[Pdns-users] Difficulty changing nameservers on domain registrar's site

Leen Besselink leen at consolejunkie.net
Thu Jul 2 15:37:58 UTC 2009


On Thu, Jul 02, 2009 at 06:15:44PM +0300, Jani Karlsson wrote:
> Hi,
> 
> Your problem is with SOA DNS-record:
> The given nameservers return different SOA entries.
> 
> So either your SOA serial, data or TTL differs between servers. Or it's 
> just that the other server doesn't respond to the SOA request, which is making the 
> SOA check fail, even though the problem is not with SOA but in that the 
> nameserver isn't responding (common GoDaddy error), blames SOA missing 
> or faulty when actually the problem is that the nameserver isn't responding.
> 
> I hope this clears things a bit.
> 

Hi SashaB,

If you want to look up the SOA record of a domain, you could use the 'dig'
command:

dig @nameserver domain.tld SOA

But if those are not the same, maybe the domain-zone is not a copy of the
zone on the other nameserver, which is asking for trouble if it's not just
a version difference.

> Cheers,
> 
> Jani Karlsson
> 
> 
> SashaB wrote:
> >Ken,
> >
> >I'm not sure what you mean. For example, so we didn't have to enter 
> >different NS for 50 domains, I registered a domain name specifically for 
> >use with NS (that is their sole purpose) and I've set up NS for multiple 
> >website domain names that are identical--kinda like a webhosting company 
> >does? There are four NS on two different servers at two datacenters in 
> >different parts of a region (for which I haven't mirrored or set up 
> >round-robin yet, though I intend to do so--and research shows I can on 
> >pdns). Actually, two of the NS point to the same IP address as does the 
> >one in question and several other NS point to that IP, too. All serve 
> >different content--blogs, websites, web interfaces for pdns, web guis for 
> >various applications, webmail servers--just fine.
> >
> >This works, in part, because the actual content is served, in most 
> >cases, though not all, from entirely different IP addresses from the 
> >NS IP addresses (and the virtual host settings on apache reflect that). 
> >Yet, we have no problem reaching any of that content, even where the NS 
> >IP addresses are shared with content-serving hostnames rather than 
> >dedicated only to doing NS resolution like other IP addresses. Again, 
> >domain resolution isn't only about the nameservers--it's about the hosts 
> >and host.conf files, as well as whatever backends we use, too. (There 
> >are some other factors, like resolvers, but you get my point.)
> >
> >So, as I explained, my mail/webmail NS are on different IP addresses 
> >under its domain name from the content the webmail server and mail 
> >server 'serves'. All DNS records for the domain are contained on its 
> >master server, including both NS, which point back to those IP 
> >addresses. The secondary NS has its own master record on the server 
> >where it's located and contains only its IP address, since pdns doesn't 
> >use "pointer" records, relying instead on its native ability to resolve 
> >properly configured DNS.
> >
> >Since I've created an "A" record for those IP addresses from which 
> >actual content is served in the DNS records on our registrar's site (and 
> >have properly configured the vhosts in apache), when we enter either our 
> >webmail server IP address or its hostname, my webmail server software 
> >admin page loads--just like it should.
> >
> >When I load up the gui interface for our mailserver under either the 
> >hostname, which is something like "mailservertype.maildomain.eu", it 
> >loads perfectly. This stuff's fairly idiot proof because apache, mysql 
> >and pdns all let you know when you've misconfigured stuff by not working 
> >right--or at all.
> >
> >Therefore, I don't know how your answer relates to my problem and it 
> >doesn't address the issue of the registrar not being able to reach the 
> >secondary NS, which is on an entirely different server and has a 
> >separate IP address. This doesn't appear, as you suggested when I posted 
> >my last question about how PDNS works differently from BIND and again in 
> >this post, as my lack of understanding DNS. I'm new to PDNS, not to DNS. 
> >I couldn't have set this system up if I didn't have DNS understanding 
> >and the registrar for my other domain names seems to have no problem 
> >adding our changed NS to their system, so, our NS configuration aren't 
> >the problem.
> >
> >If anyone else has any suggestions--especially those in the EU where 
> >this seems to be an issue--at least when I bing(.com) it, I would 
> >greatly appreciate your help.
> >
> >Sasha
> >
> >On Thu, Jul 2, 2009 at 9:40 AM, Kenneth Marshall <ktm at rice.edu> wrote:
> >
> >    On Thu, Jul 02, 2009 at 09:15:03AM -0400, SashaB wrote:
> >     > Hello all,
> >     >
> >     > This is a long post with a lot of info since I thought you should know as
> >     > much as possible about these NS before (a) having to ask the obvious
> >     > questions and (b) so you can offer suggestions.
> >     >
> >     > Here's the situation. I have set up the NS for our domains (on four servers)
> >     > and nearly all resolving properly to the domains to which they point. (For
> >     > those few that are not, I have figured out and corrected the issue; now
> >     > we're waiting for the changes to propagate.)
> >     >
> >     > However, I have a specific domain registered via a registrar in the EU
> >     > for one of our mail/webmail servers and, each time I try to change the NS
> >     > (domain 'owners' can modify their own DNS on the registrar's site similar to
> >     > (but far simpler than) GoDaddy's "Total DNS"), I get the following errors:
> >     >
> >     > ns1.maildomain.eu  --->"The given nameservers return different SOA entries."
> >     > ns2.maildomain.eu --->"Connection to server failed."
> >     >
> >     > Before providing your help, you should know the following:
> >     >
> >     > 1) The nameservers are shared by other NS, all of which have domain names
> >     > associated for their specific purposes. (For example: ns1.foodomain.net,
> >     > dns1.thisdomain.com, ns1.maildomain.eu, etc.). I've pointed all "ns1"
> >     > domains to one IP address on each server and "ns2" are pointed to a
> >     > different IP address on each server but share the same IP address on that
> >     > server, etc.
> >     > 2) The NS for this domain are on different servers in the same region and
> >     > located in entirely different datacenters.
> >     > 2) While there is a master record for the ccTLD itself on its resident
> >     > server, I've also set up a separate master record for the NS1 so I can see
> >     > updating serial numbers for just the NS. Because I also set up, as a
> >     > supermaster, the hostname for the servers on which each of their NS has its
> >     > master record, without creating each NS as a slave on the master server for
> >     > that record, they each show on the other server as a slave and their serial
> >     > numbers (and my logs, which I've set up to view by secure webserver) show
> >     > they have been updating regularly.
> >     > 3) Websites and other applications, some with the same NS IP (but different
> >     > domain name), are resolving correctly.
> >     > 3) All NS point to IP addresses, not CNAMEs or redirects. In fact, I tend to
> >     > use IP addresses over hostnames because they resolve better if we make DNS
> >     > changes to hostnames.
> >     > 4) I 'played around' with the NS to learn how pdns works and determine how
> >     > best to set them up, especially for security and convenience. In that
> >     > process, I found it was just easier to point the NS for all of our domains
> >     > to the same IPs on each server and use other IPs for other purposes (like
> >     > pointing a domain's webservers to). So, I changed the IP addresses for the
> >     > NS, deleted and recreated NS records, updated SOA records, etc. That may
> >     > affect the SOA entries.
> >     > 5) The NS have been live for at least 24 hours each.
> >     > 6) The NS point to different IPs from the domain's other records, like the
> >     > MX and webmail server, which have their own IP addresses. I've configured my
> >     > virtual hosts in apache accordingly (except I did not create any for the NS.)
> >     > 7) The SOA record of NS record on each server points to the appropriate IP
> >     > address and is configured, "ns1.maildomain.eu
> >     > hostmaster.masterrecordserver.com". Since each is on different servers, the
> >     > "hostmaster" domain name is for that server, not the master server (ns1) of
> >     > the domain itself.
> >     > 8) I've given the registrar's IP address access to my server (via
> >     > hosts/csf.allow and the firewall) and added its network address to the
> >     > 'axfr' setting in pdns.conf. The pdns-recursor is not active on one server
> >     > (configuration issues) but is on the other. On the server with pdns-recursor
> >     > running, each master record has a corresponding "in-address.arpa" entry. I'm
> >     > still working on that for the other server. Neither server, however, is
> >     > experiencing resolution issues with the domains not associated with these in
> >     > question.
> >     >
> >     > So, that all said, I have a few questions that might be a source of some
> >     > issues:
> >     >
> >     > 1) I've taken the extra step of creating an "A" record for each NS in the
> >     > domain's DNS settings on the registrar's site as well as updating the other
> >     > records for the domain in the registrar's DNS as well, thinking that may
> >     > help. Will that affect the SOA records?
> >     > 2) Do the changes I've made to the master records, i.e., changing the IP
> >     > address of the NS several times before deciding on a final configuration,
> >     > cause such problems? (The NS for my websites, which have totally different
> >     > NS, in part, so we don't have these issues with them, have been 'cast in
> >     > stone' for several weeks and haven't changed so they're resolving
> >     > correctly.)
> >     > 3) My understanding is that mysql acts as recursor when pdns-recursor. How
> >     > can I tell if the records in mysql are correct? (I've looked at the records
> >     > via Webmin but they don't contain full record entries or have IP numbers
> >     > associated, so I can't tell how accurate they are.)
> >     > 4) How does pdns-recursor and rDNS configuration affect resolution? Could
> >     > that be part of the issue?
> >     >
> >     > Finally, I've done searches online and found that others have this issue
> >     > with EU-based registrars. Ostensibly, this is to prevent NS
> >     > misconfiguration. But, I'm finding pdns is pretty good at that so I'm not
> >     > understanding the problem. But, since I have three more domains with this
> >     > registrar, I've got to so I can fix it. Please provide your
> >     > solutions-oriented assistance in trying to resolve this issue so we can use
> >     > our own NS for our mail/webmail servers.
> >     >
> >     > If you've read this far, thank you and I look forward to your help.
> >     >
> >     > Sasha
> >
> >    Hi Sasha,
> >
> >    Thank you for the detailed description, but I think that the problem
> >    is described correctly by the error message you received from your
> >    domain registrar:
> >
> >       your nameservers have different SOA records (paraphrasing)
> >
> >    All nameservers for a domain, by definition should have and serve
> >    identical content. I think that once you fix this inconsistency it
> >    will all work.
> >
> >    Regards,
> >    Ken
> >
> >
> >
> >------------------------------------------------------------------------
> >
> >_______________________________________________
> >Pdns-users mailing list
> >Pdns-users at mailman.powerdns.com
> >http://mailman.powerdns.com/mailman/listinfo/pdns-users
_____________________________________
New things are always on the horizon.
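
Added example (not part of the original thread): the per-nameserver `dig @nameserver domain.tld SOA` lookup from the reply above, run against every listed nameserver and compared, so that a server which does not answer is reported separately from one that answers with a different serial or different SOA data. The function names and the `example.test` sample lines are constructed for illustration.

```shell
#!/bin/sh
# query_soa is the only part that touches the network; classify_soa works on
# captured "server|answer" lines, so the comparison can be checked offline.

# Ask one nameserver for the zone SOA and print "server|rdata".
# The rdata part is left empty when the server gives no usable answer.
query_soa() {
    q_zone=$1; q_server=$2
    q_answer=$(dig +short +norecurse +time=3 +tries=1 \
        "@$q_server" "$q_zone" SOA 2>/dev/null | head -n 1)
    # Failure notices from dig begin with ';' and are not SOA data.
    case $q_answer in ';'*) q_answer= ;; esac
    printf '%s|%s\n' "$q_server" "$q_answer"
}

# Read "server|mname rname serial refresh retry expire minimum" lines and
# report silent servers first, then whether the received answers agree.
classify_soa() {
    awk -F'|' '
        $2 == "" { silent = silent " " $1; next }
        {
            split($2, field, " ")            # field[3] is the serial
            if (!($2 in seen_rdata))        { seen_rdata[$2] = 1; n_rdata++ }
            if (!(field[3] in seen_serial)) { seen_serial[field[3]] = 1; n_serial++ }
        }
        END {
            if (silent != "")      print "NO_ANSWER:" silent
            if (n_serial > 1)      print "SERIAL_MISMATCH"
            else if (n_rdata > 1)  print "DATA_MISMATCH"
            else if (n_rdata == 1) print "CONSISTENT"
        }'
}

# Live use: check_zone domain.tld ns1.domain.tld ns2.domain.tld
check_zone() {
    c_zone=$1; shift
    for c_server in "$@"; do query_soa "$c_zone" "$c_server"; done | classify_soa
}

# Constructed sample (not real data): ns2 is behind on serial, ns3 is silent.
SAMPLE='ns1.example.test|ns1.example.test. hostmaster.example.test. 2009070203 10800 3600 604800 3600
ns2.example.test|ns1.example.test. hostmaster.example.test. 2009070201 10800 3600 604800 3600
ns3.example.test|'
```

A `NO_ANSWER` line points at reachability (firewall, daemon not listening on that IP) rather than zone content, while `DATA_MISMATCH` with equal serials means the zones were edited independently instead of being transferred from one master.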


