[dns-operations] Diffing tools for zones?

[Joe Abley]

On 2010-08-02, at 15:09, Paul Hoffman wrote:

> Greetings. I used to be able to do a reasonably sane check for changed between two versions of the root zone with 'diff'. Now that the root is signed, that all goes to hell.

For what it's worth, I run the following out of cron. The noise is all still there, but it's crudely classified, enough for me to be able to delete-based-on-preview for changes that only involve DNSSEC changes, and look harder if there are other changes (and I feel like it). It seems like a distant but non-zero possibility that works for me in e-mail might work for you in whatever you're trying to do.

The [:space:] regex atom below is a convenient GNU-ism which is not specified by POSIX (I think). The two nameservers xfr.lax.dns.icann.org and xfr.cjr.dns.icann.org serve whatever L-Root is serving, allow zone transfers indiscriminately, and you're welcome to use them.


Joe

#!/bin/sh

HOME=$(dirname $0)
NEW=${HOME}/root.new
OLD=${HOME}/root.current
TMP=${HOME}/root.$$

selectodiff() {
  rm -f "${TMP}"
  pattern="IN[[:space:]]+$3[[:space:]]"
  diff -c0 -u "$1" "$2" | egrep "${pattern}" >"${TMP}"
  if [ $(wc -l <"${TMP}") -gt 0 ]; then
    echo "========= $4 changes"
    echo ""
    egrep "${pattern}" "${TMP}"
    echo ""
  fi
  rm -f "${TMP}"
}

dig @xfr.lax.dns.icann.org . axfr | egrep -v '^;' >"${NEW}"

SOAS=$(egrep -i 'IN[[:space:]]+SOA[[:space:]]+' ${NEW} | wc -l)

if [ ${SOAS} -eq 2 ]; then
  touch "${OLD}"

  selectodiff "${OLD}" "${NEW}" "NS" "Delegation"
  selectodiff "${OLD}" "${NEW}" "DS" "Trust Anchor"
  selectodiff "${OLD}" "${NEW}" "(A|AAAA)" "Glue"
  selectodiff "${OLD}" "${NEW}" "(RRSIG|NSEC|DNSKEY)" "DNSSEC"

  selectodiff "${OLD}" "${NEW}" ".*" "Complete list of"

  mv "${NEW}" "${OLD}"
fi