Re: tool for finding undelegated children in your DNS

2018-07-27 Thread Chris Thompson

On Jul 27 2018, Timothe Litt wrote:

> [...]
>
> If you want to do this validation with zone files, then text tools (e.g.
> a Perl, awk, etc) are a reasonable approach.  It would not be
> particularly difficult - though you do have to handle include files.
> Rather than working from zone files, the easiest approach is to do a dig
> axfr to get the actual zone...


If you do need to work from the zone files, I would strongly recommend
normalising them with "named-checkzone -o outfile zonename infile" or
an equivalent, before trying to unpick them with "Perl, awk, etc".

--
Chris Thompson
Email: c...@cam.ac.uk
___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users


Re: tool for finding undelegated children in your DNS

2018-07-27 Thread Timothe Litt
On 26-Jul-18 19:46, Victoria Risk wrote:
> I have been told this is a very poor description of the problem.
>
> What I am concerned about is, how people with a sort of lazy zone file
> can assess the potential impact of QNAME minimization on their ability
> to answer for all of their zones.
>
> I have gotten two suggestions off list:
> - I would use named-checkzone to print the zone with all owner names
> printed out and then use text processing tools
> - “dig ds -f list-of-zones”. Those that return NXDOMAIN are likely
> missing NS records.
>
> Any other ideas?
> Has anyone done this kind of housekeeping on their own zones?
>
>
>> On Jul 26, 2018, at 11:41 AM, Victoria Risk wrote:
>>
>> Does anyone know of a good tool that you can run on your DNS records
>> to find parent + child pairs where there is no NS record for the
>> child in the parent?
>>
>> Someone must have a perl script for that, right?
>>
>> Thank you for any suggestions.
>>
>> Vicky
>>
>>
If you want to do this validation with zone files, then text tools (e.g.
a Perl, awk, etc) are a reasonable approach.  It would not be
particularly difficult - though you do have to handle include files. 
Rather than working from zone files, the easiest approach is to do a dig
axfr to get the actual zone...

I tend to use dnsviz (http://dnsviz.net) and zonemaster
(https://www.zonemaster.net/domain_check) for consistency checking.

I don't tend to have issues with internal views because of the tools
that I use to update my zones (they pretty much ensure that mistakes
made there will also show up externally :-(). So the web checkers are
my tools of choice.

But both dnsviz and zonemaster are on GitHub & can be run
internally.  Zonemaster is Perl; dnsviz is Python.  Zonemaster requires
a database (MySQL/MariaDB/PostgreSQL).  The web version of dnsviz is
graphic, and has accessibility issues.  Zonemaster is standard HTML &
more suitable if you use a screen reader.

dnsviz run locally has command line options that will do the analysis -
see the GitHub readme.

Both tools do extensive checks (dnsviz is oriented around DNSSEC, but
does many other checks).

It's a good idea to run one or the other regardless of this point
issue.  Actually - I run both.

Of course the usual caveats about stealth (unlisted) servers apply.

Timothe Litt
ACM Distinguished Engineer
--
This communication may not represent the ACM or my employer's views,
if any, on the matters discussed. 





Re: tool for finding undelegated children in your DNS

2018-07-26 Thread Victoria Risk
I have been told this is a very poor description of the problem.

What I am concerned about is, how people with a sort of lazy zone file can 
assess the potential impact of QNAME minimization on their ability to answer 
for all of their zones.

I have gotten two suggestions off list:
- I would use named-checkzone to print the zone with all owner names printed
out and then use text processing tools
- “dig ds -f list-of-zones”. Those that return NXDOMAIN are likely missing NS
records.

Any other ideas?
Has anyone done this kind of housekeeping on their own zones?


> On Jul 26, 2018, at 11:41 AM, Victoria Risk wrote:
> 
> Does anyone know of a good tool that you can run on your DNS records to find 
> parent + child pairs where there is no NS record for the child in the parent?
> 
> Someone must have a perl script for that, right?
> 
> Thank you for any suggestions.
> 
> Vicky

Victoria Risk
Product Manager
Internet Systems Consortium
vi...@isc.org
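The two off-list suggestions above (dump the zone with named-checkzone so every owner name is spelled out, then text-process it) and the "work from the real zone data" advice elsewhere in the thread can be combined into one small script. The following is an added example written for this page, not code from any poster or from ISC. It assumes the parent zone was dumped with `named-checkzone -s full -o - ZONE FILE` (one fully qualified owner name per record line) and that the list of zones configured in named.conf is available; both inputs below are constructed samples. For each configured child zone it looks for an NS RRset at the child's apex in the parent's data and, where none exists, reports what the parent's own data would make its servers answer for that name.

```python
"""Flag child zones that have no NS delegation in the parent zone's data.

Added example for the bind-users thread; not the list posters' code.
Assumptions: the parent zone was dumped with
`named-checkzone -s full -o - ZONE FILE`, and SERVED_ZONES mirrors the
zone statements in named.conf on the same servers. Both are constructed.
"""
from collections import defaultdict

CLASSES = {"IN", "CH", "HS"}

# Constructed sample of a full-style dump of the parent zone.
PARENT_ZONE_DUMP = """\
example.com.\t\t3600 IN SOA\tns1.example.com. hostmaster.example.com. 2018072601 7200 900 1209600 3600
example.com.\t\t3600 IN NS\tns1.example.com.
ns1.example.com.\t3600 IN A\t192.0.2.1
www.example.com.\t3600 IN A\t192.0.2.10
corp.example.com.\t3600 IN NS\tns1.corp.example.com.
ns1.corp.example.com.\t3600 IN A\t192.0.2.20
printer.lab.example.com.\t3600 IN A\t192.0.2.30
ops.example.com.\t3600 IN TXT\t"managed by the ops team"
"""

# Constructed sample of the zones the same servers are configured for.
SERVED_ZONES = ["example.com", "corp.example.com", "lab.example.com",
                "ops.example.com", "hr.example.com", "example.net"]


def canon(name):
    """Lower-case, fully qualified form used for every comparison."""
    name = name.lower()
    return name if name.endswith(".") else name + "."


def parse_dump(text):
    """Map owner -> rrtype -> [rdata] from a full-style named-checkzone dump."""
    rrsets = defaultdict(lambda: defaultdict(list))
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in ";$":          # comment line or $ directive
            continue
        tokens = line.split()
        owner = canon(tokens[0])
        i = 1                                     # skip optional TTL and class
        while i < len(tokens) and (tokens[i].isdigit() or tokens[i].upper() in CLASSES):
            i += 1
        rrsets[owner][tokens[i].upper()].append(" ".join(tokens[i + 1:]))
    return rrsets


def parent_of(zone, served):
    """Closest enclosing zone in `served` that is a proper ancestor of `zone`."""
    labels = zone.split(".")                      # trailing dot gives a final ''
    for k in range(1, len(labels) - 1):
        candidate = ".".join(labels[k:])
        if candidate in served:
            return candidate
    return None


def find_undelegated(dumps, served):
    """Return (parent, child, what the parent's data answers for the child apex)
    for every served child zone with no NS RRset at its apex in the parent."""
    served = {canon(z) for z in served}
    findings = []
    for child in sorted(served):
        parent = parent_of(child, served)
        if parent is None or parent not in dumps:
            continue                              # parent not ours, or no dump supplied
        data = dumps[parent]
        if "NS" in data.get(child, {}):
            continue                              # properly delegated
        if child in data:
            answer = "NODATA"                     # name exists in the parent, no NS
        elif any(o.endswith("." + child) for o in data):
            answer = "NODATA (empty non-terminal)"
        else:
            answer = "NXDOMAIN"
        findings.append((parent, child, answer))
    return findings


def main():
    dumps = {canon("example.com"): parse_dump(PARENT_ZONE_DUMP)}
    for parent, child, answer in find_undelegated(dumps, SERVED_ZONES):
        print(f"{child} is served but not delegated from {parent}: "
              f"the parent's data answers {answer} for the child apex")


if __name__ == "__main__":
    main()
```

The third column is the point of running this against zone data rather than relying on the "dig ds" heuristic alone: a child that is missing its NS RRset but has other records at its apex in the parent (or has records beneath it, making it an empty non-terminal) yields a NOERROR/empty answer to a DS query, not NXDOMAIN, so the dig-based check passes it while the delegation is still absent. Zone files fed straight in without the named-checkzone normalisation step would also need `$ORIGIN`, relative names and `$INCLUDE` handled, which is exactly the work the normalised dump avoids.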


tool for finding undelegated children in your DNS

2018-07-26 Thread Victoria Risk
Does anyone know of a good tool that you can run on your DNS records to find 
parent + child pairs where there is no NS record for the child in the parent?

Someone must have a perl script for that, right?

Thank you for any suggestions.

Vicky