On 26-Jul-18 19:46, Victoria Risk wrote:
> I have been told this is a very poor description of the problem.
>
> What I am concerned about is, how people with a sort of lazy zone file
> can assess the potential impact of QNAME minimization on their ability
> to answer for all of their zones.
>
> I have gotten two suggestions off list:
> - I would use named-checkzone to print the zone with all owner names
>   printed out and then use text processing tools
> - "dig ds -f list-of-zones". Those that return NXDOMAIN are likely
>   missing NS records.
>
> Any other ideas?
> Has anyone done this kind of housekeeping on their own zones?
>
>> On Jul 26, 2018, at 11:41 AM, Victoria Risk <vi...@isc.org> wrote:
>>
>> Does anyone know of a good tool that you can run on your DNS records
>> to find parent + child pairs where there is no NS record for the
>> child in the parent?
>>
>> Someone must have a perl script for that, right?
>>
>> Thank you for any suggestions.
>>
>> Vicky

If you want to do this validation with zone files, then text tools (e.g. Perl, awk, etc.) are a reasonable approach. It would not be particularly difficult, though you do have to handle include files. Rather than working from zone files, the easiest approach is to do a dig axfr to get the actual zone...
I tend to use dnsviz (http://dnsviz.net) and zonemaster (https://www.zonemaster.net/domain_check) for consistency checking. I don't tend to have issues with internal views because of the tools that I use to update my zones (they pretty much ensure that mistakes made there will also show up externally :-(). So the web checkers are my tools of choice.

But both dnsviz (https://github.com/dnsviz/dnsviz) and zonemaster (https://github.com/zonemaster/zonemaster) are on GitHub and can be run internally. Zonemaster is Perl; dnsviz is Python. Zonemaster requires a database (MySQL/MariaDB/PostgreSQL).

The web version of dnsviz is graphic, and has accessibility issues. Zonemaster is standard HTML and more suitable if you use a screen reader. dnsviz run locally has command line options that will do the analysis; see the GitHub readme.

Both tools do extensive checks (dnsviz is oriented around DNSSEC, but does many other checks). It's a good idea to run one or the other regardless of this issue. Actually, I run both.

Of course the usual caveats about stealth (unlisted) servers apply.

Timothe Litt
ACM Distinguished Engineer
--------------------------
This communication may not represent the ACM or my employer's views, if any, on the matters discussed.
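As an added example, not from this thread, from ISC, or from either tool mentioned above: the "dump the zone with named-checkzone, then text-process it" suggestion, written as a small Python script. It assumes each configured zone has been dumped in canonical one-record-per-line form with fully qualified owner names (what `named-checkzone -D zone file` or a `dig axfr` prints), takes the set of configured zone names from the dump keys, and reports every zone whose closest configured parent carries no NS RRset at the child's apex, together with the parent records that sit under that apex (the "lazy zone file" data that should have been delegated). The zone contents below are constructed sample data.

```python
"""Report configured child zones that their configured parent zone does not delegate to."""

import re
from typing import Dict, Iterable, List, Optional, Tuple

# Constructed sample dumps (NOT real zones): three zones served by the same
# server. example.com. delegates good.example.com. but not lazy.example.com.,
# and still carries a record under the undelegated child.
ZONE_DUMPS = {
    "example.com.": """\
example.com.            3600 IN SOA  ns1.example.com. hostmaster.example.com. 1 7200 3600 1209600 3600
example.com.            3600 IN NS   ns1.example.com.
ns1.example.com.        3600 IN A    192.0.2.1
good.example.com.       3600 IN NS   ns1.example.com.
host.lazy.example.com.  3600 IN A    192.0.2.2   ; belongs in lazy.example.com.
""",
    "good.example.com.": """\
good.example.com.       3600 IN SOA  ns1.example.com. hostmaster.example.com. 1 7200 3600 1209600 3600
good.example.com.       3600 IN NS   ns1.example.com.
www.good.example.com.   3600 IN A    192.0.2.3
""",
    "lazy.example.com.": """\
lazy.example.com.       3600 IN SOA  ns1.example.com. hostmaster.example.com. 1 7200 3600 1209600 3600
lazy.example.com.       3600 IN NS   ns1.example.com.
www.lazy.example.com.   3600 IN A    192.0.2.4
""",
}

CLASSES = {"IN", "CH", "HS", "ANY"}
TTL_RE = re.compile(r"\d+[smhdwSMHDW]?")  # numeric TTL, optionally with a unit suffix


def normalize(name: str) -> str:
    """Lower-case a domain name and make it fully qualified."""
    name = name.lower()
    return name if name.endswith(".") else name + "."


def parse_dump(text: str) -> List[Tuple[str, str]]:
    """Return (owner, rrtype) pairs from a one-record-per-line dump.

    Comments (;...) and blank lines are skipped; TTL and class are optional.
    Multi-line records (parentheses) are assumed to have been flattened by the
    dump tool, which is the case for canonical output."""
    records = []
    for line in text.splitlines():
        line = line.split(";", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        owner = normalize(fields[0])
        rest = fields[1:]
        # Skip the optional TTL and class tokens to reach the RR type.
        while rest and (TTL_RE.fullmatch(rest[0]) or rest[0].upper() in CLASSES):
            rest = rest[1:]
        if not rest:
            raise ValueError("no RR type on line: " + line)
        records.append((owner, rest[0].upper()))
    return records


def is_below(name: str, zone: str) -> bool:
    """True if name is strictly below zone, respecting label boundaries."""
    if zone == ".":
        return name != "."
    return name != zone and name.endswith("." + zone)


def parent_zone(zone: str, zones: Iterable[str]) -> Optional[str]:
    """Closest enclosing zone from the configured set, or None if there is none."""
    best = None
    for cand in zones:
        if is_below(zone, cand) and (best is None or len(cand) > len(best)):
            best = cand
    return best


def find_missing_delegations(dumps: Dict[str, str]) -> List[Tuple[str, str, List[str]]]:
    """For each configured zone with a configured parent, check that the parent
    has an NS RRset at the child's apex. Returns (child, parent, stranded_names)
    where stranded_names are owner names in the parent at or below the child apex."""
    zones = {normalize(z): parse_dump(t) for z, t in dumps.items()}
    problems = []
    for child in sorted(zones):
        parent = parent_zone(child, zones)
        if parent is None:
            continue
        parent_rrs = zones[parent]
        if any(owner == child and rtype == "NS" for owner, rtype in parent_rrs):
            continue  # properly delegated
        stranded = sorted({o for o, _ in parent_rrs if o == child or is_below(o, child)})
        problems.append((child, parent, stranded))
    return problems


if __name__ == "__main__":
    for child, parent, stranded in find_missing_delegations(ZONE_DUMPS):
        print(f"{parent} has no NS RRset for child zone {child}")
        for name in stranded:
            print(f"    data under child apex in parent file: {name}")
```

To run it against real zones, replace the constructed dumps with the output of `named-checkzone -D` (remembering that it resolves $INCLUDE for you) or `dig axfr` for each zone in your configuration; the script only looks at owner names and RR types, so rdata formatting does not matter.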
_______________________________________________
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users