[dns-operations] DNS zone monitoring

Stephane Bortzmeyer bortzmeyer at nic.fr
Mon Jun 14 06:42:54 UTC 2010


On Sun, Jun 13, 2010 at 11:29:22PM -0500,
 Joe Greco <jgreco at ns.sol.net> wrote 
 a message of 71 lines which said:

> > If you want to test the transfer machinery, then arrange for the
> > SOA serial number to be increased regularly and look for signs
> > that the updated zones are not being served where they should
> > be. [...]

> That strikes me as ugly and dangerous in some ways (though possibly
> offset as an improvement in others) [...] You introduce other
> possible failures into the mix.

If you do DNSSEC (and, sooner or later, I'm afraid everyone will have
to do it), it is necessary, anyway, because you must resign before the
signatures expire.

If you don't do DNSSEC, you're right, it introduces a new process
which may go wrong but, on the other hand, it exercises your entire
DNS publication chain, which can be a good thing. I would be a bit
nervous with a zone which was not updated in the last two years :-)
asking myself "If I try to add just one record, will it break
everything?"
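The two checks the post brings together, periodic serial bumps verified on every authoritative server and re-signing before RRSIGs expire, as an added example that is not part of the original message or anything the list published. It is mine, uses only the Python standard library, and runs over constructed sample data: the zone name example.net, the servers ns1 to ns3, the observed serial table (standing in for live SOA queries to each server) and the RRSIG lines are all made up for the example. Serial comparison follows RFC 1982 so a serial wrap is not misread as a regression.

```python
"""
Zone-freshness monitor (added example, constructed data, no live DNS).

1. Compare the SOA serial each authoritative server reports against the
   master's, using RFC 1982 serial arithmetic.
2. Check RRSIG expiration timestamps against a re-signing margin, so the
   zone is re-signed before signatures expire.
"""
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Tuple

SERIAL_MOD = 1 << 32   # serials live in a 32-bit space
SERIAL_HALF = 1 << 31  # RFC 1982 comparison window


def serial_lt(a: int, b: int) -> bool:
    """RFC 1982: a < b within the 32-bit serial space, tolerant of wrap-around."""
    a %= SERIAL_MOD
    b %= SERIAL_MOD
    return (a < b and b - a < SERIAL_HALF) or (a > b and a - b > SERIAL_HALF)


def lagging_servers(master_serial: int, observed: Dict[str, Optional[int]]) -> List[str]:
    """Servers whose serial is behind the master, or that returned no SOA at all."""
    return sorted(
        name for name, serial in observed.items()
        if serial is None or serial_lt(serial, master_serial)
    )


def parse_rrsig_time(value: str) -> datetime:
    """RRSIG presentation format gives times as YYYYMMDDHHmmSS in UTC."""
    return datetime.strptime(value, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)


def expiring_rrsigs(rrsig_lines: List[str], now: datetime,
                    margin: timedelta) -> List[Tuple[str, str, str]]:
    """(owner, type covered, expiration) for RRSIGs expiring within `margin`, or already expired."""
    deadline = now + margin
    hits = []
    for line in rrsig_lines:
        f = line.split()
        # owner ttl class RRSIG type alg labels origttl expire incept keytag signer sig
        if len(f) < 12 or f[3] != "RRSIG":
            continue
        owner, covered, expiration = f[0], f[4], f[8]
        if parse_rrsig_time(expiration) <= deadline:
            hits.append((owner, covered, expiration))
    return sorted(hits, key=lambda h: h[2])


# ---- constructed sample data (hypothetical zone and servers, not real measurements) ----
MASTER_SERIAL = 2010061401
OBSERVED_SERIALS = {
    "ns1.example.net.": 2010061401,  # in sync with the master
    "ns2.example.net.": 2010061300,  # stale: never picked up the last bump
    "ns3.example.net.": None,        # no answer: transfer or server problem
}
NOW = datetime(2010, 6, 14, 6, 42, 54, tzinfo=timezone.utc)
RESIGN_MARGIN = timedelta(days=7)
SAMPLE_RRSIGS = [
    "example.net. 3600 IN RRSIG SOA 8 2 3600 20100628000000 20100614000000 12345 example.net. c2lnMQ==",
    "example.net. 3600 IN RRSIG NS 8 2 3600 20100613000000 20100530000000 12345 example.net. c2lnMg==",
    "www.example.net. 300 IN RRSIG A 8 3 300 20100618000000 20100604000000 12345 example.net. c2lnMw==",
]


def run_checks() -> Dict[str, list]:
    """Run both checks on the sample data; a real monitor would feed live query results instead."""
    return {
        "lagging": lagging_servers(MASTER_SERIAL, OBSERVED_SERIALS),
        "expiring": expiring_rrsigs(SAMPLE_RRSIGS, NOW, RESIGN_MARGIN),
    }


if __name__ == "__main__":
    for kind, items in run_checks().items():
        for item in items:
            print(f"{kind}: {item}")
```

On the sample data ns2 and ns3 are reported as lagging, and the NS and A signatures are flagged (one already expired, one inside the seven-day margin) while the SOA signature, good for another two weeks, is not. A server that does not answer is reported alongside a stale one on purpose: from the monitoring point of view both mean the updated zone is not being served where it should be.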
