We recently upgraded our main DNS server to Bind 9.9 from 9.8.
There were occasional reports of a new host not being known to other DNS servers, which receive zone transfers via "also-notify".
This failure on downstream NS servers seemed to go along with warnings in the log...
zone serial (XXXXXXXXXX) unchanged. zone may fail to transfer to slaves.
Our configuration isn't built around master and slave, but that is the error nonetheless.
Our serial was set to increment, but it was based around YYYYMMDDHH so for some reason in the newer Bind 9.9 we were not going to get more than one zone transfer per hour. I decided we needed a new scheme, and given the serial number limits I would need to lose 2 digits from the year and add two for the minute: YYMMDDHHMM.
So that would mean a serial going from something like 2018050911
to 1805091130. Bind doesn't like that change as the number would be going backwards. Research reveals there are some rules about the serial number incrementing. Essentially we need to
get the odometer to roll over so we can introduce the smaller
numerical serial number.
Here are the rules of the Bind serial number game:
- The equivalent of 99999999 on the odometer is 2^32 - 1 , or 4294967295
- Serial number must go forward, never backward
- Serial number can never advance more than 2147483647 at a time
- Wait for all secondary DNS to get the transferred zone before incrementing again
In our case we have d-zone.ca as an additional DNS service, and they have an unknown number of round robin DNS servers behind one hosted NS like ns1.d-zone.ca.
That required help from their support to get zone updates forced through with a target serial number. Checking repeatly with "host -t soa example.com ns1.d-zone" allowed confirmation
all the ghost NS behind that name were giving the same answer.
To get from our serial starting with 2018 to one starting with 1805 I used this sequence of serial number updates with waiting and checking between each update:
Hopefully that might be useful to someone. I found a lot of the information on stack exchange and so on, but it was fragmented