Hurricane Electric's IPv6 Tunnel Broker Forums


Author Topic: Secondary DNS: frequently zonetransfers  (Read 5016 times)

fstoyan

  • Newbie
  • *
  • Posts: 2
Secondary DNS: frequently zonetransfers
« on: August 14, 2010, 09:06:23 PM »

I'm using HE's free secondary nameservice for a couple of zones.
Everything works well. Now I have discovered HE is doing
zone transfers every hour for all zones since August 13. Is this
the intended behaviour?

gshaver

  • Administrator
  • Newbie
  • *****
  • Posts: 16
Re: Secondary DNS: frequently zonetransfers
« Reply #1 on: August 14, 2010, 09:55:23 PM »

A script runs periodically to deactivate the zones that we can no longer successfully axfr.  I've bumped this up to troubleshoot.
It's been put back to once per day.

Regards,
Gary
« Last Edit: August 16, 2010, 01:37:12 PM by gshaver »

snarked

  • Hero Member
  • *****
  • Posts: 786
Re: Secondary DNS: frequently zonetransfers
« Reply #2 on: August 15, 2010, 12:12:39 PM »

Should it actually be transferring, or simply checking the serial number on the SOA record (and transferring if different)?  (There's no need to AXFR the zone if the serial number hasn't changed....)

gshaver

  • Administrator
  • Newbie
  • *****
  • Posts: 16
Re: Secondary DNS: frequently zonetransfers
« Reply #3 on: August 15, 2010, 07:57:25 PM »

Pulling the soa and performing a zone transfer are not the same.  In many cases, we can pull the soa, but are denied zone xfers, and in one
case we could perform a zone xfr, but not pull an soa record....

The external check is additionally performed periodically so we can know to deactivate the slave service for masters that have not been configured to allow us to axfr the zone.  The server itself normally pulls the soa periodically and updates as needed (or sooner if a notify has been sent).

Gary
« Last Edit: August 16, 2010, 01:33:56 PM by gshaver »

snarked

  • Hero Member
  • *****
  • Posts: 786
Re: Secondary DNS: frequently zonetransfers
« Reply #4 on: August 15, 2010, 11:47:13 PM »

OK, but what I am seeing at my server (BIND 9.7.2b1) is repeated AXFRs (hours to 1 day apart) when the serial number of the zone has NOT changed.  That implies blindly initiating the AXFR without checking the serial on the SOA in a separate query first.  I also see this behavior with one other (NON-HE) secondary (and some former secondaries I no longer have), but not with secondaries that run BIND.

(The extra bandwidth isn't going to kill me as all my zones combined farmed to HE as secondary are about 100k, and I blow through that much data on my web server in about 10 seconds.  However, each AXFR does show in my syslog, and without a serial number change, is unnecessary.)
« Last Edit: August 15, 2010, 11:49:37 PM by snarked »

fstoyan

  • Newbie
  • *
  • Posts: 2
Re: Secondary DNS: frequently zonetransfers
« Reply #5 on: August 17, 2010, 12:20:11 AM »

> The external check is additionally performed periodically so we can know to deactivate the slave service for masters that have not been configured to allow us to axfr the zone.  The server itself normally pulls the soa periodically and updates as needed (or sooner if a notify has been sent).
>
> Gary

What happens in case of a primary DNS failure, for example due to a hardware fault? SOA query and AXFR won't work. Secondary NS should be authoritative as long as the expiry time from SOA is not exceeded.

gshaver

  • Administrator
  • Newbie
  • *****
  • Posts: 16
Re: Secondary DNS: frequently zonetransfers
« Reply #6 on: August 17, 2010, 12:35:27 AM »

If the primary fails, then the secondary would perform as expected.  It would serve the last version of the zone that it was able to successfully fetch.   When the slave scanner runs, it simply suspends the slave service until the master is available.  It does not remove the zone.

snarked

  • Hero Member
  • *****
  • Posts: 786
Re: Secondary DNS: frequently zonetransfers
« Reply #7 on: August 17, 2010, 12:38:10 PM »

...At least until the zone expiration time is reached.

snarked

  • Hero Member
  • *****
  • Posts: 786
Re: Secondary DNS: frequently zonetransfers
« Reply #8 on: August 18, 2010, 01:55:50 AM »

Re - Reply #4 - Issue no longer observed.  Must have been a quirk.
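The secondary-side behaviour discussed in this thread (check the SOA serial first, AXFR only when the serial is newer, keep serving the last good copy until the SOA expire time), as an added example that is not part of any post and is not HE's or BIND's code. The `Secondary` class, the timer values and the serial numbers are constructed for illustration; the serial comparison follows RFC 1982.

```python
from dataclasses import dataclass

def serial_newer(candidate: int, current: int) -> bool:
    """RFC 1982 comparison: is candidate ahead of current in 32-bit serial space?"""
    diff = (candidate - current) & 0xFFFFFFFF
    return 0 < diff < 0x80000000

@dataclass
class Secondary:                 # hypothetical model, not HE's or BIND's code
    serial: int                  # serial of the zone copy currently held
    refresh: int                 # SOA REFRESH (seconds between serial checks)
    retry: int                   # SOA RETRY (seconds between checks after a failure)
    expire: int                  # SOA EXPIRE (seconds a stale copy may be served)
    last_ok: int = 0             # time of last successful contact with the primary
    next_check: int = 0
    transfers: int = 0

    def poll(self, now: int, primary_serial):
        """One timer tick. primary_serial is None when the primary is unreachable."""
        if now < self.next_check:
            return "idle"
        if primary_serial is None:
            self.next_check = now + self.retry
            return "serving-stale" if self.authoritative(now) else "expired"
        self.last_ok = now
        self.next_check = now + self.refresh
        if serial_newer(primary_serial, self.serial):
            self.serial = primary_serial      # only now is an AXFR justified
            self.transfers += 1
            return "axfr"
        return "up-to-date"

    def authoritative(self, now: int) -> bool:
        return now - self.last_ok < self.expire

def run(sec, events):
    """events: (time, primary serial or None) pairs in time order."""
    return [sec.poll(t, s) for t, s in events]

# Constructed timeline: one change on the primary, then the primary goes down.
EVENTS = [(0, 2010081401), (3600, 2010081401), (7200, None),
          (7800, None), (10800, None)]

if __name__ == "__main__":
    sec = Secondary(serial=2010081400, refresh=3600, retry=600, expire=7200)
    print(run(sec, EVENTS), "transfers:", sec.transfers)
```

On the primary, a transfer logged while this model would report "up-to-date" is the kind of unnecessary AXFR described in Reply #4.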