[sf-lug] Notice: ns1.svlug.org downtime, DNS secondary
Rick Moen
rick at linuxmafia.com
Sat Nov 13 15:02:49 PST 2021

Quoting Michael Paoli (Michael.Paoli at cal.berkeley.edu):

> SF-LUG's non-canonical names have NS delegating authority records
> that include ns1.svlug.org. Perhaps not critical, but would be
> best to remove those records for now - would reduce DNS latency and
> possibly other issues, e.g. lame response before ns1.svlug.org. is
> slave/secondary again but after it's again a DNS server on The Internet.

Basic rule of thumb: You always want the NS records served in-zone to
match those in the parent zone (the ones edited at the registrar).
A mismatch produces either a stealth nameserver or a lame nameserver.
Either is at least a minor problem. Catching such developments, e.g.,
because a secondary (slave) nameserver ceased to exist without notice,
is one reason I wrote quick one-off cron jobs to check and report on
_both_ sets of NS records for my own two domains, in cron job
/etc/cron.weekly/mydomains, included below. (As you'll see, it also
queries and reports SOA S/Ns from all auth nameservers.)

As I've said before when citing these sorts of scripts, I'm sure with
some effort much more clever and concise reporting is possible, but
my point is: Never put off doing an admin task _well enough_, just
because you lack the time/patience/caffeine to do it better.
(OTOH, if someone wants boasting rights from writing something more
clever and effective, go for it!)

> Alas, Comcast Business isn't nearly as rock solid as Raw Bandwidth
> was.

Roger that. And I'm very not surprised. These big companies pretty
much _always_ do a slipshod job compared to the mom-and-pops.
I didn't mention upthread lots of unexplained outages for periods brief
enough that I'm aware of them only from logcheck reports, e.g., my
Linux server reports that eth2 has lost its connection and then gotten
it back. And that really _never_ happened with Raw Bandwidth ADSL1.

#!/bin/sh
# mydomains Cron script to sanity-check my domains' SOA records at
# all of their authoritative nameservers, as a quick and
# dirty way of making sure (1) they're all online and
# (2) they're all serving up the same data (or at least
# data with the same zonefile serial number).
#
# The script queries all nameservers for their current
# SOA value, and then uses awk to parse out of that
# verbose record just the S/N field, which is field #3.
# The point is that you can visually spot offline or
# aberrant nameservers by their S/Ns being (respectively)
# missing or an out-of-step value.
#
# Written by Rick Moen (rick at linuxmafia.com)
# $Id: cron.weekly,v 1.06 2019/12/03 00:36:00 rick
# Copyright (C) Rick Moen, 2011-2018. Do anything you want with this work.
set -o errexit #aka "set -e": exit if any line returns non-true value
set -o nounset #aka "set -u": exit upon finding an uninitialised variable
test -x /usr/bin/mail || exit 0
test -x /usr/bin/whois || exit 0
test -x /usr/bin/awk || exit 0
test -x /bin/grep || exit 0
test -x /usr/bin/dig || exit 0
{
echo "As of 2020-03-20, linuxmafia.com should show five authoritative nameservers:"
echo ""
echo "ns.primate.net. 198.144.194.12, (Aaron T. Porter)"
echo "ns.tx.primate.net. 72.249.38.88 (Aaron T. Porter)"
echo "ns3.linuxmafia.com. 107.204.234.170, aka ns.catwhisker.org (David Wolfskill)"
echo "ns6.linuxmafia.com. 209.205.200.166, aka ns1.thecoop.net (Drew Bertola)"
echo "ns1.linuxmafia.com. 96.95.217.99 (Rick Moen)"
echo ""
echo "As of 2020-03-20, unixmercenary.net should show five authoritative nameservers:"
echo ""
echo "ns.primate.net. 198.144.194.12, (Aaron T. Porter)"
echo "ns.tx.primate.net. 72.249.38.88 (Aaron T. Porter)"
echo "ns3.linuxmafia.com. 107.204.234.170, aka ns.catwhisker.org (David Wolfskill)"
echo "ns6.linuxmafia.com. 209.205.200.166, ns1.thecoop.net (Drew Bertola)"
echo "ns1.linuxmafia.com. 96.95.217.99 (Rick Moen)"
echo ""
echo "If any is missing from reports below, or produces odd data, something is wrong."
echo ""
echo "Zonefile S/Ns, linuxmafia.com:"
echo ""
dig -t soa linuxmafia.com. @ns.primate.net. +short | awk '{ print $3 " on ns.primate.net." }'
dig -t soa linuxmafia.com. @ns.tx.primate.net. +short | awk '{ print $3 " on ns.tx.primate.net." }'
dig -t soa linuxmafia.com. @ns3.linuxmafia.com. +short | awk '{ print $3 " on ns3.linuxmafia.com." }'
dig -t soa linuxmafia.com. @ns6.linuxmafia.com. +short | awk '{ print $3 " on ns6.linuxmafia.com."}'
dig -t soa linuxmafia.com. @ns1.linuxmafia.com. +short | awk '{ print $3 " on ns1.linuxmafia.com."}'
echo ""
echo "Zonefile S/Ns, unixmercenary.net:"
echo ""
dig -t soa unixmercenary.net. @ns.primate.net. +short | awk '{ print $3 " on ns.primate.net." }'
dig -t soa unixmercenary.net. @ns.tx.primate.net. +short | awk '{ print $3 " on ns.tx.primate.net." }'
dig -t soa unixmercenary.net. @ns3.linuxmafia.com. +short | awk '{ print $3 " on ns3.linuxmafia.com." }'
dig -t soa unixmercenary.net. @ns6.linuxmafia.com. +short | awk '{ print $3 " on ns6.linuxmafia.com."}'
dig -t soa unixmercenary.net. @ns1.linuxmafia.com. +short | awk '{ print $3 " on ns1.linuxmafia.com."}'
echo ""
echo "Authoritative nameservers from whois, linuxmafia.com:"
echo ""
whois linuxmafia.com | grep 'Name Server' | awk -F: '{ print $2 }' | head -n 7
echo ""
echo "Authoritative nameservers from whois, unixmercenary.net:"
echo ""
whois unixmercenary.net | grep 'Name Server' | awk -F: '{ print $2 }' | head -n 7
echo ""
echo "Parent-zone NS records and matching A records (glue), linuxmafia.com:"
echo ""
dig -t ns linuxmafia.com. @$(dig -t ns com. +short | head -n 1) +nocmd +noquestion +nostats +nocomments
echo ""
echo "Parent-zone NS records and matching A records (glue), unixmercenary.net:"
echo ""
dig -t ns unixmercenary.net. @$(dig -t ns net. +short | head -n 1) +nocmd +noquestion +nostats +nocomments
echo ""
echo "In-domain NS records and matching A records, linuxmafia.com:"
echo ""
dig -t ns linuxmafia.com. @$(dig -t ns linuxmafia.com. +short | head -n 1) +nocmd +noquestion +nostats +nocomments
echo ""
echo "In-domain NS records and matching A records, unixmercenary.net:"
echo ""
dig -t ns unixmercenary.net. @$(dig -t ns unixmercenary.net. +short | head -n 1) +nocmd +noquestion +nostats +nocomments
} |
mail -s "Domains linuxmafia.com and unixmercenary.net SOA check" rick at linuxmafia.com
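
An added example, not part of the original message or of the script above: the cron job reports both NS sets and the SOA serials for comparison by eye, and this sketch does the comparison itself. The function names, the example.net/example.org hosts and the serials are constructed for illustration, and "stale" here simply means "lower than the highest serial seen".

```sh
#!/bin/sh
# Added example: compare parent-zone and in-zone NS sets, and flag SOA serial drift.
# All names and serials below are constructed sample data (example.net/.org).
set -eu
LC_ALL=C; export LC_ALL

# Canonicalise NS names: trim, lower-case, exactly one trailing dot, no blank lines.
norm_ns() {
    tr '[:upper:]' '[:lower:]' |
    sed -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' -e '/^$/d' -e 's/\.*$/./'
}

# ns_mismatch PARENT_LIST ZONE_LIST: prints "parent-only NAME" (delegated by the
# parent, absent in-zone) and "zone-only NAME" (in-zone, absent from the delegation).
ns_mismatch() {
    { printf '%s\n' "$1" | norm_ns | sed 's/^/P /'
      printf '%s\n' "$2" | norm_ns | sed 's/^/Z /'; } |
    awk '$1 == "P" { p[$2] = 1 }
         $1 == "Z" { z[$2] = 1 }
         END { for (n in p) if (!(n in z)) print "parent-only " n
               for (n in z) if (!(n in p)) print "zone-only " n }' | sort
}

# serial_report: stdin lines are "SERVER <dig +short SOA output>", so the serial
# (field 3 of dig's output, as in the cron job) is field 4 here. An empty answer
# means the server did not respond with an SOA.
serial_report() {
    awk 'NF { s[$1] = $4; if ($4 + 0 > max) max = $4 + 0 }
         END { for (h in s) {
                   if (s[h] == "") print "no-answer " h
                   else if (s[h] + 0 != max) print "stale " h " " s[h] } }' | sort
}

# Live collection (needs network and dig), for zone $Z, TLD server $T, nameserver $ns:
#   parent=$(dig +norec +noall +authority -t ns "$Z" "@$T" | awk '{ print $5 }')
#   zone=$(dig +short -t ns "$Z" "@$ns")
#   printf '%s %s\n' "$ns" "$(dig +short -t soa "$Z" "@$ns")"   # one SOA line

PARENT_NS='ns1.example.net.
ns2.example.net.
ns-old.example.org.'
ZONE_NS='NS1.Example.NET
ns2.example.net.
ns3.example.net.'
SOA_LINES='ns1.example.net. ns1.example.net. hostmaster.example.net. 2021111301 7200 3600 2419200 10800
ns2.example.net. ns1.example.net. hostmaster.example.net. 2021111300 7200 3600 2419200 10800
ns3.example.net.'

echo "NS mismatches:"; ns_mismatch "$PARENT_NS" "$ZONE_NS"
echo "SOA problems:";  printf '%s\n' "$SOA_LINES" | serial_report
```

Empty output from both functions means the two NS sets agree and every listed server answered with the same serial.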