Hello,
As you may be aware, BitFolk offers free authoritative DNS services
to VPS customers. This is provided by means of the BitFolk DNS
servers taking a zone transfer (AXFR) from the customer's name
server.
As part of this service we monitor the customer's name server as a
matter of course. That's because it saves everyone's time to know
where any problems lie.
What we currently monitor:
- Customer's server responds on TCP/53
- Query of server for SOA record of the customer's domain produces
a positive, authoritative response
That's pretty good but it misses one class of misconfiguration:
where a customer's name server is misconfigured to refuse zone
transfer from BitFolk's servers.
That's pretty obvious the first time the zone slaving is set up, but
if it happens afterwards then it relies on customers spotting
anomalies in their log files.
If it isn't fixed, then once the "expire" setting of the SOA record is
reached (generally 1-2 weeks for most domains) our name servers
will no longer respond to queries for the customer's domain. This
may come as a shock to the customer. At this point alerts will start
firing for us and we'll probably have to open a ticket.
I would really rather not have to open a ticket either when I spot
the refused AXFRs in my logs, or when I start getting alerts. I
would rather the customer got alerts as soon as AXFRs start failing.
The problem is I can't think of a way to check that AXFR works
without doing an AXFR. :) Can anyone else?
Alternatively, if BitFolk's Nagios tried an AXFR say once a day for
each of your zones would you consider that excessive?
Cheers,
Andy
--
http://bitfolk.com/ -- No-nonsense VPS hosting
"I am the permanent milk monitor of all hobbies!" -- Simon Quinlank
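An added worked example, not part of the post and not BitFolk's monitoring code: a stdlib-only Python check that shows both approaches the post weighs. `classify_axfr` gives a Nagios-style verdict on the first message a name server returns to an AXFR (a REFUSED rcode is exactly the misconfiguration described), and `serial_lag_status` is one way to watch zone health without transferring anything, by comparing the SOA serial seen on the master with the one on the secondary and grading the lag against the zone's own refresh, retry and expire values. The zone `example.com`, the hosts `ns1.example.com` and `hostmaster.example.com`, the serial and timer values, and the sample replies are all constructed placeholders; only the wire format follows RFC 1035.

```python
# Added example, not BitFolk's code: zone and host names below are placeholders.
import socket
import struct

QTYPE_SOA, QTYPE_AXFR = 6, 252
RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN",
          4: "NOTIMP", 5: "REFUSED", 9: "NOTAUTH"}

def encode_name(name):
    """Dotted name -> uncompressed DNS wire labels."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in labels) + b"\x00"

def build_query(name, qtype, txid=0x1234):
    """12-byte header with all flags clear, then one question (IN class)."""
    return (struct.pack(">HHHHHH", txid, 0, 1, 0, 0, 0)
            + encode_name(name) + struct.pack(">HH", qtype, 1))

def read_name(msg, off):
    """Decode a possibly compressed name; return (name, offset after it)."""
    labels, end = [], None
    while True:
        length = msg[off]
        if (length & 0xC0) == 0xC0:           # compression pointer
            end = off + 2 if end is None else end
            off = struct.unpack(">H", msg[off:off + 2])[0] & 0x3FFF
            continue
        if length == 0:
            off += 1
            break
        labels.append(msg[off + 1:off + 1 + length].decode("ascii"))
        off += 1 + length
    return ".".join(labels) + ".", off if end is None else end

def parse_response(msg):
    """Return rcode name, AA bit and answers [(name, type, rdata)], SOA decoded."""
    _, flags, qd, an, _, _ = struct.unpack(">HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):                       # skip the echoed question
        _, off = read_name(msg, off)
        off += 4
    answers = []
    for _ in range(an):
        name, off = read_name(msg, off)
        rtype, _, _, rdlen = struct.unpack(">HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        if rtype == QTYPE_SOA:                # MNAME, RNAME, then five u32 fields
            _, o = read_name(msg, off)
            _, o = read_name(msg, o)
            keys = ("serial", "refresh", "retry", "expire", "minimum")
            rdata = dict(zip(keys, struct.unpack(">IIIII", msg[o:o + 20])))
        answers.append((name, rtype, rdata))
        off += rdlen
    return {"rcode": RCODES.get(flags & 0x0F, str(flags & 0x0F)),
            "aa": bool(flags & 0x0400), "answers": answers}

def classify_axfr(msg):
    """Nagios-style verdict on the first message a server returns to an AXFR."""
    r = parse_response(msg)
    if r["rcode"] != "NOERROR":
        return "CRITICAL", "AXFR %s" % r["rcode"]
    soas = [a for a in r["answers"] if a[1] == QTYPE_SOA]
    if not soas:
        return "CRITICAL", "no SOA in first AXFR message"
    return "OK", "AXFR started at serial %d" % soas[0][2]["serial"]

def serial_lag_status(master_soa, secondary_soa, behind_for):
    """Check without a transfer: compare SOA serials on master and secondary.
    behind_for is how many seconds the secondary has lagged the master."""
    if secondary_soa["serial"] == master_soa["serial"]:
        return "OK"
    if behind_for < master_soa["refresh"] + master_soa["retry"]:
        return "OK"                           # one normal refresh should fix it
    if behind_for < master_soa["expire"]:
        return "WARNING"                      # still serving, but heading for expiry
    return "CRITICAL"                         # past expire: secondary has gone lame

def tcp_query(server, query, port=53, timeout=10):
    """Send one length-prefixed query over TCP and return the first reply."""
    with socket.create_connection((server, port), timeout=timeout) as s:
        s.sendall(struct.pack(">H", len(query)) + query)
        f = s.makefile("rb")
        (n,) = struct.unpack(">H", f.read(2))
        return f.read(n)

def sample_responses():
    """Constructed replies for a placeholder zone (not captured traffic)."""
    q = encode_name("example.com") + struct.pack(">HH", QTYPE_AXFR, 1)
    soa = (encode_name("ns1.example.com") + encode_name("hostmaster.example.com")
           + struct.pack(">IIIII", 2024010101, 3600, 900, 1209600, 300))
    rr = b"\xC0\x0C" + struct.pack(">HHIH", QTYPE_SOA, 1, 3600, len(soa)) + soa
    return {"refused": struct.pack(">HHHHHH", 0x1234, 0x8005, 1, 0, 0, 0) + q,
            "ok": struct.pack(">HHHHHH", 0x1234, 0x8400, 1, 1, 0, 0) + q + rr}

if __name__ == "__main__":
    for label, raw in sample_responses().items():
        print(label, classify_axfr(raw))
```

Against a real customer server the daily check the post proposes would be `classify_axfr(tcp_query(server, build_query(zone, QTYPE_AXFR)))`, and an AXFR only ever needs the first message to decide OK versus REFUSED, so the connection can be dropped after it. For the serial comparison, query SOA on the master and on each secondary with `build_query(zone, QTYPE_SOA)`, feed the decoded rdata to `serial_lag_status`, and track how long the serials have differed; the thresholds come from the zone's own SOA timers rather than a fixed number of days, so a zone with a one-week expire is flagged well before the secondaries stop answering.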