On 27-Oct-2006, at 01:17, Sam Sargeant wrote:
> I'd like to see a tool where a variety of local nameservers were queried for a given domain, so any disagreements are immediately obvious. Does such a tool exist already, or does anyone have a list of common authoritative nameservers for NZ?

If you have access to the *.NZ zones (I seem to remember there's a mechanism for getting access to them so long as you are prepared to declare that you will Do No Evil) then pulling it out of cron and diffing against the previous copy ought to reveal delegation changes. Sending queries to the old servers to see whether they still respond authoritatively is then fairly trivial to script.

This could be done for all zones as a public service, or you could check just those zones which have been re-delegated to your own nameservers if you want a summary of problems your own customers are about to have.

Checking your own nameservers is straightforward to automate. For example, you could run the following out of cron every night, and fix up any errors that appear in your mail the following morning. If everybody did this (ho ho) there would be no need for any centralised checking.

[monster:~]% ./stalezone.sh named.conf a.ns.hopcount.ca
16.21.202.in-addr.arpa may not be delegated to a.ns.hopcount.ca
5.1.1.1.0.0.f.1.0.7.4.0.1.0.0.2.ip6.arpa may not be delegated to a.ns.hopcount.ca
5.1.1.1.0.0.f.1.0.7.4.0.1.0.0.2.ip6.int may not be delegated to a.ns.hopcount.ca
7.f.f.f.f.f.f.1.8.3.4.0.1.0.0.2.ip6.arpa may not be delegated to a.ns.hopcount.ca
7.f.f.f.f.f.f.1.8.3.4.0.1.0.0.2.ip6.int may not be delegated to a.ns.hopcount.ca
automagic.ca may not be delegated to a.ns.hopcount.ca
broadlinknz.net may not be delegated to a.ns.hopcount.ca
crypto.net may not be delegated to a.ns.hopcount.ca
desalis.gen.nz may not be delegated to a.ns.hopcount.ca
elyt.com may not be delegated to a.ns.hopcount.ca
entropy.co.nz may not be delegated to a.ns.hopcount.ca
f00f.org may not be delegated to a.ns.hopcount.ca
fx.net.nz may not be delegated to a.ns.hopcount.ca
fxeng.net.nz may not be delegated to a.ns.hopcount.ca
jackieandsimon.org may not be delegated to a.ns.hopcount.ca
linux.org.nz may not be delegated to a.ns.hopcount.ca
moronium.org may not be delegated to a.ns.hopcount.ca
nlri.ca may not be delegated to a.ns.hopcount.ca
nzix.net may not be delegated to a.ns.hopcount.ca
prng.net may not be delegated to a.ns.hopcount.ca
procurio.net may not be delegated to a.ns.hopcount.ca
search.net.nz may not be delegated to a.ns.hopcount.ca
stupidest.org may not be delegated to a.ns.hopcount.ca
unwired.net.fj may not be delegated to a.ns.hopcount.ca
wedgwood.info may not be delegated to a.ns.hopcount.ca
[monster:~]%

So, I guess I should actually be following my own advice. There will be a brief delay while I do some housekeeping :-)

Joe

#!/bin/sh
#
# stalezone.sh
#
# For each zone declared in a named.conf, follow the delegation from the
# root and warn if the given nameserver never appears in the trace.

# Print an error on stderr and exit non-zero.
fail() {
  echo "$1" >&2
  exit 1
}

test $# -eq 2 || fail "Syntax: $(basename "$0") conf_file name_of_nameserver"

conf=$1
test -f "${conf}" || fail "Cannot read ${conf}"

ns=$2
host "${ns}" >/dev/null 2>&1 || fail "No such nameserver ${ns}"

# Zone names are the second field of each 'zone "name" {' line.
awk '/^zone / { print $2; }' "${conf}" | tr -d \" | \
  while read -r zone; do
    # -F matches the nameserver name literally rather than as a regex.
    test -z "$(dig +trace "${zone}" NS 2>/dev/null | grep -iF "${ns}")" && \
      echo "${zone} may not be delegated to ${ns}"
  done
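
The procedure in the first paragraph of the reply (diff two copies of a zone, then ask the servers that were dropped whether they still answer authoritatively), as an added example that is not part of the original message. It assumes snapshot files with one fully-qualified "owner [ttl] [class] NS target" record per line; the function names are hypothetical.

```shell
#!/bin/sh
# Added example, not from the original message.
LC_ALL=C; export LC_ALL   # keep sort and comm in the same collation order

# ns_pairs FILE: print sorted "zone nameserver" pairs from the NS records,
# lowercased and without trailing dots. Assumes one record per line.
ns_pairs() {
    awk '{
        for (i = 2; i < NF; i++)
            if (toupper($i) == "NS") {
                z = tolower($1); n = tolower($(i + 1))
                sub(/\.$/, "", z); sub(/\.$/, "", n)
                print z, n
                break
            }
    }' "$1" | sort -u
}

# dropped_pairs OLD NEW: pairs delegated in OLD that are absent from NEW.
dropped_pairs() {
    old=$(mktemp) && new=$(mktemp) || return 1
    ns_pairs "$1" > "$old"
    ns_pairs "$2" > "$new"
    comm -23 "$old" "$new"
    rm -f "$old" "$new"
}

# is_authoritative: read dig output on stdin and succeed if the response
# header carries the aa (authoritative answer) flag.
is_authoritative() {
    grep -Eq '^;; flags:[^;]* aa[ ;]'
}

# check_stale OLD NEW: query every dropped server directly, without recursion,
# and report those that still claim authority. Needs dig and network access.
check_stale() {
    dropped_pairs "$1" "$2" | while read -r zone ns; do
        if dig +norecurse +time=3 +tries=1 "$zone" SOA "@$ns" 2>/dev/null |
            is_authoritative; then
            echo "$zone: $ns was dropped from the delegation but still answers authoritatively"
        fi
    done
}

# Usage: ./delegdiff.sh yesterday.zone today.zone
if [ "$#" -eq 2 ]; then
    check_stale "$1" "$2"
fi
```

A dropped server that still sets aa is serving a stale copy of the zone, so any resolver holding the old NS set in cache gets old data until its TTL runs out.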