[dns-operations] DNS zone monitoring
Joe Abley
jabley at hopcount.ca
Mon Jun 14 03:29:28 UTC 2010
On 2010-06-13, at 22:56, Joe Greco wrote:
> I was just in a discussion elsewhere that brought up an old topic:
>
> How do people monitor for secondary servers that are having trouble
> updating a zone from the master?
We direct an apex/IN/SOA query to all servers for each zone we are checking, and if we see inconsistent serial numbers we sound alarms.
> Obviously, we do all the normal sanity checks (SOA's match, etc) but
> other than monitoring the log file and watching for errors such as
If SOA serials match then no zone transfers will happen and you have no errors to look for.
If you want to test the transfer machinery, then arrange for the SOA serial number to be increased regularly and look for signs that the updated zones are not being served where they should be. Depending on the signature validity periods and re-signing intervals you choose, simply signing your zones might be enough to provide SOA serial increases sufficient to do useful monitoring.
Joe
More information about the dns-operations
mailing list