[dns-operations] DNS zone monitoring
Warren Kumari
warren at kumari.net
Mon Jun 14 20:32:10 UTC 2010
On Jun 14, 2010, at 8:34 AM, Joe Greco wrote:
>> On 6/13/10 9:29 PM, Joe Greco wrote:
>>>> On 2010-06-13, at 22:56, Joe Greco wrote:
>>>>
>>>>> I was just in a discussion elsewhere that brought up an old topic:
>>>>>
>>>>> How do people monitor for secondary servers that are having trouble
>>>>> updating a zone from the master?
>>>>
>>>> We direct an apex/IN/SOA query to all servers for each zone we are
>>>> checking, and if we see inconsistent serial numbers we sound alarms.
>>>
>>> Yes, but that's only useful if your SOAs are changing. For many zones,
>>> there's no need for the serials to change. Besides, I already indicated
>>> we did that. :-)
>>
>> One thing I employ is a test zone (something.test) and set all the SOA
>> values way down, such as a 5 min expire. This way the slaves are
>> actively doing their master-slave thing constantly. If there's a problem
>> the slaves eventually expire the test zone and that sets off alarms.
>
> That's sufficiently obvious that now I almost feel silly. It's still not
> quite what I'd prefer, but I think it addresses many of the cases that I
> can think of.
Another case where it doesn't work hugely well is if you are providing
secondary service for someone else -- explaining why they have to
configure a specially named zone (that isn't delegated to them, and
with odd timers) is tricky.
At the moment the best I have found is just running 'dig AXFR blargh'
from cron and looking for >N failures in M interval, but this is A:
inelegant and B: doesn't exercise the full path. I knew a guy who
would fire up a whole separate BIND instance and have to transfer
into /tmp/something, check that he got the right files and then
delete /tmp/something... Seemed a little crazy to me, but...
W
> Others, like disk-full-failed-to-transfer, haven't actually
> shown themselves to be likely scenarios... maybe that could be tested by
> shifting the length of the test zone file around (yes, a crappy/hacky test,
> obviously).
>
> Thanks for the idea. If anyone else has any comments, though, please do
> feel free to comment.
>
> ... JG
> --
> Joe Greco - sol.net Network Services - Milwaukee, WI - http://www.sol.net
> "We call it the 'one bite at the apple' rule. Give me one chance [and] then I
> won't contact you again." - Direct Marketing Ass'n position on e-mail spam (CNN)
> With 24 million small businesses in the US alone, that's way too many apples.
--
Do not meddle in the affairs of wizards, for they are subtle and quick
to anger.
-- J.R.R. Tolkien
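The three checks discussed in the thread (SOA serial comparison across all servers, a short-expire canary zone whose slaves stop answering once it expires, and counting cron'd AXFR failures over an interval) reduce to a little decision logic once the query results are in hand. The following is an added example, not code from the thread or any poster; it assumes the queries themselves are run elsewhere (e.g. `dig @server zone SOA` / `dig @server zone AXFR`) and only consumes their outcomes, and the server names and serials below are constructed sample data.

```python
from datetime import datetime, timedelta

def serial_report(serials):
    """serials maps server -> SOA serial (int), or None when the server gave
    no usable answer (timeout, REFUSED, or the SERVFAIL a slave returns once
    the short-expire canary zone has expired on it).
    Returns (ok, detail). Note: plain integer comparison, so RFC 1982
    serial wraparound is not handled here."""
    answered = {s: v for s, v in serials.items() if v is not None}
    missing = sorted(set(serials) - set(answered))
    if missing:
        return False, "no SOA answer from: " + ", ".join(missing)
    if not answered:
        return False, "no servers to check"
    newest = max(answered.values())
    stale = sorted(s for s, v in answered.items() if v != newest)
    if stale:
        return False, f"serial behind {newest} on: " + ", ".join(stale)
    return True, f"all {len(answered)} servers at serial {newest}"

def axfr_failures_exceeded(attempts, max_failures, window, now):
    """attempts: [(timestamp, succeeded)] logged by a cron'd 'dig AXFR'.
    True when more than max_failures attempts failed inside the last window
    (the '>N failures in M interval' rule from the thread)."""
    cutoff = now - window
    failures = sum(1 for ts, ok in attempts if ts >= cutoff and not ok)
    return failures > max_failures

# Constructed sample data (hypothetical servers and zone, not real hosts).
SAMPLE_SERIALS = {"ns1.example.test": 2010061401,
                  "ns2.example.test": 2010061401,
                  "ns3.example.test": 2010061301}   # one slave behind
SAMPLE_CANARY = {"ns1.example.test": 2010061420,
                 "ns2.example.test": None}            # canary expired -> SERVFAIL
NOW = datetime(2010, 6, 14, 20, 32)
SAMPLE_AXFR = [(NOW - timedelta(minutes=m), ok) for m, ok in
               [(50, False), (40, True), (30, False), (20, False), (10, False)]]

if __name__ == "__main__":
    print(serial_report(SAMPLE_SERIALS))
    print(serial_report(SAMPLE_CANARY))
    print(axfr_failures_exceeded(SAMPLE_AXFR, 2, timedelta(hours=1), NOW))
```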