Issue Remove DNS zone files on Slave DNS

[klowet]

Hello

When I delete zones in Plesk (which is the Master DNS), they are not deleted on the Slave DNS servers. Adding and modifying zones is not a problem, but zone files are not removed on the slave DNS servers when they are removed from the Plesk Master DNS server.

It seems that no 'rndc delzone' is executed when removing a domain.

Any thoughts on this?

Thanks

 

[AYamshanov]

Hi klowet,

It seems there should be something other. What version of BIND is installed on the servers?

Slave DNS Manager executes "rndc delzone" if it receives info about deleting:

• plesk/ext-slave-dns-manager

Slave DNS Manager uses "-clean" if the flag is supported:

• plesk/ext-slave-dns-manager

delzone [-clean] zone [class [view]]
Delete a zone while the server is running.

If the -clean argument is specified, the zone's master file (and
journal file, if any) will be deleted along with the zone. With-
out the -clean option, zone files must be cleaned up by hand.
(If the zone is of type "slave" or "stub", the files needing to
be cleaned up will be reported in the output of the rndc delzone
command.)

If the zone was originally added via rndc addzone, then it will
be removed permanently. However, if it was originally configured
in named.conf, then that original configuration is still in
place; when the server is restarted or reconfigured, the zone
will come back. To remove it permanently, it must also be re-
moved from named.conf

See also rndc addzone and rndc modzone.

(c) rndc

 

[klowet]

Hello AYamshanov

On both servers (Plesk Master and the Slaves): BIND 9.16.1-Ubuntu (Stable Release).

 

[AYamshanov]

I see, it seems to need to update regex expression in plesk/ext-slave-dns-manager

I will create a bug report.

 

[klowet]

Ahh great. Thank you.

 

[maffi]

Hello, unfortunately the problem still exists. Is there a solution for this?

Master & Slave Debian 10 with bind9 -1:9.11.5.P4+dfsg-5.1+deb10u6

 

[AYamshanov]

Sorry, it is my fault. The bug report is created: EXTPLESK-3353.

 

[IgorG]

Fixed in Slave DNS Manager 1.10.1

 

[LRob]

Hello,

Sorry to bother and up this issue, but here is a related one @AYamshanov @IgorG
When you disable a DNS zone, Plesk should also remove it from slaves.

Otherwise you get spammed by this kind of entries on slave's DNS logs:

Apr 11 22:06:38 ns1 named[3064945]: transfer of 'domain.tld/IN' from [Master DNS IP]#53: connected using  [Slave DNS IP]#57133
Apr 11 22:06:38 ns1 named[3064945]: transfer of 'domain.tld/IN' from [Master DNS IP]#53: failed while receiving responses: NOTAUTH
Apr 11 22:06:38 ns1 named[3064945]: transfer of 'domain.tld/IN' from [Master DNS IP]#53: Transfer status: NOTAUTH
Apr 11 22:06:38 ns1 named[3064945]: transfer of 'domain.tld/IN' from [Master DNS IP]#53: Transfer completed: 0 messages, 0 records, 0 bytes, 0.003 secs (0 bytes/sec) (serial 0)

Ultimately for best cleaning, instead of sending "rndc delzone domain.tld", Plesk should use "rndc delzone -clean domain.tld" in order to actually remove files from obsolete DNS zones from slave DNS. Otherwise you can't add back these DNS zones from other Plesk servers until you manually go to your slaves and run the "delzone -clean" command.

Best regards

 

[johnny_silverhand]

Hello everyone.

there is such a problem.

Two servers with Plesk two slave DNS servers via Slave DNS (identical for both Plesk). Creating a domain on server 1, everything works. We create a domain on server 2, the domain works from server 1 (as it should be, The IP points to the first Plesk server), but if we delete the domain from server 2, then the DNS server's Slave also deletes the zone, although the domain works from another server and not from the one from which the rndc delzone -clean command came example.com . I think an additional check is needed here.

 

[AYamshanov]

Hi,

Plesk should use "rndc delzone -clean domain.tld" in order to actually remove files from obsolete DNS zones from slave DNS.

Supporting of `-clean` depends on BIND/named on secondary servers. BIND version 9.10 and earlier does not support this flag. Could you please provide more details about your environment, it could help to understand is there any issue/bug or not.

Two servers with Plesk two slave DNS servers via Slave DNS (identical for both Plesk).

I would say it is not a good enough idea. It is better to use different servers for different Plesk servers. Probably, as a work-around you can use different "views" with BIND/named and Slave DNS Manager for different Plesk servers.
Another idea I found, provided by @websavers here Question - Multiple Plesk servers to the same Slave DNS servers, but I can't say anything additional because do not test it and can't see any additional data in the thread since 2021.

 

[johnny_silverhand]

Hi,

Thanks for your reply.

We use BIND 9.10.3-P4-Ubuntu, to create two external DNS servers for each Plesk installation is very expensive in my opinion.

It's not about the [clear] parameter, the problem is that someone can create someone else's domain on the second Plesk server, delete it, after which the real owner of the site will have problems with the availability of the site.

let's try to come up with something)

 

[LRob]

Supporting of `-clean` depends on BIND/named on secondary servers. BIND version 9.10 and earlier does not support this flag. Could you please provide more details about your environment, it could help to understand is there any issue/bug or not.

Hello, thanks for your interest.

Version on master (Plesk server) is latest from Debian 11:
# named -v
BIND 9.16.44-Debian

Versions on slaves are latest from Debian 12:
# named -v
BIND 9.18.19-1~deb12u1-Debian

So if I understood well, it should perform a "-clean" but it doesn't. Bug?

 

[AYamshanov]

So if I understood well, it should perform a "-clean" but it doesn't. Bug?

Thank you for providing exactly versions. In the extension code, there is only one place where it decided to use or not the flag, ext-slave-dns-manager/plib/library/Rndc.php at master · plesk/ext-slave-dns-manager

I have quickly checked how the code works with BIND/named from Debian 12, it detects version correctly and should add the flag to the command,


If the flag is used, you should be able to see it in the debug logs because of ext-slave-dns-manager/plib/library/Rndc.php at master · plesk/ext-slave-dns-manager. The next step is executing the `rndc` tool to command to a secondary server.

As I have a test Debian12 server as a secondary DNS, I also perform a quick test,

# pwd
/var/cache/bind
#

// [default]
# named-nzd2nzf _default.nzd
#

// [after adding a domain]
# named-nzd2nzf _default.nzd
zone "example.org" { type slave; file "example.org"; masters { 192.0.2.1; }; };
#

// [after removing the domain]
# named-nzd2nzf _default.nzd
#

So, currently, I can't confirm the bug. Let me know if you have more detailed steps on how to reproduce the issue, probably the issue is somewhere else.

 

[LRob]

So, currently, I can't confirm the bug. Let me know if you have more detailed steps on how to reproduce the issue, probably the issue is somewhere else.

Thank you for looking into it. Did you try disabling DNS zone, or removing the domain entirely? Removing works, disabling does not.

So I've tested again and in my config I can confirm it does not work as expected.

I've added a "testdomain.tld", disabled its the DNS zone, and tried to query it with nslookup on one of the slaves.
-> Query worked.
--> So the zone isn't removed from slaves when a DNS zone is disabled. Slaves still answer queries. Logs show that. (my IP is shown that's no problem, I'm even hosting stuff at home so it's basically public anyway).


After removing the domain however, it is successfully removed from slaves. But not when disabling DNS zone.

With domain disabled on master, the slave DNS should not answer queries.

lr@lr-desktop:~$ nslookup testdomain.tld ns1.lrob.net
Server:         ns1.lrob.net
Address:        51.91.101.109#53

Name:   testdomain.tld
Address: 138.201.17.216
Name:   testdomain.tld
Address: 2a01:4f8:171:28e8::2

With domain removed from plesk, slave DNS do not answer queries, as expected.

lr@lr-desktop:~$ nslookup testdomain.tld ns1.lrob.net
Server:         ns1.lrob.net
Address:        51.91.101.109#53

** server can't find testdomain.tld: REFUSED

 

[AYamshanov]

Thank you for new details, @Lrob.

With these details, I can say that it is definitely not a bug in the Slave DNS Manager extension, but in Plesk.
For Plesk it has internal ID PPP-36129.