NET.
.   518400  IN  NS  I.ROOT-SERVERS.NET.
.   518400  IN  NS  J.ROOT-SERVERS.NET.
.   518400  IN  NS  K.ROOT-SERVERS.NET.
.   518400  IN  NS  L.ROOT-SERVERS.NET.
.   518400  IN  NS  M.ROOT-SERVERS.NET.
;; Query time: 31 msec
;; SERVER: 195.238.3.18#53(195.238.3.18)
;; WHEN: Wed May 04 10:18:37 2011
;; MSG SIZE  rcvd: 248
 


From: marc.la...@eurid.eu
To: hugo...@hotmail.com; bind-users@lists.isc.org
Subject: RE: how to check if a slave zone is expired
Date: Wed, 4 May 2011 09:58:22 +0200

Re: how to check if a slave zone is expired

2011-05-04 Thread Doug Barton

On 05/04/2011 01:22, hugo hugoo wrote:

So..no way to check that a zone is expired?


You're asking the wrong question. The correct question is, How can I 
make sure that a zone is up to date on all of the slaves? You do that 
by querying the SOA record for the zone on each slave and compare the 
serial number to the master.



--

Nothin' ever doesn't change, but nothin' changes much.
-- OK Go

Breadth of IT experience, and depth of knowledge in the DNS.
Yours for the right price.  :)  http://SupersetSolutions.com/



Re: how to check if a slave zone is expired

2011-05-04 Thread Jeff Pang
2011/5/5 Doug Barton do...@dougbarton.us:
 On 05/04/2011 01:22, hugo hugoo wrote:

 So..no way to check that a zone is expired?

 You're asking the wrong question. The correct question is, How can I make
 sure that a zone is up to date on all of the slaves? You do that by
 querying the SOA record for the zone on each slave and compare the serial
 number to the master.


And I do have a script for that; it can be used as a Nagios plugin, below.

#!/usr/bin/perl
# Nagios-style check: the SOA serial on a slave must match the master's.
use strict;
use warnings;
use Net::DNS;
use Getopt::Std;

my %opts;
getopts('hm:s:z:', \%opts);
usage() if $opts{'h'};
my $master = $opts{'m'} || usage();
my $slave  = $opts{'s'} || usage();
my $zone   = $opts{'z'} || usage();

my $s1 = qrsoa($master, $zone);
my $s2 = qrsoa($slave,  $zone);

if ($s1 != -1 && $s1 == $s2) {
    print "OK: zone $zone serial $s1 on master and slave\n";
    exit 0;
} else {
    print "CRITICAL: zone $zone sync error (master=$s1 slave=$s2)\n";
    exit 2;
}

# Ask $host directly (recursion off, so a cached answer cannot mask the
# problem) for the SOA of $zone.  Returns the serial, or -1 when there is no
# SOA answer: SERVFAIL from an expired zone, a timeout, or the zone not being
# configured on that server.
sub qrsoa {
    my ($host, $zone) = @_;
    my $res   = Net::DNS::Resolver->new(nameservers => [$host], recurse => 0);
    my $query = $res->query($zone, 'SOA');
    return -1 unless $query;
    my ($soa) = grep { $_->type eq 'SOA' } $query->answer;
    return $soa ? $soa->serial : -1;
}

sub usage {
    print <<"EOF";
Usage: $0 -m 8.8.8.8 -s 8.8.4.4 -z example.com
  -m  master DNS ip or name
  -s  slave DNS ip or name
  -z  zone name
  -h  show this help page
EOF
    exit 3;    # UNKNOWN to Nagios, so a bad invocation is never reported as OK
}


-- 
Jeff Pang
www.DNSbed.com
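
Doug Barton's suggestion and Jeff Pang's plugin above compare the SOA serial 
on a slave with the master's. The block below is an added Python example, not 
Jeff's script and not anything from BIND or Nagios. It compares the two 
serials with RFC 1982 serial-number arithmetic, so a serial that has wrapped 
past 2^32 is still recognised as newer rather than flagged as a regression, 
and it tells a slave that is merely behind apart from a slave that is ahead 
(the "serial number on the master is lower than what the slave last 
transferred" case Marc Lampo raises, which no later transfer repairs by 
itself). The serial values are constructed, and the OK/WARNING/CRITICAL 
mapping is this example's own policy; fetching the real serials is left to 
dig or a resolver library, as in the Perl version.

```python
"""Compare master and slave SOA serials the way RFC 1982 defines it.

Added example (not the Perl plugin from the post above): besides equality it
reports *which way* the serials differ, using 32-bit serial arithmetic so a
wrapped serial is not misread as the master having gone backwards.
"""
from typing import Optional, Tuple

SERIAL_MOD = 1 << 32
SERIAL_HALF = 1 << 31

# Nagios plugin exit codes
OK, WARNING, CRITICAL, UNKNOWN = 0, 1, 2, 3


def serial_compare(a: int, b: int) -> Optional[int]:
    """RFC 1982 comparison of two 32-bit serials.

    Returns -1 if a < b, 0 if equal, 1 if a > b, and None when the two are
    exactly 2**31 apart, an ordering RFC 1982 leaves undefined.
    """
    a, b = a % SERIAL_MOD, b % SERIAL_MOD
    if a == b:
        return 0
    forward = (b - a) % SERIAL_MOD      # distance from a forward to b, mod 2**32
    if forward == SERIAL_HALF:
        return None
    return -1 if forward < SERIAL_HALF else 1


def check_sync(zone: str, master: Optional[int], slave: Optional[int]) -> Tuple[int, str]:
    """Map the two SOA serials (None = no answer from that server) to a
    Nagios (exit code, message) pair.

    Policy (this example's choice): a slave that is behind is WARNING because
    the next refresh may still catch up; a slave that is AHEAD is CRITICAL
    because the master's serial went backwards and no transfer will ever
    happen until the master serial is bumped past the slave's.
    """
    if master is None:
        return CRITICAL, f"CRITICAL: no SOA answer for {zone} from master"
    if slave is None:
        return CRITICAL, f"CRITICAL: no SOA answer for {zone} from slave (expired or not configured)"
    cmp = serial_compare(master, slave)
    if cmp == 0:
        return OK, f"OK: {zone} serial {master} on master and slave"
    if cmp is None:
        return UNKNOWN, f"UNKNOWN: {zone} serials {master}/{slave} are 2^31 apart, order undefined"
    if cmp > 0:
        return WARNING, f"WARNING: {zone} slave serial {slave} behind master {master}"
    return CRITICAL, (f"CRITICAL: {zone} slave serial {slave} is AHEAD of master "
                      f"{master}; master serial went backwards")


if __name__ == "__main__":
    # Constructed serial pairs.  Real ones would come from
    #   dig +short SOA <zone> @<server> | awk '{print $3}'
    for m, s in [(2011050401, 2011050401), (2011050402, 2011050401),
                 (2011050400, 2011050401), (5, 4294967290), (None, 2011050401)]:
        code, msg = check_sync("example.com", m, s)
        print(code, msg)
```

The `(5, 4294967290)` pair is the wrap-around case: with plain integer 
comparison the master would look older than the slave, while RFC 1982 
correctly treats serial 5 as the newer one.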