On Thu, Apr 25, 2019 at 3:14 PM Frank Altpeter <frank.altpe...@gmail.com> wrote:
> I've come up with a very strange behaviour and after some quite intensive
> search, I wasn't able to find any information about that topic.
>
> I'm running a powerdns-4.1.8 with mysql-backend on my master, and a 4.1.8
> with mysql-backend on the slave. Master zones are configured as MASTER, so
> notifies are sent.
>
> In case it's relevant, the master has the setting
> default-soa-edit=INCEPTION-INCREMENT
> for convenience. I like the retro-style of the serials. The zones are not
> signed, though.
>
> Now, when updating a zone via "pdnsutil edit-zone", I'm currently required
> to update the serial afterwards. But after doing that, the serial values
> between master and slave are different. As you see in the below example,
> it's even different between the database entry and the data that gets
> output on a dns query:
>
> - step 1 - manually increase serial
> root@master:~ # pdnsutil increase-serial einhorn.bar
> SOA serial for zone einhorn.bar set to 2019042505
>
> - step 2 - verify database entry
> root@master:~ # echo "select content from records where name = 'einhorn.bar' and type='SOA'" | mysql pdns
> content
> ns1.foxalpha.de. frank.altpeter.de. 2019042505 10800 3600 604800 3600
>
> root@slave:~ # echo "select content from records where name = 'einhorn.bar' and type='SOA'" | mysql pdns
> content
> ns1.foxalpha.de frank.altpeter.de 2019042507 10800 3600 604800 3600
>
> - step 3 - verify dns output
> user@workstation ~ % dig +short +noshort @ns1.foxalpha.de einhorn.bar soa
> einhorn.bar. 3600 IN SOA ns1.foxalpha.de. frank.altpeter.de. 2019042507 10800 3600 604800 3600
>
> user@workstation ~ % dig +short +noshort @s-dns.irz42.net einhorn.bar soa
> einhorn.bar. 3600 IN SOA ns1.foxalpha.de. frank.altpeter.de. 2019042509 10800 3600 604800 3600
>
> You see, serial in master's db is 5, output on dns query is 7, so this is
> what slave's AXFR gets, therefore slave's database entry is 7, and slave's
> output on dns query is 9.
>
> So, it seems that powerdns is adding 2 to any database serial value. But
> why? Problem is, that it makes incredible problems when it comes to serial
> update and freshness monitoring. Also, some of my customers that use the
> same slave server are using bind, which seems to make lots of problems for
> them when slave's serial doesn't match master's serial.
>
> Does anyone have an idea what's wrong here?
>

I believe the INCEPTION-INCREMENT behaves as documented [1] in your case, because it's within two days of inception [2] (as it's a Thursday), which will trigger the condition to add 2 and then increment by INCEPTION-age in YYYYMMDDSS format. (The actual reason why it does that is not very clear to me, though.)

Are you sure you've unset the default-soa-edit setting on the slaves? It seems that your 's-dns.irz42.net' host is performing another soa-edit. All other output seems to work as intended. Having secondary nameservers serve different SOA serials is indeed not okay.

The broader question I have is why you're using this setting in the first place if you are serving only unsigned zones. Your backend already has the 'retro-style' serials, so I'm not sure what's in it for you by setting it (what 'convenience'?). But I may not fully understand your issue perhaps.

[1]: https://doc.powerdns.com/authoritative/dnssec/operational.html#inception-increment
[2]: https://doc.powerdns.com/authoritative/dnssec/operational.html#possible-soa-edit-values

HTH
_______________________________________________
Pdns-users mailing list
Pdns-users@mailman.powerdns.com
https://mailman.powerdns.com/mailman/listinfo/pdns-users
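
The serial arithmetic discussed in the reply, as an added example that is not part of the original thread and is not PowerDNS code: a simplified Python model of the INCEPTION-INCREMENT rule as the linked documentation describes it, applied first on the master and then again on a slave that also has soa-edit enabled. The function names are hypothetical, and the model assumes inception is the most recent Thursday at 00:00 UTC.

```python
from datetime import datetime, timedelta, timezone

def inception(now):
    """Assumed inception: the most recent Thursday at 00:00 UTC."""
    midnight = now.replace(hour=0, minute=0, second=0, microsecond=0)
    return midnight - timedelta(days=(midnight.weekday() - 3) % 7)

def yyyymmddss(day, ss):
    """Build a YYYYMMDDSS serial from a date and a two-digit counter."""
    return int(day.strftime("%Y%m%d")) * 100 + ss

def inception_increment(backend_serial, now):
    """Serial served for a given backend serial (simplified model)."""
    start = inception(now)
    inception_serial = yyyymmddss(start, 1)
    window_end = yyyymmddss(start + timedelta(days=2), 99)
    if backend_serial < inception_serial - 1:
        return inception_serial          # older than inception: YYYYMMDD01
    if backend_serial <= window_end:
        return backend_serial + 2        # within two days of inception: +2
    return backend_serial                # newer than the window: unchanged

def served_serials(master_db, now, slave_soa_edit):
    """Return (master served, slave stored, slave served)."""
    master_served = inception_increment(master_db, now)
    slave_db = master_served             # AXFR stores what the master serves
    slave_served = inception_increment(slave_db, now) if slave_soa_edit else slave_db
    return master_served, slave_db, slave_served

if __name__ == "__main__":
    # Constructed timestamp on the date of the post (a Thursday).
    now = datetime(2019, 4, 25, 15, 14, tzinfo=timezone.utc)
    for edit in (True, False):
        print(edit, served_serials(2019042505, now, edit))
```

With the slave's soa-edit enabled the model reproduces the 5, 7, 7, 9 sequence from the post; with it disabled, master and slave serve the same serial.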