[dns-operations] DNS delegation checker
Bernhard Schmidt
berni at birkenwald.de
Fri May 25 09:03:05 UTC 2012
Hi,
I'm running DNS for a larger campus network. We have a few thousand
zones up to six labels deep, which are sourced from our internal
systems, a customer self-service portal, foreign master servers we slave
or even completely external entities we can't get a copy of the zone from.
We are fighting with keeping NS records in sync in parent and child
zones. This has mostly been a minor problem since most zones are on the
same servers and thus missing delegations are hidden, but becomes a
bigger problem with DNSSEC and NSEC. And of course users often change
things without giving us any heads-up.
Is there any script/framework out there already that tries to find that
mess? I'm thinking about
* getting a list of zones from management system
* check delegation from upstream server
* get zone file from our slave zone repository, walk all delegations,
check them on delegated server or in the zone repository
* warn if delegations are missing or inconsistent
* warn if delegations to non-existing/non-answering servers exist, or
delegations to own servers but zone is not configured
* DS vs. DNSKEY checks
Thanks,
Bernhard
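The checks in the bullet list above, as an added example that is not part of the original post: it compares the parent's delegation NS set with the child's apex NS set, flags servers that do not answer, and flags zones delegated to our own servers that are not configured there. The server names, zone names and the snapshot inputs are constructed; a real checker would fill them by querying the parent, the child apex and the zone repository (e.g. with dnspython).

```python
"""Delegation consistency checks (added example, offline, constructed data)."""

# Constructed: our authoritative servers and the zones configured on them,
# as they would come from the management system.
OUR_SERVERS = {"ns1.example.edu.", "ns2.example.edu."}
CONFIGURED = {"example.edu.", "cs.example.edu."}


def normalize(names):
    """Lower-case and make absolute, so 'NS1.example.edu' == 'ns1.example.edu.'."""
    return {n.lower().rstrip(".") + "." for n in names}


def check_delegation(zone, parent_ns, child_ns, answering):
    """Compare the delegation (parent) NS set with the apex (child) NS set.

    parent_ns: NS names the parent zone delegates `zone` to
    child_ns:  NS names at the child apex, or None if it could not be fetched
    answering: server names that answered authoritatively for `zone`
    Returns a list of (severity, message) findings, empty when consistent.
    """
    zone = normalize([zone]).pop()
    parent, answering = normalize(parent_ns), normalize(answering)
    findings = []
    if not parent:
        findings.append(("error", f"{zone}: no delegation in parent"))
    if child_ns is None:
        findings.append(("error", f"{zone}: child apex NS not retrievable"))
    else:
        child = normalize(child_ns)
        for ns in sorted(parent - child):
            findings.append(("warn", f"{zone}: {ns} in parent but not at child apex"))
        for ns in sorted(child - parent):
            findings.append(("warn", f"{zone}: {ns} at child apex but not in parent"))
    # Lame delegation: a server listed in the parent does not answer for the zone.
    for ns in sorted(parent - answering):
        findings.append(("error", f"{zone}: {ns} is delegated but not answering"))
    # Delegated to one of our own servers, but the zone is not configured on them.
    ours = sorted(parent & OUR_SERVERS)
    if ours and zone not in CONFIGURED:
        findings.append(("error", f"{zone}: delegated to {ours} but not configured"))
    return findings


if __name__ == "__main__":
    # Constructed snapshot: parent and child disagree, ns2 is silent.
    for sev, msg in check_delegation("cs.example.edu.",
                                     ["ns1.example.edu", "ns2.example.edu."],
                                     ["NS1.example.edu.", "ns3.example.edu."],
                                     ["ns1.example.edu."]):
        print(sev.upper(), msg)
```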