Last night, I tidied up my perfunctory weekly cron job that
checks on master & all slave nameservers for my two domains, making the
script itself more terse and easier to read, along with eliminating some
undesired junk report output. The revised Bourne script and its current
output follow, below.
And, if anyone feels like helping improve it more, that'd be cool.
As you'll see, I was lazy in my design & implementation, for which I
make no apology: A good-enough implementation you complete beats a
better one you never quite get to, every time. And yet, it could be a
lot better.
One obvious misfeature is that the script output says (figuratively)
"Here's the five nameservers you ought to see; if any are missing,
something is wrong", but a _better_ script would simply use shell logic
to report, for each of the five, _either_ its returned zonefile S/N _or_
the fact that it doesn't respond. For extra credit, disagreement about
the S/N could be somehow highlighted rather than left for the reader to
vgrep.
Maybe, I dunno, state the master nameserver's S/N first, and then
for each of the slaves say either "$FOO: agrees", "$FOO: no response",
or "$FOO: is a rebel and says $BAR". Or, _even better_, if (as should
be the case routinely) all nameservers are in agreement, say "All
$N nameservers report $BAR", and cite details only in the exceptional case
needing attention, where there are nonresponses or disagreements.
In general, my sense is that one wants to have much terser output when
results are normal and expected: Ideally, the report's substance
should be either "Everything's cool this week" or "Some things are off
this week, details below."
E.g., a well-tuned logcheck report deliberately doesn't tell you
anything about the many things going on that are routine, so that
non-routine and possibly worrying things will stand out better.
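One way to get the terser "all agree" / "details only when something is off" report sketched above, as an added example that is not Rick's script: a pair of POSIX sh functions (the names collect_serials and soa_report are assumptions chosen here). collect_serials runs dig per nameserver and emits "<nameserver> <serial>" lines with the master first and an empty serial for a non-responder; soa_report turns those lines into one summary line when everything agrees, or the master's S/N plus a per-slave verdict otherwise.

```shell
#!/bin/sh
# Added example, not part of the cron job above: terse SOA agreement report.
# collect_serials and soa_report are hypothetical names chosen for this example.
# Line convention: "<nameserver> <serial>", one per server, master first;
# an empty serial means that server gave no answer.

# collect_serials DOMAIN MASTER SLAVE...  (needs network; output feeds soa_report)
collect_serials() {
    domain=$1; shift
    for ns in "$@"; do
        # "dig +short SOA" prints "mname rname serial refresh retry expire minimum";
        # a dead server prints nothing, so serial ends up empty.
        serial=$(dig @"$ns" "$domain." SOA +short +time=3 +tries=1 2>/dev/null \
                 | awk 'NR == 1 { print $3 }')
        printf '%s %s\n' "$ns" "$serial"
    done
}

# soa_report DOMAIN  reads those lines on stdin. Prints one line when all agree,
# otherwise the master's S/N and a verdict per slave. Exit status 0 only if all agree.
soa_report() {
    awk -v domain="$1" '
    NF == 0 { next }
    { n++; ns[n] = $1; sn[n] = $2 }
    END {
        if (n == 0) { print domain ": no nameserver data"; exit 1 }
        ref = sn[1]; bad = 0
        for (i = 1; i <= n; i++) {
            if (sn[i] == "") { msg[i] = "no response"; bad++ }
            else if (sn[i] != ref) { msg[i] = (ref == "" ? "says " : "is a rebel and says ") sn[i]; bad++ }
        }
        if (bad == 0) { print domain ": all " n " nameservers report " ref; exit 0 }
        if (ref == "") print domain ": master " ns[1] " did not respond"
        else print domain ": master " ns[1] " reports " ref
        for (i = 2; i <= n; i++)
            print "  " ns[i] ": " ((i in msg) ? msg[i] : "agrees")
        exit 1
    }'
}

# Intended cron use (network), e.g.:
#   collect_serials linuxmafia.com ns1.linuxmafia.com ns.primate.net \
#       ns.tx.primate.net ns3.linuxmafia.com ns0.sunnyside.com | soa_report linuxmafia.com
```

The exit status lets the cron wrapper mail only when soa_report returns non-zero, which is the "say nothing when everything is routine" behaviour logcheck has.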
I'm also dissatisfied with the results of parsing out "Name Server"
lines from /usr/bin/whois output: Notice the auth. nameserver roster
is reported twice, once in all-caps, once in lower case. Why? Because
"whois linuxmafia.com" (or same for unixmercenary.net) _itself_ reports
the output from registrar whois server whois.1api.net twice in a row,
in two stanzas, first without domain stakeholder contacts, the second
time with them. I really have no idea why the latter is the case.
Maybe the registrar whois servers are just unfixably funky: I know from
messing around with Perl script d-check and its predecessor domain-check
that the registrars mess around with whois output at unpredictable
intervals. Maybe I should just be happy that the service exists, at
all: A lot of Internet money people keep wanting to kill public whois,
because of course it's not a profit centre (despite newer Web-mediated
whois that can clot you down with ads).
And last, notice that each of the four reported "dig" output sections
is prefaced by three lines of comments declaring the dig version,
the command line dig is processing, then "(1 server found)", then
"global options: printcmd". I kept playing last night with "+no$FOO"
options, trying to eliminate those from what dig reported, and didn't
find the answer. One perversity "dig" has is that it appears to answer
a bit differently when run at the command line vs. in a shell script.
Of course, I could just pipe the output through a GNU sed filter that
strips out lines starting with ";", but I keep feeling sheepish about
not knowing the magic for tersifying "dig" output more, in scripts.
Oh, and also, my "+no$FOO" experiment gave different results from
queries of the parent-zone NS records vs. queries of in-zone NS records,
as to how much undesired junk output got eliminated. That's why the
current script uses different sets of flags for the two "dig" use-cases.
I don't entirely understand why this is the case; I don't think I was
hallucinating, but obviously there are complexities to taming "dig"'s
output verbosity that I haven't yet mastered.
---<begin /etc/cron.weekly/mydomains contents>---
#!/bin/sh
# mydomains Cron script to sanity-check my domains' SOA records at
# all of their authoritative nameservers, as a quick and
# dirty way of making sure (1) they're all online and
# (2) they're all serving up the same data (or at least
# data with the same zonefile serial number).
#
# The script queries all nameservers for their current
# SOA value, and then uses awk to parse out of that
# verbose record just the S/N field, which is field #3.
# The point is that you can visually spot offline or
# aberrant nameservers by their S/Ns being (respectively)
# missing or an out-of-step value.
#
# Written by Rick Moen (rick(a)linuxmafia.com)
# $Id: cron.weekly,v 1.07 2023/09/08 00:23:00 rick
# Copyright (C) Rick Moen, 2011-2023. Do anything you want with this work.
set -o errexit #aka "set -e": exit if any line returns non-true value
set -o nounset #aka "set -u": exit upon finding an uninitialised variable
test -x /usr/bin/mail || exit 0
test -x /usr/bin/whois || exit 0
test -x /usr/bin/awk || exit 0
test -x /bin/grep || exit 0
test -x /usr/bin/dig || exit 0
{
echo "As of 2023-09-08, linuxmafia.com should show five authoritative nameservers:"
echo ""
echo "ns.primate.net. 198.144.194.12, (Aaron T. Porter)"
echo "ns.tx.primate.net. 72.249.38.88 (Aaron T. Porter)"
echo "ns3.linuxmafia.com. 107.204.234.170, aka ns.catwhisker.org (David Wolfskill)"
echo "ns0.sunnyside.com. 192.147.248.10 (Al Whaley)"
echo "ns1.linuxmafia.com. 96.95.217.99 (Rick Moen)"
echo ""
echo "As of 2023-09-08, unixmercenary.net should show five authoritative nameservers:"
echo ""
echo "ns.primate.net. 198.144.194.12, (Aaron T. Porter)"
echo "ns.tx.primate.net. 72.249.38.88 (Aaron T. Porter)"
echo "ns3.linuxmafia.com. 107.204.234.170, aka ns.catwhisker.org (David Wolfskill)"
echo "ns0.sunnyside.com. 192.147.248.10 (Al Whaley)"
echo "ns1.linuxmafia.com. 96.95.217.99 (Rick Moen)"
echo ""
echo "If any is missing from reports below, or produces odd data, something is wrong."
echo ""
echo "Zonefile S/Ns, linuxmafia.com:"
echo ""
for i in $(dig linuxmafia.com. NS +short); do dig @$i linuxmafia.com. soa +short | awk '{ print $3 " on '$i'"}'; done
echo ""
echo "Zonefile S/Ns, unixmercenary.net:"
echo ""
for i in $(dig unixmercenary.net. NS +short); do dig @$i unixmercenary.net. soa +short | awk '{ print $3 " on '$i'"}'; done
echo ""
echo "Authoritative nameservers from whois, linuxmafia.com:"
echo ""
whois linuxmafia.com | grep 'Name Server' | awk -F: '{ print $2 }'
echo ""
echo "Authoritative nameservers from whois, unixmercenary.net:"
echo ""
whois unixmercenary.net | grep 'Name Server' | awk -F: '{ print $2 }'
echo ""
echo "Parent-zone NS records, linuxmafia.com:"
echo ""
dig @$(dig com. NS +short | head -n 1) linuxmafia.com. NS +noall +auth
echo ""
echo "Parent-zone NS records, unixmercenary.net:"
echo ""
dig @$(dig net. NS +short | head -n 1) unixmercenary.net. NS +noall +auth
echo ""
echo "In-domain NS records, linuxmafia.com:"
echo ""
dig @ns1.linuxmafia.com. linuxmafia.com. ns +nocomments +noadd +nocmd +noquestion +noqr +nostats
echo ""
echo "In-domain NS records, unixmercenary.net:"
echo ""
dig @ns1.linuxmafia.com. unixmercenary.net. ns +nocomments +noadd +nocmd +noquestion +noqr +nostats
} |
mail -s "Domains linuxmafia.com and unixmercenary.net SOA check" rick(a)linuxmafia.com
---<end>
----- Forwarded message from root <root(a)linuxmafia.com> -----
Date: Fri, 08 Sep 2023 10:27:59 -0700
From: root <root(a)linuxmafia.com>
To: rick(a)linuxmafia.com
Subject: Domains linuxmafia.com and unixmercenary.net SOA check
As of 2023-09-08, linuxmafia.com should show five authoritative nameservers:
ns.primate.net. 198.144.194.12, (Aaron T. Porter)
ns.tx.primate.net. 72.249.38.88 (Aaron T. Porter)
ns3.linuxmafia.com. 107.204.234.170, aka ns.catwhisker.org (David Wolfskill)
ns0.sunnyside.com. 192.147.248.10 (Al Whaley)
ns1.linuxmafia.com. 96.95.217.99 (Rick Moen)
As of 2023-09-08, unixmercenary.net should show five authoritative nameservers:
ns.primate.net. 198.144.194.12, (Aaron T. Porter)
ns.tx.primate.net. 72.249.38.88 (Aaron T. Porter)
ns3.linuxmafia.com. 107.204.234.170, aka ns.catwhisker.org (David Wolfskill)
ns0.sunnyside.com. 192.147.248.10 (Al Whaley)
ns1.linuxmafia.com. 96.95.217.99 (Rick Moen)
If any is missing from reports below, or produces odd data, something is wrong.
Zonefile S/Ns, linuxmafia.com:
2022041200 on ns3.linuxmafia.com.
2022041200 on ns.primate.net.
2022041200 on ns.tx.primate.net.
2022041200 on ns0.sunnyside.com.
2022041200 on ns1.linuxmafia.com.
Zonefile S/Ns, unixmercenary.net:
2022040401 on ns.primate.net.
2022040401 on ns.tx.primate.net.
2022040401 on ns3.linuxmafia.com.
2022040401 on ns0.sunnyside.com.
2022040401 on ns1.linuxmafia.com.
Authoritative nameservers from whois, linuxmafia.com:
NS.PRIMATE.NET
NS.TX.PRIMATE.NET
NS0.SUNNYSIDE.COM
NS1.LINUXMAFIA.COM
NS3.LINUXMAFIA.COM
ns0.sunnyside.com
ns1.linuxmafia.com 96.95.217.99
ns.primate.net
ns.tx.primate.net
ns3.linuxmafia.com 107.204.234.170
Authoritative nameservers from whois, unixmercenary.net:
NS.PRIMATE.NET
NS.TX.PRIMATE.NET
NS0.SUNNYSIDE.COM
NS1.LINUXMAFIA.COM
NS3.LINUXMAFIA.COM
ns0.sunnyside.com
ns1.linuxmafia.com 96.95.217.99
ns.primate.net
ns.tx.primate.net
ns3.linuxmafia.com 107.204.234.170
Parent-zone NS records, linuxmafia.com:
; <<>> DiG 9.4.2 <<>> @f.gtld-servers.net. linuxmafia.com. NS +noall +auth
; (1 server found)
;; global options: printcmd
linuxmafia.com. 172800 IN NS ns0.sunnyside.com.
linuxmafia.com. 172800 IN NS ns1.linuxmafia.com.
linuxmafia.com. 172800 IN NS ns.primate.net.
linuxmafia.com. 172800 IN NS ns.tx.primate.net.
linuxmafia.com. 172800 IN NS ns3.linuxmafia.com.
Parent-zone NS records, unixmercenary.net:
; <<>> DiG 9.4.2 <<>> @k.gtld-servers.net. unixmercenary.net. NS +noall +auth
; (1 server found)
;; global options: printcmd
unixmercenary.net. 172800 IN NS ns0.sunnyside.com.
unixmercenary.net. 172800 IN NS ns1.linuxmafia.com.
unixmercenary.net. 172800 IN NS ns.primate.net.
unixmercenary.net. 172800 IN NS ns.tx.primate.net.
unixmercenary.net. 172800 IN NS ns3.linuxmafia.com.
In-domain NS records, linuxmafia.com:
; <<>> DiG 9.4.2 <<>> @ns1.linuxmafia.com. linuxmafia.com. ns +nocomments +noadd +nocmd +noquestion +noqr +nostats
; (1 server found)
;; global options: printcmd
linuxmafia.com. 86400 IN NS ns.primate.net.
linuxmafia.com. 86400 IN NS ns0.sunnyside.com.
linuxmafia.com. 86400 IN NS ns.tx.primate.net.
linuxmafia.com. 86400 IN NS ns3.linuxmafia.com.
linuxmafia.com. 86400 IN NS ns1.linuxmafia.com.
In-domain NS records, unixmercenary.net:
; <<>> DiG 9.4.2 <<>> @ns1.linuxmafia.com. unixmercenary.net. ns +nocomments +noadd +nocmd +noquestion +noqr +nostats
; (1 server found)
;; global options: printcmd
unixmercenary.net. 86400 IN NS ns.primate.net.
unixmercenary.net. 86400 IN NS ns1.linuxmafia.com.
unixmercenary.net. 86400 IN NS ns0.sunnyside.com.
unixmercenary.net. 86400 IN NS ns3.linuxmafia.com.
unixmercenary.net. 86400 IN NS ns.tx.primate.net.
----- End forwarded message -----
I used to have my two domains, linuxmafia.com and unixmercenary.net,
registered through an individual in Texas, found via my wife Deirdre,
who was a Tucows OpenSRS reseller. Years down the line, he wound down
that operation: I think I was among the final customers, probably kept
because I wasn't "high maintenance" unlike many domain owners.
Where I moved was to small, clueful registrar IWantMyName.com of
Wellington, NZ. And all was good for a long time. There was one brief
bobble when GDPR kicked in: Suddenly and without explanation, let alone
my request, all my domain contacts toggled to "private registration". I
opened an IWantMyName.com support ticket, like "not what I want, please
revert."
Their clued and cheerful tech quickly figured out what happened:
IWantMyName.com is a reseller of domain services provided by very large,
German registrar 1API Gmbh (with presumably IWantMyName.com doing its
work via 1API's, er, API). And, like many large registrars, 1API Gmbh
had reacted to the rollout of GDPR by doing a "Fine, we'll just set
everyone for maximum privacy as a new default, so we cannot be sued for
privacy violation."
IWantMyName.com staff intervened with the larger company, and it got
fixed. More years passed. In August 2019, the unwelcome news arrived
that the Wellington, NZ shop was now a wholly owned subsidiary of
CentralNic Group PLC of London.[1] Drat. You go to the effort of
researching a small clueful business, run by people you have confidence
in, and they get bought out by some distant idiots. More years pass.
A few days ago, I check, and linuxmafia.com and unixmercenary.net are
_again_ set to "private registration". Grr. I do due-diligence by
visiting the IWantMyName.com customer WebUI: For each domain, there is
a toggle to _enable_ (but not one to disable) "private registration".
Fine, I've tried to fix it myself, and no. Will require registrar
action.
New support ticket. I thank them for prior help, detail 1API Gmbh
having pushed out this unrequested change once _before_, suggest this
might have been a similar corporate spasm, give the context that I'm
one of those rare people who insist on _public_ WHOIS, and that I've
had these domains for decades.
Support guy sends back a one-liner saying:
<---begin--->
Shaswat, 2 Feb 2023, 00:23 UTC
Hello there,
Verisign domains do not show registrant details, regardless of privacy setting.
This is registry policy over which we do not have any influence so there isn't much we can do from our end.
Shaswat
<---end--->
I draft a response, saying "That's odd, I find nobody online discussing
Verisign ever adopting such a policy, which is suspicious. Nor can I
find any declaration of such a policy. Can you please point me to one?
Also, when did this occur? Please give me details so I know how to
escalate my complaint at Verisign." (Verisign is indeed the operator of
the .com and .net TLDs, since their acquisition of NSI.)
But, before sending, I smell a rat. Wait, does Shaswat's statement
actually check out? If it's true, then _no_ .com or .net domains have
public WHOIS, any more.
I check:
o apple.com
o verisign.net
Both have public WHOIS. I discard my pending draft response to Shaswat,
and politely point out that his assertion is erroneous, citing the above
two domains as counter-examples. I reiterate my request, say that his
first response is in no way acceptable, and advise checking with his
team if he doesn't know how to proceed. I also say he should use
standard WHOIS client queries to verify what I said about apple.com and
verisign.net -- and paste the contact results for his convenience.
A few minutes later, Shaswat responds:
<---begin--->
Shaswat, 2 Feb 2023, 04:11 UTC
I passed your email to our developers and I am getting the same response.
Here is a third party source that displays registrant info :- https://www.whois.com/
Despite the privacy being turned off for the domains: linuxmafia.com and unixmercenary.net, it says redacted.
That's because whois pulls data from the registry database and verisign keeps it
private.
Shaswat
<---end--->
Notice the implication that his _entire_ notion of how to view WHOIS
is to use an outsourced third-party _Web_ front-end to WHOIS. I.e., I
suspect he is completely unaware of /usr/bin/whois and /usr/bin/jwhois .
One gets the picture of some underpaid technophone, who knows nothing
about the registrar business and uses only a Web browser, never command
lines.
I reply back, reiterating that irrespective of what "our developers"
say, that is obviously incorrect, and that he can see that for himself
using any WHOIS tool including the third-party https://www.whois.com/
CGI. I also add that I'd advise him becoming fluent with /usr/bin/whois
and /usr/bin/jwhois, as that is a necessary skill for his present job.
That was about 14 hours ago. I'm still waiting to hear... something.
So, I get the picture that CentralNic Group PLC probably laid off
all the competent support staff and moved IWantMyName.com support
into its existing ultra-low-paid helpdesk staff operation who only
copy-paste stock answers and are incompetent to do technical work.
I'm going to give it a day, and maybe try to escalate to the CentralNic
Group PLC / IWantMyName.com _sales_ staff, pointing out that they're
about to lose a customer.
My expectation is: They're going to lose a customer. I suspect they've
been Computer Associated.
( http://linuxmafia.com/~rick/lexicon.html#computer-associates )
(1) Michael, I notice you have berleleylug.com (with public WHOIS) at
registrar gandi.net . Still happy with them?
(2) Anyone here have a .net domain (with public WHOIS) at gandi.net
or any other reputable registrar?
[1] https://iwantmyname.com/about https://iwantmyname.com/blog/iwantmyname-becomes-part-of-centralnic-group-p…