dnswalk 1.6 - July 1993Author: David Barr <barr@pop.psu.edu>$Id: README,v 1.1 1993/07/21 14:39:25 barr Exp barr $INTROdnswalk is a DNS debugger.  It performs zone transfers of specifieddomains, and checks the database in numerous ways for internalconsistency, as well as accuracy.dnswalk requires perl and dig.  (Tested under perl-4.036, dig 2.0, andthe dig shipped with BIND 4.9.x) If you do not have these tools, getthem.  (perl is assumed to be in /usr/local/bin, edit the first line ofdnswalk if it is not)They can be found by anonymous ftp at:ftp.uu.net:/networking/ip/dns/dig.2.0.tar.Zftp.uu.net:/systems/gnu/perl-*.tar.Zgatekeeper.dec.com:/pub/BSD/bind/4.9/4.9.*.tar.Z	dnswalk works much better if you use the dig that is packagedwith the BIND 4.9.x distribution.  (It is much less buggy than itspredecessor)	dnswalk is not for the faint of heart.  It should NOT beused without a firm knowledge of the DNS RFC's.  If you use thistool for cracking or otherwise evil purposes, the author herebyconsiders you a slime-ball.  See the end of this README file fora list of good reading material.	dnswalk is not the be-all end-all tool for checking theintegrity of your DNS database.  I would suggest it be used afterusing 'doc', written by Steve Hotz (hotz@isi.edu) and Paul Mockapetris(pvm@isi.edu).  It can be found via FTP from:ftp.uu.net:/networking/ip/dns/doc.2.0.tar.Z	dnswalk is not a replacement for doc.  This was written tocheck individual database entries, while 'doc' ensures that the overalldatabase structure and authority records are consistent.  dnswalk maynot even function correctly if authority records are missing orincorrect.	This program may be freely distributed, as long as this noticeand documentation are distributed with the program.  This program isreleased as-is, with no warranty expressed or implied.  Some assemblyrequired, contents may settle during shipment.  This program can befound at ftp.pop.psu.edu:/pub/src/dnswalk/dnswalk.1.6.tar.Z,ftp.univ-lyon1.fr:/pub/mirrors/unix/dnswalk, and probably also inftp.uu.net:/networking/ip/dns.USAGE	Invoke dnswalk as follows:dnswalk [-fradm] domain [> logfile]	dnswalk tends to produce lots of output, so I'd suggestredirecting this into a file of your choice.  I debated using doc'sstrategy of automatically putting it in a logfile, but decided notto.  (The author reserves the right to change his mind)  For small,mostly-correct domains it is pretty manageable, however.  For largerdomains, use the included 'do-dnswalk' script as a guide.Options:	-f	Force a zone transfer from an authoritative nameserver.		dnswalk normally will look in its saved 'axfr' file		for each domain and use that. (if it exists)	-r	Recursively descend sub-domains of the specified		domain.  Use with caution and care.	-a	Turn on warning of duplicate A records.  (see below)	-d	Some debugging.  (Use only if redirecting stdout)	-m	Perform checks only if the zone has been modified since		the previous run.	-F	perform "fascist" checking.  When checking an A record,		compare the PTR name for each IP address with the forward		name and report mismatches.  (see below)  I recommend		you try this option at least once to see what sorts of		errors pop up - you might be surprised!.	-l	Perform "lame delegation" checking.  For every NS record,		check to see that the listed host is indeed returning		authoritative answers for this domain.  Inspiration for		this comes from the guys at the Univ. of Michigan.The domain name specified on the command line MUST end with a '.'.You can specify a forward domain, such as "dnswalk pop.psu.edu."or a reverse domain, such as "dnswalk 155.118.128.in-addr.arpa."What dnswalk will do is if it is checking "pop.psu.edu.", it willdo a zone transfer of the data from the authoritative nameserver andput it in the file "edu/psu/pop/axfr".  (relative to the current directory)If dnswalk is run again, it will use this file instead of asking thenameserver again.  You can override this with the '-f' switch.  Itwill also do a zone transfer again later if the serial number in thefile is less than what is returned from the server.As a result, if you use the recursive option, you will get a directorytree corresponding exactly to the DNS hierarchy.  Again, I must stressthat you use the recursive option with care, and the author calls youa slime-ball again if you use this for evil purposes.WHAT DNSWALK CHECKS FOR..*  all PTR records that look like a full IP address point back to aforward name.  In other words, "3.155.118.128.in-addr.arpa."will be checked, but "155.118.128.in-addr.arpa." will NOT be checked.(For those people who give their subnets a name)  Addresses endingin .0 are also NOT checked.[ reports error as "X PTR Y: unknown host" ]*  PTR records are listed as IP addresses in forward name.  In otherwords if 4.3.2.1.in-addr.arpa. points to "foo.org", but "foo.org"doesn't have "1.2.3.4" listed in its forward A records then it will be an error.[ reports error as "X PTR Y: forward matching A record not found" ]*  PTR records do not point to a CNAME.[ reports error as "X PTR Y: CNAME (to Z)" ]*  CNAMEs point to a host with an A record.[ reports error as "X CNAME Y: unknown host" ]*  CNAMEs do not point to another CNAME.[ reports error as "X CNAME Y: CNAME (to Z)" ]*  MXs point to a host with an A record.[ reports error as "X MX Y: unknown host" ]*  MXs do not point to a CNAME.[ reports error as "X MX Y: CNAME (to Z)" ]*  A records have some corresponding PTR record.  (Not necessarilyof the same name, of course)[ reports error as "X A Y: no PTR record" ]*  Reports any packet size errors listed in dig zone transfer output(Could be caused by a corrupted zone file, or invalid syntax used)*  That there is more than one authoritative nameserver for a zone.It does not check if the machine is on a separate network (yet).A site should ALWAYS have a secondary nameserver.  It SHOULD beon a different network than the primary.(with -a switch)*  duplicate A records listed for a given host.  NOTE: this is mostoften caused by the practice of always putting A records for allsecondaries after NS glue records.  While this is not an error, it isusually redundant and makes changing IP addresses later more difficult,since they occur more than one time in the file (and in multiplefiles).  This checking needs more work.  (Mostly because of a quirk inBIND that reports cached A records in a zone transfer even though theydon't exist in the original zone file.  I might just end up skipping thischeck altogether.)[ reports error as "X: possible duplicate A record (glue of Z?)" where Z is the previous zone listed in the file ](with -F switch)* perform "fascist" checking.  When checking an A record, compare the PTR  name for each IP address with the forward name.  This WILL result in  needless errors (like if you have an A record for your domain name  pointing to your main server, or have A records like "mailhost" or  "ns" defined to point to your mail or DNS server) but will catch little  errors that may have crept in if you have an A record pointing to a host  that you didn't intend to.[ reports error as "X A Y: points to Z" where Z is the "canonical" name  as returned by gethostbyaddr() ](with -l switch)* Lame delegations.  A lame delegation is when a domain says "thisserver is a secondary for zone Z" but the listed server is not givingout authoritative data for zone Z.  This is usually the result ofa lack of communication on the part of the respective hostmasters.Lame delegations are not fatal problems, they just tend to createsignificant increases in DNS traffic.[ reports error as "X NS Y: lame NS delegation" where X is the domain,and Y is the lame nameserver ]* Nameserver errors.  Any errors while contacting other nameservers(like connection refused or timeout) will be reported.  This couldmean a lame delegation, or simply that the host is temporarilyunreachable.[ reports error as "X NS Y: nameserver error (lame?)" followed by theerror message from dig]*** NOTICE ***	I fully realize that while some of the above rules are notin violation of an RFC, it might be wise to reconsider their usage anyway.dnswalk was written to be a tool to let the hostmaster decide what are troublesome areas, not as a program that has all the answers.*** NOTICE ***CAVEATS	If a domain "foo.edu" lists "ns.bar.foo.edu" as authoritative fora zone "bar.foo.edu", but "ns.bar.foo.edu" isn't, then the the dig ofthe zone transfer will hang.  (This was the case here for a subdomainthat moved into a new set of IP addresses, but the parent nameserver stillhad the old authority records pointing to their nameservers which weren'tanswering to the old reverse domain anymore.)  If this happens, you canhit ^C while the transfer is going on and dnswalk will abort that server.(It will also remove the partial axfr file)  Hopefully I can figure amore elegant way around this.  (or fix dig so that it doesn't hang)This program was tested with data from the psu.edu domain.  If yoursite does things differently than the way we do things, then youmay see it report things as errors, when in fact they are "okay".If you notice something not being reported, or something reported thatis not an error, please send me output!  I fully admit that I'm notan expert in DNS and the requirements.  My rules tend to be skewed tomy personal feelings about what "nice" DNS databases look like.  Othersare free to differ.  (and tell me so)BUGS	I should get around to writing a real man page.	dnswalk will make the directory tree before it has a chance tofind out that you gave it a bogus domain name.	When checking lots of hosts and lots of options, it is veryslow.  Running dnswalk on a machine with a local nameserver helpsconsiderably.	Perl's gethostby{name,addr}() routine doesn't seem toconsistently return an error whenever it is unable to resolve anaddress.  Argh.  This will mean lots of "no PTR record" and "host unknown"errors if a server is unavailable, or for some reason the lookup fails.	I really need to rewrite this all to not rely on dig, and usebind.pl instead.OTHER SOURCESRFC 1034 - "DOMAIN NAMES - CONCEPTS AND FACILITIES"RFC 1035 - "DOMAIN NAMES - IMPLEMENTATION AND SPECIFICATION"RFC 1123 - "Requirements for Internet Hosts -- Application and Support"Paul Albits, Cricket Liu: "DNS and BIND" O'Reilly & Associates.[the author recommends copies by your favorite bathroom and/or nightstand]David Barr - System AdministratorThe Pennsylvania State University Population Research Institute<barr@pop.psu.edu>Thanks:Bill Fenner - tips with perlBUGS FIXEDadded equal() routine and changed all string comparisons to use itinstead.  equal() does case-insensitive comparisons.  This was causingseveral problems with mixed case host and domain names in variousplaces.checks for invalid PTR records now skip addresses ending in ".0".shortened error messages so they are more likely to fit in 80 columnshandles failed zone transfers better.  You can't trust dig to returna non-zero return code if the transfer fails, so I parse the outputmyself to see if it contains an SOA record to prove that it is 'valid'.sorts output by zone.  Also displays server of authority and thecontact for the zone.  (So you know who to bug :-) )produced erroneous warnings regarding having only one authoratativenameserver for a zone.  It now warns correctly.[ BUGS now moved to CHANGES file ]