@jpmens
Last active January 13, 2022 10:39
SOA EXPIRE (0 seconds)

named.conf

zone "a1.dnslab.org" IN {
	type secondary;
	primaries {
	   137.184.55.191;
	};
	file "a1";
};

modus

  1. rndc reconfig on primary
  2. rndc reconfig on secondary
  3. wait for transfer to complete
  4. rndc stop on primary

logs on secondary

13-Jan-2022 08:38:08.055 zoneload: managed-keys-zone: loaded serial 0
13-Jan-2022 08:38:08.056 general: all zones loaded
13-Jan-2022 08:38:08.056 general: running
13-Jan-2022 08:42:43.361 general: zone a1.dnslab.org/IN: refresh: retry limit for master 137.184.55.191#53 exceeded (source 0.0.0.0#0)
13-Jan-2022 08:50:09.362 general: zone a1.dnslab.org/IN: refresh: retry limit for master 137.184.55.191#53 exceeded (source 0.0.0.0#0)
(I restart the primary)
13-Jan-2022 08:51:28.362 general: zone a1.dnslab.org/IN: expired
13-Jan-2022 08:51:28.461 general: zone a1.dnslab.org/IN: refresh: unexpected rcode (REFUSED) from master 137.184.55.191#53 (source 0.0.0.0#0)

13 minutes and 20 seconds from running until expired.

query on secondary

; <<>> DiG 9.16.24 <<>> @::1 a1.dnslab.org SOA +norec +multi
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 20915
;; flags: qr aa; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
; COOKIE: 005adf1a6c9ea0bb0100000061dfe6d8cac56016bdb0f1a4 (good)
;; QUESTION SECTION:
;a1.dnslab.org.		IN SOA

;; ANSWER SECTION:
a1.dnslab.org.		60 IN SOA mname.a1.dnslab.org. jp.a1.dnslab.org. (
				3          ; serial
				180        ; refresh (3 minutes)
				60         ; retry (1 minute)
				0          ; expire (0 seconds)
				30         ; minimum (30 seconds)
				)

;; Query time: 0 msec
;; SERVER: ::1#53(::1)
;; WHEN: Thu Jan 13 08:46:16 UTC 2022
;; MSG SIZE  rcvd: 115

query on secondary after expire

; <<>> DiG 9.16.24 <<>> @::1 a1.dnslab.org SOA +norec +multi
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 60827
;; flags: qr; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
; COOKIE: c5e4f6e7e5d487000100000061dfe838b4363bb17c47c7da (good)
;; QUESTION SECTION:
;a1.dnslab.org.		IN SOA

;; Query time: 1 msec
;; SERVER: ::1#53(::1)
;; WHEN: Thu Jan 13 08:52:08 UTC 2022
;; MSG SIZE  rcvd: 70

reset secondary (rm files stop/start)

  1. rndc stop on secondary
  2. enable zone on primary
  3. launch secondary
  4. disable zone on primary but leave named running (REFUSED)

logs on secondary

13-Jan-2022 08:53:59.488 zoneload: managed-keys-zone: loaded serial 0
13-Jan-2022 08:53:59.489 general: all zones loaded
13-Jan-2022 08:53:59.489 general: running
13-Jan-2022 08:58:54.892 general: zone a1.dnslab.org/IN: refresh: unexpected rcode (REFUSED) from master 137.184.55.191#53 (source 0.0.0.0#0)
13-Jan-2022 09:06:01.893 general: zone a1.dnslab.org/IN: refresh: unexpected rcode (REFUSED) from master 137.184.55.191#53 (source 0.0.0.0#0)
13-Jan-2022 09:07:19.793 general: zone a1.dnslab.org/IN: expired
13-Jan-2022 09:07:19.891 general: zone a1.dnslab.org/IN: refresh: unexpected rcode (REFUSED) from master 137.184.55.191#53 (source 0.0.0.0#0)

13 minutes and 20 seconds from running until expired.

I re-enable the zone on the primary, and see the following on the secondary (continuing from where I left off above):

13-Jan-2022 09:07:19.793 general: zone a1.dnslab.org/IN: expired
13-Jan-2022 09:07:19.891 general: zone a1.dnslab.org/IN: refresh: unexpected rcode (REFUSED) from master 137.184.55.191#53 (source 0.0.0.0#0)
13-Jan-2022 09:08:12.892 general: zone a1.dnslab.org/IN: refresh: unexpected rcode (REFUSED) from master 137.184.55.191#53 (source 0.0.0.0#0)
13-Jan-2022 09:10:02.894 general: zone a1.dnslab.org/IN: refresh: unexpected rcode (REFUSED) from master 137.184.55.191#53 (source 0.0.0.0#0)
13-Jan-2022 09:13:39.893 general: zone a1.dnslab.org/IN: refresh: unexpected rcode (REFUSED) from master 137.184.55.191#53 (source 0.0.0.0#0)
13-Jan-2022 09:20:10.894 general: zone a1.dnslab.org/IN: refresh: unexpected rcode (REFUSED) from master 137.184.55.191#53 (source 0.0.0.0#0)
13-Jan-2022 09:45:34.091 general: zone a1.dnslab.org/IN: expired
13-Jan-2022 09:58:54.387 general: zone a1.dnslab.org/IN: expired
13-Jan-2022 10:12:14.683 general: zone a1.dnslab.org/IN: expired

The transfer.log shows the transfer attempts going from unsuccessful (NOTAUTH) to success, at which point the zone has been transferred:

13-Jan-2022 09:07:19.891 zone a1.dnslab.org/IN: Transfer started.
13-Jan-2022 09:07:19.990 transfer of 'a1.dnslab.org/IN' from 137.184.55.191#53: connected using 142.93.164.149#56057
13-Jan-2022 09:07:20.087 transfer of 'a1.dnslab.org/IN' from 137.184.55.191#53: failed while receiving responses: NOTAUTH
13-Jan-2022 09:07:20.087 transfer of 'a1.dnslab.org/IN' from 137.184.55.191#53: Transfer status: NOTAUTH
13-Jan-2022 09:07:20.087 transfer of 'a1.dnslab.org/IN' from 137.184.55.191#53: Transfer completed: 0 messages, 0 records, 0 bytes, 0.097 secs (0 bytes/sec) (serial 0)
13-Jan-2022 09:08:12.892 zone a1.dnslab.org/IN: Transfer started.
13-Jan-2022 09:08:12.991 transfer of 'a1.dnslab.org/IN' from 137.184.55.191#53: connected using 142.93.164.149#50045
13-Jan-2022 09:08:13.088 transfer of 'a1.dnslab.org/IN' from 137.184.55.191#53: failed while receiving responses: NOTAUTH
13-Jan-2022 09:08:13.088 transfer of 'a1.dnslab.org/IN' from 137.184.55.191#53: Transfer status: NOTAUTH
13-Jan-2022 09:08:13.088 transfer of 'a1.dnslab.org/IN' from 137.184.55.191#53: Transfer completed: 0 messages, 0 records, 0 bytes, 0.097 secs (0 bytes/sec) (serial 0)
13-Jan-2022 09:10:02.894 zone a1.dnslab.org/IN: Transfer started.
13-Jan-2022 09:10:02.993 transfer of 'a1.dnslab.org/IN' from 137.184.55.191#53: connected using 142.93.164.149#37301
13-Jan-2022 09:10:03.091 transfer of 'a1.dnslab.org/IN' from 137.184.55.191#53: failed while receiving responses: NOTAUTH
13-Jan-2022 09:10:03.092 transfer of 'a1.dnslab.org/IN' from 137.184.55.191#53: Transfer status: NOTAUTH
13-Jan-2022 09:10:03.092 transfer of 'a1.dnslab.org/IN' from 137.184.55.191#53: Transfer completed: 0 messages, 0 records, 0 bytes, 0.099 secs (0 bytes/sec) (serial 0)
13-Jan-2022 09:13:39.893 zone a1.dnslab.org/IN: Transfer started.
13-Jan-2022 09:13:39.992 transfer of 'a1.dnslab.org/IN' from 137.184.55.191#53: connected using 142.93.164.149#37945
13-Jan-2022 09:13:40.089 transfer of 'a1.dnslab.org/IN' from 137.184.55.191#53: failed while receiving responses: NOTAUTH
13-Jan-2022 09:13:40.089 transfer of 'a1.dnslab.org/IN' from 137.184.55.191#53: Transfer status: NOTAUTH
13-Jan-2022 09:13:40.089 transfer of 'a1.dnslab.org/IN' from 137.184.55.191#53: Transfer completed: 0 messages, 0 records, 0 bytes, 0.097 secs (0 bytes/sec) (serial 0)
13-Jan-2022 09:20:10.894 zone a1.dnslab.org/IN: Transfer started.
13-Jan-2022 09:20:10.993 transfer of 'a1.dnslab.org/IN' from 137.184.55.191#53: connected using 142.93.164.149#57269
13-Jan-2022 09:20:11.090 transfer of 'a1.dnslab.org/IN' from 137.184.55.191#53: failed while receiving responses: NOTAUTH
13-Jan-2022 09:20:11.090 transfer of 'a1.dnslab.org/IN' from 137.184.55.191#53: Transfer status: NOTAUTH
13-Jan-2022 09:20:11.090 transfer of 'a1.dnslab.org/IN' from 137.184.55.191#53: Transfer completed: 0 messages, 0 records, 0 bytes, 0.097 secs (0 bytes/sec) (serial 0)
13-Jan-2022 09:32:13.894 zone a1.dnslab.org/IN: Transfer started.
13-Jan-2022 09:32:13.993 transfer of 'a1.dnslab.org/IN' from 137.184.55.191#53: connected using 142.93.164.149#59007
13-Jan-2022 09:32:14.090 zone a1.dnslab.org/IN: transferred serial 3
13-Jan-2022 09:32:14.090 transfer of 'a1.dnslab.org/IN' from 137.184.55.191#53: Transfer status: success
13-Jan-2022 09:32:14.090 transfer of 'a1.dnslab.org/IN' from 137.184.55.191#53: Transfer completed: 1 messages, 5 records, 178 bytes, 0.097 secs (1835 bytes/sec) (serial 3)
13-Jan-2022 09:32:14.092 zone a1.dnslab.org/IN: sending notifies (serial 3)
13-Jan-2022 09:45:34.190 zone a1.dnslab.org/IN: Transfer started.
13-Jan-2022 09:45:34.290 transfer of 'a1.dnslab.org/IN' from 137.184.55.191#53: connected using 142.93.164.149#47541
13-Jan-2022 09:45:34.387 zone a1.dnslab.org/IN: transferred serial 3
13-Jan-2022 09:45:34.387 transfer of 'a1.dnslab.org/IN' from 137.184.55.191#53: Transfer status: success
13-Jan-2022 09:45:34.387 transfer of 'a1.dnslab.org/IN' from 137.184.55.191#53: Transfer completed: 1 messages, 5 records, 178 bytes, 0.097 secs (1835 bytes/sec) (serial 3)
13-Jan-2022 09:45:34.387 zone a1.dnslab.org/IN: sending notifies (serial 3)
13-Jan-2022 09:58:54.486 zone a1.dnslab.org/IN: Transfer started.
13-Jan-2022 09:58:54.586 transfer of 'a1.dnslab.org/IN' from 137.184.55.191#53: connected using 142.93.164.149#57345
13-Jan-2022 09:58:54.683 zone a1.dnslab.org/IN: transferred serial 3
13-Jan-2022 09:58:54.683 transfer of 'a1.dnslab.org/IN' from 137.184.55.191#53: Transfer status: success
13-Jan-2022 09:58:54.683 transfer of 'a1.dnslab.org/IN' from 137.184.55.191#53: Transfer completed: 1 messages, 5 records, 178 bytes, 0.097 secs (1835 bytes/sec) (serial 3)
13-Jan-2022 09:58:54.683 zone a1.dnslab.org/IN: sending notifies (serial 3)
13-Jan-2022 10:12:14.782 zone a1.dnslab.org/IN: Transfer started.
13-Jan-2022 10:12:14.882 transfer of 'a1.dnslab.org/IN' from 137.184.55.191#53: connected using 142.93.164.149#33409
13-Jan-2022 10:12:14.979 zone a1.dnslab.org/IN: transferred serial 3
13-Jan-2022 10:12:14.979 transfer of 'a1.dnslab.org/IN' from 137.184.55.191#53: Transfer status: success
13-Jan-2022 10:12:14.979 transfer of 'a1.dnslab.org/IN' from 137.184.55.191#53: Transfer completed: 1 messages, 5 records, 178 bytes, 0.097 secs (1835 bytes/sec) (serial 3)
13-Jan-2022 10:12:14.981 zone a1.dnslab.org/IN: sending notifies (serial 3)

The secondary also answers queries again:

; <<>> DiG 9.16.24 <<>> @::1 a1.dnslab.org SOA +norec +multi
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 7589
;; flags: qr aa; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
; COOKIE: ec6ee086cb7b9fbb0100000061dffc9c94d09d3f0621b06e (good)
;; QUESTION SECTION:
;a1.dnslab.org.		IN SOA

;; ANSWER SECTION:
a1.dnslab.org.		60 IN SOA mname.a1.dnslab.org. jp.a1.dnslab.org. (
				3          ; serial
				180        ; refresh (3 minutes)
				60         ; retry (1 minute)
				0          ; expire (0 seconds)
				30         ; minimum (30 seconds)
				)

;; Query time: 1 msec
;; SERVER: ::1#53(::1)
;; WHEN: Thu Jan 13 10:19:08 UTC 2022
;; MSG SIZE  rcvd: 115

But note how named understandably continues reporting that the zone has expired and then transfers it:

13-Jan-2022 10:38:55.274 general: zone a1.dnslab.org/IN: expired
13-Jan-2022 10:38:55.373 zone a1.dnslab.org/IN: Transfer started.
13-Jan-2022 10:38:55.472 transfer of 'a1.dnslab.org/IN' from 137.184.55.191#53: connected using 142.93.164.149#52387
13-Jan-2022 10:38:55.570 zone a1.dnslab.org/IN: transferred serial 3
13-Jan-2022 10:38:55.570 transfer of 'a1.dnslab.org/IN' from 137.184.55.191#53: Transfer status: success
13-Jan-2022 10:38:55.570 transfer of 'a1.dnslab.org/IN' from 137.184.55.191#53: Transfer completed: 1 messages, 5 records, 178 bytes, 0.098 secs (1816 bytes/sec) (serial 3)
13-Jan-2022 10:38:55.572 zone a1.dnslab.org/IN: sending notifies (serial 3)

lib/dns/include/dns/zone.h:

#define DNS_ZONE_DEFAULTREFRESH 3600 /*%< 1 hour */
#define DNS_ZONE_DEFAULTRETRY        \
        60 /*%< 1 minute, subject to \
            * exponential backoff */
#define DNS_ZONE_MAXREFRESH 2419200 /*%< 4 weeks */
#define DNS_ZONE_MINREFRESH 300 /*%< 5 minutes */
#define DNS_ZONE_MINRETRY 300 /*%< 5 minutes */
#define DNS_ZONE_MAXRETRY 1209600 /*%< 2 weeks */

lib/dns/zone.c:

                         .refresh = DNS_ZONE_DEFAULTREFRESH,
                         .retry = DNS_ZONE_DEFAULTRETRY,
                         .maxrefresh = DNS_ZONE_MAXREFRESH,
                         .minrefresh = DNS_ZONE_MINREFRESH,
                         .maxretry = DNS_ZONE_MAXRETRY,
                         .minretry = DNS_ZONE_MINRETRY,
/* RANGE(a, min, max) clamps a into [min, max]: refresh and retry are raised to
 * their minimums, and expire can never be lower than refresh + retry. */
zone->refresh = RANGE(refresh, zone->minrefresh, zone->maxrefresh);
zone->retry = RANGE(retry, zone->minretry, zone->maxretry);
zone->expire = RANGE(expire, zone->refresh + zone->retry, DNS_MAX_EXPIRE);

...
/* next refresh after a failure: retry minus a random share of 3/4 of retry */
delay = (zone->retry - isc_random_uniform((zone->retry * 3) / 4));
                        DNS_ZONE_TIME_ADD(&now, delay, &zone->refreshtime);

So, in my case with SOA

				180        ; refresh (3 minutes)
				60         ; retry (1 minute)
				0          ; expire (0 seconds)

this begins to make sense to me:

refresh: 3m, but minimum is: 5m
retry: 1m, but minimum is: 5m
expire: 0, but minimum is refresh+retry: 10m
delay: retry*3/4: 5*3/4: 3.75 => 3
total: 13m
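To check this reasoning against the zone.c clamping quoted above, here is an added Python example (not from the gist and not BIND's own code) that pulls the SOA timers out of the dig +multi output shown earlier and computes the values named actually schedules with; the DNS_MAX_EXPIRE value is not quoted on the page and is assumed here.

```python
import re

# Constructed copy of the SOA block as dig +multi printed it above.
SOA_MULTI = """a1.dnslab.org.\t\t60 IN SOA mname.a1.dnslab.org. jp.a1.dnslab.org. (
\t\t\t\t3          ; serial
\t\t\t\t180        ; refresh (3 minutes)
\t\t\t\t60         ; retry (1 minute)
\t\t\t\t0          ; expire (0 seconds)
\t\t\t\t30         ; minimum (30 seconds)
\t\t\t\t)
"""

# Limits as initialised in lib/dns/zone.c from the zone.h defines quoted above.
MINREFRESH, MAXREFRESH = 300, 2419200
MINRETRY, MAXRETRY = 300, 1209600
DNS_MAX_EXPIRE = 14515200  # assumed (24 weeks); the page does not quote it


def clamp(value, lo, hi):
    """Python equivalent of BIND's RANGE(a, min, max) macro."""
    return max(lo, min(value, hi))


def parse_soa_multi(text):
    """Return (serial, refresh, retry, expire, minimum) from dig +multi output."""
    fields = {}
    pattern = r"^\s*(\d+)\s+;\s*(serial|refresh|retry|expire|minimum)"
    for m in re.finditer(pattern, text, re.M):
        fields[m.group(2)] = int(m.group(1))
    return tuple(fields[k] for k in ("serial", "refresh", "retry", "expire", "minimum"))


def effective_timers(refresh, retry, expire):
    """Apply zone.c's clamping and report the post-failure retry delay window."""
    eff_refresh = clamp(refresh, MINREFRESH, MAXREFRESH)
    eff_retry = clamp(retry, MINRETRY, MAXRETRY)
    eff_expire = clamp(expire, eff_refresh + eff_retry, DNS_MAX_EXPIRE)
    # delay = retry - isc_random_uniform(retry*3/4); the random term lies in
    # [0, retry*3/4), so the delay lies in [retry - (retry*3/4 - 1), retry].
    spread = (eff_retry * 3) // 4
    return {
        "refresh": eff_refresh,
        "retry": eff_retry,
        "expire": eff_expire,
        "delay_min": eff_retry - (spread - 1) if spread else eff_retry,
        "delay_max": eff_retry,
    }


if __name__ == "__main__":
    serial, refresh, retry, expire, minimum = parse_soa_multi(SOA_MULTI)
    print(f"published SOA: refresh={refresh} retry={retry} expire={expire}")
    print("as named applies it:", effective_timers(refresh, retry, expire))
```

For the page's SOA this yields refresh 300, retry 300 and expire 600 seconds, with the first retry landing between 76 and 300 seconds after a failed refresh.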