Slave DNS servers not updating

sttng359
Posts: 21
Joined: Tue Jun 13, 2006 10:50 am

Slave DNS servers not updating

Post by sttng359 »

The slave dns service that is being hosted on rollernet.us for my domain, north-winds.org, does not seem to be getting updated very fast. The serial number for my domain according to ns1.rollernet.us and ns2.rollernet.us is 2006061000, which was created on the 10th. My current serial is 2006061302 with the refresh rate unchanged at 2 hours. According to my bind logs and a packet trace, my server is sending out DNS notify messages to all slave name servers with a positive acknowledgement followed by what looks like a successful AXFR transfer, but the database still seems to be out of date. I have recently upgraded from bind 9.2.x to bind 9.3.2.
RollerNetSupport
Site Admin
Posts: 598
Joined: Wed Nov 17, 2004 10:05 pm
Location: Nevada

Post by RollerNetSupport »

This is the error from our logs:

Jun 13 18:47:38 mail named[28579]: transfer of 'north-winds.org/IN' from 216.99.199.78#53: failed while receiving responses: CNAME and other data
Jun 13 18:47:38 mail named[28579]: transfer of 'north-winds.org/IN' from 216.99.199.78#53: end of transfer

You have an illegal CNAME usage somewhere in your zone file; you'll need to correct it before our system can transfer the zone. Our nameservers will update a zone when a notify is received. It's probably erroring because you have additional data defined for something that resolves to a CNAME. From http://skriver.dk/bind9/FAQ:
Q: I get error messages like "multiple RRs of singleton type" and "CNAME and other data" when transferring a zone. What does this mean?

A: These indicate a malformed master zone. You can identify the exact records involved by transferring the zone using dig then running named-checkzone on it.

dig axfr example.com @master-server > tmp
named-checkzone example.com tmp

A CNAME record cannot exist with the same name as another record except for the DNSSEC records which prove its existence (NSEC).

RFC 1034, Section 3.6.2: "If a CNAME RR is present at a node, no other data should be present; this ensures that the data for a canonical name and its aliases cannot be different. This rule also insures that a cached CNAME can be used without checking with an authoritative server for other RR types."
Technical Support support@rollernet.us
Roller Network LLC
sttng359
Posts: 21
Joined: Tue Jun 13, 2006 10:50 am

DNSSEC conflicting with CNAMEs

Post by sttng359 »

I discovered the problem, and I should have mentioned, one change I made to the nameserver was enabling DNSSEC on it. As for authoritative nameservers, all they need to do is host the appropriate RRSIG, NSEC, and DNSKEY records so I didn't think there would be any problems, but apparently your nameservers don't like the fact that CNAMEs now have an NSEC and RRSIG record sitting at the same location as the CNAME. This is required according to the latest version of DNSSEC to be able to prevent forged CNAME entries from being propagated. The FAQ entry you quoted only mentioned the NSEC record, so I'm assuming it's just a little out of date. The signed zone files I am using were created automatically using the dnssec-signzone file from the original static zonefile which I have been using until now. Both named-checkzone and bind itself allow the RRSIG and NSEC records, as does a backup nameserver I am using at afraid.org. All the tools I am using are from bind-9.3.2. Since I doubt updating your nameservers is an option, I guess I'll have to settle with not playing with dnssec at this time.
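The FAQ's dig/named-checkzone procedure and the DNSSEC exception raised in this post can be checked together with a small script. This is an added example, not code from the thread or from BIND: it parses zone text as dig axfr prints it, flags every owner name that holds a CNAME plus other data, and exempts the RRSIG and NSEC records that RFC 4035 section 2.5 requires at a CNAME in a signed zone; the sample zone is constructed, and the allow_dnssec flag is a hypothetical switch modelling the stricter behaviour of the older slave.

```python
"""Find "CNAME and other data" conflicts in zone text such as the output of
`dig axfr example.com @master`. RRSIG and NSEC at a CNAME owner are accepted
(RFC 4035 sec. 2.5 requires them); allow_dnssec=False models the older slave."""
from collections import defaultdict

DNSSEC_AT_CNAME = {"RRSIG", "NSEC"}  # may share an owner name with a CNAME in a signed zone

def parse_zone(text):
    """Map each owner name to the set of RR types present at it. Assumes one full
    record per line as dig prints them: owner [ttl] [class] type rdata."""
    owners = defaultdict(set)
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()          # drop comments
        if not line or line.startswith("$"):         # skip blanks and $-directives
            continue
        fields = line.split()
        owner = fields[0].lower().rstrip(".") or "."  # normalise owner name
        i = 1
        if i < len(fields) and fields[i].isdigit():                      # optional TTL
            i += 1
        if i < len(fields) and fields[i].upper() in ("IN", "CH", "HS"):  # optional class
            i += 1
        if i < len(fields):
            owners[owner].add(fields[i].upper())
    return owners

def cname_conflicts(text, allow_dnssec=True):
    """Return {owner: [other types]} for every owner holding a CNAME plus other data."""
    exempt = DNSSEC_AT_CNAME if allow_dnssec else set()
    conflicts = {}
    for owner, types in parse_zone(text).items():
        if "CNAME" in types:
            others = sorted(t for t in types - {"CNAME"} if t not in exempt)
            if others:
                conflicts[owner] = others
    return conflicts

# Constructed sample (not the poster's zone): www is a correctly signed CNAME,
# ftp is a real error because an MX sits at the same name as a CNAME.
SAMPLE_ZONE = """\
example.com.      3600 IN SOA   ns1.example.com. hostmaster.example.com. 2006061302 7200 3600 604800 3600
example.com.      3600 IN NS    ns1.example.com.
www.example.com.  3600 IN CNAME example.com.
www.example.com.  3600 IN RRSIG CNAME 5 3 3600 20060713000000 20060613000000 12345 example.com. AAAA==
www.example.com.  3600 IN NSEC  example.com. CNAME RRSIG NSEC
ftp.example.com.  3600 IN CNAME example.com.
ftp.example.com.  3600 IN MX    10 mail.example.com.
"""
if __name__ == "__main__":
    print("RFC 4035 aware:", cname_conflicts(SAMPLE_ZONE))                      # {'ftp.example.com': ['MX']}
    print("old slave view:", cname_conflicts(SAMPLE_ZONE, allow_dnssec=False))  # www also flagged
```

Run it against `dig axfr yourzone @master` output to see which names a pre-9.3 slave would reject versus which are genuine zone errors.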
sttng359
Posts: 21
Joined: Tue Jun 13, 2006 10:50 am

Post by sttng359 »

BTW, I just checked, my slave dns backup at afraid.org is running bind 9.3.2, the same version as mine, and it appears that both the nameservers at rollernet.us are running 9.2.4. According to the changes file for bind, this is change #1625 made shortly after bind 9.3.0beta3.
RollerNetSupport
Site Admin
Posts: 598
Joined: Wed Nov 17, 2004 10:05 pm
Location: Nevada

Post by RollerNetSupport »

We can upgrade bind to 9.3.2, but I have to do it on our test platform first just to make sure it won't cause any problems with the production systems. Barring any major problem with upgrading bind and integrating it with the account control center, I'm not opposed to doing so.