Re: Audit the consistency of zone files on DNS servers

2014-03-15 Thread Kevin Darcy

On 3/15/2014 6:09 AM, Maren S. Leizaola wrote:

On 3/15/2014 1:53 AM, Kevin Darcy wrote:

On 3/14/2014 8:28 AM, Maren S. Leizaola wrote:

Hello,
What do you guys recommend to audit every resource
record in a zone file against all the records in all the DNS servers
that host the zone file?

I want something that I feed the master zone file and that then goes to
each NS server and ensures that each of the records is identical in all of
them.

What I want to be able to detect are serial number errors, where a zone
has been updated but the serial number has not changed. In these
circumstances comparing the SOA of all the servers would not report any
errors, but the zone files on the different servers are incorrect.


Well, you're only *medium* paranoid, at most. If you were *really* 
paranoid, you'd crypto-sign your transfers.


Crypto signed or not signed, AXFR or whatever, etc.: if the DNS servers are 
malfunctioning and sending the wrong replies to queries, I would like 
to be able to audit that.


Or use Dynamic Update exclusively for DNS record maintenance, so that 
"forgetting to update the serial number after a change" is a thing of 
the past[1].


- Kevin

[1] For the nit-pickers out there, the statement is true _even_for_ 
SOA record changes, since they don't "take" unless you "increment" 
the serial number (as per serial-number arithmetic) as part of the 
change.





So Dynamic updates, to a master? Then IXFR, across different types of 
DNS servers, lots of room for malfunction...


Can someone provide an answer that does not refer to zone transfers?


Whatever tool you use to "audit" is going to have "lots of room for 
malfunction" as well.


I think you're just doubting for the sake of doubting for the sake of 
doubting. Which makes me regret the time I've already invested in this 
foolishness...


- Kevin

___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users


Re: Audit the consistency of zone files on DNS servers

2014-03-15 Thread /dev/rob0
On Sat, Mar 15, 2014 at 01:14:39PM +, Phil Mayers wrote:
> On 15/03/2014 10:09, Maren S. Leizaola wrote:
> >We are never sure how bug free bind is. As I am using other
> >DNS servers I am not sure how reliably they interact with
> >Bind... So I trust nothing until it has been proven to work
> >time and time again
> 
> To be blunt, I think you are being unreasonable - sort of a 
> "radical skeptic" - about the software.
> 
> If you distrust the XFR bit of your DNS servers, why trust
> *any* of it? ...
snip
> Do you have grounds to *reasonably doubt* the functioning of
> your DNS software?

If so, please gather all the evidence and submit a bug report to 
bind9-b...@isc.org.

https://kb.isc.org/article/AA-00341/0/What-to-do-with-a-misbehaving-BIND-server.html

> Good luck - I doubt you'll find what you want though! ;o)
-- 
  http://rob0.nodns4.us/
  Offlist GMX mail is seen only if "/dev/rob0" is in the Subject:


Re: Audit the consistency of zone files on DNS servers

2014-03-15 Thread Phil Mayers

On 15/03/2014 10:09, Maren S. Leizaola wrote:


Can someone provide an answer that does not refer to zone transfers?


Your original email said:


What I want to be able to detect are serial number errors, where a
zone has been updated but the serial number has not changed


Then you said:


I am paranoid and I don't think zone transfers are a good method. I
want something that looks at the file, intelligently looks at each
record and sends the right types of queries to all the DNS servers.

We are never sure how bug free bind is. As I am using other DNS
servers I am not sure how reliably they interact with Bind... So
I trust nothing until it has been proven to work time and time
again.


To be blunt, I think you are being unreasonable - sort of a "radical 
skeptic" - about the software.


If you distrust the XFR bit of your DNS servers, why trust *any* of it? 
How do you know the DNS server isn't answering with garbage when it 
should be answering NODATA/NXDOMAIN? Or answering with correct values to 
you, but garbage 0.01% of the time to everyone else?


You don't know that, and you can never know that, so proceeding on this 
basis is futile.


Do you have grounds to *reasonably doubt* the functioning of your DNS 
software?


Anyway - in an attempt to be "helpful", even though I think it's a silly 
thing to do, here's a suggestion which queries every record in a zone 
versus a master file:


https://github.com/joemiller/dns_compare

You could also canonicalise the zone file with "trusted" (ha ha) 
software then transfer it over a "trusted" protocol (ha ha), "freeze" 
the zone at the slaves having "trusted" that they will write to disk 
correctly, then use diff.


None of these solves the NODATA/NXDOMAIN or low-rate error problem, but 
they are, in principle, unsolvable.


Good luck - I doubt you'll find what you want though! ;o)

Cheers,
Phil
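The per-record check Phil describes above (query every RRset in the master file on every server, rather than comparing SOA serials), written out as an added example; this is not code from any post in this thread nor from the dns_compare tool. It assumes a simplified one-record-per-line master file with absolute names, constructed zone data, and a hypothetical `query_rrset()` stand-in that answers from constructed per-server tables instead of sending real DNS queries. The constructed `ns2` serves two stale RRsets under an unchanged SOA serial, which is exactly the case Maren asked to detect and the case a serial-only comparison misses.

```python
from collections import defaultdict

# Constructed example master file (not the poster's zone): one record per
# line as "owner TTL class type rdata", absolute names, no $ORIGIN/$TTL.
MASTER_ZONE = """\
example.test.      3600 IN SOA ns1.example.test. hostmaster.example.test. 2014031501 7200 900 1209600 300
example.test.      3600 IN NS  ns1.example.test.
example.test.      3600 IN NS  ns2.example.test.
ns1.example.test.  3600 IN A   192.0.2.1
ns2.example.test.  3600 IN A   192.0.2.2
www.example.test.  3600 IN A   192.0.2.10
www.example.test.  3600 IN A   192.0.2.11
mail.example.test. 3600 IN MX  10 mx.example.test.
"""

# Constructed stand-in for what each authoritative server would answer.
# ns2 serves stale www/mail RRsets but the SAME SOA serial, which is the
# case a serial-only comparison cannot see.
SERVER_ANSWERS = {
    "ns1.example.test.": MASTER_ZONE,
    "ns2.example.test.": """\
example.test.      3600 IN SOA ns1.example.test. hostmaster.example.test. 2014031501 7200 900 1209600 300
example.test.      3600 IN NS  ns1.example.test.
example.test.      3600 IN NS  ns2.example.test.
ns1.example.test.  3600 IN A   192.0.2.1
ns2.example.test.  3600 IN A   192.0.2.2
www.example.test.  3600 IN A   192.0.2.10
mail.example.test. 3600 IN MX  10 oldmx.example.test.
""",
}


def parse_master_file(text):
    """Group records into RRsets keyed by (owner, type).  Owner names are
    case-insensitive, so they are lower-cased; rdata whitespace is collapsed."""
    rrsets = defaultdict(set)
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()      # drop comments and blank lines
        if not line:
            continue
        owner, _ttl, _class, rtype, rdata = line.split(None, 4)
        rrsets[(owner.lower(), rtype.upper())].add(" ".join(rdata.split()))
    return dict(rrsets)


_parsed_answers = {}   # per-server parse cache for the constructed answers


def query_rrset(server, owner, rtype):
    """Hypothetical stand-in for one non-recursive query sent to `server`
    (with dnspython this would be a dns.query.udp() call to the server's
    address).  Returns the rdata set, empty on NODATA/NXDOMAIN."""
    if server not in _parsed_answers:
        _parsed_answers[server] = parse_master_file(SERVER_ANSWERS[server])
    return _parsed_answers[server].get((owner, rtype), set())


def audit_zone(master_rrsets, servers):
    """Ask every server for every RRset in the master file and return one
    (server, owner, type, expected, observed) tuple per mismatch."""
    problems = []
    for server in servers:
        for (owner, rtype), expected in sorted(master_rrsets.items()):
            observed = query_rrset(server, owner, rtype)
            if observed != expected:
                problems.append((server, owner, rtype, sorted(expected), sorted(observed)))
    return problems


def soa_serial(rdata_set):
    """SERIAL is the third SOA field (MNAME RNAME SERIAL ...); None if no SOA."""
    for rdata in rdata_set:
        return int(rdata.split()[2])
    return None


def serials_agree(master_rrsets, servers, apex):
    """The serial-only check, for comparison: True when every server reports
    the master's SOA serial, even if the rest of the zone has drifted."""
    want = soa_serial(master_rrsets[(apex, "SOA")])
    return all(soa_serial(query_rrset(s, apex, "SOA")) == want for s in servers)


def main():
    master = parse_master_file(MASTER_ZONE)
    servers = sorted(SERVER_ANSWERS)
    print("SOA serials agree:", serials_agree(master, servers, "example.test."))
    for server, owner, rtype, expected, observed in audit_zone(master, servers):
        print(f"{server}: {owner} {rtype} expected {expected}, got {observed}")


if __name__ == "__main__":
    main()
```

Run as a script, it reports that the serials agree and then lists the two RRsets on which `ns2` differs. Because the audit only asks about names and types that appear in the master file, it cannot notice records a server serves that the master does not have, and it sees a server's answer only at the moment it asks; that is the NODATA/NXDOMAIN and low-rate error limitation Phil describes, which no per-record checker removes.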


Re: Re: Audit the consistency of zone files on DNS servers

2014-03-15 Thread Maren S. Leizaola

On 3/15/2014 1:53 AM, Kevin Darcy wrote:

On 3/14/2014 8:28 AM, Maren S. Leizaola wrote:

Hello,
What do you guys recommend to audit every resource
record in a zone file against all the records in all the DNS servers
that host the zone file?

I want something that I feed the master zone file and that then goes to each
NS server and ensures that each of the records is identical in all of
them.

What I want to be able to detect are serial number errors, where a zone
has been updated but the serial number has not changed. In these
circumstances comparing the SOA of all the servers would not report any
errors, but the zone files on the different servers are incorrect.


Well, you're only *medium* paranoid, at most. If you were *really* 
paranoid, you'd crypto-sign your transfers.


Crypto signed or not signed, AXFR or whatever, etc.: if the DNS servers are 
malfunctioning and sending the wrong replies to queries, I would like to 
be able to audit that.


Or use Dynamic Update exclusively for DNS record maintenance, so that 
"forgetting to update the serial number after a change" is a thing of 
the past[1].


- Kevin

[1] For the nit-pickers out there, the statement is true _even_for_ 
SOA record changes, since they don't "take" unless you "increment" the 
serial number (as per serial-number arithmetic) as part of the change.





So Dynamic updates, to a master? Then IXFR, across different types of 
DNS servers, lots of room for malfunction...


Can someone provide an answer that does not refer to zone transfers?

Maren.