[Pdns-users] Difficulty changing nameservers on domain registrar's site
Kenneth Marshall
ktm at rice.edu
Thu Jul 2 15:40:53 UTC 2009
Hi,
I think that this is a good possibility. We have seen connection
problems when trying to talk to a multi-homed DNS server. If you
are not very careful, you get a three-way traffic pattern which
results in a failed TCP conversation.
Regards,
Ken
On Thu, Jul 02, 2009 at 06:15:44PM +0300, Jani Karlsson wrote:
> Hi,
>
> Your problem is with the SOA DNS record:
> The given nameservers return different SOA entries.
>
> So either your SOA serial, data or TTL differs between servers. Or it is just
> that the other server doesn't respond to the SOA request, which makes the SOA
> check fail even though the problem is not with the SOA but with the
> nameserver not responding (a common GoDaddy error: it blames the SOA as missing
> or faulty when actually the problem is that the nameserver isn't responding).
>
> I hope this clears things a bit.
>
> Cheers,
>
> Jani Karlsson
>
>
> SashaB wrote:
>> Ken,
>> I'm not sure what you mean. For example, so we didn't have to enter
>> different NS for 50 domains, I registered a domain name specifically for
>> use with NS (that is their sole purpose) and I've set up NS for multiple
>> website domain names that are identical--kinda like a webhosting company
>> does? There are four NS on two different servers at two datacenters in
>> different parts of a region (for which I haven't mirrored or set up
>> round-robin yet, though I intend to do so--and research shows I can on
>> pdns). Actually, two of the NS point to the same IP address as does the
>> one in question and several other NS point to that IP, too. All serve
>> different content--blogs, websites, web interfaces for pdns, web GUIs for
>> various applications, webmail servers--just fine.
>> This works, in part, because the actual content is served, in most cases,
>> though not all, from entirely different IP addresses from the NS IP
>> addresses (and the virtual host settings on apache reflect that). Yet, we
>> have no problem reaching any of that content, even where the NS IP addresses
>> are shared with content-serving hostnames rather than dedicated only to
>> doing NS resolution like other IP addresses. Again, domain resolution
>> isn't only about the nameservers--it's about the hosts and host.conf
>> files, as well as whatever backends we use, too. (There are some other
>> factors, like resolvers, but you get my point.)
>> So, as I explained, my mail/webmail NS are on different IP addresses under
>> its domain name from the content the webmail server and mail server
>> 'serves'. All DNS records for the domain are contained on its master
>> server, including both NS, which point back to those IP addresses. The
>> secondary NS has its own master record on the server where it's located
>> and contains only its IP address, since pdns doesn't use "pointer"
>> records, relying instead on its native ability to resolve properly
>> configured DNS.
>> Since I've created an "A" record for those IP addresses from which actual
>> content is served in the DNS records on our registrar's site (and have
>> properly configured the vhosts in apache), when we enter either our
>> webmail server IP address or its hostname, my webmail server software
>> admin page loads--just like it should.
>> When I load up the gui interface for our mailserver under either the
>> hostname, which is something like "mailservertype.maildomain.eu", it loads
>> perfectly. This stuff's fairly idiot-proof because apache, mysql and pdns
>> all let you know when you've misconfigured stuff by not working right--or
>> at all.
>> Therefore, I don't know how your answer relates to my problem and it
>> doesn't address the issue of the registrar not being able to reach the
>> secondary NS, which is on an entirely different server and has a separate
>> IP address. This doesn't appear, as you suggested when I posted my last
>> question about how PDNS works differently from BIND and again in this
>> post, as my lack of understanding DNS. I'm new to PDNS, not to DNS. I
>> couldn't have set this system up if I didn't have DNS understanding and
>> the registrar for my other domain names seems to have no problem adding
>> our changed NS to their system, so, our NS configuration isn't the
>> problem.
>> If anyone else has any suggestions--especially those in the EU where this
>> seems to be an issue--at least when I bing(.com) it, I would greatly
>> appreciate your help.
>> Sasha
>> On Thu, Jul 2, 2009 at 9:40 AM, Kenneth Marshall <ktm at rice.edu> wrote:
>> On Thu, Jul 02, 2009 at 09:15:03AM -0400, SashaB wrote:
>> > Hello all,
>> >
>> > This is a long post with a lot of info since I thought you should know as
>> > much as possible about these NS before (a) having to ask the obvious
>> > questions and (b) so you can offer suggestions.
>> >
>> > Here's the situation. I have set up the NS for our domains (on four servers)
>> > and nearly all are resolving properly to the domains to which they point.
>> > (For those few that are not, I have figured out and corrected the issue;
>> > now we're waiting for the changes to propagate.)
>> >
>> > However, I have a specific domain registered via a registrar in the EU for
>> > one of our mail/webmail servers and, each time I try to change the NS
>> > (domain 'owners' can modify their own DNS on the registrar's site, similar
>> > to (but far simpler than) GoDaddy's "Total DNS"), I get the following
>> > errors:
>> >
>> > ns1.maildomain.eu ---> "The given nameservers return different SOA entries."
>> > ns2.maildomain.eu ---> "Connection to server failed."
>> >
>> > Before providing your help, you should know the following:
>> >
>> > 1) The nameservers are shared by other NS, all of which have domain names
>> > associated for their specific purposes. (For example: ns1.foodomain.net,
>> > dns1.thisdomain.com, ns1.maildomain.eu, etc.) I've pointed all "ns1"
>> > domains to one IP address on each server and "ns2" are pointed to a
>> > different IP address on each server but share the same IP address on that
>> > server, etc.
>> > 2) The NS for this domain are on different servers in the same region and
>> > located in entirely different datacenters.
>> > 3) While there is a master record for the ccTLD itself on its resident
>> > server, I've also set up a separate master record for the NS1 so I can see
>> > updating serial numbers for just the NS. Because I also set up, as a
>> > supermaster, the hostname for the servers on which each of their NS has its
>> > master record, without creating each NS as a slave on the master server for
>> > that record, they each show on the other server as a slave and their serial
>> > numbers (and my logs, which I've set up to view by secure webserver) show
>> > they have been updating regularly.
>> > 4) Websites and other applications, some with the same NS IP (but different
>> > domain name), are resolving correctly.
>> > 5) All NS point to IP addresses, not CNAMEs or redirects. In fact, I tend to
>> > use IP addresses over hostnames because they resolve better if we make DNS
>> > changes to hostnames.
>> > 6) I 'played around' with the NS to learn how pdns works and determine how
>> > best to set them up, especially for security and convenience. In that
>> > process, I found it was just easier to point the NS for all of our domains
>> > to the same IPs on each server and use other IPs for other purposes (like
>> > pointing a domain's webservers to). So, I changed the IP addresses for the
>> > NS, deleted and recreated NS records, updated SOA records, etc. That may
>> > affect the SOA entries.
>> > 7) The NS have been live for at least 24 hours each.
>> > 8) The NS point to different IPs from the domain's other records, like the
>> > MX and webmail server, which have their own IP addresses. I've configured my
>> > virtual hosts in apache accordingly (except I did not create any for the NS).
>> > 9) The SOA record of the NS record on each server points to the appropriate
>> > IP address and is configured "ns1.maildomain.eu
>> > hostmaster.masterrecordserver.com". Since each is on different servers, the
>> > "hostmaster" domain name is for that server, not the master server (ns1) of
>> > the domain itself.
>> > 10) I've given the registrar's IP address access to my server (via
>> > hosts/csf.allow and the firewall) and added its network address to the
>> > 'axfr' setting in pdns.conf. The pdns-recursor is not active on one server
>> > (configuration issues) but is on the other. On the server with pdns-recursor
>> > running, each master record has a corresponding "in-addr.arpa" entry. I'm
>> > still working on that for the other server. Neither server, however, is
>> > experiencing resolution issues with the domains not associated with these
>> > in question.
>> >
>> > So, that all said, I have a few questions that might be a source of some
>> > issues:
>> >
>> > 1) I've taken the extra step of creating an "A" record for each NS in the
>> > domain's DNS settings on the registrar's site as well as updating the other
>> > records for the domain in the registrar's DNS as well, thinking that may
>> > help. Will that affect the SOA records?
>> > 2) Do the changes I've made to the master records, i.e., changing the IP
>> > address of the NS several times before deciding on a final configuration,
>> > cause such problems? (The NS for my websites, which have totally different
>> > NS, in part so we don't have these issues with them, have been 'cast in
>> > stone' for several weeks and haven't changed, so they're resolving
>> > correctly.)
>> > 3) My understanding is that mysql acts as recursor when pdns-recursor. How
>> > can I tell if the records in mysql are correct? (I've looked at the records
>> > via Webmin but they don't contain full record entries or have IP numbers
>> > associated, so I can't tell how accurate they are.)
>> > 4) How do pdns-recursor and rDNS configuration affect resolution? Could
>> > that be part of the issue?
>> >
>> > Finally, I've done searches online and found that others have this issue
>> > with EU-based registrars. Ostensibly, this is to prevent NS
>> > misconfiguration. But, I'm finding pdns is pretty good at that so I'm not
>> > understanding the problem. But, since I have three more domains with this
>> > registrar, I've got to so I can fix it. Please provide your
>> > solutions-oriented assistance in trying to resolve this issue so we can use
>> > our own NS for our mail/webmail servers.
>> >
>> > If you've read this far, thank you and I look forward to your help.
>> >
>> > Sasha
>> Hi Sasha,
>>
>> Thank you for the detailed description, but I think that the problem
>> is described correctly by the error message you received from your
>> domain registrar:
>>
>> your nameservers have different SOA records (paraphrasing)
>>
>> All nameservers for a domain, by definition, should have and serve
>> identical content. I think that once you fix this inconsistency it
>> will all work.
>>
>> Regards,
>> Ken
>> ------------------------------------------------------------------------
>> _______________________________________________
>> Pdns-users mailing list
>> Pdns-users at mailman.powerdns.com
>> http://mailman.powerdns.com/mailman/listinfo/pdns-users
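The two checks this thread turns on can be reproduced locally before touching the registrar's form: Jani's point that the registrar compares the SOA returned by every listed nameserver (and reports "different SOA entries" when any field, not only the serial, differs), and Ken's point that a multi-homed server which answers from a different interface than the one queried looks to the client like a server that never answered ("Connection to server failed"). The script below is an added example, not code from the thread or from PowerDNS. Hostnames and addresses are constructed (RFC 5737 ranges, `.example` names); the sample is shaped like Sasha's setup, with each server's SOA naming its own hostmaster, ns2 replying from its other address and ns3 silent. The live probe relies on BIND 9 `dig` printing "reply from unexpected source" when the answer comes from the wrong address; the sample run does not need network or dig.

```python
"""Reproduce a registrar's delegation check: every listed NS must answer an
SOA query from the address it was queried at, and all SOAs must match.
Added example, not code from the thread or from PowerDNS."""
import re
import subprocess
from dataclasses import dataclass
from typing import Dict, List, Optional

SOA_FIELDS = ("mname", "rname", "serial", "refresh", "retry", "expire", "minimum")


@dataclass
class Probe:
    """Result of one SOA query against one listed nameserver."""
    ns: str                        # nameserver hostname as given to the registrar
    queried_ip: str                # address the query was sent to
    answered_from: Optional[str]   # source address of the reply; None = no reply
    soa_rdata: Optional[str]       # SOA RDATA text as dig prints it; None = none


def parse_soa(rdata: str) -> Dict[str, object]:
    """Split 'mname rname serial refresh retry expire minimum' into a dict."""
    parts = rdata.split()
    if len(parts) != 7:
        raise ValueError(f"not an SOA RDATA: {rdata!r}")
    fields: Dict[str, object] = {
        "mname": parts[0].rstrip(".").lower(),   # names compare case-insensitively
        "rname": parts[1].rstrip(".").lower(),
    }
    for name, value in zip(SOA_FIELDS[2:], parts[2:]):
        fields[name] = int(value)
    return fields


def check_delegation(probes: List[Probe]) -> List[str]:
    """Return human-readable findings; an empty list means the check passes."""
    findings: List[str] = []
    soas: Dict[str, Dict[str, object]] = {}
    for p in probes:
        # Ken's multi-homed case: a reply sourced from another interface is
        # discarded by the client, so the registrar sees a failed connection.
        if p.answered_from is not None and p.answered_from != p.queried_ip:
            findings.append(f"{p.ns}: queried {p.queried_ip} but the reply came from "
                            f"{p.answered_from} (multi-homed source mismatch; clients drop it)")
        if p.soa_rdata is None:
            findings.append(f"{p.ns} ({p.queried_ip}): connection to server failed")
            continue
        soas[p.ns] = parse_soa(p.soa_rdata)
    # Jani's point: compare every SOA field, not just the serial, and name the one that differs.
    items = list(soas.items())
    if len(items) > 1:
        ref_ns, ref = items[0]
        for ns, soa in items[1:]:
            for field in SOA_FIELDS:
                if soa[field] != ref[field]:
                    findings.append(f"SOA {field} differs: {ref_ns}={ref[field]} "
                                    f"vs {ns}={soa[field]}")
    return findings


# BIND 9 dig prints this line (and drops the packet) when the answer's source
# address is not the server it queried.
UNEXPECTED_SRC = re.compile(r"reply from unexpected source: ([0-9a-fA-F.:]+)#\d+")
SOA_LINE = re.compile(r"^\S+\s+\d+\s+IN\s+SOA\s+(.+)$", re.M)


def probe_live(ns: str, ip: str, zone: str, timeout: int = 3) -> Probe:
    """Query one server with dig. Needs network and dig; the sample below does not use it."""
    try:
        out = subprocess.run(
            ["dig", f"@{ip}", zone, "SOA", "+norecurse", f"+time={timeout}", "+tries=1"],
            capture_output=True, text=True, check=False).stdout
    except FileNotFoundError:
        return Probe(ns, ip, None, None)
    src = UNEXPECTED_SRC.search(out)
    soa = SOA_LINE.search(out)
    answered_from = src.group(1) if src else (ip if soa else None)
    return Probe(ns, ip, answered_from, soa.group(1).strip() if soa else None)


# Constructed sample (RFC 5737 addresses, example hostnames), shaped like the thread:
# each server's SOA names its own hostmaster, ns2 answers from its other address,
# ns3 never answers at all.
SAMPLE_PROBES = [
    Probe("ns1.maildomain.example", "192.0.2.10", "192.0.2.10",
          "ns1.maildomain.example. hostmaster.server-a.example. 2009070201 10800 3600 604800 3600"),
    Probe("ns2.maildomain.example", "198.51.100.10", "198.51.100.11",
          "ns1.maildomain.example. hostmaster.server-b.example. 2009070105 10800 3600 604800 3600"),
    Probe("ns3.maildomain.example", "203.0.113.10", None, None),
]


def run_sample() -> List[str]:
    return check_delegation(SAMPLE_PROBES)


if __name__ == "__main__":
    for line in run_sample():
        print(line)
```

Run against the sample it reports four findings: the ns2 source-address mismatch, the ns3 timeout, and an rname and a serial that differ between ns1 and ns2. The rname finding is the one worth noticing for this thread: giving each server its own hostmaster address in the SOA is exactly the kind of per-server difference a registrar's consistency check will refuse, even when the serials are in step. For a real zone, build the probe list with `probe_live(ns, ip, zone)` for every NS/address pair the registrar will be given, and run it from outside your own network so that firewall and AXFR allow-lists are not masking a reachability problem.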