[Pdns-users] strange behaviour of serial increasing

Gert van Dijk gertvdijk+pdns-users at gmail.com
Thu Apr 25 13:51:34 UTC 2019


On Thu, Apr 25, 2019 at 3:14 PM Frank Altpeter <frank.altpeter at gmail.com>
wrote:

> I've come up with a very strange behaviour and after some quite intensive
> search, I wasn't able to find any information about that topic.
>
> I'm running a powerdns-4.1.8 with mysql-backend on my master, and a 4.1.8
> with mysql-backend on the slave. Master zones are configured as MASTER, so
> notifies are sent.
>
> In case it's relevant, the master has the setting
> default-soa-edit=INCEPTION-INCREMENT
> for convenience. I like the retro-style of the serials. The zones are not
> signed, though.
>
> Now, when updating a zone via "pdnsutil edit-zone", I'm currently required
> to update the serial afterwards. But after doing that, the serial values
> between master and slave are different. As you see in the below example,
> it's even different between the database entry and the data that gets
> output on a dns query:
>
> - step 1 - manually increase serial
> root@master:~ # pdnsutil increase-serial einhorn.bar
> SOA serial for zone einhorn.bar set to 2019042505
>
> - step 2 - verify database entry
> root@master:~ # echo "select content from records where name = 'einhorn.bar' and type='SOA'" | mysql pdns
> content
> ns1.foxalpha.de. frank.altpeter.de. 2019042505 10800 3600 604800 3600
>
> root@slave:~ # echo "select content from records where name = 'einhorn.bar' and type='SOA'" | mysql pdns
> content
> ns1.foxalpha.de frank.altpeter.de 2019042507 10800 3600 604800 3600
>
> - step 3 - verify dns output
> user@workstation ~ % dig +short +noshort @ns1.foxalpha.de einhorn.bar soa
> einhorn.bar. 3600 IN SOA ns1.foxalpha.de. frank.altpeter.de. 2019042507 10800 3600 604800 3600
>
> user@workstation ~ % dig +short +noshort @s-dns.irz42.net einhorn.bar soa
> einhorn.bar. 3600 IN SOA ns1.foxalpha.de. frank.altpeter.de. 2019042509 10800 3600 604800 3600
>
> You see, serial in master's db is 5, output on dns query is 7, so this is
> what slave's AXFR gets, therefore slave's database entry is 7, and slave's
> output on dns query is 9.
> So, it seems that powerdns is adding 2 to any database serial value. But
> why? Problem is, that it makes incredible problems when it comes to serial
> update and freshness monitoring. Also, some of my customers that use the
> same slave server are using bind, which seems to make lots of problems for
> them when slave's serial doesn't match master's serial.
>
> Does anyone have an idea what's wrong here?
>

I believe the INCEPTION-INCREMENT behaves as documented [1] in your case,
because it's within two days of inception [2] (as it's a Thursday), which
will trigger the condition to add 2 and then increment by INCEPTION-age in
YYYYMMDDSS format. (The actual reason why it does that is not very clear
to me, though.)
Are you sure you've unset the default-soa-edit setting on the slaves? It
seems that your 's-dns.irz42.net' host is performing another soa-edit. All
other output seems to work as intended. Having secondary nameservers serve
different SOA serials is indeed not okay.

The broader question I have is why you're using this setting in the first
place if you are serving only unsigned zones. Your backend already has the
'retro-style' serials, so I'm not sure what's in it for you by setting it
(what 'convenience'?). But I may not fully understand your issue perhaps.

[1]:
https://doc.powerdns.com/authoritative/dnssec/operational.html#inception-increment
[2]:
https://doc.powerdns.com/authoritative/dnssec/operational.html#possible-soa-edit-values

HTH
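
The following is an added example, not part of the original message and not PowerDNS code. It models the INCEPTION-INCREMENT rule as described in the documentation linked above, then replays the situation the reply suspects: both master and slave applying the edit. It assumes inception is the most recent Thursday 00:00 UTC; all function names are hypothetical.

```python
from datetime import datetime, timedelta, timezone

def inception(now):
    """Most recent Thursday 00:00 UTC (assumed inception point)."""
    day = now.astimezone(timezone.utc).replace(
        hour=0, minute=0, second=0, microsecond=0)
    return day - timedelta(days=(day.weekday() - 3) % 7)  # Thursday == 3

def yyyymmddss(day, seq):
    """Build a YYYYMMDDSS serial from a date and a two-digit sequence."""
    return int(day.strftime("%Y%m%d")) * 100 + seq

def served_serial(stored, now, soa_edit):
    """Serial a server answers with, given the serial in its backend."""
    if soa_edit != "INCEPTION-INCREMENT":
        return stored                      # no SOA-EDIT: served as stored
    start = inception(now)
    inception_serial = yyyymmddss(start, 1)
    last_bumped = yyyymmddss(start + timedelta(days=2), 99)
    if stored < inception_serial - 1:
        return inception_serial            # older than this inception
    if stored <= last_bumped:
        return stored + 2                  # within two days after inception
    return stored                          # newer: left alone

def check_chain(master_stored, now, master_edit, slave_edit):
    """Return (master_served, slave_stored, slave_served) after one AXFR."""
    master_served = served_serial(master_stored, now, master_edit)
    slave_stored = master_served           # slave stores what AXFR delivers
    slave_served = served_serial(slave_stored, now, slave_edit)
    return master_served, slave_stored, slave_served

# Timestamp of the reply above; serial value taken from the quoted output.
NOW = datetime(2019, 4, 25, 13, 51, 34, tzinfo=timezone.utc)

if __name__ == "__main__":
    edit = "INCEPTION-INCREMENT"
    print("edit on both :", check_chain(2019042505, NOW, edit, edit))
    print("edit on master only:", check_chain(2019042505, NOW, edit, None))
```

With the edit active on both hosts the model reproduces the 05 / 07 / 09 sequence from the quoted output; with it unset on the slave, master and slave answer with the same serial.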