[conspire] (forw) [BALUG-Admin] Weekly cron job to check on my domains' nameservers

Rick Moen rick at linuxmafia.com
Fri Sep 8 11:38:26 PDT 2023


Behind the scenes.

There's often a "boiling frog" problem with the authoritative DNS for
one's domains.  You set everything up with secondaries ("slaves")
serving up your master nameserver's DNS data (following its lead), and
then _most_ domain owners just never check that everything's still OK.
The problem is, of course, that if one of your secondaries goes wonky or
disappears, the problem's invisible.  One LUG in Santa Cruz had its 
zone ("scruz.org") served by one master nameserver (mine) and six
secondaries.  Over several years, each of the six secondaries flaked off
in sundry ways, and none of the LUG members noticed (nor did I) as their
DNS redundancy got thinner and thinner.  One night during a lightning
storm, my house lost electric power overnight, and, during my downtime, 
the LUG members _finally_ noticed that their domain didn't resolve --
and _complained_ about my DNS(!).  

Which was ironic, because the master nameserver (mine) was literally the
only one that hadn't flaked out, and was offline only because of absence
of electricity.

Anyway, that incident reminded me that "Everything must be fine if you
aren't noticing symptoms" is always a bad idea, and I wrote the
referenced perfunctory weekly domain-DNS-checking script for my own two
domains.

----- Forwarded message from Rick Moen <rick at linuxmafia.com> -----

Date: Fri, 8 Sep 2023 11:23:05 -0700
From: Rick Moen <rick at linuxmafia.com>
To: balug-admin at lists.balug.org
Subject: [BALUG-Admin] Weekly cron job to check on my domains' nameservers
Organization: If you lived here, you'd be $HOME already.

Last night, I tidied up my perfunctory weekly cron job that
checks on master & all slave nameservers for my two domains, making the
script itself more terse and easier to read, along with eliminating some
undesired junk report output.  The revised Bourne script and its current
output follow, below.

And, if anyone feels like helping improve it more, that'd be cool.

As you'll see, I was lazy in my design & implementation, for which I
make no apology: A good-enough implementation you complete beats a
better one you never quite get to, every time.  And yet, it could be a
lot better.

One obvious misfeature is that the script output says (figuratively)
"Here's the five nameservers you ought to see; if any are missing,
something is wrong", but a _better_ script would simply use shell logic
to report, for each of the five, _either_ its returned zonefile S/N _or_
the fact that it doesn't respond.  For extra credit, disagreement about
the S/N could be somehow highlighted rather than left for the reader to
vgrep.

Maybe, I dunno, state the master nameserver's S/N first, and then
for each of the slaves say either "$FOO: agrees", "$FOO: no response",
or "$FOO: is a rebel and says $BAR".  Or, _even better_, if (as should
be the case routinely) all nameservers are in agreement, say "All
$N nameservers report $BAR", and cite details only in the exceptional case
needing attention, where there are nonresponses or disagreements.

In general, my sense is that one wants to have much terser output when 
results are normal and expected:  Ideally, the report's substance
should be either "Everything's cool this week" or "Some things are off
this week, details below."

E.g., a well-tuned logcheck report deliberately doesn't tell you
anything about the many things going on that are routine, so that
non-routine and possibly worrying things will stand out better.


I'm also dissatisfied with the results of parsing out "Name Server" 
lines from /usr/bin/whois output:  Notice the auth. nameserver roster 
is reported twice, once in all-caps, once in lower case.  Why?  Because
"whois linuxmafia.com" (or same for unixmercenary.net) _itself_ reports
the output from registrar whois server whois.1api.net twice in a row,
in two stanzas, first without domain stakeholder contacts, the second
time with them.  I really have no idea why the latter is the case.
Maybe the registrar whois servers are just unfixably funky:  I know from
messing around with Perl script d-check and its predecessor domain-check 
that the registrars mess around with whois output at unpredictable
intervals.  Maybe I should just be happy that the service exists, at
all:  A lot of Internet money people keep wanting to kill public whois,
because of course it's not a profit centre (despite newer Web-mediated
whois that can clot you down with ads).


And last, notice that each of the four reported "dig" output sections
is prefaced by three lines of comments declaring the dig version,
the command line dig is processing, then "(1 server found)", then 
"global options:  printcmd".  I kept playing last night with "+no$FOO"
options, trying to eliminate those from what dig reported, and didn't 
find the answer.  One perversity "dig" has is that it appears to answer
a bit differently when run at the command line vs. in a shell script.

Of course, I could just pipe the output through a GNU sed filter that 
strips out lines starting with ";", but I keep feeling sheepish about
not knowing the magic for tersifying "dig" output more, in scripts.

Oh, and also, my "+no$FOO" experiment gave different results from
queries of the parent-zone NS records vs. queries of in-zone NS records, 
as to how much undesired junk output got eliminated.  That's why the
current script uses different sets of flags for the two "dig" use-cases.
I don't entirely understand why this is the case; I don't think I was
hallucinating, but obviously there are complexities to taming "dig"'s
output verbosity that I haven't yet mastered.
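The three improvements sketched above (master S/N first and a one-line summary when every slave agrees, de-duplicating the twice-printed whois roster, and stripping dig's ";" comment lines) can be written as a handful of small Bourne-shell functions. What follows is an added example, not the /etc/cron.weekly/mydomains script below or anything Rick posted; the example.com host names, the dig +time/+tries timeouts and the $SOA_LOOKUP indirection (which lets a constructed answer set stand in for dig so the logic can be checked offline) are the example's own assumptions. One note on the dig header: in older dig versions the "; <<>> DiG" block is printed as soon as the query name is parsed, so +nocmd only takes effect when it precedes the name; the header in the report below, where +nocmd trails the name, is consistent with that.

```shell
#!/bin/sh
# Added example, not Rick Moen's cron script: the terser SOA-serial report he
# sketches, plus two small filters for the whois and dig output he complains
# about.  Zone, master and slave list are assumed to be passed in by the
# caller; the example.com names used in comments and in testing are made up.

# soa_serial NS ZONE
#   Print the SOA serial that NS returns for ZONE (field 3 of "dig +short"
#   SOA output); print nothing if NS does not answer.  +time/+tries keep one
#   dead secondary from stalling the whole weekly report.
soa_serial() {
    dig @"$1" "$2" SOA +short +time=3 +tries=1 2>/dev/null | awk 'NR == 1 { print $3 }'
}

# serial_report ZONE MASTER SLAVE...
#   Query the master first, then classify every slave as "agrees",
#   "no response" or "is a rebel and says N".  When all agree, print one
#   summary line; print per-server details only when something is off.
#   Returns 0 when all agree, 1 otherwise (useful for a cron wrapper that
#   mails only on failure).  The lookup is indirected through $SOA_LOOKUP so
#   an offline stand-in for dig can be substituted when testing.
serial_report() {
    zone=$1; master=$2; shift 2
    lookup=${SOA_LOOKUP:-soa_serial}
    master_sn=$("$lookup" "$master" "$zone")
    if [ -z "$master_sn" ]; then
        echo "$zone: master $master: no response (cannot compare slaves)"
        return 1
    fi
    problems=0
    details=""
    for ns in "$@"; do
        sn=$("$lookup" "$ns" "$zone")
        if [ -z "$sn" ]; then
            details="$details
  $ns: no response"
            problems=$((problems + 1))
        elif [ "$sn" != "$master_sn" ]; then
            details="$details
  $ns: is a rebel and says $sn"
            problems=$((problems + 1))
        else
            details="$details
  $ns: agrees"
        fi
    done
    if [ "$problems" -eq 0 ]; then
        echo "$zone: all $(( $# + 1 )) nameservers report $master_sn"
        return 0
    fi
    echo "$zone: master $master says $master_sn; $problems of $# slaves need attention:$details"
    return 1
}

# whois_nameservers
#   Read whois text on stdin.  The registrar prints the "Name Server:" roster
#   twice (once upper-case, once lower-case, sometimes with a glue address
#   appended), so fold case, keep only the host name and drop duplicates.
#   LC_ALL=C makes the sort order independent of the cron environment's locale.
whois_nameservers() {
    awk -F: '/Name Server/ { split($2, f, " "); print tolower(f[1]) }' | LC_ALL=C sort -u
}

# strip_dig_comments
#   Read dig output on stdin and keep only resource records, dropping the
#   ";"-prefixed header/comment lines and blank lines.  This is the sed
#   fallback mentioned in the message; with a dig that honours it, putting
#   +nocmd before the query name avoids the header in the first place.
strip_dig_comments() {
    sed -e '/^;/d' -e '/^$/d'
}

# Weekly use (needs network access), with the page's own zone and servers:
#   serial_report linuxmafia.com ns1.linuxmafia.com. ns.primate.net. ns.tx.primate.net. ns3.linuxmafia.com. ns0.sunnyside.com.
#   dig +nocmd @"$(dig com. NS +short | head -n 1)" linuxmafia.com. NS +noall +auth | strip_dig_comments
#   whois linuxmafia.com | whois_nameservers
```

Because serial_report exits non-zero only when something is out of step, the cron wrapper can send mail solely in that case and stay silent in the routine week, which is the logcheck-style behaviour described above.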


---<begin /etc/cron.weekly/mydomains contents>---


#!/bin/sh

# mydomains     Cron script to sanity-check my domains' SOA records at
#               all of their authoritative nameservers, as a quick and 
#               dirty way of making sure (1) they're all online and
#               (2) they're all serving up the same data (or at least
#               data with the same zonefile serial number).
#  
#               The script queries all nameservers for their current
#               SOA value, and then uses awk to parse out of that 
#               verbose record just the S/N field, which is field #3.  
#               The point is that you can visually spot offline or 
#               aberrant nameservers by their S/Ns being (respectively) 
#               missing or an out-of-step value.
#
#		Written by Rick Moen (rick at linuxmafia.com)
#		$Id: cron.weekly,v 1.07 2023/09/08 00:23:00 rick
# Copyright (C) Rick Moen, 2011-2023.  Do anything you want with this work.

set -o errexit  #aka "set -e": exit if any line returns non-true value
set -o nounset  #aka "set -u": exit upon finding an uninitialised variable

test -x /usr/bin/mail || exit 0
test -x /usr/bin/whois || exit 0
test -x /usr/bin/awk || exit 0
test -x /bin/grep || exit 0
test -x /usr/bin/dig || exit 0


{
echo "As of 2023-09-08, linuxmafia.com should show five authoritative nameservers:"
echo ""
echo "ns.primate.net. 198.144.194.12, (Aaron T. Porter)"
echo "ns.tx.primate.net. 72.249.38.88 (Aaron T. Porter)"
echo "ns3.linuxmafia.com. 107.204.234.170, aka ns.catwhisker.org (David Wolfskill)"
echo "ns0.sunnyside.com. 192.147.248.10 (Al Whaley)"
echo "ns1.linuxmafia.com. 96.95.217.99 (Rick Moen)"
echo ""
echo "As of 2023-09-08, unixmercenary.net should show five authoritative nameservers:"
echo ""
echo "ns.primate.net. 198.144.194.12, (Aaron T. Porter)"
echo "ns.tx.primate.net. 72.249.38.88 (Aaron T. Porter)"
echo "ns3.linuxmafia.com. 107.204.234.170, aka ns.catwhisker.org (David Wolfskill)"
echo "ns0.sunnyside.com. 192.147.248.10 (Al Whaley)"
echo "ns1.linuxmafia.com. 96.95.217.99 (Rick Moen)"
echo ""
echo "If any is missing from reports below, or produces odd data, something is wrong."
echo ""
echo "Zonefile S/Ns, linuxmafia.com:"
echo ""
for i in $(dig linuxmafia.com. NS +short); do dig @$i linuxmafia.com. soa +short | awk '{ print $3 " on '$i'"}'; done
echo ""
echo "Zonefile S/Ns, unixmercenary.net:"
echo ""
for i in $(dig unixmercenary.net. NS +short); do dig @$i unixmercenary.net. soa +short | awk '{ print $3 " on '$i'"}'; done
echo ""
echo "Authoritative nameservers from whois, linuxmafia.com:"
echo ""
whois linuxmafia.com | grep 'Name Server' | awk -F: '{ print $2 }' 
echo ""
echo "Authoritative nameservers from whois, unixmercenary.net:"
echo ""
whois unixmercenary.net | grep 'Name Server' | awk -F: '{ print $2 }' 
echo ""
echo "Parent-zone NS records, linuxmafia.com:"
echo ""
dig @$(dig com. NS +short | head -n 1) linuxmafia.com. NS +noall +auth
echo ""
echo "Parent-zone NS records, unixmercenary.net:"
echo ""
dig @$(dig net. NS +short | head -n 1) unixmercenary.net. NS +noall +auth
echo ""
echo "In-domain NS records, linuxmafia.com:"
echo ""
dig @ns1.linuxmafia.com. linuxmafia.com. ns +nocomments +noadd +nocmd +noquestion +noqr +nostats
echo ""
echo "In-domain NS records, unixmercenary.net:"
echo ""
dig @ns1.linuxmafia.com. unixmercenary.net. ns +nocomments +noadd +nocmd +noquestion +noqr +nostats

} |
mail -s "Domains linuxmafia.com and unixmercenary.net SOA check" rick@linuxmafia.com


---<end>


----- Forwarded message from root <root at linuxmafia.com> -----

Date: Fri, 08 Sep 2023 10:27:59 -0700
From: root <root at linuxmafia.com>
To: rick at linuxmafia.com
Subject: Domains linuxmafia.com and unixmercenary.net SOA check

As of 2023-09-08, linuxmafia.com should show five authoritative nameservers:

ns.primate.net. 198.144.194.12, (Aaron T. Porter)
ns.tx.primate.net. 72.249.38.88 (Aaron T. Porter)
ns3.linuxmafia.com. 107.204.234.170, aka ns.catwhisker.org (David Wolfskill)
ns0.sunnyside.com. 192.147.248.10 (Al Whaley)
ns1.linuxmafia.com. 96.95.217.99 (Rick Moen)

As of 2023-09-08, unixmercenary.net should show five authoritative nameservers:

ns.primate.net. 198.144.194.12, (Aaron T. Porter)
ns.tx.primate.net. 72.249.38.88 (Aaron T. Porter)
ns3.linuxmafia.com. 107.204.234.170, aka ns.catwhisker.org (David Wolfskill)
ns0.sunnyside.com. 192.147.248.10 (Al Whaley)
ns1.linuxmafia.com. 96.95.217.99 (Rick Moen)

If any is missing from reports below, or produces odd data, something is wrong.

Zonefile S/Ns, linuxmafia.com:

2022041200 on ns3.linuxmafia.com.
2022041200 on ns.primate.net.
2022041200 on ns.tx.primate.net.
2022041200 on ns0.sunnyside.com.
2022041200 on ns1.linuxmafia.com.

Zonefile S/Ns, unixmercenary.net:

2022040401 on ns.primate.net.
2022040401 on ns.tx.primate.net.
2022040401 on ns3.linuxmafia.com.
2022040401 on ns0.sunnyside.com.
2022040401 on ns1.linuxmafia.com.

Authoritative nameservers from whois, linuxmafia.com:

 NS.PRIMATE.NET
 NS.TX.PRIMATE.NET
 NS0.SUNNYSIDE.COM
 NS1.LINUXMAFIA.COM
 NS3.LINUXMAFIA.COM
 ns0.sunnyside.com
 ns1.linuxmafia.com 96.95.217.99
 ns.primate.net
 ns.tx.primate.net
 ns3.linuxmafia.com 107.204.234.170

Authoritative nameservers from whois, unixmercenary.net:

 NS.PRIMATE.NET
 NS.TX.PRIMATE.NET
 NS0.SUNNYSIDE.COM
 NS1.LINUXMAFIA.COM
 NS3.LINUXMAFIA.COM
 ns0.sunnyside.com
 ns1.linuxmafia.com 96.95.217.99
 ns.primate.net
 ns.tx.primate.net
 ns3.linuxmafia.com 107.204.234.170

Parent-zone NS records, linuxmafia.com:


; <<>> DiG 9.4.2 <<>> @f.gtld-servers.net. linuxmafia.com. NS +noall +auth
; (1 server found)
;; global options:  printcmd
linuxmafia.com.		172800	IN	NS	ns0.sunnyside.com.
linuxmafia.com.		172800	IN	NS	ns1.linuxmafia.com.
linuxmafia.com.		172800	IN	NS	ns.primate.net.
linuxmafia.com.		172800	IN	NS	ns.tx.primate.net.
linuxmafia.com.		172800	IN	NS	ns3.linuxmafia.com.

Parent-zone NS records, unixmercenary.net:


; <<>> DiG 9.4.2 <<>> @k.gtld-servers.net. unixmercenary.net. NS +noall +auth
; (1 server found)
;; global options:  printcmd
unixmercenary.net.	172800	IN	NS	ns0.sunnyside.com.
unixmercenary.net.	172800	IN	NS	ns1.linuxmafia.com.
unixmercenary.net.	172800	IN	NS	ns.primate.net.
unixmercenary.net.	172800	IN	NS	ns.tx.primate.net.
unixmercenary.net.	172800	IN	NS	ns3.linuxmafia.com.

In-domain NS records, linuxmafia.com:


; <<>> DiG 9.4.2 <<>> @ns1.linuxmafia.com. linuxmafia.com. ns +nocomments +noadd +nocmd +noquestion +noqr +nostats
; (1 server found)
;; global options:  printcmd
linuxmafia.com.		86400	IN	NS	ns.primate.net.
linuxmafia.com.		86400	IN	NS	ns0.sunnyside.com.
linuxmafia.com.		86400	IN	NS	ns.tx.primate.net.
linuxmafia.com.		86400	IN	NS	ns3.linuxmafia.com.
linuxmafia.com.		86400	IN	NS	ns1.linuxmafia.com.

In-domain NS records, unixmercenary.net:


; <<>> DiG 9.4.2 <<>> @ns1.linuxmafia.com. unixmercenary.net. ns +nocomments +noadd +nocmd +noquestion +noqr +nostats
; (1 server found)
;; global options:  printcmd
unixmercenary.net.	86400	IN	NS	ns.primate.net.
unixmercenary.net.	86400	IN	NS	ns1.linuxmafia.com.
unixmercenary.net.	86400	IN	NS	ns0.sunnyside.com.
unixmercenary.net.	86400	IN	NS	ns3.linuxmafia.com.
unixmercenary.net.	86400	IN	NS	ns.tx.primate.net.

----- End forwarded message -----

_______________________________________________
BALUG-Admin mailing list
BALUG-Admin at lists.balug.org
https://lists.balug.org/cgi-bin/mailman/listinfo/balug-admin

----- End forwarded message -----
