## Excerpt of a csh DNS-delegation checker, restored to one statement per line.
## The excerpt opens inside an `if` and a `foreach i (...)` loop that begin
## before it, and stops inside the final `if ($#sns > 1) then` block.
## Most messages are appended to log.$dom and echoed to the terminal only when
## the matching flag ($vflag, $eflag, $wflag, $dflag, $ddflag) is set.
endif
## $stat is split by 16: the messages below report the remainder as the number
## of glue records and treat a quotient above 1 as "multiple TTLs".
@ glue = $stat % 16
@ ttls = $stat / 16
######################################################
## Here we make a separate list of info based on whether the
## server (for parent domain) happens to also be authoritative
## for the domain being tested.
##
## Each branch counts the server, records its name, and adds its NS file to the
## list of distinct NS sets unless `diff -i` finds an identical file already
## listed.  $another is not set in this excerpt before the inner loops --
## presumably it is initialised to 1 earlier in the outer loop; confirm.
##
if ($isaa == 0) then
  @ nsdadno++
  set nsdad=($nsdad $i)
  set what="(non-AUTH)"
  foreach j ($nslists)
    diff -i $j $dom.ns.$i >& /dev/null
    if ($status == 0) then
      set another=0
      break
    endif
  end
  if ($another) set nslists=($nslists $dom.ns.$i)
else
  @ nsdadnoaa++
  set nsdadaa=($nsdadaa $i)
  set what="(AUTH)"
  foreach j ($nslistsaa)
    diff -i $j $dom.ns.$i >& /dev/null
    if ($status == 0) then
      set another=0
      break
    endif
  end
  if ($another) set nslistsaa=($nslistsaa $dom.ns.$i)
endif
##
## Number of NS records = number of lines in this server's NS file.
set dadno = `wc -l < $dom.ns.$i`
echo Found $dadno NS and $glue glue records for $dom @$i $what >> log.$dom
if ($vflag) echo Found $dadno NS and $glue glue records for $dom @$i $what
if ($ttls > 1) then
  @ fferror++
  echo "ERROR: multiple TTLs found for $dom NS records @$i" >> log.$dom
  if ($eflag) echo "ERROR: multiple TTLs found for $dom NS records @$i"
  if ($ddflag) echo "DDBUG: 10"
endif
## With $pflag set, the NS list of the current parent server is taken as the
## full server list.
## NOTE(review): as the tokens appear on this page, `break` sits in the else
## branch only, so the loop stops after a non-AUTH server but continues past
## an AUTH one -- confirm against the upstream script.
if ($pflag) then
  set domservall = `cat $dom.ns.$i`
  if ($isaa) then
    set nslistsaa = $dom.ns.$i
  else
    set nslists = $dom.ns.$i
    break
  endif
endif
end ## foreach
## With $pflag set, the cross-server comparison is skipped entirely.
if ($pflag) then
  echo "Using NSlist from parent domain server $i" >> log.$dom
  if ($vflag) echo "Using NSlist from parent domain server $i"
  goto skip3
endif
echo "DNServers for $dad" >> log.$dom
echo " === $nsdadnoaa were also authoritatve for $dom" >> log.$dom
echo " === $nsdadno were non-authoritative for $dom" >> log.$dom
if ($vflag) then
  echo "DNServers for $dad"
  echo " === $nsdadnoaa were also authoritatve for $dom"
  echo " === $nsdadno were non-authoritative for $dom"
endif
##
##################################################
## Print info about authoritative responses.
##
## $tmpcntone ends up as the number of distinct NS sets seen from parent
## servers that are also authoritative (0 if there were none).
set tmpcntone=0
if ($#nslistsaa > 1) then
  @ fferror++
  set tmpcntone=$#nslistsaa
  echo "ERROR: Found $#nslistsaa diff sets of NS records" >> log.$dom
  echo " === from servers authoritative for $dom" >> log.$dom
  if ($eflag) echo "ERROR: Found $#nslistsaa diff sets of NS records"
  if ($eflag) echo " === from servers authoritative for $dom"
  if ($ddflag) echo "DDBUG: 11"
else if ($nslistsaa != "") then
  set tmpcntone=1
  if ($nsdadnoaa > 1) then
    echo "Servers for $dad that are also authoritative for $dom" >> log.$dom
    echo " === agree on NS records for $dom" >> log.$dom
    if ($vflag) echo "Servers for $dad that are also authoritative for $dom"
    if ($vflag) echo " === agree on NS records for $dom"
    if ($ddflag) echo "DDBUG: 12"
  endif
endif
##################################################
## Print info about non-authoritative responses.
##
## Same bookkeeping as above, but disagreement here is only a warning.
set tmpcnttwo=0
if ($#nslists > 1) then
  @ ffwarn++
  set tmpcnttwo=$#nslists
  echo "WARN: Found $#nslists diff sets of NS records" >> log.$dom
  echo " === from servers not authoritative for $dom" >> log.$dom
  if ($wflag) echo "WARN: Found $#nslists diff sets of NS records"
  if ($wflag) echo " === from servers not authoritative for $dom"
  if ($ddflag) echo "DDBUG: 13"
else if ($nslists != "") then
  set tmpcnttwo=1
  if ($nsdadno > 1) then
    echo "Servers for $dad (not also authoritative for $dom)" >> log.$dom
    echo " === agree on NS records for $dom" >> log.$dom
    if ($vflag) echo "Servers for $dad (not also authoritative for $dom)"
    if ($vflag) echo " === agree on NS records for $dom"
    if ($ddflag) echo "DDBUG: 14"
  endif
##
###################################################
## If both authoritative && non-authoritative responses and
## if they agree among themselves,
## then check if NS records are consistent among all.
##
## This check is nested in the `else if ($nslists != "")` branch above, so it
## runs only when the non-authoritative servers produced a single NS set.
  if ($tmpcntone == 1) then
    diff -i $nslists $nslistsaa >& /dev/null
    if ($status == 0) then
      echo "NS lists for $dom from all $dad servers are identical" >> log.$dom
      echo " === (both authoritative and non-authoritative for $dom)" >> log.$dom
      if ($ddflag) echo "DDBUG: 15"
      if ($vflag) then
        echo "NS lists for $dom from all $dad servers are identical"
        echo " === (both authoritative and non-authoritative for $dom)"
      endif
      set agree=1
    else
      @ fferror++
      echo "ERROR: NS list for $dom from parent servers differ" >> log.$dom
      echo " === authoritative disagree with those not AUTH for $dom " >> log.$dom
      if ($ddflag) echo "DDBUG: 16"
      if ($eflag) then
        echo "ERROR: NS list for $dom from parent servers differ"
        echo " === authoritative disagree with those not AUTH for $dom"
        diff -c -i $nslists $nslistsaa
      endif
    endif
  endif
endif
#########################################################
## Take union of lists of nameservers for the domain.
##
###############################################
## Union of lists from (parent) servers --
## those not also authoritative for domain.
foreach i ($nsdad)
  cat $dom.ns.$i >> $dom.ns.dad
end
if (-e $dom.ns.dad) then
  sort -u $dom.ns.dad > $dom.tmp
  mv $dom.tmp $dom.ns.dad
  set domserv=`cat $dom.ns.dad`
  if ($dflag) echo "DEBUG: domserv = $domserv"
else
  set domserv=""
endif
##
################################################
## Union of lists from (parent) servers --
## those also authoritative for domain.
foreach i ($nsdadaa)
  cat $dom.ns.$i >> $dom.ns.dadaa
end
if (-e $dom.ns.dadaa) then
  sort -u $dom.ns.dadaa > $dom.tmp
  mv $dom.tmp $dom.ns.dadaa
  set domservaa=`cat $dom.ns.dadaa`
  if ($dflag) echo "DEBUG: domservaa = $domservaa"
else
  set domservaa=""
endif
###################################################
## Look for nameservers (NS records) known by
## non-authoritative but not by authoritative servers.
##
## XXX: might want to find the other way also/instead
set domservdiff=""
foreach i ($domserv)
  set another=1
  foreach j ($domservaa)
    if ($i == $j) then
      set another = 0
      break
    endif
  end
  if ($another) then
    set domservdiff=($domservdiff $i)
  endif
end
##
########################################################
## Look to make certain that parent servers that claim to be
## authoritative are listed among the NS records of a server.
## (Strangely enough, often they claim to be AUTH, but do
## not hold an NS record for themselves!!)
##
## $domservall becomes the full server list: the authoritative union followed
## by the names known only to non-authoritative servers.
set domservall=($domservaa $domservdiff)
foreach i ($nsdadaa)
  set another=1
  foreach j ($domservall)
    if ($i == $j) then
      set another=0
      break
    endif
  end
  if ($another) then
    @ ffwarn++
    echo "WARNING: $i claims to be authoritative for $dom " >> log.$dom
    echo " == but no NS record at parent zone" >> log.$dom
    if ($wflag) echo "WARNING: $i claims authoritative for $dom"
    if ($wflag) echo " == but no NS record at parent zone"
    if ($ddflag) echo "DDBUG: 17"
  endif
end
## Target of the `goto skip3` taken when $pflag is set.
skip3:
echo "NS list summary for $dom from parent ($dad) servers" >> log.$dom
if ($vflag) echo "NS list summary for $dom from parent ($dad) servers"
## Print the server list three names per line (first three, next three, rest).
if ($#domservall > 3) then
  echo " == $domservall[1-3]" >> log.$dom
  if ($vflag) echo " == $domservall[1-3]"
  if ($#domservall > 6) then
    echo " == $domservall[4-6]" >> log.$dom
    echo " == $domservall[7-]" >> log.$dom
    if ($vflag) echo " == $domservall[4-6]"
    if ($vflag) echo " == $domservall[7-]"
  else
    echo " == $domservall[4-]" >> log.$dom
    if ($vflag) echo " == $domservall[4-]"
  endif
else
  echo " == $domservall" >> log.$dom
  if ($vflag) echo " == $domservall"
endif
##
###########################################################
## Check that SOA's from all NS (for domain) have same serial nos
## Keep list of nameservers that are authoritative and have
## exactly one SOA record.
##
## NOTE(review): $i below is a nameserver name read from the NS list files
## above, which presumably hold names returned by remote DNS servers --
## confirm.  It is used unquoted as a dig argument and as part of file names
## (`> $dom.soa.$i`, `rm $dom.soa.$i`); checking that each name contains only
## hostname characters before this loop would keep a malformed name (one
## containing `/` or glob characters, say) from redirecting these reads and
## writes.
set sns=""
set aafile=""
set aaserv=""
set noaaserv=""
set cnttwo=0
foreach i ($domservall)
  if ($dflag) echo "digging @$i for soa of $dom"
  if ($dflag) echo "digging @$i for soa of $dom" >> log.$dom
  ## Query server $i for the SOA without recursion; the answer is passed
  ## through $tolower and saved per server.
  ## NOTE(review): $status is read after a pipeline; whether it reflects dig
  ## or $tolower depends on the shell -- confirm, since the DIGERR branch
  ## relies on it.
  dig @$i soa $dom +norec $RET +pfset=0xa224 | $tolower > $dom.soa.$i
  set stat = $status
  if ($stat != 0) then
    set estr = $error[$stat]
    echo "DIGERR ($estr): dig @$i for SOA of $dom failed" >> log.$dom
    echo "DIGERR ($estr): dig @$i for SOA of $dom failed"
    @ ffallone++
    rm $dom.soa.$i
    if ($ddflag) echo "DDBUG: 20"
    continue
  endif
  ## Keep the raw answer in the detailed log logXX.$dom.
  echo "## SOA record for $dom domain from nameserver $i" >> logXX.$dom
  echo "" >> logXX.$dom
  cat $dom.soa.$i >> logXX.$dom
  echo "===================" >> logXX.$dom
  echo "" >> logXX.$dom
  ## doc1.awk prints the serial; its exit status is interpreted below
  ## (negative: non-authoritative, 0: no SOA, above 1: multiple SOA records).
  set serial=`awk -f ${auxd}doc1.awk $dom.soa.$i`
  set stat=$status
  if ($vflag) echo "soa @$i for $dom serial: $serial"
  echo "soa @$i for $dom serial: $serial" >> log.$dom
##
######################################################
## Check that answer is authoritative and that
## SOA record (one) was found.
##
## fix for shells which return unsigned 8 bit exit codes
  if ($stat > 127) then
    @ stat = $stat - 256
  endif
  ## NOTE(review): the collapsed page does not show whether `else` and the
  ## following `if` shared a line.  They are split here so that the serial
  ## bookkeeping below runs only for authoritative answers, as the section
  ## comment describes -- confirm against the upstream script.  Either way the
  ## section has one `endif` more than its visible `if ... then` openers need.
  if ($stat < 0) then
    @ fferror++
    set noaaserv = ($noaaserv $i)
    echo "ERROR: non-authoritative SOA for $dom from $i" >> log.$dom
    if ($eflag) echo "ERROR: non-authoritative SOA for $dom from $i"
    if ($ddflag) echo "DDBUG: 21"
  else
    if ($stat == 0) then
      @ fferror++
      echo "ERROR: no SOA record for $dom from $i" >> log.$dom
      if ($eflag) echo "ERROR: no SOA record for $dom from $i"
      if ($ddflag) echo "DDBUG: 22"
    else if ($stat > 1) then
      @ ffwarn++
      echo "WARNING: multiple SOA records found for $dom from $i" >> log.$dom
      if ($wflag) echo "WARNING: multiple SOA records found for $dom from $i"
      if ($ddflag) echo "DDBUG: 23"
    endif
###############################################
## Check for multiple SOA serial numbers
##
    ## Drop the ";; flag" line from the saved answer so that whole SOA files
    ## can be compared later.
    ## NOTE(review): tmp.$$ is a predictable name created in the current
    ## directory; if that directory is shared or world-writable, a private
    ## per-run directory (or mktemp, where available) is the safer choice.
    grep -v ";; flag" $dom.soa.$i | $tolower > tmp.$$
    mv tmp.$$ $dom.soa.$i
    set aafile = ($aafile $dom.soa.$i)
    set aaserv = ($aaserv $i)
    @ cnttwo++
    ## Record the serial in $sns if it has not been seen yet.
    set another=1
    foreach j ($sns)
      if ($serial == $j) then
        set another=0
        break
      endif
    end
    if ($another) then
      set sns=($sns $serial)
    endif
  endif ### may need to be removed XXX
  endif
end ## foreach
##
################################################
## Note results about SOA serial numbers.
## If only one, check that entire SOA records are identical.
##
## More than one distinct serial counts as a warning; the rest of this block
## lies beyond the end of the excerpt.
if ($#sns > 1) then
  @ ffwarn++