Enhancement #566
Enhancement #564: Unused accounts spring cleanup (closed)
DNS spring cleanup
100%
Description
We probably have DNS zones which are no longer authoritative, so we should check the whois and report them.
Updated by Marc Dequènes over 7 years ago
- Status changed from New to In Progress
- Assignee set to Marc Dequènes
- % Done changed from 0 to 50
I created the adm_check_dns script in the admin repo.
Here is the current output:
OK andesi.org
ERR audrey-et-arnaud.org does not exist
ERR clan-hnk.com is not under our control
OK ddns.duckcorp.org
OK dimers.science
OK duckcorp.org
ERR evilgiggle.com is not under our control
OK georgesleyeti.fr
OK guihome.net
OK happypeng.org
OK hq.duckcorp.org
ERR hurdfr.org is not under our control
ERR laurafontaine.fr does not exist
OK lespotos.com
OK losange.org
OK milkypond.org
OK mini-dweeb.org
OK rtp-net.org
ERR taiste.org does not exist
OK xn--mah-dma.net
While we're at it:
- audrey-et-arnaud.org needs to be removed, I forgot to clean up
- clan-hnk.com we have broken websites owned by Finger and he just told me to purge, this is one of the domains used for them
- evilgiggle.com no news from this former friend, so I guess it has long been broken and could be purged
- hurdfr.org is a sensitive topic…
- laurafontaine.fr should be kept, arnau's request
- taiste.org is Banya's test zone
If the DEBUG environment variable is set, then the script dumps a structure which could later be used for aggregation.
Updated by Marc Dequènes over 7 years ago
Reverse zones on Elwing were misnamed: no .arpa in the name.
Updated by Marc Dequènes over 7 years ago
- Status changed from In Progress to Resolved
- % Done changed from 50 to 100
After cleanup and latest fixes we've got:
WARN hq.duckcorp.org SERIAL differs
ERR hurdfr.org NS1 is not ours
WARN hurdfr.org SERIAL differs
ERR hurdfr.org NS list differs
ERR laurafontaine.fr does not exist
ERR taiste.org does not exist
The only remaining problem now is hq.duckcorp.org, but it is due to a problem with the L2TP link between DuckCorp and DuckLand and is outside the goal of this ticket.
Updated by Marc Dequènes over 7 years ago
- Status changed from Resolved to In Progress
- % Done changed from 100 to 90
Reverse DNS zones have a fancy naming which prevents both this script and Banya from working on them. Let's rename them and improve this script.
Updated by Marc Dequènes over 7 years ago
New result with reverse zone support:
WARN 0.0.0.a.0.4.7.1.c.7.6.0.1.0.0.2.ip6.arpa SERIAL differs
WARN 1.0.0.9.0.4.7.1.c.7.6.0.1.0.0.2.ip6.arpa SERIAL differs
WARN 1.0.0.a.0.4.7.1.c.7.6.0.1.0.0.2.ip6.arpa SERIAL differs
ERR 1.0.9.e.b.9.f.9.0.3.0.4.0.0.4.2.ip6.arpa does not exist
WARN 3.0.0.a.0.4.7.1.c.7.6.0.1.0.0.2.ip6.arpa SERIAL differs
ERR 3.0.9.e.b.9.f.9.0.3.0.4.0.0.4.2.ip6.arpa does not exist
WARN 4.0.0.a.0.4.7.1.c.7.6.0.1.0.0.2.ip6.arpa SERIAL differs
WARN 5.0.0.a.0.4.7.1.c.7.6.0.1.0.0.2.ip6.arpa SERIAL differs
WARN 6.0.0.a.0.4.7.1.c.7.6.0.1.0.0.2.ip6.arpa SERIAL differs
WARN 7.0.0.a.0.4.7.1.c.7.6.0.1.0.0.2.ip6.arpa SERIAL differs
ERR F.1.8.0.8.A.7.0.1.0.0.2.ip6.arpa does not exist
WARN hq.duckcorp.org SERIAL differs
ERR hurdfr.org NS1 is not ours
WARN hurdfr.org SERIAL differs
ERR hurdfr.org NS list differs
ERR laurafontaine.fr does not exist
ERR taiste.org does not exist
Most serial problems are due to the link with DuckLand.
F.1.8.0.8.A.7.0.1.0.0.2.ip6.arpa is obsolete, will remove.
Reverse queries seem to take much more time. Also I had a bug in the Dnsruby library and had to make a workaround. I should ask upstream.
Updated by Marc Dequènes over 7 years ago
After quite some refactoring to add slave zone, here is the new output:
ERR | zone '1.0.0.9.0.4.7.1.c.7.6.0.1.0.0.2.ip6.arpa' slave on NS 'ns1.hq.duckcorp.org' is not authoritative
WARN| zone '1.0.0.a.0.4.7.1.c.7.6.0.1.0.0.2.ip6.arpa' slave on NS 'ns1.duckcorp.org' has a different SERIAL
WARN| zone '1.0.0.a.0.4.7.1.c.7.6.0.1.0.0.2.ip6.arpa' master on NS 'ns1.hq.duckcorp.org' has a different SERIAL
WARN| zone '1.0.0.a.0.4.7.1.c.7.6.0.1.0.0.2.ip6.arpa' slave on NS 'ns2.duckcorp.org' has a different SERIAL
ERR | zone '1.0.9.e.b.9.f.9.0.3.0.4.0.0.4.2.ip6.arpa' does not exist
ERR | zone '3.0.9.e.b.9.f.9.0.3.0.4.0.0.4.2.ip6.arpa' does not exist
ERR | zone 'a.5.2.3.8.c.b.0.1.0.0.2.ip6.arpa' does not exist
ERR | zone 'duckcorp.org' slave on NS 'ns1.hq.duckcorp.org' is not authoritative
ERR | zone 'hurdfr.org' master is not ours
ERR | zone 'hurdfr.org' master on NS 'ns1.duckcorp.org' is not authoritative
WARN| zone 'hurdfr.org' master on NS 'ns1.duckcorp.org' has a different SERIAL
ERR | zone 'hurdfr.org' master on NS 'ns1.duckcorp.org' has a different NS list
ERR | zone 'hurdfr.org' slave on NS 'ns2.duckcorp.org' is not authoritative
WARN| zone 'hurdfr.org' slave on NS 'ns2.duckcorp.org' has a different SERIAL
ERR | zone 'hurdfr.org' slave on NS 'ns2.duckcorp.org' has a different NS list
ERR | zone 'ir5.eu' does not exist
ERR | zone 'laurafontaine.fr' does not exist
ERR | zone 'piloucorp.eu' does not exist
WARN| zone 't1r.net' slave on NS 'ns1.duckcorp.org' is useless (not authoritative and not published)
WARN| zone 't1r.net' slave on NS 'ns2.duckcorp.org' is useless (not authoritative and not published)
ERR | zone 'taiste.org' does not exist
I let the script go on when the zone is not authoritative to give more info, does not hurt.
Info combination is better now and the data tree also is clearer.
The script still does not handle NS having multiple names like Toushirou (one on each upstream interface).
Updated by Marc Dequènes over 7 years ago
- Status changed from In Progress to Resolved
- % Done changed from 90 to 100
Alternate NS names check was added. We do not have any zone with such a problem so the output is the same.
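The kind of per-zone checks reported in this ticket, as an added Ruby example that runs offline on constructed data; it is not the adm_check_dns script and makes no DNS or whois queries. The zone and server names, the `Answer` struct and the exact meaning given to "not authoritative" and "not published" are assumptions made for the illustration.

```ruby
# Added example: offline sketch of zone-hygiene checks (not adm_check_dns).
# Every zone, server name and serial below is constructed sample data.
# Assumed meanings: "not authoritative" = our server is absent from the
# delegated NS set; "not published" = absent from the NS list it serves.
Answer = Struct.new(:role, :serial, :ns) # what one of our servers serves

# delegation: { ns: [...], serial: n } as seen through the public DNS tree,
# or nil when the domain is no longer registered or delegated.
def check_zone(zone, delegation, answers)
  return [[:ERR, "zone '#{zone}' does not exist"]] if delegation.nil?

  answers.flat_map do |server, a|
    where = "zone '#{zone}' #{a.role} on NS '#{server}'"
    delegated = delegation[:ns].include?(server)
    if !delegated && !a.ns.include?(server)
      # A copy that nothing points at: candidate for removal.
      next [[:WARN, "#{where} is useless (not authoritative and not published)"]]
    end
    out = []
    out << [:ERR, "#{where} is not authoritative"] unless delegated
    out << [:WARN, "#{where} has a different SERIAL"] if a.serial != delegation[:serial]
    out << [:ERR, "#{where} has a different NS list"] if a.ns.sort != delegation[:ns].sort
    out
  end
end

OURS = %w[ns1.example.net ns2.example.net].freeze
SAMPLE = {
  'healthy.example' => [{ ns: OURS, serial: 2017030101 },
                        { 'ns1.example.net' => Answer.new('master', 2017030101, OURS),
                          'ns2.example.net' => Answer.new('slave', 2017030101, OURS) }],
  # Delegated elsewhere, but we still serve an old copy naming ourselves.
  'moved.example' => [{ ns: %w[ns.other-provider.example], serial: 5 },
                      { 'ns1.example.net' => Answer.new('master', 2016120101, OURS) }],
  # Leftover slave copy of a zone that never lists us.
  'stale-slave.example' => [{ ns: %w[ns.other-provider.example], serial: 7 },
                            { 'ns2.example.net' => Answer.new('slave', 7, %w[ns.other-provider.example]) }],
  'expired.example' => [nil, { 'ns1.example.net' => Answer.new('master', 1, OURS) }]
}.freeze

# Format findings like the ticket's final output: "ERR | ..." / "WARN| ..."
def report(sample)
  sample.flat_map { |zone, (delegation, answers)| check_zone(zone, delegation, answers) }
        .map { |level, msg| format('%-4s| %s', level, msg) }
end

puts report(SAMPLE) if $PROGRAM_NAME == __FILE__
```

Zones that come back as "does not exist" or "not authoritative" are the ones to purge from the servers, since a stale zone left configured will keep answering for a name someone else may now control.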