[dns-operations] validating zones before distribution to secondaries

Anand Buddhdev anandb at ripe.net
Tue May 4 14:30:28 UTC 2021


On 04/05/2021 15:59, Klaus Darilion wrote:

Hi Klaus,

> In my setup I receive zones from various hidden primaries to my
> "incoming" nameserver. Before my "distribution" nameserver fetches the
> zone from the "incoming" nameserver (and hence sends NOTIFYs to the
> public secondaries) I want to perform various checks on the zone
> loaded on the incoming nameserver.
> 
> Currently I use a freaky Bind9 setup with several perl scripts. Do you
> know if there exists any software tool that was written for such
> setups? For example a Secondary which fetches a zone not automatically
> but only on request? Or a nameserver which fetches a zone but only
> "loads" it if an external tool validates the zone?

I don't think any of the existing name servers have that facility. I
know that the latest Knot DNS can do DNSSEC validation of incoming XFRs,
and I guess this implies general DNS correctness checks. However, if you
want to do custom checks, you'll have to do this yourself.

You might want to look at Tony Finch's nsnotifyd, which is a custom
program that can monitor zones for changes, and run custom commands when
changes are detected. It can also listen for NOTIFY messages and act
immediately on zone changes. You could use it to run your custom checks
before distributing your zones.

https://github.com/fanf2/nsnotifyd

Regards,
Anand Buddhdev
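One way to wire the workflow Anand describes together, as an added example that is not part of the original thread, of nsnotifyd, or of any project mentioned: a POSIX sh hook that nsnotifyd would run when a zone on the "incoming" server changes. It assumes nsnotifyd invokes the command with the zone name and new serial as its two arguments (as its README describes; treat the order as an assumption), that the distribution server is BIND 9 with the incoming server configured as its primary so `rndc retransfer` pulls the zone, and that the hook is allowed to AXFR from the incoming server. The addresses are RFC 5737 documentation addresses and the embedded zone is constructed for offline testing, not real data. The checks (single apex SOA, apex NS present, serial matches the NOTIFY, RFC 1982 serial advance, optional `named-checkzone`) are my own choice of sanity checks, not ones the thread specifies.

```shell
#!/bin/sh
# Hypothetical nsnotifyd hook: "check-zone ZONE SERIAL" (argument order assumed).
# Transfers the zone from the incoming server, validates it, and only then asks the
# distribution server (assumed BIND 9) to retransfer it, which in turn NOTIFYs the
# public secondaries. Not code from the thread or from nsnotifyd.

INCOMING=${INCOMING:-192.0.2.10}               # hidden "incoming" name server (RFC 5737)
DIST_RNDC=${DIST_RNDC:-"rndc -s 192.0.2.20"}   # rndc to the "distribution" server (RFC 5737)
STATE_DIR=${STATE_DIR:-/var/lib/zonecheck}     # last serial distributed, per zone

# Serial of the first SOA in dig-style presentation format
# (owner ttl class type rdata; the SOA serial is field 7).
soa_serial() {
    awk '$4 == "SOA" { print $7; exit }' "$1"
}

# RFC 1982 serial arithmetic: succeeds if $2 is "after" $1 in 32-bit serial space.
serial_advanced() {
    old=$1; new=$2
    diff=$(( (new - old + 4294967296) % 4294967296 ))
    [ "$diff" -ne 0 ] && [ "$diff" -lt 2147483648 ]
}

# Structural checks that need no external tools on raw AXFR output:
# all SOA lines identical (AXFR repeats the SOA at the end), SOA owned by the
# apex, and at least one apex NS. Prints a reason and fails otherwise.
zone_sane() {
    zone=$1; file=$2; apex="$zone."
    soa_count=$(awk '$4 == "SOA" { seen[$0] = 1 } END { n = 0; for (k in seen) n++; print n }' "$file")
    [ "$soa_count" -eq 1 ] || { echo "expected one SOA, found $soa_count distinct"; return 1; }
    awk -v a="$apex" 'BEGIN { bad = 0 } $4 == "SOA" && $1 != a { bad = 1 } END { exit bad }' "$file" \
        || { echo "SOA owner is not the apex $apex"; return 1; }
    ns_count=$(awk -v a="$apex" '$1 == a && $4 == "NS" { n++ } END { print n + 0 }' "$file")
    [ "$ns_count" -ge 1 ] || { echo "no NS records at the apex"; return 1; }
}

# The hook proper: fetch, check, then trigger distribution.
check_and_distribute() {
    zone=$1; serial=$2
    raw=$(mktemp) && clean=$(mktemp) || return 1
    trap 'rm -f "$raw" "$clean"' EXIT
    # In a real deployment this AXFR should be TSIG-signed and ACL'd on the incoming server.
    dig +noall +answer @"$INCOMING" "$zone" AXFR > "$raw" || { echo "$zone: AXFR failed"; return 1; }
    reason=$(zone_sane "$zone" "$raw") || { echo "$zone: $reason"; return 1; }
    new=$(soa_serial "$raw")
    [ "$new" = "$serial" ] || { echo "$zone: NOTIFY serial $serial but transferred $new"; return 1; }
    mkdir -p "$STATE_DIR"
    last=$(cat "$STATE_DIR/$zone.serial" 2>/dev/null || echo 0)
    serial_advanced "$last" "$new" || { echo "$zone: serial $new does not advance $last"; return 1; }
    # Drop the trailing SOA copy so the file loads as a plain zone file, then let
    # BIND's checker (if installed) catch syntax, CNAME and NS problems.
    awk '$4 == "SOA" && seen++ { next } { print }' "$raw" > "$clean"
    if command -v named-checkzone >/dev/null 2>&1; then
        named-checkzone -q "$zone" "$clean" || { echo "$zone: named-checkzone failed"; return 1; }
    fi
    $DIST_RNDC retransfer "$zone" && echo "$new" > "$STATE_DIR/$zone.serial"
}

# Constructed sample in dig AXFR layout (not a real zone) for exercising the checks offline.
sample_zone_file() {
    f=$(mktemp) || return 1
    cat > "$f" <<'EOF'
example.com.      3600 IN SOA ns1.example.com. hostmaster.example.com. 2021050401 7200 3600 1209600 3600
example.com.      3600 IN NS  ns1.example.com.
example.com.      3600 IN NS  ns2.example.com.
ns1.example.com.  3600 IN A   192.0.2.1
ns2.example.com.  3600 IN A   192.0.2.2
www.example.com.  300  IN A   192.0.2.80
example.com.      3600 IN SOA ns1.example.com. hostmaster.example.com. 2021050401 7200 3600 1209600 3600
EOF
    echo "$f"
}

# Only act as the hook when nsnotifyd supplies ZONE and SERIAL.
case $# in
    2) check_and_distribute "$@" ;;
esac
```

For this to be the only trigger, the distribution server must not learn of changes by itself: the incoming server should not NOTIFY it (restrict `also-notify`/`notify explicit` on the incoming server) and the hook then drives `rndc retransfer`. SOA refresh polling by the distribution server remains a gap that BIND alone does not close, which is the part of this setup that stays "freaky".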



More information about the dns-operations mailing list