[dns-operations] Diffing tools for zones?

Duane Wessels wessels at dns-oarc.net
Wed Aug 4 21:01:53 UTC 2010


On Aug 2, 2010, at 12:09 PM, Paul Hoffman wrote:

> Are there any reasonable tools that know how to look for differences in two versions of a modern zone? By "reasonable" I mean "ignores changes in NSEC and NSEC3 records and other things that are normal in the daily operation of a signed zone".

I'm pleased to be able to share some of the tools that we use at VeriSign.  

At http://yazvs.verisignlabs.com/ you'll find two Perl scripts.  One takes a
candidate signed zone file, performs some crypto checks, and then compares
it to the production zone data.  Another produces a straight diff output
after excluding any record types that you specify.

Duane W.
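
The kind of type-filtered comparison the message describes can be sketched as follows. This is an added example, not part of the original post and not the YAZVS scripts; the function names, the default exclusion set and the sample zones are assumptions made for illustration.

```python
# Added illustration. Assumes one record per line, absolute owner names, no
# $ORIGIN/$TTL directives, no multi-line records, no ';' inside quoted rdata.
DEFAULT_EXCLUDE = frozenset({"NSEC", "NSEC3", "NSEC3PARAM", "RRSIG"})
CLASSES = {"IN", "CH", "HS"}

def parse_zone(text, exclude=DEFAULT_EXCLUDE):
    """Return {(owner, type, rdata)}; TTL and class are dropped."""
    records = set()
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split(";", 1)[0].strip()      # drop comments
        if not line:
            continue
        fields = line.split()
        owner, rest = fields[0].lower(), fields[1:]
        # TTL and class are optional and may appear in either order.
        while rest and (rest[0].isdigit() or rest[0].upper() in CLASSES):
            rest = rest[1:]
        if len(rest) < 2:
            raise ValueError(f"line {lineno}: cannot parse {raw!r}")
        rtype, rdata = rest[0].upper(), " ".join(rest[1:])
        if rtype not in exclude:
            records.add((owner, rtype, rdata))
    return records

def zone_diff(old_text, new_text, exclude=DEFAULT_EXCLUDE):
    """Return (removed, added) as sorted lists of record tuples."""
    old, new = parse_zone(old_text, exclude), parse_zone(new_text, exclude)
    return sorted(old - new), sorted(new - old)

# Constructed sample zones (documentation names and addresses only).
OLD = """\
example.com. 3600 IN SOA ns1.example.com. admin.example.com. 2010080201 7200 900 1209600 3600
example.com. 3600 IN NS ns1.example.com.
www.example.com. 3600 IN A 192.0.2.10
www.example.com. 3600 IN RRSIG A 8 3 3600 20100901000000 20100802000000 12345 example.com. b2xkc2ln
www.example.com. 3600 IN NSEC example.com. A RRSIG NSEC
"""
NEW = """\
example.com. 3600 IN SOA ns1.example.com. admin.example.com. 2010080401 7200 900 1209600 3600
example.com. 3600 IN NS ns1.example.com.
mail.example.com. 3600 IN A 192.0.2.25
mail.example.com. 3600 IN RRSIG A 8 3 3600 20100903000000 20100804000000 12345 example.com. bmV3c2ln
mail.example.com. 3600 IN NSEC www.example.com. A RRSIG NSEC
WWW.example.com. 300 IN A 192.0.2.10
"""

if __name__ == "__main__":
    for sign, recs in zip("-+", zone_diff(OLD, NEW)):
        for rec in recs:
            print(sign, *rec)
```

Adding "SOA" to the exclusion set hides the serial bump as well, leaving only the new `mail.example.com.` address record as a change to review.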

