
DNS Supermaster sync issues

G.Haaijer

Hello,

We have the following setup running for a while now:

1) several Plesk servers running Bind as master nameservers with zonefiles built by Plesk according to the DNS zone template.
2) two PowerDNS nameservers, one of which runs as a slave for the Plesk servers, but is seen by the rest of the world as the master server. The other PowerDNS server is secondary master, syncs with the first.
3) the Plesk servers are configured as "hidden supermasters" in PowerDNS: PowerDNS accepts zone updates from the Plesk servers, but does not tell the rest of the world that it isn't the master.

Now the issue:
The situation as given above only works if the zone file (based on the DNS template in Plesk) contains the PowerDNS hostnames (ns1.domain.com and ns2.domain.com) as NS records. Because the Plesk servers only sync with the first PowerDNS nameserver (ns1.domain.com), the order of the NS records -has- to be ns1.domain.com ns2.domain.com, i.e. ns1.domain.com as primary nameserver. This used to work, up until a few days ago. For some reason, Plesk started generating zones with NS records in the wrong order. While the DNS template still has the right settings (ns1.domain.com as primary), for some reason this gets switched up when the actual zone is generated. The PowerDNS server then says "I'm not authoritative for this domain" and refuses to retrieve the zone.

Anyone seen the same and any idea what causes this?
 
I don't fully understand the problem, so take what I say with a pinch of salt:

The concept of primary/secondary and master/slave is more of a convenience or convention than anything. In terms of DNS records, there is no difference between ns1 and ns2. They are both nameservers and nothing specifies that one is a master/primary and one is a slave/secondary.

When records are changed in Plesk, BIND notifies all listed nameservers - so ns1 and ns2 will get a Notify, and ns1 and ns2 will initiate a transfer IF they are configured to accept notifies from the sending IP.

In your case ns1 is configured to accept notifies and initiate a transfer but ns2 is not (I think?). So the order of the nameserver records should make no difference whatsoever. ns2 should simply ignore the notify, and ns1 should accept it.

Do you have any custom configuration additions in named.conf on the Plesk box that could be affecting what happens?
How does ns1 know about new domains configured in Plesk? Is there a script that runs or something?

Also I'm aware that on the Plesk server, in the zone files for each domain, the SOA record will have ns1. in it designating it the master authoritative nameserver, but I don't think that will have any effect here because ns1 is the master in the way you have things configured, I think?
 
To clarify: the PowerDNS server (ns1) is provisioned to accept the Plesk servers as supermasters. This means that, regardless of whether PowerDNS knows the domains that Plesk sends out notices for, it will accept them. In other words, you do not need to add the domains to PowerDNS first like with a regular slave; once PowerDNS gets a notice for a domain it doesn't already know, it will automatically add it to its database and then request a zone transfer.
 
We used to have the same problem of switched prim and sec DNS. The .nl registry demanded that the DNS must be configured correctly before a .nl domain could be registered, and what was entered in the test as primary should be in the SOA record as primary. When the nameservers were switched, the DNS test would fail. Some servers did it correctly, some never did it correctly, but as we are a Dutch company we do a lot of .nl names, so it was a big deal at the time.

At the moment we also use PowerDNS, but as a standard secondary (with supermasters); Plesk is a normal master, not a hidden master.
Our total solution is twofold:

1: notify the PowerDNS.
2: fix the prim and sec.

SOLUTION 1:

Don't count on BIND to notify the correct PowerDNS. Order him to do so. We use PowerDNS as secondary, also with supermasters. Our BIND config has this entry added to it:

options {
    also-notify { 123.123.123.123; };
    // ..... (other existing options)
};

Every time something is changed, BIND will send a notify to the IP address entered. It doesn't matter which is ns1 or ns2. If the PowerDNS on that IP address has the notifying IP address configured as master server, it will always accept the change, or create the DNS record if it doesn't exist.

This might be enough if the order doesn't matter like it did for us with registry demands. If the order does matter, you need to implement solution 2 also. We don't anymore because the .nl demands have been dropped a while ago.

SOLUTION 2:

We used this script to fix the nameserver order via the eventmanager whenever a domain was created:


Code:
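<?php
// Nameserver record to delete and re-add (placeholder hostname)
$ns1 = "nsxx.yoursecundaydns.com";

// split() was removed in PHP 7; explode() does the same job here
list($system, $host, $kernel) = explode(" ", exec("uname -a"), 5);

// argv[1] selects the event; the domain name comes from the environment
switch ($argv[1] ?? "") {
  case "domcreate":
    $dom = $_ENV['NEW_DOMAIN_NAME'] ?? "";
  break;
  case "domaliascreate":
    $dom = $_ENV['NEW_DOMAIN_ALIAS_NAME'] ?? "";
  break;
  default:
    $dom = "";
}

// Stop instead of running the dns utility without a domain name
if ($dom === "") {
  fwrite(STDERR, "We hit a part of the code we shouldn't have hit...\n\n");
  exit(1);
}

// Quote both values so a crafted domain name cannot inject shell commands
$d = escapeshellarg($dom);
$n = escapeshellarg($ns1);

// Delete the NS record, add it back, then switch the zone off and on again
$error  = shell_exec("/usr/local/psa/bin/dns -d $d -ns '' -nameserver $n");
$error .= shell_exec("/usr/local/psa/bin/dns -a $d -ns '' -nameserver $n");
$error .= shell_exec("/usr/local/psa/bin/dns --off $d");
$error .= shell_exec("/usr/local/psa/bin/dns --on $d");

#mail("[email protected]","DNS Master $host","$error");
?>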

The trick is to delete ns2 (secondary). Plesk will then automatically set the remaining one as primary in the SOA. Then add the secondary back. The result is that prim is always in the SOA.
You need to delete 2 secondaries if you have 3 nameservers.


hope this helps,

regards
Jan
 
I don't fully understand the problem, so take what I say with a pinch of salt:
The concept of primary/secondary and master/slave is more of a convenience or convention than anything. In terms of DNS records, there is no difference between ns1 and ns2. They are both nameservers and nothing specifies that one is a master/primary and one is a slave/secondary.
When records are changed in Plesk, BIND notifies all listed nameservers - so ns1 and ns2 will get a Notify, and ns1 and ns2 will initiate a transfer IF they are configured to accept notifies from the sending IP.
In your case ns1 is configured to accept notifies and initiate a transfer but ns2 is not (I think?). So the order of the nameserver records should make no difference whatsoever. ns2 should simply ignore the notify, and ns1 should accept it.
Also I'm aware that on the Plesk server, in the zone files for each domain, the SOA record will have ns1. in it designating it the master authoritative nameserver, but I don't think that will have any effect here because ns1 is the master in the way you have things configured, I think?

You are correct that the order of ns1/ns2 is irrelevant. However, the issue we are seeing is that Plesk sometimes uses ns2 in the SOA record. And that is causing problems with our hidden master setup. PowerDNS only accepts zones when ns1 is listed in the SOA record. When ns2 is listed in the SOA record PowerDNS will not retrieve the zone, and the domain is unavailable in the DNS.

Plesk sometimes chooses ns1 in the zone SOA record, and sometimes ns2. This needs to be forced to ns1.
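
An added example, not code from anyone in this thread: a small audit that reads BIND-style zone text and reports zones whose SOA MNAME is not the expected primary, or whose NS set lacks it, which are the two conditions described above as making PowerDNS refuse the zone. The hostnames come from the thread; the function names and the sample zones are constructed for illustration.

```python
import re
EXPECTED_MNAME = "ns1.domain.com"  # assumed primary, hostname taken from the thread

def logical_lines(zone_text):
    """Strip ';' comments (outside quotes) and flatten '( ... )' groups."""
    text = re.sub(r'("[^"]*")|;.*', lambda m: m.group(1) or "", zone_text)
    text = re.sub(r"\(([^)]*)\)", lambda m: " ".join(m.group(1).split()), text)
    return text.splitlines()

def rr_type_and_rdata(line):
    """Return (TYPE, rdata fields) after skipping owner, TTL and class."""
    fields = line.split()
    if not line[:1].isspace():
        fields = fields[1:]  # first token is an owner name or $directive
    while fields and (fields[0].isdigit() or fields[0].upper() == "IN"):
        fields = fields[1:]
    return (fields[0].upper(), fields[1:]) if fields else (None, [])

def parse_zone(zone_text):
    """Return (SOA MNAME, NS targets in file order), normalised."""
    mname, ns = None, []
    for line in logical_lines(zone_text):
        rtype, rdata = rr_type_and_rdata(line)
        if rtype == "SOA" and rdata:
            mname = rdata[0].lower().rstrip(".")
        elif rtype == "NS" and rdata:
            ns.append(rdata[0].lower().rstrip("."))
    return mname, ns

def audit(zones, expected=EXPECTED_MNAME):
    """Map zone name -> reason for zones failing the SOA or NS check."""
    problems = {}
    for name, text in zones.items():
        mname, ns = parse_zone(text)
        if mname != expected:
            problems[name] = f"SOA MNAME is {mname}, expected {expected}"
        elif expected not in ns:
            problems[name] = f"{expected} is not in the NS set {ns}"
    return problems

# Constructed sample zones (not real data), shaped like BIND zone files
GOOD = """$TTL 86400
@ IN SOA ns1.domain.com. admin.example.com. (
        2024010101 ; serial
        10800 3600 604800 10800 )
example.com. IN NS ns2.domain.com.
example.com. IN NS ns1.domain.com.
ns IN A 192.0.2.10
"""
BAD = GOOD.replace("SOA ns1.", "SOA ns2.")
print(audit({"good.example": GOOD, "bad.example": BAD}))
```

The NS order in the sample is deliberately ns2 first: only the SOA MNAME and NS membership are checked, not the order of the NS records.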
 