
Secondary DNS: frequent zone transfers

Started by fstoyan, August 14, 2010, 09:06:23 PM


fstoyan

I'm using HE's free secondary name service for a couple of zones.
Everything works well. Now I have discovered HE is doing
zone transfers every hour for all zones since August 13. Is this
the intended behaviour?

gshaver

#1
A script runs periodically to deactivate the zones that we can no longer successfully axfr.  I've bumped this up to troubleshoot.
It's been put back to once per day.

Regards,
Gary

snarked

Should it actually be transferring, or simply checking the serial number on the SOA record (and transferring if different)?  (There's no need to AXFR the zone if the serial number hasn't changed....)

gshaver

#3
Pulling the soa and performing a zone transfer are not the same.  In many cases, we can pull the soa, but are denied zone xfers, and in one
case we could perform a zone xfr, but not pull an soa record....

The external check is additionally performed periodically so we can know to deactivate the slave service for masters that have not been configured to allow us to axfr the zone.  The server itself normally pulls the soa periodically and updates as needed (or sooner if a notify has been sent).

Gary

snarked

#4
OK, but what I am seeing at my server (BIND 9.7.2b1) is repeated AXFRs (hours to 1 day apart) when the serial number of the zone has NOT changed.  That implies blindly initiating the AXFR without checking the serial on the SOA in a separate query first.  I also see this behavior with one other (NON-HE) secondary (and some former secondaries I no longer have), but not with secondaries that run BIND.

(The extra bandwidth isn't going to kill me as all my zones combined farmed to HE as secondary are about 100k, and I blow through that much data on my web server in about 10 seconds.  However, each AXFR does show in my syslog, and without a serial number change, is unnecessary.)
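The symptom described in reply #4 (repeated AXFRs of a zone whose serial has not changed) is visible on the master's side in its transfer log. The following is an added example, not code from the thread or from HE: it parses constructed log lines modelled loosely on BIND's master-side "transfer of ... AXFR started" messages (the trailing "(serial N)" field is an assumption for this example) and flags any client that transferred the same zone at the same serial more than once, which is the signature of a secondary that skips the SOA serial check.

```python
import re
from collections import defaultdict

# Constructed sample lines (not real log data), modelled loosely on BIND's
# master-side transfer messages. The "(serial N)" suffix is assumed here.
SAMPLE_LOG = """\
Aug 14 01:00:02 ns1 named[1234]: client 203.0.113.5#41235: transfer of 'example.com/IN': AXFR started (serial 2010081301)
Aug 14 02:00:03 ns1 named[1234]: client 203.0.113.5#41236: transfer of 'example.com/IN': AXFR started (serial 2010081301)
Aug 14 03:00:01 ns1 named[1234]: client 203.0.113.5#41237: transfer of 'example.com/IN': AXFR started (serial 2010081301)
Aug 14 04:00:05 ns1 named[1234]: client 198.51.100.7#53011: transfer of 'example.net/IN': AXFR started (serial 2010081400)
Aug 14 12:00:01 ns1 named[1234]: client 198.51.100.7#53012: transfer of 'example.net/IN': AXFR started (serial 2010081401)
"""

# Client address, zone name and serial are the three fields we need.
LINE_RE = re.compile(
    r"client (?P<ip>[\d.:a-fA-F]+)#\d+: transfer of '(?P<zone>[^/]+)/IN': "
    r"AXFR started \(serial (?P<serial>\d+)\)"
)


def parse_transfers(text):
    """Return a list of (client_ip, zone, serial) tuples, one per AXFR start line."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            events.append((m.group("ip"), m.group("zone"), int(m.group("serial"))))
    return events


def redundant_transfers(events):
    """Return sorted (client_ip, zone, serial, count) for every client that pulled
    the same zone at the same serial more than once. A secondary that checks the
    SOA serial first never produces such repeats; a blind periodic AXFR does."""
    counts = defaultdict(int)
    for ip, zone, serial in events:
        counts[(ip, zone, serial)] += 1
    return sorted(
        (ip, zone, serial, n) for (ip, zone, serial), n in counts.items() if n > 1
    )


if __name__ == "__main__":
    for ip, zone, serial, n in redundant_transfers(parse_transfers(SAMPLE_LOG)):
        print(f"{ip} pulled {zone} at serial {serial} {n} times without a change")
```

In the constructed sample, 203.0.113.5 transfers example.com three times at serial 2010081301 and is reported; 198.51.100.7 transfers example.net twice but at two different serials, which is normal behaviour and is not reported.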

fstoyan

Quote from: gshaver on August 15, 2010, 07:57:25 PM
The external check is additionally performed periodically so we can know to deactivate the slave service for masters that have not been configured to allow us to axfr the zone.  The server itself normally pulls the soa periodically and updates as needed (or sooner if a notify has been sent).

Gary

What happens in case of a primary DNS failure, for example due to a hardware fault? SOA query and AXFR won't work. Secondary NS should be authoritative as long as the expiry time from SOA is not exceeded.

gshaver

If the primary fails, then the secondary would perform as expected.  It would serve the last version of the zone that it was able to successfully fetch.   When the slave scanner runs, it simply suspends the slave service until the master is available.  It does not remove the zone.

snarked

...At least until the zone expiration time is reached.
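The refresh behaviour discussed across the last few replies (check the SOA serial, transfer only when it has moved forward, keep serving the old copy while the master is down, stop once the SOA expire interval has elapsed) can be modelled in a few lines. The block below is an added example written for this thread; it is a generic model of a secondary's refresh cycle as the RFCs describe it, not HE's implementation and not BIND's code. The serial comparison follows RFC 1982 serial number arithmetic, which is the part people usually get wrong by using a plain integer comparison. Zone names, serials and timer values are constructed.

```python
from dataclasses import dataclass

MOD = 1 << 32
HALF = 1 << 31


def serial_gt(a, b):
    """RFC 1982 comparison for 32-bit SOA serials: True if a is 'after' b.
    A plain a > b is wrong once the serial wraps around 2**32."""
    a %= MOD
    b %= MOD
    return (a < b and b - a > HALF) or (a > b and a - b < HALF)


@dataclass
class SecondaryZone:
    """Minimal state a secondary keeps for one zone (constructed model)."""
    name: str
    serial: int          # serial of the copy currently being served
    refresh: int         # SOA refresh interval, seconds
    retry: int           # SOA retry interval, seconds
    expire: int          # SOA expire interval, seconds
    last_success: float  # time of the last successful SOA check or transfer

    def next_check_delay(self, last_attempt_ok):
        """Wait REFRESH after a good check, RETRY after a failed one."""
        return self.refresh if last_attempt_ok else self.retry

    def is_authoritative(self, now):
        """Keep answering authoritatively until EXPIRE seconds have passed
        since the last successful contact with the master."""
        return now - self.last_success < self.expire

    def refresh_cycle(self, now, master_serial):
        """Simulate one refresh. master_serial is the serial from an SOA query
        to the master, or None if the master could not be reached.
        Returns 'unreachable', 'up-to-date' or 'transfer'."""
        if master_serial is None:
            # Nothing changes: the old copy keeps being served and the
            # expire clock keeps running from last_success.
            return "unreachable"
        self.last_success = now
        if serial_gt(master_serial, self.serial):
            # Only now is an AXFR (or IXFR) justified.
            self.serial = master_serial
            return "transfer"
        return "up-to-date"


if __name__ == "__main__":
    z = SecondaryZone("example.com", 2010081401, 3600, 900, 604800, last_success=0)
    print(z.refresh_cycle(3600, 2010081401))   # up-to-date: serial unchanged, no AXFR
    print(z.refresh_cycle(7200, 2010081402))   # transfer: serial moved forward
    print(z.refresh_cycle(10800, None))        # unreachable: keep serving old copy
    print(z.is_authoritative(7200 + 604799))   # still inside EXPIRE
    print(z.is_authoritative(7200 + 604800))   # EXPIRE reached, stop answering
```

The model makes the two points of the thread explicit: an unchanged serial yields "up-to-date" with no transfer, and a dead master yields "unreachable" without touching the served copy, which remains authoritative until the expire interval measured from the last successful contact runs out.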

snarked

Re - Reply #4 - Issue no longer observed.  Must have been a quirk.