[dns-operations] differ

cstamas+dns at cstamas.hu
Mon Nov 13 11:35:41 UTC 2023


hi,

Nov 13, 2023 11:26:15 Matthew Richardson <matthew-l at itconsult.co.uk>:

> Randy Bush <randy at psg.com> wrote:-
>
>> it occurred to me that it might be wise to have a rancid like
>> (https://shrubbery.net/rancid/) equivalent for critical domains.
>> i.e. to git record changes and warn of radical diffs.
>>
>> is there any foss tooling in this space?
>
> For the recording, I do something similar within our systems which is
> really simple, and roughly:-
>
> cd "$repodir"
> for zone in "${zones[@]}"; do
>   dig +nocmd +nostats +onesoa @"$master" "$zone" axfr > "$zone.zone"
> done
> git add -A
> git commit -m "cron script"
>
> which runs as a daily job via cron.  Obviously, this only does the
> recording into a git repo, but does not do any alerting.

For alerting and stopping a zone before XFR to secondaries, NSD's verifier functionality can be used. A script can store a previous value and allow new zones only if the tests (supplied by you) are met, e.g. the size of the zone should change by x% at most, not more.

A bump-in-the-wire verifier.

Regards,
Tamás
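As an added example (not code from this thread or from NSD itself), a minimal verifier of the kind described above: it keeps the last accepted line count per zone and rejects a freshly received zone whose count moved by more than a threshold. It assumes NSD's verifier interface (zone text on stdin when `verifier-feed-zone: yes` is set, zone name in `VERIFY_ZONE`, a non-zero exit rejects the zone); `STATE_DIR` and `MAX_PCT` are names chosen for this example.

```shell
#!/bin/sh
# Added example: NSD verifier hook that rejects a zone whose record count
# changed by more than MAX_PCT percent since the last accepted version.
# STATE_DIR and MAX_PCT are this script's own assumptions, not NSD settings.
STATE_DIR="${STATE_DIR:-/var/lib/nsd-verify}"
MAX_PCT="${MAX_PCT:-20}"

# Rough record count: non-blank, non-comment lines of the zone text on stdin.
# grep -c exits 1 when the count is 0, so keep the pipeline from failing.
count_records() {
    grep -cvE '^[[:space:]]*(;|$)' || :
}

# change_ok PREV NEW PCT -> success if |NEW-PREV| <= PREV*PCT/100.
# A first run (PREV=0) is accepted so a baseline can be recorded.
change_ok() {
    prev=$1; new=$2; pct=$3
    [ "$prev" -eq 0 ] && return 0
    delta=$(( new > prev ? new - prev : prev - new ))
    # integer arithmetic only: compare delta*100 against prev*pct
    [ $(( delta * 100 )) -le $(( prev * pct )) ]
}

# verify_zone ZONE < zone_text -> 0 accept (and store new baseline), 1 reject
verify_zone() {
    zone=$1
    state="$STATE_DIR/$zone.count"
    mkdir -p "$STATE_DIR"
    new=$(count_records)
    prev=0
    [ -f "$state" ] && prev=$(cat "$state")
    if change_ok "$prev" "$new" "$MAX_PCT"; then
        printf '%s\n' "$new" > "$state"
        return 0
    fi
    # Rejected: baseline is left untouched, message lands in NSD's log.
    echo "$zone: record count $prev -> $new exceeds ${MAX_PCT}% change, rejecting" >&2
    return 1
}

# When invoked by NSD the zone name is in VERIFY_ZONE and the zone text is on
# stdin; the exit status decides whether NSD serves it and notifies secondaries.
if [ -n "${VERIFY_ZONE:-}" ] && [ "${VERIFY_ZONE_ON_STDIN:-no}" = "yes" ]; then
    verify_zone "$VERIFY_ZONE"
    exit $?
fi
```

Point `verifier:` in the zone's nsd.conf stanza at this script and enable `verifier-feed-zone: yes`; the first accepted transfer seeds the baseline, after which a shrink or growth beyond the threshold is held back and logged.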
