Checking on DNS secondaries

Rick Moen rick at linuxmafia.com
Sat May 21 12:55:59 PDT 2011


Quoting Louis Kowolowski (louisk at cryptomonkeys.org):

> I would think there would be at least 1 log watching script/pkg
> available for Linux that would be able to roll this up in a daily or
> weekly general status email.  Something that would show you zone
> transfer errors.  Doing a quick google for 'logwatch zone transfer
> error' indicates that logwatch would likely do what you need.

Logcheck's the first thing I thought of.  It catches two failure modes,
one if run by the admin of a domain's DNS master (primary), one if run by
the admin of a DNS slave (secondary) -- in each case, an attempted but
failed zone transfer.

Unfortunately, it fails to catch any _other_ of the common screwups.

Thus, run on the master, logcheck can report any IP trying to pull down
AXFR/IXFR that's not on the allowed-transfer ACL, and thus getting
refused.  This is arguably sometimes useful (if not overwhelmed by
meaningless entries about attempts from random unrelated IPs), but
completely fails to tell you 'Hey, secondary nameserver IP NN.NN.NN.NN
for domain foo has stopped querying entirely' or 'secondary nameserver
IP NN.NN.NN.NN for domain foo is serving the wrong zonefile S/N'.

The secondary could be pulling down AXFR/IXFR properly but failing to
serve the zone.  Logcheck's reporting of failed AXFR/IXFR tells you
nothing about that.  So, monitoring the secondary should logically include
making sure the secondary is _serving the desired data_; hence my hacked
cronjob's resort to 'dig -t soa'.

Run on the slave (secondary) end, logcheck can notify the admin when the
local nameserver gets refused on any outgoing AXFR/IXFR request, which
would certainly be very useful if the master removes you from the
allowed-transfer ACL and fails to tell you.  I'm unsure whether it would
give you useful data if the master re-IPs and fails to tell you, or shuts
down and fails to tell you.

The master might have removed your secondary from the authoritative list
and failed to tell you, making your secondary a 'lame nameserver'.  I've
had this happen repeatedly:  I set up secondary service for a friend's
domain, and a year or two later check and find that my service has been
silently dropped from the domain's authoritative list, i.e., my
nameserver has for years been serving up the domain pointlessly.  I
bring this to the friend's attention, and he/she says 'Oh, I guess I
forgot to tell you.'

Logcheck doesn't report that at all.

I'm surprised that I'm not hearing about people's solutions.  It's not
like these are new problems.  

My main idea is:  'management by exception' is a big mistake where DNS
screwups are concerned; otherwise you can suddenly find yourself missing
all four DNS secondaries, as I was with scruz.org, where the problem
doubtless crept up gradually over several years and could have been
noticed programmatically.  I'm tired of hearing 'Oh, I guess I forgot to
tell you' and want cron (or something) to notice for me.

Separately, I helped a friend work out a nice perl cronjob for checking
on pending domain expirations, to get warned of them in plenty of time
and not have to rely on autorenew working.  See:  
http://linuxmafia.com/~rick/preventing-expiration.html
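A cron job along the lines the post describes, as an added example and not Rick's own 'hacked cronjob': for each secondary it compares the SOA serial the secondary serves with the master's (the 'dig -t soa' check), and then checks that the secondary is still listed in the zone's NS RRset on the master and in the delegation the local resolver sees (the 'lame nameserver' case). The script name, the zone/server arguments and the sample SOA text in the comments are assumptions made up for the example; the only tool it relies on is dig(1) from BIND.

```shell
#!/bin/sh
# check-secondaries.sh -- added example, not the poster's own cron job.
# Usage: check-secondaries.sh ZONE MASTER SECONDARY [SECONDARY...]
#   ZONE       zone name, e.g. example.com
#   MASTER     IP or hostname of the master (primary) to compare against
#   SECONDARY  hostname(s) of the secondaries as they appear in NS records
# Every check is positive: each secondary gets a status line, so a silent
# day means the job did not run, not that all is well.  Exit status is
# non-zero if anything is wrong, so cron mail (or a wrapper) can flag it.
# Assumes dig(1) from BIND is installed; no real domain is referenced.

# Pull the serial out of a 'dig +short ... SOA' answer, which has the form
#   mname rname serial refresh retry expire minimum
# Prints nothing if the server gave no SOA (timeout, REFUSED, lame, ...).
serial_from_soa() {
    awk 'NF >= 7 { print $3; exit }'
}

# Compare a secondary's serial with the master's.  Prints OK, STALE,
# AHEAD or NOANSWER.  Caveat: plain integer comparison, not the RFC 1982
# serial arithmetic BIND uses; fine for YYYYMMDDnn serials that never wrap.
classify() {        # $1 = master serial, $2 = secondary serial (may be empty)
    if [ -z "$2" ]; then
        echo NOANSWER
    elif [ "$2" -eq "$1" ]; then
        echo OK
    elif [ "$2" -lt "$1" ]; then
        echo STALE
    else
        echo AHEAD
    fi
}

# Is hostname $1 among the NS names read on stdin (one per line)?
# Case and the trailing dot are ignored, as in the DNS itself.
ns_listed() {
    want=$(printf '%s' "$1" | tr 'A-Z' 'a-z' | sed 's/\.$//')
    tr 'A-Z' 'a-z' | sed 's/\.$//' | grep -qxF "$want"
}

# Query one server directly for one RR type; +norecurse so a recursive
# resolver that happens to be listed cannot paper over a missing zone.
ask() {             # $1 = server, $2 = zone, $3 = RR type
    dig +short +norecurse +time=3 +tries=1 @"$1" "$2" "$3"
}

check_zone() {      # $1 = zone, $2 = master, $3.. = secondaries
    zone=$1; master=$2; shift 2
    rc=0
    master_serial=$(ask "$master" "$zone" SOA | serial_from_soa)
    if [ -z "$master_serial" ]; then
        echo "$zone: master $master returned no SOA; cannot compare"
        return 1
    fi
    ns_in_zone=$(ask "$master" "$zone" NS)                  # NS RRset in the zone
    ns_delegated=$(dig +short +time=3 +tries=1 "$zone" NS)  # as the world sees it
    for sec in "$@"; do
        sec_serial=$(ask "$sec" "$zone" SOA | serial_from_soa)
        state=$(classify "$master_serial" "$sec_serial")
        echo "$zone: $sec serial=${sec_serial:-none} master=$master_serial $state"
        [ "$state" = OK ] || rc=1
        # The 'lame nameserver' case: still serving the zone but no longer listed.
        if ! printf '%s\n' "$ns_in_zone" | ns_listed "$sec"; then
            echo "$zone: $sec is NOT in the zone's NS RRset on $master (lame)"
            rc=1
        fi
        if ! printf '%s\n' "$ns_delegated" | ns_listed "$sec"; then
            echo "$zone: $sec is NOT in the delegation seen by the local resolver"
            rc=1
        fi
    done
    return $rc
}

# Runs only when given arguments, e.g. from cron (hypothetical hosts):
#   0 6 * * * /usr/local/sbin/check-secondaries.sh example.com 192.0.2.1 ns2.example.net
if [ $# -ge 3 ]; then
    check_zone "$@"
fi
```

The serial check catches the secondary that transfers fine but serves stale or no data; the two NS checks catch the quiet removal from the authoritative list that logcheck never sees. Querying each secondary directly with +norecurse matters: a secondary that has expired the zone but still recurses would otherwise hand back somebody else's answer and look healthy.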



More information about the Baylisa mailing list