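#!/bin/ksh
# $Id: zones,v 1.18 2011/08/19 15:53:19 ksb Exp $
# This is a part of netlint.  If this script is found in
#	/usr/local/libexec/netlint-plugins/
# netlint will run it and include this output in the netlint report.
#
#****p* netlint/zones
# NAME
#	zones
# DESCRIPTION
#	Netlint checks sanity for any node which offers a resolver service.
# IMPACT
#	A bad resolver can confuse all the nodes that resolve with it
#	(in /etc/resolv.conf).
#***
#
# Environment:
#	CARP	command used to report a finding (default: echo); every
#		report line has the form "CODE: detail".
# Exit status: always 0 -- a node that cannot be checked is not an error
# for the plugin, it just produces no findings.

PROGNAME=${0##*/}
: ${CARP:=echo}

if [ _"$1" = _"-V" ]; then
  echo "$PROGNAME: "'$Id: zones,v 1.18 2011/08/19 15:53:19 ksb Exp $'
  [ -d /etc/namedb ] || echo "$PROGNAME: no /etc/namedb found"
  exit 0
fi

#****a* zones/NS_PERMS
# NAME
#	NS_PERMS
# FORMAT
#	NS_PERMS: file
# DESCRIPTION
#	The permissions on the named file don't allow netlint to check for some
#	other problem.
# REMEDIATION
#	Correct the permissions on the file or run netlint as the correct user.
#***
# No named.conf: this node is not a nameserver, nothing to check.
if [ ! -e /etc/namedb/named.conf ]; then
  exit 0
fi
cd /etc/namedb 2>/dev/null || exit 0
if [ ! -r named.conf ]; then
  $CARP NS_PERMS: "`pwd`/named.conf"
  exit 0
fi

# All scratch files live in a private directory created by mktemp.  The
# previous scheme (/tmp/nlz.$$.N with N in 0..99) was predictable, so any
# local user could pre-create or symlink those names and have a root-run
# netlint truncate an arbitrary file.  The EXIT trap removes the directory
# on every exit path, including a signal part-way through the checks.
TDIR=`mktemp -d /tmp/nlz.XXXXXX` || {
  echo "$PROGNAME: cannot create a temporary directory" >&2
  exit 0
}
trap 'rm -rf "$TDIR"' EXIT
TFILE=$TDIR/nlz

# SERIALSED pulls the serial out of a zone file whose SOA is written one
# field per line ("<number> ; serial"); SERIALSED2 handles the one-line
# "IN SOA mname rname serial ..." form, which is also what dig prints.
SERIALSED='s,^[ ]*\([0-9][0-9]*\)[ ; ]*[Ss]erial.*$,\1,p'
SERIALSED2='s,^[^#].*IN[ ][ ]*SOA[ ]*[^ ]*[ ][^ ]*[ ][ ]*\([0-9][0-9]*\)[ ]*[0-9 ]*$,\1,p'
# xapply -f runs its template through $SHELL; the template text below
# relies on these being in the child's environment.
SHELL=/bin/ksh
export SHELL SERIALSED SERIALSED2 CARP

# Walk named.conf, pull out the zones + files that aren't commented out.
# Group them together and comb out the master files only for now.
# Read the serial number from the zone file, and from the running nameserver
# (with dig) and compare them.  Also check if the file is writable (co'd).
# XXX: Should we check for revision control differences?
#
# Both extractions skip // and /* ... */ comments and the stock empty/localhost
# zones; the two lists are paired by position below, so they must skip the
# same zones.
sed -n -e "/pid-file/d" -e "/dump-file/d" -e "/statistics-file/d" \
  -e "/\/\//d" \
  -e "/empty.db/d" -e "/localhost-forward.db/d" -e "/localhost-reverse.db/d" \
  -e "\:^[ ]*/\*[^*]*$:,\:^[ ]*\*/[ ]*$:d" \
  -e "s,^[^#]*file[ ]\"\([masterslave/]*[^\"]*\)\".*,\1,p;" named.conf >"$TFILE.file"
sed -n -e "\:^[ ]*/\*[^*]*$:,\:^[ ]*\*/[ ]*$:d" \
  -e "/empty.db/d" -e "/localhost-forward.db/d" -e "/localhost-reverse.db/d" \
  -e "s,^zone[ ]\"\([^\"]*\)\".*,\1,p" named.conf >"$TFILE.zone"

#****a* zones/NS_SERIAL
# NAME
#	NS_SERIAL
# FORMAT
#	NS_SERIAL: zone
# DESCRIPTION
#	The slave's serial number doesn't match one we found with the resolver, so
#	we might be publishing an out of date zone.
# REMEDIATION
#	If it remains out-of-date:
#	 * The zone transfer might be broken.
#	 * The configuration for the named might be wrong.
#	 * It might be better to take the resolver off-line rather than publishing
#	   an out-of-date zone.
# SEE ALSO
#	NS_SLAVESERIAL
#***

#****a* zones/NS_WRITABLE_FILE
# NAME
#	NS_WRITABLE_FILE
# FORMAT
#	NS_WRITABLE_FILE: path
# DESCRIPTION
#	A file that might contain a zone is writable in the filesystem.
# REMEDIATION
#	Upgrade bind to a version that honors a umask and fix the file modes.  There
#	is a bug in older bind's that didn't honor the file creation mask.
#***
# Pair each zone with its file ("zone file" per line), drop the root hint
# zone ("." and db.cache) plus the localhost db, keep the full list in
# $TFILE for the slave pass, and check only the master zones here.
# The zone and file names are quoted inside the template so a name with
# whitespace or glob characters cannot turn into extra shell words.
xapply -fn2 '%1 %2' "$TFILE.zone" "$TFILE.file" |
  grep -v '^\. ' |
  grep -E -v 'db.(cache|localhost)$' |
  tee "$TFILE" |
  grep master/ |
  xapply -f '[ -r "%[1 2]" ] || exit
SERIAL=$(sed -n -e "$SERIALSED" -e "$SERIALSED2" "%[1 2]")
LOADED=$(dig soa "%[1 1]" | sed -n -e "$SERIALSED" -e "$SERIALSED2")
[ _"$SERIAL" != _"$LOADED" ] && $CARP "NS_SERIAL: %[1 1]"
[ -w "%[1 2]" ] && $CARP "NS_WRITABLE_FILE: %[1 2]"' -

# Find masters for each slave zone: emit "zone;master master ..." lines,
# joining a masters { ... } block that spans several lines first.
sed -n -e 's,//.*$,,' -e 's,#.*,,' \
  -e "\:^[ ]*/\*[^*]*$:,\:^[ ]*\*/[ ]*$:d" \
  -e '
/^zone[ ]\"\([^\"]*\)\".*/{
  s,,\1,
  x
  n
}
:top
/masters[^}]*$/{
  N
  s/\n//
  btop
}
/masters/{
  s/.*masters.*{\(.*\)}.*/\1/
  H
  x
  s/[ ]*;[ ]*/ /g
  s/\n/;/p
}' /etc/namedb/named.conf | sort > "$TFILE.ip"
# The non-master zones, as "zone;file", sorted for join(1).
grep -v master/ "$TFILE" | sort | sed -e 's,[ ],;,' > "$TFILE.slaves"

#****a* zones/NS_BADMASTERS
# NAME
#	NS_BADMASTERS
# FORMAT
#	NS_BADMASTERS: zone: no masters
# DESCRIPTION
#	No master service can be located for the zone we secondary.
# REMEDIATION
#	Remediate this in named's configuration on the node.
#***

#****a* zones/NS_SLAVESERIAL
# NAME
#	NS_SLAVESERIAL
# FORMAT
#	NS_SLAVESERIAL: zone: out of date
# DESCRIPTION
#	This node is publishing an out-of-date zone.
# SEE ALSO
#	NS_SERIAL
#***
# Joined record: zone ; masters separated by whitespace ; dbfile
# %[1;2] is deliberately unquoted in the for-list: it is the whitespace
# separated list of master addresses.  The first master that answers with a
# serial wins; no answer at all is NS_BADMASTERS.
join -t\; "$TFILE.ip" "$TFILE.slaves" |
  xapply -f 'for master in %[1;2]; do
  M=$(dig @"$master" soa "%[1;1]" 2>/dev/null | sed -n -e "$SERIALSED" -e "$SERIALSED2")
  [ -z "$M" ] || break
done
[ -z "$M" ] && {
  $CARP "NS_BADMASTERS: %[1;1]: no masters"
  exit 0
}
SERIAL=$(dig @localhost soa "%[1;1]" 2>/dev/null | sed -n -e "$SERIALSED" -e "$SERIALSED2")
[ _"$SERIAL" != _"$M" ] && $CARP "NS_SLAVESERIAL: %[1;1]: out of date"' -

# Scratch files are removed by the EXIT trap.
exit 0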