Bind 9.9 very particular about serial numbers

classic Classic list List threaded Threaded
2 messages Options
Reply | Threaded
Open this post in threaded view
|

Bind 9.9 very particular about serial numbers

D G Teed-2

We recently upgraded our main DNS server to Bind 9.9 from 9.8.

There were occasional reports of a new host not being known to
other DNS servers, which receive zone transfers via "also-notify".

This failure on downstream NS servers seemed to go along with warnings in the log...

zone serial (XXXXXXXXXX) unchanged. zone may fail to transfer to slaves.

Our configuration isn't built around master and slave, but that is the error nonetheless.

Our serial was set to increment, but it was based around YYYYMMDDHH
so for some reason in the newer Bind 9.9 we were not going to get
more than one zone transfer per hour.  I decided we needed a new
scheme, and given the serial number limits I would need to lose 2 digits
from the year and add two for the minute: YYMMDDHHMM.

So that would mean a serial going from something like 2018050911
to 1805091130.  Bind doesn't like that change as the number would
be going backwards.  Research reveals there are some rules
about the serial number incrementing.  Essentially we need to
get the odometer to roll over so we can introduce the smaller
numerical serial number.

Here are the rules of the Bind serial number game:

- The equivalent of 99999999 on the odometer is 2^32 - 1 , or 4294967295
- Serial number must go forward, never backward
- Serial number can never advance more than 2147483647 at a time
- Wait for all secondary DNS to get the transferred zone before incrementing again

In our case we have d-zone.ca as an additional DNS service,
and they have an unknown number of round robin DNS servers
behind one hosted NS like ns1.d-zone.ca.

That required help from their support to get zone updates forced
through with a target serial number.  Checking repeatly with
"host -t soa example.com ns1.d-zone" allowed confirmation
all the ghost NS behind that name were giving the same answer.

To get from our serial starting with 2018 to one starting with 1805
I used this sequence of serial number updates with waiting and checking
between each update:

2018050912
4165534560
4294967295
1805091405

Hopefully that might be useful to someone.  I found a lot of
the information on stack exchange and so on, but it was fragmented
and some answers used broken links.



_______________________________________________
nSLUG mailing list
[hidden email]
http://nslug.ns.ca/mailman/listinfo/nslug
Reply | Threaded
Open this post in threaded view
|

Re: Bind 9.9 very particular about serial numbers

Mike Spencer

D G Teed <[hidden email]> wrote:

[snip detailed description of Bind problem and resolution]

Almost certainly stuff I'll never have to deal with.  But I applaud
your taking the trouble to write the piece and post it for the record.

()()()(),
- Mike

--
Michael Spencer                  Nova Scotia, Canada       .~.
                                                           /V\
[hidden email]                                     /( )\
http://home.tallships.ca/mspencer/                        ^^-^^

_______________________________________________
nSLUG mailing list
[hidden email]
http://nslug.ns.ca/mailman/listinfo/nslug