[dns-operations] DNS delegation checker
Einar Lönn
einar.lonn at iis.se
Fri May 25 09:29:39 UTC 2012
On May 25, 2012, at 11:03 AM, Bernhard Schmidt wrote:
> Hi,
>
> I'm running DNS for a larger campus network. We have a few thousand
> zones up to six labels deep, which are sourced from our internal
> systems, a customer self-service portal, foreign master servers we slave
> or even completely external entities we can't get a copy of the zone from.
>
> We are fighting with keeping NS records in sync in parent and child
> zones. This has mostly been a minor problem since most zones are on the
> same servers and thus missing delegations are hidden, but becomes a
> bigger problem with DNSSEC and NSEC. And of course users often change
> things without giving us any heads-up.
>
> Is there any script/framework out there already that tries to find that
> mess? I'm thinking about
>
> * getting a list of zones from management system
> * check delegation from upstream server
> * get zone file from our slave zone repository, walk all delegations,
> check them on delegated server or in the zone repository
> * warn if delegations are missing or inconsistent
> * warn if delegations to non-existing/non-answering servers exist, or
> delegations to own servers but zone is not configured
> * DS vs. DNSKEY checks
>
> Thanks,
> Bernhard
Hi Bernhard,
You could try our tool DNSCheck ("https://github.com/dotse/dnscheck"), it's pretty much made for bulk checking domain delegations, especially if you use the database backend, and ensuring their quality etc. It's modular, BSD-licensed and quite adaptable for specific needs.
We also host a public instance of it at ("http://dnscheck.iis.se") also if you want to try it out without installing anything; but go for the Advanced view straight away so the Basic view doesn't scare you away. ;)
/Regards, Einar