On 5/2/17 8:39 AM, Kevin A. McGrail wrote:
On 5/2/2017 9:31 AM, Dave Jones wrote:

On 5/2/17 8:20 AM, Kevin A. McGrail wrote:
On 5/2/2017 9:14 AM, Dave Jones wrote:
My plan is to setup a script on sa-vm1.apache.org that would run daily and email if there are record differences since we don't have control of the public DNS servers.

I seem to remember that they might use cron syncs and not respond to notifies so expect FPs.

I realize there are some timings involved based on when a change is made but we shouldn't get FPs two days in a row. They should never get more than 24 hours behind. If they are running their cron jobs every 15 minutes per your notes/previous email, then the average is only going to be 7-8 minutes behind. The odds of an FP in this case should be pretty low. If this becomes an issue, I can add logic to the script to detect different serials and do a delayed retry an hour later or something.
That might not be accurate built on an assumption that they have 15 minute crons. Did I say 15 minutes?

I read some documentation somewhere or an email that said they did a zone transfer every 15 minutes via cron.
We publish releases every day so the zone changes every day. I do not know how often they run crons but the lag was not like it is with my name servers with slaves/public/hiddens with notify and fairly instant updates.

You are correct. A normal/healthy NOTIFY and zone transfer should be measured in milliseconds not minutes or hours.
We can work to improve it if Hyperreal and Sonic are game but I'm worried you are just going to have a script always saying we are out of sync.

I understand. I will have to see the normal cycle of things and adjust when to run the DNS check script and the logic in the script. Maybe it will need to exclude some records from the check that change too frequently. My intention was to catch things like the test DKIM TXT record that didn't exist at all.

If the slaves supported normal NOTIFY and zone transfers, then they would always be identical to the hidden master.

    From https://www.fefe.de/djbdns/

   My tinydns is running as a secondary for a BIND that sends me NOTIFY
   messages. How do I catch those and respond?

   tinydns logs NOTIFY queries like this:

   HexSourceIP:HexSourcePort:QID I 0006 domain.xy

   Set up log/run to single out these lines (multilog can do that) and
   act accordingly. Or take a look at this perl script someone posted
   to the mailing list once, which is a wrapper for multilog.

If they are still running tinydns, then there are options to monitor the log and perform the AXFR immediately to eliminate the lag, which is critical for healthy DNS hosting -- especially if there are frequent updates to records.

--
Dave
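
The check script discussed above, as an added example that is not the script Dave describes or any project code: it compares a hidden master's view of a zone with a public slave's, separates "the slave has not pulled the new serial yet" (a likely false positive, retry later) from "same serial but different data" (a real problem such as the missing DKIM TXT record), and only alerts when lag persists across two consecutive runs. The zone name example.org, the record contents and the serials are constructed; a real run would fill the two views by querying each server.

```python
"""Added example: classify a public slave's zone data against the hidden master.

All zone data here is constructed and no network access is made. In a real
run the two views would come from AXFR (where permitted) or per-record
queries against the master and each public slave.
"""
from collections import defaultdict
from typing import Dict, FrozenSet, List, Sequence, Tuple

# (owner, rrtype) -> set of rdata strings in presentation format
ZoneView = Dict[Tuple[str, str], FrozenSet[str]]

ZONE = "example.org."  # constructed zone name
DKIM_LINE = 'test._domainkey.example.org. 300 IN TXT "v=DKIM1; k=rsa; p=CONSTRUCTEDKEY"'

# Constructed: what the hidden master serves today.
MASTER_ZONE = "\n".join([
    "example.org. 3600 IN SOA hidden.example.org. hostmaster.example.org. 2017050201 3600 900 1209600 300",
    "example.org. 3600 IN NS ns1.example.org.",
    "example.org. 3600 IN MX 10 mx.example.org.",
    DKIM_LINE,
])
# Constructed: slave still on yesterday's serial, so the DKIM record is not there yet.
SLAVE_LAGGING = MASTER_ZONE.replace("2017050201", "2017050101").replace(DKIM_LINE, "")
# Constructed: slave claims today's serial but never got the DKIM record.
SLAVE_BROKEN = MASTER_ZONE.replace(DKIM_LINE, "")


def parse_zone(text: str) -> ZoneView:
    """Parse 'owner TTL class type rdata...' lines into a ZoneView."""
    view = defaultdict(set)
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        owner, _ttl, _cls, rtype, rdata = line.split(None, 4)
        view[(owner.lower(), rtype.upper())].add(rdata)
    return {k: frozenset(v) for k, v in view.items()}


def soa_serial(view: ZoneView, zone: str) -> int:
    (soa,) = view[(zone.lower(), "SOA")]  # exactly one SOA per zone
    return int(soa.split()[2])  # MNAME RNAME SERIAL REFRESH RETRY EXPIRE MINIMUM


def serial_newer(a: int, b: int) -> bool:
    """RFC 1982 serial arithmetic: True if a is newer than b (handles 32-bit wrap)."""
    return a != b and ((a - b) & 0xFFFFFFFF) < 0x80000000


Diff = Tuple[str, str, List[str], List[str]]  # owner, type, only-on-master, only-on-slave


def compare_views(master: ZoneView, slave: ZoneView, zone: str,
                  exclude_types: Sequence[str] = ("SOA",)) -> Tuple[str, List[Diff]]:
    """Classify the slave relative to the master.

    'lagging'      slave serial is older: a transfer is still pending, so treat
                   a difference as a probable false positive and re-check later.
    'out-of-sync'  serials match (or the slave is ahead) yet the data differs:
                   the slave is serving something the master did not publish.
    'in-sync'      nothing to report.
    exclude_types skips record types the operator knows churn too often.
    """
    diffs: List[Diff] = []
    for key in sorted(set(master) | set(slave)):
        if key[1] in exclude_types:
            continue
        m = master.get(key, frozenset())
        s = slave.get(key, frozenset())
        if m != s:
            diffs.append((key[0], key[1], sorted(m - s), sorted(s - m)))
    if serial_newer(soa_serial(master, zone), soa_serial(slave, zone)):
        return "lagging", diffs
    return ("out-of-sync" if diffs else "in-sync"), diffs


def alert_needed(history: Sequence[str]) -> bool:
    """Email only for a confirmed problem: the latest run is out-of-sync, or the
    slave was lagging on two consecutive (daily) runs, which a slave that
    transfers at least once a day should never produce."""
    if not history:
        return False
    if history[-1] == "out-of-sync":
        return True
    return len(history) >= 2 and history[-1] == history[-2] == "lagging"


if __name__ == "__main__":
    master = parse_zone(MASTER_ZONE)
    for label, text in (("lagging slave", SLAVE_LAGGING), ("broken slave", SLAVE_BROKEN)):
        verdict, diffs = compare_views(master, parse_zone(text), ZONE)
        print(f"{label}: {verdict}")
        for owner, rtype, only_master, only_slave in diffs:
            print(f"  {owner} {rtype}: missing on slave={only_master} extra on slave={only_slave}")
```

The serial comparison is what keeps the script honest about cron-driven slaves: a stale serial says "wait", while a matching serial with different data cannot be explained by lag and is worth an email on the first sighting.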

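The log-watching approach Dave points at (catching tinydns's "I 0006" NOTIFY lines and transferring the zone right away), as an added example that is not the perl wrapper mentioned on fefe.de or any project code: it parses the line format quoted above, accepts a NOTIFY only from a configured master address for a zone this host actually secondaries, and builds the djbdns transfer command without running it. The log lines, the master address 10.0.0.2, the served zones and the data directory are constructed assumptions.

```python
"""Added example: pick NOTIFY lines out of a tinydns log and decide which zones
to re-transfer.

Log lines are constructed. axfr_command() assumes the djbdns tools tcpclient
and axfr-get are installed and a data-file layout of <datadir>/<zone>.zone;
nothing here executes the command.
"""
import ipaddress
import re
from typing import Iterable, List, Optional, Set, Tuple

# tinydns marks requests with a non-zero opcode (NOTIFY is opcode 4) with 'I':
#     HexSourceIP:HexSourcePort:QID I 0006 domain.xy
# 0006 is the query type in hex (SOA), which is what a NOTIFY carries.
# multilog may prefix each line with a tai64n timestamp (@ plus 24 hex digits).
NOTIFY_RE = re.compile(
    r"^(?:@[0-9a-f]{24} )?"
    r"([0-9a-f]{8}):([0-9a-f]{4}):([0-9a-f]{4}) I ([0-9a-f]{4}) (\S+)$"
)
SOA_TYPE = 0x0006

# Constructed log: two NOTIFYs from the master for example.org (one with a
# trailing dot), one from an unknown host, one for a zone we do not serve,
# and an ordinary query that must be ignored.
SAMPLE_LOG = """\
@4000000059089dc02f1d6be4 0a000002:d3e8:1a2b I 0006 example.org
@4000000059089dc02f1d7a10 0a000002:d3e8:1a2c I 0006 example.org.
@4000000059089dc130f2a8b4 c0a80101:c351:77aa I 0006 example.org
@4000000059089dc201a3b4c5 0a000002:d3e9:1a2d I 0006 example.net
0a000002:d3e8:1a2e + 0001 www.example.org
"""
MASTERS = {"10.0.0.2"}                 # constructed: the hidden master's address
SERVED = {"example.org", "example.com"}  # constructed: zones this slave carries


def parse_notify(line: str) -> Optional[Tuple[str, int, int, str]]:
    """Return (source_ip, source_port, qtype, zone) for an 'I' line, else None."""
    m = NOTIFY_RE.match(line.strip())
    if not m:
        return None
    ip = str(ipaddress.IPv4Address(int(m.group(1), 16)))  # 0a000002 -> 10.0.0.2
    port = int(m.group(2), 16)
    qtype = int(m.group(4), 16)
    zone = m.group(5).lower().rstrip(".")
    return ip, port, qtype, zone


def zones_to_refresh(lines: Iterable[str], masters: Set[str], served: Set[str]) -> List[str]:
    """Zones that got a NOTIFY from a known master and that this host secondaries.

    Filtering on the source address matters: NOTIFY is unauthenticated UDP, so
    without it anyone could make the slave hammer the master with AXFRs.
    Duplicate NOTIFYs for one zone collapse into a single transfer.
    """
    wanted: Set[str] = set()
    for line in lines:
        parsed = parse_notify(line)
        if parsed is None:
            continue
        ip, _port, qtype, zone = parsed
        if qtype == SOA_TYPE and ip in masters and zone in served:
            wanted.add(zone)
    return sorted(wanted)


def axfr_command(zone: str, master_ip: str, datadir: str = "/etc/tinydns/root") -> List[str]:
    """djbdns-style pull: tcpclient opens the TCP connection to the master and
    axfr-get fetches the zone over it, writing tinydns-data format to the
    output file via the .tmp file (directory layout is an assumption)."""
    out = f"{datadir}/{zone}.zone"
    return ["tcpclient", master_ip, "53", "axfr-get", zone, out, out + ".tmp"]


if __name__ == "__main__":
    for zone in zones_to_refresh(SAMPLE_LOG.splitlines(), MASTERS, SERVED):
        print(" ".join(axfr_command(zone, next(iter(MASTERS)))))
```

Wired under multilog (or tailing the log) this closes the gap between the master's change and the slave's copy without waiting for a cron slot; the remaining work after a transfer is re-running tinydns-data so the new records are served.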