[dns-operations] validating zones before distribution to secondaries

Klaus Darilion klaus.mailinglists at pernau.at
Tue May 4 18:59:41 UTC 2021

Hi Anand!

Am 04.05.2021 um 16:30 schrieb Anand Buddhdev:
> You might want to look at Tony Finch's nsnotifyd, which is a custom
> program that can monitor zones for changes, and run custom commands when
> changes are detected. It can also listen for NOTIFY messages and act
> immediately on zone changes. You could use it to run your custom checks
> before distributing your zones.

We already use a self-written tool, quite similar to nsnotifyd, to catch 
NOTIFYs and start the zone validation.

After successful validation, I would like to use standard XFR between 
name servers to further distribute the zone. I want to avoid doing 
manual zone transfers with tools like dig, or manually copying zone 
files, as this is IMO not so reliable.

Hence, a nameserver as secondary which does not perform any SOA-checks 
itself, but only performs SOA-checks when triggered externally (i.e. "rndc 
refresh zone") would be nice. Unfortunately I am not aware of a name 
server which can be configured like that*


* A hack would be PowerDNS with master=some.non.responding.ip. Then SOA 
checks would fail, but incoming transfer could be triggered by 
"pdns_control retrieve zone ip.address.of.primary"
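As an added example (not code from this thread, nor from nsnotifyd or PowerDNS), the gate between "zone validated" and "tell the secondaries to transfer" could look like this in Python: the candidate zone's apex SOA serial is compared with the currently served serial using RFC 1982 serial arithmetic, and the refresh trigger only fires when the candidate is newer. The sample zone text, the single-line SOA layout and the `trigger` callback (standing in for `rndc refresh <zone>` or `pdns_control retrieve <zone>`) are assumptions of the example.

```python
from typing import Callable, List, Optional

SERIAL_MOD = 2 ** 32

# Constructed sample zone (not from the thread); the SOA RDATA is on one line.
SAMPLE_ZONE = """\
example.com. 3600 IN SOA ns1.example.com. hostmaster.example.com. 2021050402 7200 3600 1209600 3600
example.com. 3600 IN NS ns1.example.com.
ns1.example.com. 3600 IN A 192.0.2.1
"""

def serial_gt(a: int, b: int) -> bool:
    """RFC 1982: a is newer than b iff the forward distance b -> a lies in (0, 2**31)."""
    d = (a - b) % SERIAL_MOD
    return 0 < d < 2 ** 31

def soa_serial(zone_text: str, apex: str) -> Optional[int]:
    """Serial of the single apex SOA, or None if there is not exactly one.
    Assumes zone-file text with the whole SOA record on one line."""
    serials = []
    for line in zone_text.splitlines():
        fields = line.split(";")[0].split()          # drop comments
        tokens = [f.upper() for f in fields]
        if "SOA" in tokens[1:] and fields[0].lower() == apex.lower():
            i = tokens.index("SOA")
            if i + 3 < len(fields) and fields[i + 3].isdigit():
                serials.append(int(fields[i + 3]) % SERIAL_MOD)
    return serials[0] if len(serials) == 1 else None

def validate_candidate(zone_text: str, apex: str, served_serial: Optional[int]) -> List[str]:
    """Problems that must block distribution; an empty list means 'go'."""
    problems = []
    serial = soa_serial(zone_text, apex)
    if serial is None:
        problems.append("zone does not carry exactly one apex SOA")
    elif served_serial is not None and not serial_gt(serial, served_serial):
        problems.append(f"serial {serial} is not newer than served serial {served_serial}")
    return problems

def gate_and_trigger(zone_text: str, apex: str, served_serial: Optional[int],
                     trigger: Callable[[str], None]) -> bool:
    """Run the checks; only on success call the assumed trigger (rndc/pdns_control)."""
    if validate_candidate(zone_text, apex, served_serial):
        return False
    trigger(apex)
    return True
```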
