Je suis Charlie

Autres trucs


Seulement les RFC

Seulement les fiches de lecture


Checking quickly a DNS zone: a new variant of check-soa

First publication of this article on 26 December 2012
Last update on of 22 November 2014

When you want to assert rapidly whether or not a DNS zone works fine, typical exhaustive tools like Zonecheck may be too slow. There is room for a light-and-fast tool and many people used to rely on the check_soa (with an underscore) program developed by Liu and Albitz and published with their famous book DNS and BIND. This original program no longer seems maintained and, the last time I tested it, did not support IPv6. So, I wrote one more variant of "my very own check-soa".

Like the original one, it queries each name server of a zone for the SOA record of the zone:

% check-soa fr OK: 2222258998
	2001:500:2e::2: OK: 2222258998 OK: 2222258998
	2001:678:c::1: OK: 2222258998 OK: 2222258998
	2a00:d78:0:102:193:176:144:6: OK: 2222258998 OK: 2222258998
	2001:67c:1010:11::53: OK: 2222258998 OK: 2222258997
	2001:678:4c::1: OK: 2222258997

Here, we can see that all name servers of .FR reply properly and their serial number is 2222258998. You have several options (-h to see them all). For instance, -i will display the response time:

% check-soa -i nl OK: 2012122607 (3 ms)
	2001:67c:1010:10::53: OK: 2012122607 (40 ms) OK: 2012122607 (3 ms)
	2001:660:3005:1::1:2: OK: 2012122607 (2 ms) OK: 2012122607 (25 ms)
	2a00:d78:0:102:193:176:144:5: OK: 2012122607 (38 ms)
	2001:7b8:606::85: OK: 2012122607 (15 ms) OK: 2012122607 (36 ms) OK: 2012122607 (24 ms)
	2001:610:0:800d::10: OK: 2012122607 (29 ms) OK: 2012122607 (25 ms)
	2a00:1188:5::212: OK: 2012122607 (34 ms) OK: 2012122607 (24 ms)
	2001:678:2c:0:194:0:28:53: OK: 2012122607 (33 ms)
	2001:500:2e::1: OK: 2012122607 (14 ms) OK: 2012122607 (19 ms)

Sometimes, the name servers of the zone are not synchronized (it can be temporary, the DNS being only loosely consistent, or it can be permanent if there is a problem):

% check-soa                  OK: 2012081301 OK: 2009030502 OK: 2012081301
	2a01:e0b:1:64:240:63ff:fee8:6155: OK: 2012081301 OK: 2012081301
	2a01:4a0:2002:2198:130:185:108:193: OK: 2012081301

Here, lags behind.

Do note that check-soa uses a zone, not just any domain:

% check-soa
No NS records for "". It is probably a domain but not a zone

Of course, when everything works fine, it is boring. What if there is a problem? check-soa will display it and will set the exit code accordingly:

% check-soa OK: 2011112300 OK: 2011112300 OK: 2011112300
	2001:788::88: ERROR: Timeout OK: 2011112300
	2001:788::98: ERROR: Timeout

Here, two name servers failed to reply in time (you can tune the timeout with options -t and -n). The actual problem was with IPv6 connectivity, so you can try with -4:

% check-soa -q
	2001:788::88: ERROR: Timeout
	2001:788::98: ERROR: Timeout
% echo $?               

% check-soa -q -4
% echo $?                  

In this specific case, I tested from several sites. But do note that, quite often, networks problems and the resulting timeout will depend on the site from which you test. check-soa sees the Internet from just one point. Other points may be different (this is specially true with IPv6 today.) A good example is a test from Free (it works for every other operator):

% check-soa -i mil ERROR: Timeout ERROR: Timeout ERROR: Timeout OK: 2012122703 (229 ms) ERROR: Timeout ERROR: Timeout

There are of course many other possible errors. For instance, on the TLD of Cambodia:

% check-soa kh ERROR: REFUSED
	2001:67c:2e8:5:53::6: ERROR: REFUSED OK: 2012030124
	Cannot get the IPv4 address: NXDOMAIN OK: 2012030124 ERROR: Not authoritative OK: 2012030124
	2001:dc0:1:0:4777::140: OK: 2012030124 OK: 2012030124

We see three types of errors, refuses to answer for this TLD (it is called a "lame delegation", the TLD is delegated to a server which does not know or does not want to answer about it, probably because of a misunderstanding between operators), does not exist and replies, but is not authoritative (it is actually an open recursive resolver, something which is frowned upon, see RFC 5358).

By default, check-soa uses EDNS. This can create problems with some very old name servers:

% check-soa ERROR: FORMERR
	2a01:111:2005::1:1: ERROR: FORMERR
	2a01:111:2020::1:1: ERROR: FORMERR
	2a01:111:200f:1::1:1: ERROR: FORMERR

All of Microsoft's name servers reply "FORmat ERRor". The -r option will force back old DNS:

% check-soa -r OK: 2012122401
	2a01:111:2005::1:1: OK: 2012122401
	2a01:111:2006:6::1:1: OK: 2012122401 OK: 2012122401 OK: 2012122401
	2a01:111:2020::1:1: OK: 2012122401
	2404:f800:2003::1:1: OK: 2012122401 OK: 2012122401 OK: 2012122401
	2a01:111:200f:1::1:1: OK: 2012122401

One of the points where my check-soa is an improvment over the original is that it issues DNS requests in parallel. So, the waiting time will depend only on the slowest server, not on the sum of all servers. Let's try it on Sri Lanka TLD:

% time check-soa -i lk OK: 2012122601 (268 ms)
	2405:5400:3:1:203:143:29:3: OK: 2012122601 (274 ms) OK: 2012122601 (133 ms) OK: 2012122601 (189 ms) OK: 2012122601 (290 ms) OK: 2012122601 (179 ms)
	2401:dd00:1::162: OK: 2012122601 (300 ms) OK: 2012122601 (4 ms)
	2001:500:14:6027:ad::1: OK: 2012122601 (5 ms) OK: 2012122601 (142 ms)
	2001:67c:e0::88: OK: 2012122601 (16 ms) OK: 2012122601 (17 ms) OK: 2012122601 (622 ms)
check-soa -i lk  0.02s user 0.00s system 3% cpu 0.637 total

The elapsed time was only 637 ms (a bit more than the slowest server, which was at 622), not the sum of all the delays. Parallelism is specially important when some servers timeout. By default, check-soa tries three times, with a waiting time of 1.5 second (other programs have a default of 5 seconds, which is extremely long: a DNS reply never comes back after 5 seconds!). So:

% time check-soa -i ml ERROR: Timeout OK: 2012122100 (115 ms) OK: 2012122100 (109 ms) ERROR: REFUSED (13 ms)
	2001:67c:e0::95: ERROR: REFUSED (14 ms)
	2001:4f8:0:2::13: OK: 2012122100 (173 ms) OK: 2012122100 (183 ms) OK: 2012122100 (124 ms)
check-soa -i ml  0.01s user 0.00s system 0% cpu 4.518 total

The elapsed time, 4.518 seconds, is mostly because of the timeout (and retries) on

By default, check-soa retrieves the list of name servers to query from the local resolver. If the domain is so broken that it cannot even handle these requests, or simply if you want to test with different name servers (for instance because the zone is not yet delegated), you can use the -ns option to indicate explicitely the name servers:

% check-soa -ns "" com
	2001:503:a83e::2:30: OK: 1416671393 OK: 1416671393
	2001:503:231d::2:30: OK: 1416671393 OK: 1416671393

Are you convinced? Do you want to install it? Then, get the source code and follow the instructions in the file Do note that my check-soa is written in Go so you'll need a Go compiler. Also, it depends on the excellent godns library so you need to install it first.

If you read the source code, there is nothing extraordinary: parallelism is very simple in Go, thanks to the goroutines so there is little extra effort to make a parallel program (one of the great strengths of Go).

I also wrote a Nagios plugin in Go to perform more or less the same tests. But the Nagios plugin does not use parallelism: since it is not an interactive program, it is less important if the elapsed time is longer.

Other versions of check-soa (or check_soa):

A recent alternative to check-soa is the option nssearch of dig:

% dig +nodnssec +nssearch
SOA 2012122602 7200 3600 604800 3600 from server in 1 ms.
SOA 2012122602 7200 3600 604800 3600 from server 2001:67c:2219:3::1:4 in 1 ms.
SOA 2012122602 7200 3600 604800 3600 from server in 2 ms.

It has several limitations: each server is tested only once, even if it has multiple IP addresses (which can belong to different physical machines), if stops immediately for some errors (such as a name server which has no entry in the DNS), it does not react properly to non-EDNS name servers like mentioned above, etc.

Thanks to Miek Gieben for godns and for his debugging of my code.

Version PDF de cette page (mais vous pouvez aussi imprimer depuis votre navigateur, il y a une feuille de style prévue pour cela)

Source XML de cette page (cette page est distribuée sous les termes de la licence GFDL)