Monitoring DNS server synchronicity

We, along with some customers, run our authoritative DNS with one PowerDNS master (which is unreachable from the internet) managed through PowerAdmin, and two BIND9 slaves (ns1 and ns2). This setup works great, but a bug in (older versions of) PowerAdmin and BIND's strict handling of the resulting zone data can together cause some havoc.

PowerAdmin does not validate input: for instance, it lets you create a CNAME and an A record for the same hostname. A CNAME may not coexist with other data at the same name, and when BIND finds such a conflict while loading a zone it refuses the zone as a whole, so it stops serving not just that hostname but every name in the zone (you can see where this is going, right?).
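A pre-push check for the condition described above, added here as an example and not code from the post or from PowerAdmin: it scans a zone in (simplified) master-file syntax and lists every owner name that has a CNAME next to other data. The sample zone is constructed; example.net and the 192.0.2.0/24 addresses are documentation values. In production, named-checkzone from the BIND tools reports the same "CNAME and other data" condition before a zone is loaded.

```python
#!/usr/bin/env python3
"""Find owner names that carry a CNAME together with other data.

Added example, not code from the post or from PowerAdmin. It reads a
simplified zone file (one record per line, no parenthesised multi-line
records) so the conflict can be caught before the zone reaches the master.
"""

# DNSSEC types that RFC 4035 permits next to a CNAME; anything else conflicts.
ALLOWED_WITH_CNAME = {"RRSIG", "NSEC", "NSEC3"}
CLASSES = {"IN", "CH", "HS"}


def parse_records(zone_text, origin):
    """Yield (owner, rtype) per record line. Handles $ORIGIN, '@', relative
    names, a blank owner (inherits the previous line's), optional TTL and
    class fields, and ';' comments."""
    origin = origin if origin.endswith(".") else origin + "."
    owner = origin
    for raw in zone_text.splitlines():
        line = raw.split(";", 1)[0].rstrip()
        if not line.strip():
            continue
        if line.startswith("$ORIGIN"):
            origin = line.split()[1]
            origin = origin if origin.endswith(".") else origin + "."
            continue
        if line.startswith("$"):  # $TTL, $INCLUDE etc. carry no record
            continue
        fields = line.split()
        if not raw[0].isspace():  # line names a new owner
            name = fields.pop(0)
            if name == "@":
                owner = origin
            elif name.endswith("."):
                owner = name
            else:
                owner = name + "." + origin
        # Skip the optional TTL and class (either order) to reach the type.
        while fields and (fields[0][0].isdigit() or fields[0].upper() in CLASSES):
            fields.pop(0)
        if fields:
            yield owner.lower(), fields[0].upper()


def cname_conflicts(zone_text, origin):
    """Return {owner: [conflicting types]} for every owner that has a CNAME
    alongside data BIND will not accept next to it."""
    types = {}
    for owner, rtype in parse_records(zone_text, origin):
        types.setdefault(owner, set()).add(rtype)
    conflicts = {}
    for owner, rtypes in types.items():
        if "CNAME" in rtypes:
            others = rtypes - {"CNAME"} - ALLOWED_WITH_CNAME
            if others:
                conflicts[owner] = sorted(others)
    return conflicts


# Constructed sample zone: www has both a CNAME and an A record.
SAMPLE_ZONE = """\
$ORIGIN example.net.
$TTL 3600
@       IN SOA   ns1.example.net. hostmaster.example.net. 2011032805 7200 900 1209600 3600
        IN NS    ns1
        IN NS    ns2
ns1     IN A     192.0.2.1
ns2     IN A     192.0.2.2
www     IN CNAME web
www     IN A     192.0.2.10     ; conflicts with the CNAME above
web     IN A     192.0.2.10
"""

if __name__ == "__main__":
    for owner, others in sorted(cname_conflicts(SAMPLE_ZONE, "example.net").items()):
        print("%s: CNAME and other data (%s)" % (owner, ", ".join(others)))
```

Run against the sample it reports www.example.net. with its conflicting A record; a clean zone yields nothing. Wire it in front of whatever pushes PowerAdmin's output to the master and the slaves never see the broken zone.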

This, along with our need to check whether the master and slaves are in sync (or at least not out of sync for too long while an {I,A}XFR is pending), gave us the idea of writing a Nagios check for it. So without further ado, the help:

usage: [-h] [-w MINUTES] [-c MINUTES] [-v]
zone master slave

This script tests if and for how long the master and slave nameservers are out
of sync; it retains its state by creating a timestamped file. This script is
meant to be invoked by nagios/icinga.

positional arguments:
zone                  The zone to be checked
master                The master nameserver hostname or IP-address
slave                 The slave nameserver hostname or IP-address

optional arguments:
-h, --help            show this help message and exit
-w MINUTES, --warning MINUTES
The amount of time in minutes the slave can be out of
sync with the master without raising a warning (default
= 10)
-c MINUTES, --critical MINUTES
The amount of time in minutes the slave can be out of
sync with the master before it is critical (default =
-v, --verbose

This script checks the “zone” on two nameservers (“master” and “slave”) by querying both for the SOA record of that zone. It extracts the serial number from each record and compares the two. If they match, the current timestamp is written to a temporary file. If they do not match, the script compares the current time with the stored timestamp and, once the nameservers have been out of sync for longer than the warning or critical threshold, exits with a message and exit code indicating this. In the good case the output looks like:

DNS-ZONE OK: serial is 2011032805.
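The check described above, re-implemented as an added example (this is not the author's script, whose file is not reproduced on the page): it queries each server directly for the SOA, compares the serials, keeps a per-zone state file holding the time of the last match, and maps the time elapsed since then to Nagios exit codes. Assumptions: Python 3, dnspython for the queries, the standard-library ipaddress module in place of python-ipaddr, and a CRITICAL default of 30 minutes, since the help text on the page does not show that value.

```python
#!/usr/bin/env python3
"""check_dns_zone_sync: compare the SOA serial a master and a slave serve
for one zone, remember when they last agreed, and return Nagios exit codes.

Added example written for this post, not the author's script. It queries
with dnspython like the original; the CRITICAL default of 30 minutes and
the use of the ipaddress module are this example's own assumptions.
"""
import argparse
import ipaddress
import os
import socket
import sys
import tempfile
import time

OK, WARNING, CRITICAL, UNKNOWN = 0, 1, 2, 3  # standard Nagios plugin exit codes


def to_ip(host):
    """dns.query.udp needs an address, so resolve a hostname if given one."""
    try:
        return str(ipaddress.ip_address(host))
    except ValueError:
        return socket.gethostbyname(host)


def soa_serial(zone, server, timeout=5.0):
    """Ask one nameserver directly (not through a resolver) for the zone's
    SOA and return its serial. dnspython is imported here so the sync logic
    below stays importable and testable on a machine without it."""
    import dns.message, dns.query, dns.rdatatype
    query = dns.message.make_query(zone, dns.rdatatype.SOA)
    response = dns.query.udp(query, to_ip(server), timeout=timeout)
    for rrset in response.answer:
        if rrset.rdtype == dns.rdatatype.SOA:
            return rrset[0].serial
    raise LookupError("%s returned no SOA for %s" % (server, zone))


def state_path(zone, state_dir=None):
    """One state file per zone. In production point state_dir at a directory
    only the check's user can write (e.g. /var/lib/nagios): a predictable
    name in a shared /tmp can be pre-created or symlinked by another user."""
    state_dir = state_dir or tempfile.gettempdir()
    safe = "".join(c if c.isalnum() or c in ".-" else "_" for c in zone.rstrip("."))
    return os.path.join(state_dir, "dns_zone_sync_%s.state" % safe)


def read_state(path):
    """Epoch time stored in the state file, or None if absent or unreadable."""
    try:
        with open(path) as fh:
            return float(fh.read().strip())
    except (OSError, ValueError):
        return None


def write_state(path, stamp):
    tmp = path + ".tmp"
    with open(tmp, "w") as fh:
        fh.write("%f\n" % stamp)
    os.replace(tmp, path)  # atomic, so a crash never leaves a half-written file


def evaluate(master_serial, slave_serial, path, warn_min=10, crit_min=30, now=None):
    """Return (exit_code, message). The state file records when the serials
    last matched; on the very first mismatch the clock starts now."""
    now = time.time() if now is None else now
    if master_serial == slave_serial:
        write_state(path, now)
        return OK, "DNS-ZONE OK: serial is %d." % master_serial
    last_ok = read_state(path)
    if last_ok is None:
        write_state(path, now)
        last_ok = now
    minutes = (now - last_ok) / 60.0
    detail = "master serial %d, slave serial %d, out of sync for %d min" % (
        master_serial, slave_serial, int(minutes))
    if minutes >= crit_min:
        return CRITICAL, "DNS-ZONE CRITICAL: " + detail
    if minutes >= warn_min:
        return WARNING, "DNS-ZONE WARNING: " + detail
    return OK, "DNS-ZONE OK: " + detail


def main(argv=None):
    p = argparse.ArgumentParser(description="Check that a slave serves the master's SOA serial")
    p.add_argument("zone")
    p.add_argument("master")
    p.add_argument("slave")
    p.add_argument("-w", "--warning", type=int, default=10, metavar="MINUTES")
    p.add_argument("-c", "--critical", type=int, default=30, metavar="MINUTES")
    p.add_argument("--state-dir", default=None)
    args = p.parse_args(argv)
    try:
        master, slave = soa_serial(args.zone, args.master), soa_serial(args.zone, args.slave)
    except Exception as exc:  # timeout, unresolvable host, no SOA: report UNKNOWN, not OK
        print("DNS-ZONE UNKNOWN: %s" % exc)
        return UNKNOWN
    code, message = evaluate(master, slave, state_path(args.zone, args.state_dir),
                             args.warning, args.critical)
    print(message)
    return code


if __name__ == "__main__":
    sys.exit(main())
```

Invoked as `check_dns_zone_sync example.net master.internal ns1.example.net -w 10 -c 30 --state-dir /var/lib/nagios`, it prints the same "DNS-ZONE OK: serial is ..." line as the original in the good case. Query failures are reported as UNKNOWN rather than as a match or a mismatch, so a dead slave is not mistaken for a sync problem and a dead master does not silently count as "in sync".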

One small caveat: the script requires python-ipaddr, python-argparse and python-dnspython, which are all packaged in Debian Squeeze and newer, so you will need a reasonably recent *nix distribution with those Python libraries available.

The file:

