Setting validation options for a configuration - BlueCat Integrity - 9.4.0

Address Manager Administration Guide


Set deployment validation options for a configuration for DNS, DHCP, and DNS zones. You must set validation options in order to be able to perform deployment validation.

If the validation options are set, pre-deployment validation will also be performed as part of normal deployment. For more information, refer to Pre-deployment validation.

To set validation options for a configuration:

  1. Select the Administration tab. Tabs remember the page you last worked on. Select the Administration tab again to ensure you are working with the Administration page.
  2. Under General, click Configurations.
  3. Click on a configuration.
  4. Under Configuration Settings, click Define validation settings.
  5. Under Validation Options, select the validation options for the DHCP and DNS configuration files and the DNS zone files:
    • Enable DHCP configuration validation—validates the syntax of the dhcpd.conf file before data is deployed from Address Manager.
    • Enable DNS configuration validation—validates the syntax of the named.conf file before data is deployed from Address Manager.
    • Enable DNS zones validation—validates the syntax of each DNS zone file before data is deployed from Address Manager.
  6. When you select Enable DNS zones validation, the DNS Zones Validation Settings section opens. Set the following zone validation options:
    • Post-load zone integrity validation—select None, Local, Local-sibling, Full, or Full-sibling.
      Full checks that:
      • MX records refer to A or AAAA records, for both in-zone and out-of-zone hostnames.
      • SRV records refer to A or AAAA records, for both in-zone and out-of-zone hostnames.
      • Delegation NS records refer to A or AAAA records, for both in-zone and out-of-zone hostnames.
      • Glue address records in the zone match those specified by the child.
      Local checks that:
      • MX records refer to A or AAAA records, for in-zone hostnames.
      • SRV records refer to A or AAAA records, for in-zone hostnames.
      • Delegation NS records refer to an A or AAAA record, for in-zone hostnames.
      • Glue address records in the zone match those specified by the child.

      Full-sibling performs the same checks as in Full mode but doesn't check the glue records.

      Local-sibling performs the same checks as in Local mode but doesn't check the glue records.

      None disables all post-load zone integrity checks.

    • Check names—select Ignore, Warn, or Fail. This option checks that A, AAAA, and MX record names are legal hostnames. It also checks that domain names in the RDATA of NS, SOA, and MX records are legal. This is equivalent to setting the -k switch for the named-checkzone tool.
    • Check if MX records are IP addresses—select Ignore, Warn, or Fail. This option checks whether MX records point to an IP address rather than an A or AAAA record. This is equivalent to setting the -m switch for the named-checkzone tool.
    • Check if MX records point to CNAME records—select Ignore, Warn, or Fail. This option checks whether MX records point to a CNAME record rather than an A or AAAA record. This is equivalent to setting the -M switch for the named-checkzone tool.
    • Check if NS records are IP addresses—select Ignore, Warn, or Fail. This option checks whether NS records point to an IP address rather than an A or AAAA record. This is equivalent to setting the -n switch for the named-checkzone tool.
    • Check if SRV records point to CNAME records—select Ignore, Warn, or Fail. This option checks whether SRV records point to a CNAME record rather than an A or AAAA record. This is equivalent to setting the -S switch for the named-checkzone tool.
    • Check for non-terminal wildcards—select Ignore or Warn. This option checks for wildcards in zone names that don't appear as the left-most segment of a zone name: for example, mail.*.example.com. Non-terminal wildcards are permissible, but you may want to be alerted to their presence. This is equivalent to setting the -W switch for the named-checkzone tool.
    For the above options, Ignore, Warn, or Fail have the following effects:
    • Ignore—ignores the condition, so it isn't logged in the Zone Validation server log. Deployment proceeds with the zone data containing the condition.
    • Warn—logs the condition in the Zone Validation server log. Deployment proceeds with the zone data containing the condition.
    • Fail—logs the condition in the Zone Validation server log. Deployment fails. The existing DNS data is left in place and the new data isn't deployed.
  7. Click Update.
    Note: Deployment validation options can also be set for individual servers. For more information, refer to Managing servers.
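
The following added example (not BlueCat or BIND code) is a simplified Python sketch of how the MX, NS, SRV, and wildcard conditions described in step 6 are detected and how Ignore, Warn, and Fail decide whether deployment proceeds. The zone records are constructed sample data, and the option keys such as `mx_is_ip` and `wildcard` are hypothetical names chosen for this illustration.

```python
import ipaddress

# Constructed sample records (owner, type, target); not from a real deployment.
ZONE = [
    ("example.com.", "MX", "mail.example.com."),
    ("example.com.", "MX", "192.0.2.25"),            # MX given as an IP address
    ("example.com.", "MX", "alias.example.com."),    # MX pointing to a CNAME
    ("mail.example.com.", "A", "192.0.2.10"),
    ("alias.example.com.", "CNAME", "mail.example.com."),
    ("_sip._tcp.example.com.", "SRV", "alias.example.com."),  # SRV -> CNAME
    ("mail.*.example.com.", "A", "192.0.2.11"),      # non-terminal wildcard
]

def is_ip(text):
    try:
        ipaddress.ip_address(text)
        return True
    except ValueError:
        return False

def find_conditions(zone):
    """Return (option, detail) pairs; option keys are hypothetical names."""
    cnames = {owner for owner, rtype, _ in zone if rtype == "CNAME"}
    found = []
    for owner, rtype, target in zone:
        if rtype in ("MX", "NS") and is_ip(target):
            found.append((f"{rtype.lower()}_is_ip", f"{owner} {rtype} {target}"))
        if rtype in ("MX", "SRV") and target in cnames:
            found.append((f"{rtype.lower()}_to_cname", f"{owner} {rtype} {target}"))
        if "*" in owner.split(".")[1:]:  # "*" anywhere but the left-most label
            found.append(("wildcard", owner))
    return found

def validate(zone, settings):
    """Apply Ignore/Warn/Fail; return (deployment_proceeds, log_lines)."""
    if settings.get("wildcard") == "fail":
        raise ValueError("non-terminal wildcard check accepts only ignore or warn")
    proceeds, log = True, []
    for option, detail in find_conditions(zone):
        action = settings.get(option, "ignore")
        if action == "ignore":
            continue                      # not logged, deployment proceeds
        log.append(f"{action}: {option}: {detail}")
        if action == "fail":
            proceeds = False              # logged, new data is not deployed
    return proceeds, log
```

Calling `validate(ZONE, {"mx_is_ip": "fail", "mx_to_cname": "warn", "wildcard": "warn"})` blocks deployment on the MX record that is an IP address while the other conditions are only logged.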