Re: how to check if a slave zone is expired
2011/5/5 Doug Barton :
> On 05/04/2011 01:22, hugo hugoo wrote:
>>
>> So..no way to check that a zone is expired?
>
> You're asking the wrong question. The correct question is, "How can I make
> sure that a zone is up to date on all of the slaves?" You do that by
> querying the SOA record for the zone on each slave and compare the serial
> number to the master.
>

And I do have a script for that; it can be used as a Nagios plugin, see below.

#!/usr/bin/perl
# Compare the SOA serial of one zone on a master and a slave.
# Exit codes follow the Nagios convention: 0 OK, 2 CRITICAL, 3 UNKNOWN.
use strict;
use warnings;
use Net::DNS;
use Getopt::Std;

my %opts;
getopts('hm:s:z:', \%opts);
if ($opts{'h'}) { usage(); }

my $master = $opts{'m'} || usage();
my $slave  = $opts{'s'} || usage();
my $zone   = $opts{'z'} || usage();

my $s1 = qrsoa($master, $zone);
my $s2 = qrsoa($slave, $zone);

if ($s1 != -1 && $s1 == $s2) {
    print "OK: zone $zone serial $s1\n";
    exit 0;
} else {
    print "CRITICAL: zone $zone sync error (master $s1, slave $s2)\n";
    exit 2;
}

# Ask one server for the zone's SOA and return its serial, or -1 when the
# server gave no SOA answer at all (expired, not configured, unreachable).
sub qrsoa {
    my ($host, $zone) = @_;
    my $res   = Net::DNS::Resolver->new(nameservers => [$host]);
    my $query = $res->query($zone, "SOA");
    return -1 unless $query;
    for my $rr ($query->answer) {
        return $rr->serial if $rr->type eq 'SOA';
    }
    return -1;
}

sub usage {
    print "Usage: $0 -m <master> -s <slave> -z <zone>\n";
    exit 3;
}
Re: how to check if a slave zone is expired
On 05/04/2011 01:22, hugo hugoo wrote:
> So..no way to check that a zone is expired?

You're asking the wrong question. The correct question is, "How can I make sure that a zone is up to date on all of the slaves?" You do that by querying the SOA record for the zone on each slave and comparing the serial number to the master.

-- 
Nothin' ever doesn't change, but nothin' changes much. -- OK Go

Breadth of IT experience, and depth of knowledge in the DNS. Yours for the right price. :) http://SupersetSolutions.com/

___
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
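An added example, not from the thread and not Jeff's script, that takes Doug's advice one step further: it parses the text output of `dig @server zone soa` for a master and a slave, distinguishes a real authoritative SOA from the referral-to-root answer ns2.skynet.be gave elsewhere in this thread and from a SERVFAIL, and compares serials with Nagios-style exit codes. The server names, serials and sample responses are constructed for the example (the referral sample mirrors the shape of the answer quoted in this thread); nothing here talks to the network.

```python
"""Parse `dig @server zone soa` output and compare a slave's serial with the
master's, telling a real answer from a referral or a SERVFAIL.  Sample
responses at the bottom are constructed for this example."""
import re
from dataclasses import dataclass
from typing import Optional

STATUS_RE = re.compile(r"status:\s*([A-Z]+)")
FLAGS_RE = re.compile(r"^;; flags:\s*([a-z ]*);", re.M)
SECTION_RE = re.compile(r"^;; (\w+) SECTION:")


@dataclass
class SoaAnswer:
    status: str              # rcode text from the dig header line
    aa: bool                 # authoritative-answer flag present
    serial: Optional[int]    # SOA serial from the answer section, if any
    referral: bool           # empty answer plus NS records in authority


def parse_dig(text: str) -> SoaAnswer:
    """Pull status, flags and the ANSWER/AUTHORITY sections out of dig text."""
    status = STATUS_RE.search(text)
    flags = FLAGS_RE.search(text)
    sections, current = {}, None
    for line in text.splitlines():
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            sections[current] = []
        elif current and line.strip() and not line.startswith(";"):
            sections[current].append(line.split())
    answer = sections.get("ANSWER", [])
    authority = sections.get("AUTHORITY", [])
    serial = next((int(rr[6]) for rr in answer if len(rr) >= 7 and rr[3] == "SOA"), None)
    referral = not answer and any(len(rr) > 3 and rr[3] == "NS" for rr in authority)
    return SoaAnswer(status=status.group(1) if status else "NOANSWER",
                     aa="aa" in (flags.group(1).split() if flags else []),
                     serial=serial, referral=referral)


def diagnose(a: SoaAnswer) -> str:
    """Explain what a slave's SOA answer means for the zone's health."""
    if a.status == "SERVFAIL":
        return "SERVFAIL: zone is configured but has no usable data (expired or never transferred)"
    if a.status == "REFUSED":
        return "REFUSED: server will not answer for this zone"
    if a.serial is None and a.referral:
        return "referral to root: server is not configured as authoritative for this zone"
    if a.serial is not None and not a.aa:
        return "non-authoritative SOA: answer came from cache or recursion, not a configured zone"
    if a.serial is not None:
        return f"authoritative, serial {a.serial}"
    return f"unexpected answer (status {a.status})"


def compare_serials(master_text: str, slave_text: str) -> tuple:
    """Nagios-style (exit code, message): 0 OK, 2 CRITICAL, 3 UNKNOWN."""
    master, slave = parse_dig(master_text), parse_dig(slave_text)
    if master.serial is None or not master.aa:
        return 3, "UNKNOWN: master: " + diagnose(master)
    if slave.serial is None or not slave.aa:
        return 2, "CRITICAL: slave: " + diagnose(slave)
    if slave.serial != master.serial:
        return 2, f"CRITICAL: slave serial {slave.serial} != master serial {master.serial}"
    return 0, f"OK: serial {master.serial} on master and slave"


def _dig(status, flags, answer="", authority=""):
    """Constructed dig-shaped response (sample data, not a real capture)."""
    out = (f";; ->>HEADER<<- opcode: QUERY, status: {status}, id: 1\n"
           f";; flags: {flags}; QUERY: 1, ANSWER: {1 if answer else 0}, "
           f"AUTHORITY: {len(authority.splitlines())}, ADDITIONAL: 0\n\n"
           ";; QUESTION SECTION:\n;example.net. IN SOA\n\n")
    if answer:
        out += ";; ANSWER SECTION:\n" + answer + "\n\n"
    if authority:
        out += ";; AUTHORITY SECTION:\n" + authority + "\n\n"
    return out + ";; Query time: 1 msec\n"


SOA = "example.net. 3600 IN SOA ns1.example.net. hostmaster.example.net. {} 3600 900 604800 86400"
ROOT_NS = "\n".join(f". 518400 IN NS {c}.ROOT-SERVERS.NET." for c in "ABCDEFGHIJKLM")

MASTER = _dig("NOERROR", "qr aa rd", SOA.format(2011050402))
SLAVE_OK = _dig("NOERROR", "qr aa rd", SOA.format(2011050402))
SLAVE_STALE = _dig("NOERROR", "qr aa rd", SOA.format(2011050301))
SLAVE_REFERRAL = _dig("NOERROR", "qr rd", authority=ROOT_NS)   # shape of the ns2 answer
SLAVE_SERVFAIL = _dig("SERVFAIL", "qr rd")

if __name__ == "__main__":
    for name, resp in [("ok", SLAVE_OK), ("stale", SLAVE_STALE),
                       ("referral", SLAVE_REFERRAL), ("servfail", SLAVE_SERVFAIL)]:
        print(name, compare_serials(MASTER, resp))
```

In practice the two strings come from `dig @master zone soa` and `dig @slave zone soa`. The aa-flag check is what makes the referral case visible: a server that is not configured for the zone answers NOERROR with an empty answer section, which a check that only looks at the rcode would not distinguish from a healthy server. A slave serial higher than the master's (the "second worst thing" mentioned later in this thread) is reported as a mismatch too.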
Re: bind-9.8 for Slackware (was: ... for openSUSE / SLES)
Slightly off the subject, and I hereby offer my apologies for hijacking the thread ...

I upgraded Slackwares with BIND 9.4 and 9.7 to 9.8.0, using a slightly-modified version of the official build script, which is located here (and at other mirror sites):

http://slackware.org.uk/slackware/slackware-13.37/source/n/bind/

(the script itself is "bind.SlackBuild".)

With change of $VERSION and removal of the patch, this script seems fine to me (I'm running the resulting package in two locations.) But I had a couple of questions.

First, what about that SO_BSDCOMPAT patch? Is there any need for it? It seems harmless, is that right? (Keep in mind, this is for a GNU/Linux with recent 2.6.x kernels usually, although one of my 9.8.0 packages is in fact running on a 2.4 kernel.)

Second, the NUMJOBS=-j7 runs make(1) with -j7, i.e., with 7 jobs in parallel. According to what I saw in the 9.8.0 source, this is not recommended:

README:178: "Do not use a parallel 'make'."

Should this be removed from the script? I left it in on the more recent machine, but the old 2.4 machine didn't have enough CPU power for multiple jobs anyway, so it ran with a plain "make". (The script falls back to plain "make" if the "make -j7" fails, of course. I don't know if mine did or not, because I didn't watch it, and now the evidence is gone.)

-- 
Offlist mail to this address is discarded unless "/dev/rob0" or "not-spam" is in Subject: header
Re: bind-9.8 for openSUSE / SLES
2011/5/4 Flex Banana :
> hello list,
>
> Anyone have the link or the software for obtaining (if exist) the rpm x86_64
> compiled for openSUSE-11.4 / SLES-11 of bind-9.8.0 ?
>
> The last release offered by the community is 9.7.3 as of this writing.
>

You can compile one from the source. I have been using Debian 6; the default apt source for this release is also BIND 9.7, but I can get the newer BIND 9.8 compiled from the source.

-- 
Jeff Pang
www.DNSbed.com
Error with dynamic update
hello list,

I have the following message via the syslog of my system:

May 4 14:51:10 vl005000 dhcpd: DHCPREQUEST for 10.28.25.200 (10.28.25.50) from 00:1b:63:37:98:c2 (lm000961) via eth0
May 4 14:51:10 vl005000 dhcpd: DHCPACK on 10.28.25.200 to 00:1b:63:37:98:c2 (lm000961) via eth0
May 4 14:51:10 vl005000 named[15432]: client 10.88.94.50#47193: view ETH1: signer "vl005000" approved
May 4 14:51:10 vl005000 named[15432]: client 10.88.94.50#47193: view ETH1: updating zone 'lausanne.edu-vd/IN': deleting rrset at 'lm000961.lausanne.edu-vd' A
May 4 14:51:10 vl005000 named[15432]: client 10.88.94.50#47193: view ETH1: updating zone 'lausanne.edu-vd/IN': adding an RR at 'lm000961.lausanne.edu-vd' A
May 4 14:51:10 vl005000 dhcpd: Added new forward map from lm000961.lausanne.edu-vd to 10.28.25.200
May 4 14:51:10 vl005000 named[15432]: client 10.28.25.50#47193: view ETH0: signer "vl005000" approved
May 4 14:51:10 vl005000 named[15432]: client 10.28.25.50#47193: view ETH0: updating zone '25.28.10.in-addr.arpa/IN': deleting rrset at '200.25.28.10.in-addr.arpa' PTR
May 4 14:51:10 vl005000 named[15432]: client 10.28.25.50#47193: view ETH0: updating zone '25.28.10.in-addr.arpa/IN': adding an RR at '200.25.28.10.in-addr.arpa' PTR
May 4 14:51:10 vl005000 dhcpd: Added reverse map from 200.25.28.10.in-addr.arpa. to lm000961.lausanne.edu-vd

The server has two NICs: 10.28.25.50 and 10.88.94.50. When I plug a client into the 10.28.25 network, it receives an IP address (10.28.25.200 in the example) and updates the zone lausanne.edu-vd; this is the first part of the message.

The problem is that it updates the zone via the second NIC, 10.88.94.50, and really updates the zone lausanne.edu-vd from the other view, on the 10.88.94 network.

The second part of the message updates the correct in-addr.arpa zone from the 10.28.25 network; all is perfect.

Can anyone help me understand what the problem is?

Thank you list
Banana
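An added example, not part of Banana's post, that turns the log excerpt above into a check: it correlates each dhcpd "Added ... map" line with the preceding named "adding an RR" line for the same owner name and reports which view that update went through, flagging it when the view is not the one expected for the lease's subnet. The subnet-to-view mapping (10.28.25.0/24 -> ETH0, 10.88.94.0/24 -> ETH1) is an assumption made for this example; the log lines are the ones quoted in the post.

```python
"""Correlate dhcpd DDNS log lines with named dynamic-update log lines and
flag updates applied in a view other than the one expected for the lease's
subnet.  The view mapping is an assumption; the log lines are from the post."""
import ipaddress
import re

# Assumed for this example: which view should receive updates for each subnet.
EXPECTED_VIEW = {
    ipaddress.ip_network("10.28.25.0/24"): "ETH0",
    ipaddress.ip_network("10.88.94.0/24"): "ETH1",
}

NAMED_ADD = re.compile(
    r"named\[\d+\]: client (?P<client>[\d.]+)#\d+: view (?P<view>\S+): "
    r"updating zone '[^']+': adding an RR at '(?P<owner>[^']+)' (?P<rrtype>\S+)")
DHCPD_FWD = re.compile(r"dhcpd: Added new forward map from (?P<name>\S+) to (?P<ip>[\d.]+)")
DHCPD_REV = re.compile(r"dhcpd: Added reverse map from (?P<ptr>\S+) to \S+")


def _norm(name: str) -> str:
    return name.rstrip(".").lower()


def ptr_to_ip(ptr: str) -> str:
    """'200.25.28.10.in-addr.arpa.' -> '10.28.25.200'"""
    return ".".join(reversed(_norm(ptr).split(".")[:4]))


def expected_view(ip: str):
    addr = ipaddress.ip_address(ip)
    return next((view for net, view in EXPECTED_VIEW.items() if addr in net), None)


def _finding(adds, owner, rrtype, lease_ip):
    """Pair a dhcpd confirmation with the latest named update for the same owner/type."""
    ev = next((e for e in reversed(adds)
               if _norm(e["owner"]) == _norm(owner) and e["rrtype"] == rrtype), None)
    view = ev["view"] if ev else None
    exp = expected_view(lease_ip)
    return {"owner": _norm(owner), "rrtype": rrtype, "lease_ip": lease_ip,
            "client": ev["client"] if ev else None, "view": view,
            "expected": exp, "ok": ev is not None and view == exp}


def audit(lines):
    """One finding per dhcpd 'Added ... map' line, in log order."""
    adds, findings = [], []
    for line in lines:
        if (m := NAMED_ADD.search(line)):
            adds.append(m.groupdict())
        elif (m := DHCPD_FWD.search(line)):
            findings.append(_finding(adds, m["name"], "A", m["ip"]))
        elif (m := DHCPD_REV.search(line)):
            findings.append(_finding(adds, m["ptr"], "PTR", ptr_to_ip(m["ptr"])))
    return findings


# Log lines quoted in the post (syslog prefix kept as written there).
SAMPLE_LOG = """\
May 4 14:51:10 vl005000 dhcpd: DHCPREQUEST for 10.28.25.200 (10.28.25.50) from 00:1b:63:37:98:c2 (lm000961) via eth0
May 4 14:51:10 vl005000 dhcpd: DHCPACK on 10.28.25.200 to 00:1b:63:37:98:c2 (lm000961) via eth0
May 4 14:51:10 vl005000 named[15432]: client 10.88.94.50#47193: view ETH1: signer "vl005000" approved
May 4 14:51:10 vl005000 named[15432]: client 10.88.94.50#47193: view ETH1: updating zone 'lausanne.edu-vd/IN': deleting rrset at 'lm000961.lausanne.edu-vd' A
May 4 14:51:10 vl005000 named[15432]: client 10.88.94.50#47193: view ETH1: updating zone 'lausanne.edu-vd/IN': adding an RR at 'lm000961.lausanne.edu-vd' A
May 4 14:51:10 vl005000 dhcpd: Added new forward map from lm000961.lausanne.edu-vd to 10.28.25.200
May 4 14:51:10 vl005000 named[15432]: client 10.28.25.50#47193: view ETH0: signer "vl005000" approved
May 4 14:51:10 vl005000 named[15432]: client 10.28.25.50#47193: view ETH0: updating zone '25.28.10.in-addr.arpa/IN': deleting rrset at '200.25.28.10.in-addr.arpa' PTR
May 4 14:51:10 vl005000 named[15432]: client 10.28.25.50#47193: view ETH0: updating zone '25.28.10.in-addr.arpa/IN': adding an RR at '200.25.28.10.in-addr.arpa' PTR
May 4 14:51:10 vl005000 dhcpd: Added reverse map from 200.25.28.10.in-addr.arpa. to lm000961.lausanne.edu-vd
"""

if __name__ == "__main__":
    for f in audit(SAMPLE_LOG.splitlines()):
        print("OK  " if f["ok"] else "BAD ", f)
```

Run over the post's lines it reports the forward A update as applied in view ETH1 (expected ETH0) and the PTR update in view ETH0 as fine, which is exactly the asymmetry the post describes. The "client" field it carries along is the source address named used to pick the view (10.88.94.50 for the forward update, 10.28.25.50 for the reverse one), which is the first thing to look at when the two disagree.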
bind-9.8 for openSUSE / SLES
hello list,

Anyone have the link or the software for obtaining (if it exists) the rpm x86_64 compiled for openSUSE-11.4 / SLES-11 of bind-9.8.0?

The last release offered by the community is 9.7.3 as of this writing.

Thank you
Banana
RE: how to check if a slave zone is expired
Marc,

Thanks for the feedback. I have indeed seen in the logs that the zone is expired on ns2, but my question was more general, in order not to have to always try to see the logs (info not available if the zone has expired some weeks ago..).

So..no way to check that a zone is expired?

For info: no "servfail" answer on the query.

C:\Data\dig>dig @ns2.skynet.be wwW.omega-pharma.be

; <<>> DiG 9.3.2 <<>> @ns2.skynet.be wwW.omega-pharma.be
; (1 server found)
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 392
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 13, ADDITIONAL: 0

;; QUESTION SECTION:
;wwW.omega-pharma.be. IN A

;; AUTHORITY SECTION:
. 518400 IN NS A.ROOT-SERVERS.NET.
. 518400 IN NS B.ROOT-SERVERS.NET.
. 518400 IN NS C.ROOT-SERVERS.NET.
. 518400 IN NS D.ROOT-SERVERS.NET.
. 518400 IN NS E.ROOT-SERVERS.NET.
. 518400 IN NS F.ROOT-SERVERS.NET.
. 518400 IN NS G.ROOT-SERVERS.NET.
. 518400 IN NS H.ROOT-SERVERS.NET.
. 518400 IN NS I.ROOT-SERVERS.NET.
. 518400 IN NS J.ROOT-SERVERS.NET.
. 518400 IN NS K.ROOT-SERVERS.NET.
. 518400 IN NS L.ROOT-SERVERS.NET.
. 518400 IN NS M.ROOT-SERVERS.NET.

;; Query time: 31 msec
;; SERVER: 195.238.3.18#53(195.238.3.18)
;; WHEN: Wed May 04 10:18:37 2011
;; MSG SIZE rcvd: 248

From: marc.la...@eurid.eu
To: hugo...@hotmail.com; bind-users@lists.isc.org
Subject: RE: how to check if a slave zone is expired
Date: Wed, 4 May 2011 09:58:22 +0200

Hugo,

"zones" don't "expire", like DNSSEC RRSIG with their "end of validity time stamp". At worst, a slave name server is unable to verify the SOA record on the master for "expiry" time. At that point, the slave name server still "knows" it is authoritative, but has no data it could answer with -> (at least Bind) will reply with a "SERVFAIL" (not the list of root name servers!)

The second worst thing is that the serial number on the master is lower than what the slaves last "zone transferred".

As already commented in another reaction, check the logs of the slaves, they (should) signal this (Bind does).

Hope this helps.

Kind regards,

Marc Lampo
Security Officer
EURid vzw/asbl
RE: how to check if a slave zone is expired
Hugo,

"zones" don't "expire", like DNSSEC RRSIG with their "end of validity time stamp". At worst, a slave name server is unable to verify the SOA record on the master for "expiry" time. At that point, the slave name server still "knows" it is authoritative, but has no data it could answer with -> (at least Bind) will reply with a "SERVFAIL" (not the list of root name servers!)

The second worst thing is that the serial number on the master is lower than what the slaves last "zone transferred".

As already commented in another reaction, check the logs of the slaves, they (should) signal this (Bind does).

Hope this helps.

Kind regards,

Marc Lampo
Security Officer
EURid vzw/asbl

From: hugo hugoo [mailto:hugo...@hotmail.com]
Sent: 04 May 2011 09:56 AM
To: marc.la...@eurid.eu; bind-users@lists.isc.org
Subject: RE: how to check if a slave zone is expired

Marc,

This example was maybe not the best one. My question remains, as other zones are indeed unavailable on all name servers.

Regards,

Hugo,

From: marc.la...@eurid.eu
To: hugo...@hotmail.com; bind-users@lists.isc.org
Subject: RE: how to check if a slave zone is expired
Date: Wed, 4 May 2011 09:18:56 +0200

Hugo,

This must be a configuration error on "ns2.skynet.be." The other 3 authoritative name servers answer fine for omega-pharma.be; ns2.skynet.be. returns the list of root name servers, meaning it isn't configured to be slave for that domain.

Contact Skynet/Belgacom helpdesk to get this corrected.

Kind regards,

Marc Lampo
EURid vzw/asbl
Security Officer

From: hugo hugoo [mailto:hugo...@hotmail.com]
Sent: 04 May 2011 08:53 AM
To: bind-users@lists.isc.org
Subject: how to check if a slave zone is expired

Dear all,

Is there a way to check that a slave zone is expired?
I use dig in the following way to see that the zone is not responding on my server...but is this due to the fact that the zone is expired or another problem?

dnszone002:/etc/bind/zones/slave# dig @localhost omega-pharma.be soa

; <<>> DiG 9.3.4 <<>> @localhost omega-pharma.be soa
; (1 server found)
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 26868
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 13, ADDITIONAL: 0

;; QUESTION SECTION:
;omega-pharma.be. IN SOA

;; AUTHORITY SECTION:
. 518400 IN NS A.ROOT-SERVERS.NET.
. 518400 IN NS B.ROOT-SERVERS.NET.
. 518400 IN NS C.ROOT-SERVERS.NET.
. 518400 IN NS D.ROOT-SERVERS.NET.
. 518400 IN NS E.ROOT-SERVERS.NET.
. 518400 IN NS F.ROOT-SERVERS.NET.
. 518400 IN NS G.ROOT-SERVERS.NET.
. 518400 IN NS H.ROOT-SERVERS.NET.
. 518400 IN NS I.ROOT-SERVERS.NET.
. 518400 IN NS J.ROOT-SERVERS.NET.
. 518400 IN NS K.ROOT-SERVERS.NET.
. 518400 IN NS L.ROOT-SERVERS.NET.
. 518400 IN NS M.ROOT-SERVERS.NET.

- How can I see that it is because the zone is expired?

- Is there a way to visualise all the zones that are expired (to make a cleanup of the configuration)

Thanks for your feedback,

Hugo,
RE: how to check if a slave zone is expired
Marc,

This example was maybe not the best one. My question remains, as other zones are indeed unavailable on all name servers.

Regards,

Hugo,

From: marc.la...@eurid.eu
To: hugo...@hotmail.com; bind-users@lists.isc.org
Subject: RE: how to check if a slave zone is expired
Date: Wed, 4 May 2011 09:18:56 +0200

Hugo,

This must be a configuration error on "ns2.skynet.be." The other 3 authoritative name servers answer fine for omega-pharma.be; ns2.skynet.be. returns the list of root name servers, meaning it isn't configured to be slave for that domain.

Contact Skynet/Belgacom helpdesk to get this corrected.

Kind regards,

Marc Lampo
EURid vzw/asbl
Security Officer

From: hugo hugoo [mailto:hugo...@hotmail.com]
Sent: 04 May 2011 08:53 AM
To: bind-users@lists.isc.org
Subject: how to check if a slave zone is expired

Dear all,

Is there a way to check that a slave zone is expired?
I use dig in the following way to see that the zone is not responding on my server...but is this due to the fact that the zone is expired or another problem?

dnszone002:/etc/bind/zones/slave# dig @localhost omega-pharma.be soa

; <<>> DiG 9.3.4 <<>> @localhost omega-pharma.be soa
; (1 server found)
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 26868
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 13, ADDITIONAL: 0

;; QUESTION SECTION:
;omega-pharma.be. IN SOA

;; AUTHORITY SECTION:
. 518400 IN NS A.ROOT-SERVERS.NET.
. 518400 IN NS B.ROOT-SERVERS.NET.
. 518400 IN NS C.ROOT-SERVERS.NET.
. 518400 IN NS D.ROOT-SERVERS.NET.
. 518400 IN NS E.ROOT-SERVERS.NET.
. 518400 IN NS F.ROOT-SERVERS.NET.
. 518400 IN NS G.ROOT-SERVERS.NET.
. 518400 IN NS H.ROOT-SERVERS.NET.
. 518400 IN NS I.ROOT-SERVERS.NET.
. 518400 IN NS J.ROOT-SERVERS.NET.
. 518400 IN NS K.ROOT-SERVERS.NET.
. 518400 IN NS L.ROOT-SERVERS.NET.
. 518400 IN NS M.ROOT-SERVERS.NET.

- How can I see that it is because the zone is expired?

- Is there a way to visualise all the zones that are expired (to make a cleanup of the configuration)

Thanks for your feedback,

Hugo,
RE: how to check if a slave zone is expired
Hugo,

This must be a configuration error on "ns2.skynet.be." The other 3 authoritative name servers answer fine for omega-pharma.be; ns2.skynet.be. returns the list of root name servers, meaning it isn't configured to be slave for that domain.

Contact Skynet/Belgacom helpdesk to get this corrected.

Kind regards,

Marc Lampo
EURid vzw/asbl
Security Officer

From: hugo hugoo [mailto:hugo...@hotmail.com]
Sent: 04 May 2011 08:53 AM
To: bind-users@lists.isc.org
Subject: how to check if a slave zone is expired

Dear all,

Is there a way to check that a slave zone is expired?
I use dig in the following way to see that the zone is not responding on my server...but is this due to the fact that the zone is expired or another problem?

dnszone002:/etc/bind/zones/slave# dig @localhost omega-pharma.be soa

; <<>> DiG 9.3.4 <<>> @localhost omega-pharma.be soa
; (1 server found)
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 26868
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 13, ADDITIONAL: 0

;; QUESTION SECTION:
;omega-pharma.be. IN SOA

;; AUTHORITY SECTION:
. 518400 IN NS A.ROOT-SERVERS.NET.
. 518400 IN NS B.ROOT-SERVERS.NET.
. 518400 IN NS C.ROOT-SERVERS.NET.
. 518400 IN NS D.ROOT-SERVERS.NET.
. 518400 IN NS E.ROOT-SERVERS.NET.
. 518400 IN NS F.ROOT-SERVERS.NET.
. 518400 IN NS G.ROOT-SERVERS.NET.
. 518400 IN NS H.ROOT-SERVERS.NET.
. 518400 IN NS I.ROOT-SERVERS.NET.
. 518400 IN NS J.ROOT-SERVERS.NET.
. 518400 IN NS K.ROOT-SERVERS.NET.
. 518400 IN NS L.ROOT-SERVERS.NET.
. 518400 IN NS M.ROOT-SERVERS.NET.

- How can I see that it is because the zone is expired?

- Is there a way to visualise all the zones that are expired (to make a cleanup of the configuration)

Thanks for your feedback,

Hugo,
Re: how to check if a slave zone is expired
Method 1: Compare the timestamp on the slave zone file with the system's current date. Compare that difference with the expire timer in the SOA record in the same zone file. If the difference is greater than the expire timer, then the zone is expired.

Method 2: Check the logs.

Chris Buxton
BlueCat Networks

On May 3, 2011, at 11:53 PM, hugo hugoo wrote:

> Dear all,
>
> Is there a way to check that a slave zone is expired?
> I use dig in the following way to see that the zone is not responding on my
> server...but is this due to the fact that the zone is expired or another
> problem?
>
> dnszone002:/etc/bind/zones/slave# dig @localhost omega-pharma.be soa
>
> ; <<>> DiG 9.3.4 <<>> @localhost omega-pharma.be soa
> ; (1 server found)
> ;; global options: printcmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 26868
> ;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 13, ADDITIONAL: 0
> ;; QUESTION SECTION:
> ;omega-pharma.be. IN SOA
> ;; AUTHORITY SECTION:
> . 518400 IN NS A.ROOT-SERVERS.NET.
> . 518400 IN NS B.ROOT-SERVERS.NET.
> . 518400 IN NS C.ROOT-SERVERS.NET.
> . 518400 IN NS D.ROOT-SERVERS.NET.
> . 518400 IN NS E.ROOT-SERVERS.NET.
> . 518400 IN NS F.ROOT-SERVERS.NET.
> . 518400 IN NS G.ROOT-SERVERS.NET.
> . 518400 IN NS H.ROOT-SERVERS.NET.
> . 518400 IN NS I.ROOT-SERVERS.NET.
> . 518400 IN NS J.ROOT-SERVERS.NET.
> . 518400 IN NS K.ROOT-SERVERS.NET.
> . 518400 IN NS L.ROOT-SERVERS.NET.
> . 518400 IN NS M.ROOT-SERVERS.NET.
>
>
> - How can I see that it is because the zone is expired?
>
> - Is there a way to visualise all the zones that are expired (to make a
> cleanup of the configuration)
>
>
> Thanks for your feedback,
>
> Hugo,
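An added example of Chris's Method 1, written for this page and not Chris's own code: it parses the SOA out of a slave zone file in master-file format (comments and parenthesised continuation lines included), takes the file's mtime as the moment of the last successful contact with the master, and reports the zone as expired when that age exceeds the SOA expire timer. The zone text and file name are constructed for the example; the TTL-suffix forms (1W, 3h) are the ones BIND accepts in zone files. Two caveats a practitioner should keep in mind: the method only holds if the server updates a file timestamp on every successful refresh and not only after a transfer (BIND does this for slave zones, touching the journal file when one exists and otherwise the zone file, which is why the check below takes the newer of the two; verify this for any other server before trusting it), and it says nothing about a zone the server was never configured for, which is what the referral answer from ns2.skynet.be earlier in this thread turned out to be.

```python
"""Method 1 from the thread: age of the slave's zone file versus the SOA
expire timer.  The zone text below is constructed for this example."""
import os
import re
import tempfile
import time
from dataclasses import dataclass


@dataclass
class Soa:
    serial: int
    refresh: int
    retry: int
    expire: int
    minimum: int


_UNITS = {"s": 1, "m": 60, "h": 3600, "d": 86400, "w": 604800}


def parse_ttl(value: str) -> int:
    """BIND-style TTL: plain seconds or unit-suffixed parts such as 1W or 1h30m."""
    parts = re.findall(r"(\d+)([smhdw]?)", value.lower())
    if not parts:
        raise ValueError(f"bad TTL value {value!r}")
    return sum(int(num) * _UNITS.get(unit, 1) for num, unit in parts)


def parse_soa(zone_text: str) -> Soa:
    """Find the SOA record in master-file text; handles ; comments and ( ) continuation."""
    no_comments = "\n".join(line.split(";", 1)[0] for line in zone_text.splitlines())
    flat = re.sub(r"\(([^)]*)\)", lambda m: " " + m.group(1).replace("\n", " ") + " ", no_comments)
    for line in flat.splitlines():
        fields = line.split()
        if "SOA" in fields:
            i = fields.index("SOA")
            nums = fields[i + 3:i + 8]   # after MNAME and RNAME: serial refresh retry expire minimum
            if len(nums) == 5:
                return Soa(int(nums[0]), *(parse_ttl(n) for n in nums[1:]))
    raise ValueError("no SOA record found")


def evaluate(zone_text: str, mtime: float, now: float) -> dict:
    """Compare the time since the file was last written/touched with the SOA expire timer."""
    soa = parse_soa(zone_text)
    age = now - mtime
    return {"serial": soa.serial, "expire": soa.expire, "age": age,
            "expired": age > soa.expire, "remaining": soa.expire - age}


def check_zone_file(path: str, journal: str = None, now: float = None) -> dict:
    """Run evaluate() on a file on disk; if a journal exists, use the newer of the two mtimes."""
    with open(path) as f:
        text = f.read()
    mtimes = [os.stat(path).st_mtime]
    if journal and os.path.exists(journal):
        mtimes.append(os.stat(journal).st_mtime)
    return evaluate(text, max(mtimes), time.time() if now is None else now)


# Constructed sample zone: one-week expire, written the way BIND prints slave files.
SAMPLE_ZONE = """\
$ORIGIN example.net.
$TTL 3600
@   IN  SOA ns1.example.net. hostmaster.example.net. (
        2011050401 ; serial
        3600       ; refresh
        900        ; retry
        1W         ; expire
        86400 )    ; minimum
    IN  NS  ns1.example.net.
ns1 IN  A   192.0.2.53
"""


def demo(age_days: float) -> dict:
    """Write the sample zone to a temp file, back-date its mtime, and check it."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "example.net.db")   # assumed slave file name
        with open(path, "w") as f:
            f.write(SAMPLE_ZONE)
        now = time.time()
        os.utime(path, (now - age_days * 86400, now - age_days * 86400))
        return check_zone_file(path, now=now)


if __name__ == "__main__":
    print(demo(0.5))   # refreshed half a day ago: not expired
    print(demo(10))    # ten days old against a one-week expire: expired
```

For a whole slave directory, loop `check_zone_file` over the files listed in named.conf and report the ones with "expired" set; that answers Hugo's second question (which configured slave zones are dead) without reading weeks-old logs. Pair it with the serial comparison against the master, since a file can be fresh and still carry a stale serial.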