[Pdns-users] Difficulty changing nameservers on domain registrar's site
Kenneth Marshall
ktm at rice.edu
Thu Jul 2 16:50:17 UTC 2009
I have used:
nslookup -type=soa domain
for example for our top level domain:
>nslookup -type=soa rice.edu
Server: ns1.rice.edu
Address: 128.42.209.32
rice.edu
origin = ns1.rice.edu
mail addr = hostmaster.rice.edu
serial = 2009053009
refresh = 10800 (3H)
retry = 900 (15M)
expire = 3600000 (3600000)
minimum ttl = 3600 (1H)
Hope that helps.
Ken
On Thu, Jul 02, 2009 at 11:43:15AM -0400, SashaB wrote:
> Jani,
>
> That does help and I figured that since all the other NS are working fine
> and the registrar for my other domains has no problem entering our NS for
> our domains.
>
> Any idea how I fix it? The SOA data on the two servers are for two different
> servers so it will be different and serial numbers are, as you know, in date
> form.
>
> Is there some other way I can check my SOA records? I notice that once you
> enter the master record, you can't really see what underlies the SOA record
> if you don't use the template. Is this information saved elsewhere?
>
> Thank you for your insight.
>
> Sasha
>
> On Thu, Jul 2, 2009 at 11:15 AM, Jani Karlsson <jani.karlsson at iki.fi> wrote:
>
> > Hi,
> >
> > Your problem is with SOA DNS-record:
> > The given nameservers return different SOA entries.
> >
> > So either your SOA serial, data or TTL differs between servers. Or it is just
> > that the other server doesn't respond to the SOA request, which makes the SOA
> > check fail even though the problem is not with the SOA but with the
> > nameserver not responding (a common GoDaddy error): it blames the SOA for
> > being missing or faulty when actually the problem is that the nameserver
> > isn't responding.
> >
> > I hope this clears things a bit.
> >
> > Cheers,
> >
> > Jani Karlsson
> >
> >
> > SashaB wrote:
> >
> >> Ken,
> >>
> >> I'm not sure what you mean. For example, so we didn't have to enter
> >> different NS for 50 domains, I registered a domain name specifically for use
> >> with NS (that is their sole purpose) and I've set up NS for multiple website
> >> domain names that are identical--kinda like a webhosting company does? There
> >> are four NS on two different servers at two datacenters in different parts
> >> of a region (for which I haven't mirrored or set up round-robin yet, though
> >> I intend to do so--and research shows I can on pdns). Actually, two of the
> >> NS point to the same IP address as does the one in question and several
> >> other NS point to that IP, too. All serve different content--blogs, websites,
> >> web interfaces for pdns, web guis for various applications, webmail
> >> servers--just fine.
> >>
> >> This works, in part, because the actual content is served, in most cases,
> >> though not all, from entirely different IP addresses from the NS IP
> >> addresses (and the virtual host settings on apache reflect that). Yet, we
> >> have no problem reaching any of that content, even where the NS IP addresses
> >> are shared with content-serving hostnames rather than dedicated only to
> >> doing NS resolution like other IP addresses. Again, domain resolution isn't
> >> only about the nameservers--it's about the hosts and host.conf files, as
> >> well as whatever backends we use, too. (There are some other factors, like
> >> resolvers, but you get my point.)
> >>
> >> So, as I explained, my mail/webmail NS are on different IP addresses under
> >> its domain name from the content the webmail server and mail server
> >> 'serves'. All DNS records for the domain are contained on its master server,
> >> including both NS, which point back to those IP addresses. The secondary NS
> >> has its own master record on the server where it's located and contains
> >> only its IP address, since pdns doesn't use "pointer" records, relying
> >> instead on its native ability to resolve properly configured DNS.
> >>
> >> Since I've created an "A" record for those IP addresses from which actual
> >> content is served in the DNS records on our registrar's site (and have
> >> properly configured the vhosts in apache), when we enter either our webmail
> >> server IP address or its hostname, my webmail server software admin page
> >> loads--just like it should.
> >>
> >> When I load up the gui interface for our mailserver under either the
> >> hostname, which is something like "mailservertype.maildomain.eu", it loads
> >> perfectly. This stuff's fairly idiot proof because apache, mysql and pdns
> >> all let you know when you've misconfigured stuff by not working right--or at
> >> all.
> >>
> >> Therefore, I don't know how your answer relates to my problem and it
> >> doesn't address the issue of the registrar not being able to reach the
> >> secondary NS, which is on an entirely different server and has a separate IP
> >> address. This doesn't appear, as you suggested when I posted my last
> >> question about how PDNS works differently from BIND and again in this post,
> >> as my lack of understanding DNS. I'm new to PDNS, not to DNS. I couldn't
> >> have set this system up if I didn't have DNS understanding and the registrar
> >> for my other domain names seems to have no problem adding our changed NS to
> >> their system, so our NS configurations aren't the problem.
> >>
> >> If anyone else has any suggestions--especially those in the EU where this
> >> seems to be an issue--at least when I bing(.com) it, I would greatly
> >> appreciate your help.
> >>
> >> Sasha
> >>
> >> On Thu, Jul 2, 2009 at 9:40 AM, Kenneth Marshall <ktm at rice.edu> wrote:
> >>
> >> On Thu, Jul 02, 2009 at 09:15:03AM -0400, SashaB wrote:
> >> > Hello all,
> >> >
> >> > This is a long post with a lot of info since I thought you should know as
> >> > much as possible about these NS before (a) having to ask the obvious
> >> > questions and (b) so you can offer suggestions.
> >> >
> >> > Here's the situation. I have set up the NS for our domains (on four
> >> > servers) and nearly all resolving properly to the domains to which they
> >> > point. (For those few that are not, I have figured out and corrected the
> >> > issue; now we're waiting for the changes to propagate.)
> >> >
> >> > However, I have a specific domain registered via a registrar in the EU
> >> > for one of our mail/webmail servers and, each time I try to change the NS
> >> > (domain 'owners' can modify their own DNS on the registrar's site similar
> >> > to (but far simpler than) GoDaddy's "Total DNS"), I get the following
> >> > errors:
> >> >
> >> > ns1.maildomain.eu --->"The given nameservers return different SOA entries."
> >> > ns2.maildomain.eu --->"Connection to server failed."
> >> >
> >> > Before providing your help, you should know the following:
> >> >
> >> > 1) The nameservers are shared by other NS, all of which have domain names
> >> > associated for their specific purposes. (For example: ns1.foodomain.net,
> >> > dns1.thisdomain.com, ns1.maildomain.eu, etc.). I've pointed all "ns1"
> >> > domains to one IP address on each server and "ns2" are pointed to a
> >> > different IP address on each server but share the same IP address on that
> >> > server, etc.
> >> > 2) The NS for this domain are on different servers in the same region and
> >> > located in entirely different datacenters.
> >> > 3) While there is a master record for the ccTLD itself on its resident
> >> > server, I've also set up a separate master record for the NS1 so I can see
> >> > updating serial numbers for just the NS. Because I also set up, as a
> >> > supermaster, the hostname for the servers on which each of their NS has its
> >> > master record, without creating each NS as a slave on the master server for
> >> > that record, they each show on the other server as a slave and their serial
> >> > numbers (and my logs, which I've set up to view by secure webserver) show
> >> > they have been updating regularly.
> >> > 4) Websites and other applications, some with the same NS IP (but
> >> > different domain name), are resolving correctly.
> >> > 5) All NS point to IP addresses, not CNAMEs or redirects. In fact, I tend
> >> > to use IP addresses over hostnames because they resolve better if we make
> >> > DNS changes to hostnames.
> >> > 6) I 'played around' with the NS to learn how pdns works and determine how
> >> > best to set them up, especially for security and convenience. In that
> >> > process, I found it was just easier to point the NS for all of our domains
> >> > to the same IPs on each server and use other IPs for other purposes (like
> >> > pointing a domain's webservers to). So, I changed the IP addresses for the
> >> > NS, deleted and recreated NS records, updated SOA records, etc. That may
> >> > affect the SOA entries.
> >> > 7) The NS have been live for at least 24 hours each.
> >> > 8) The NS point to different IPs from the domain's other records, like the
> >> > MX and webmail server, which have their own IP addresses. I've configured
> >> > my virtual hosts in apache accordingly (except I did not create any for the
> >> > NS.)
> >> > 9) The SOA record of NS record on each server points to the appropriate IP
> >> > address and is configured, "ns1.maildomain.eu
> >> > hostmaster.masterrecordserver.com". Since each is on different servers,
> >> > the "hostmaster" domain name is for that server, not the master server
> >> > (ns1) of the domain itself.
> >> > 10) I've given the registrar's IP address access to my server (via
> >> > hosts/csf.allow and the firewall) and added its network address to the
> >> > 'axfr' setting in pdns.conf. The pdns-recursor is not active on one server
> >> > (configuration issues) but is on the other. On the server with
> >> > pdns-recursor running, each master record has a corresponding
> >> > "in-addr.arpa" entry. I'm still working on that for the other server.
> >> > Neither server, however, is experiencing resolution issues with the
> >> > domains not associated with these in question.
> >> >
> >> > So, that all said, I have a few questions that might be a source of some
> >> > issues:
> >> >
> >> > 1) I've taken the extra step of creating an "A" record for each NS in the
> >> > domain's DNS settings on the registrar's site as well as updating the
> >> > other records for the domain in the registrar's DNS as well, thinking that
> >> > may help. Will that affect the SOA records?
> >> > 2) Do the changes I've made to the master records, i.e., changing the IP
> >> > address of the NS several times before deciding on a final configuration,
> >> > cause such problems? (The NS for my websites, which have totally different
> >> > NS, in part, so we don't have these issues with them, have been 'cast in
> >> > stone' for several weeks and haven't changed so they're resolving
> >> > correctly.)
> >> > 3) My understanding is that mysql acts as recursor when pdns-recursor. How
> >> > can I tell if the records in mysql are correct? (I've looked at the
> >> > records via Webmin but they don't contain full record entries or have IP
> >> > numbers associated, so I can't tell how accurate they are.)
> >> > 4) How do pdns-recursor and rDNS configuration affect resolution? Could
> >> > that be part of the issue?
> >> >
> >> > Finally, I've done searches online and found that others have this issue
> >> > with EU-based registrars. Ostensibly, this is to prevent NS
> >> > misconfiguration. But, I'm finding pdns is pretty good at that so I'm not
> >> > understanding the problem. But, since I have three more domains with this
> >> > registrar, I've got to so I can fix it. Please provide your
> >> > solutions-oriented assistance in trying to resolve this issue so we can
> >> > use our own NS for our mail/webmail servers.
> >> >
> >> > If you've read this far, thank you and I look forward to your help.
> >> >
> >> > Sasha
> >>
> >> Hi Sasha,
> >>
> >> Thank you for the detailed description, but I think that the problem
> >> is described correctly by the error message you received from your
> >> domain registrar:
> >>
> >> your nameservers have different SOA records (paraphrasing)
> >>
> >> All nameservers for a domain, by definition, should have and serve
> >> identical content. I think that once you fix this inconsistency it
> >> will all work.
> >>
> >> Regards,
> >> Ken
> >>
> >>
> >>
> >>
> >> _______________________________________________
> >> Pdns-users mailing list
> >> Pdns-users at mailman.powerdns.com
> >> http://mailman.powerdns.com/mailman/listinfo/pdns-users
> >>
> >
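The check the registrar is running, and that Ken's nslookup does by hand one server at a time, written out as an added example so it can be reproduced against any delegation. This is not code from the thread or from PowerDNS. It asks each listed nameserver for the zone's SOA, separates "no response" (the ns2 error above) from "different SOA" (the ns1 error), and, where only the serial differs, flags a secondary that is simply behind. The nameserver names and SOA values in SAMPLE_ANSWERS are constructed placeholders; the live query helper assumes a `dig` binary on the PATH and is not exercised by the sample.

```python
"""Registrar-style delegation check: do all listed nameservers agree on the SOA?

Added example, not code from the thread or from PowerDNS. Nameserver names
and SOA values below are constructed placeholders. `dig` is needed only by
query_soa(); the consistency logic itself runs offline.
"""
import subprocess
from collections import Counter
from dataclasses import dataclass, fields
from typing import Dict, Optional


@dataclass(frozen=True)
class SOA:
    mname: str      # primary master name (MNAME)
    rname: str      # responsible mailbox (RNAME)
    serial: int
    refresh: int
    retry: int
    expire: int
    minimum: int


def parse_soa(text: str) -> SOA:
    """Parse the 'mname rname serial refresh retry expire minimum' line that
    `dig +short <zone> SOA` prints. Names are case-folded and the trailing
    dot dropped so purely cosmetic differences do not count as a mismatch."""
    f = text.split()
    if len(f) != 7:
        raise ValueError(f"malformed SOA record: {text!r}")
    return SOA(f[0].lower().rstrip("."), f[1].lower().rstrip("."), *map(int, f[2:]))


def serial_newer(a: int, b: int) -> bool:
    """True if serial a is newer than serial b under RFC 1982 serial arithmetic
    (a plain '>' gets the 32-bit wraparound wrong)."""
    a, b = a & 0xFFFFFFFF, b & 0xFFFFFFFF
    return (b < a and a - b < 2**31) or (b > a and b - a > 2**31)


def query_soa(ns: str, zone: str, timeout: int = 3) -> Optional[str]:
    """Ask one nameserver directly (assumes `dig` on PATH). Returns the SOA
    line, or None if the server does not answer. +norecurse stops a cached
    answer from hiding a dead authority."""
    try:
        out = subprocess.run(
            ["dig", "+short", "+norecurse", f"+time={timeout}", "+tries=1",
             f"@{ns}", zone, "SOA"],
            capture_output=True, text=True, timeout=timeout + 2, check=False)
    except (OSError, subprocess.TimeoutExpired):
        return None
    answer = out.stdout.strip()
    # dig prints ";; connection timed out; no servers could be reached" on
    # stdout and exits non-zero when the server is unreachable
    if out.returncode != 0 or not answer or answer.startswith(";"):
        return None
    return answer.splitlines()[0]


def check_delegation(answers: Dict[str, Optional[str]]) -> Dict[str, str]:
    """Classify each nameserver the way a registrar's pre-delegation check does.
    `answers` maps nameserver -> SOA text (None = no response). The reference
    SOA is the one most servers returned; ties go to the first listed server."""
    parsed = {ns: parse_soa(t) for ns, t in answers.items() if t is not None}
    if not parsed:
        return {ns: "no response" for ns in answers}
    counts = Counter(parsed.values())
    reference = max(parsed.values(), key=counts.__getitem__)  # first wins ties
    report = {}
    for ns, text in answers.items():
        if text is None:
            report[ns] = "no response"
            continue
        soa = parsed[ns]
        diffs = [f.name for f in fields(SOA)
                 if getattr(soa, f.name) != getattr(reference, f.name)]
        if not diffs:
            report[ns] = "ok"
        elif diffs == ["serial"] and serial_newer(reference.serial, soa.serial):
            report[ns] = "stale copy (serial behind)"   # transfers not arriving
        else:
            report[ns] = "different SOA (" + ", ".join(diffs) + ")"
    return report


# Constructed sample: ns1 is the reference, ns2 is unreachable, ns3 carries a
# per-server RNAME (the hostmaster.<thatserver> layout described in the
# thread), ns4 never received the latest zone.
SAMPLE_ANSWERS = {
    "ns1.maildomain.eu": "ns1.maildomain.eu. hostmaster.maildomain.eu. 2009070201 10800 900 3600000 3600",
    "ns2.maildomain.eu": None,
    "ns3.maildomain.eu": "ns1.maildomain.eu. hostmaster.otherserver.example. 2009070201 10800 900 3600000 3600",
    "ns4.maildomain.eu": "NS1.MailDomain.eu hostmaster.maildomain.eu. 2009063001 10800 900 3600000 3600",
}


if __name__ == "__main__":
    for ns, status in check_delegation(SAMPLE_ANSWERS).items():
        print(f"{ns:20} {status}")
```

To run it live, replace SAMPLE_ANSWERS with `{ns: query_soa(ns, zone) for ns in nameservers}`; querying each server by name with `@ns` rather than through a resolver is what makes a "connection failed" show up as such instead of being papered over by a cached answer.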