
Resolved Slave DNS Manager does not transfer new domain zone

MariuszB

Basic Pleskian
Server operating system version
AlmaLinux 9.1 (Lime Lynx)
Plesk version and microupdate number
18.0.54 #1
When I add a new domain to the Plesk server, the DNS zone does not transfer to the slave DNS server via the Slave DNS Manager extension. After a manual update in the domain's DNS settings, the transfer completes correctly.

Here is the full log from adding the domain and from the manual update.

Aug 1 11:31:10 h6 systemd[1]: Started Plesk task: Event 'domain_dns_update' for object with ID '779' (example.com) (task=80656 process=80657 trace=3064549:64c8d0de84a2e).
Aug 1 11:31:11 h6 systemd[1]: Started Plesk task: Event 'domain_limits_update' for object with ID '779' (example.com) (task=80659 process=80658 trace=3064549:64c8d0de84a2e).
Aug 1 11:31:11 h6 systemd[1]: Stopped Plesk task: Event 'domain_dns_update' for object with ID '779' (example.com) (task=80656 process=80657 trace=3064549:64c8d0de84a2e).
Aug 1 11:31:11 h6 systemd[1]: Started Plesk task: Event 'domain_dns_update' for object with ID '779' (example.com) (task=80657 process=80659 trace=3064549:64c8d0de84a2e).
Aug 1 11:31:11 h6 systemd[1]: Stopped Plesk task: Event 'domain_limits_update' for object with ID '779' (example.com) (task=80659 process=80658 trace=3064549:64c8d0de84a2e).
Aug 1 11:31:11 h6 systemd[1]: Stopped Plesk task: Event 'domain_dns_update' for object with ID '779' (example.com) (task=80657 process=80659 trace=3064549:64c8d0de84a2e).
Aug 1 11:31:11 h6 systemd[1]: Started Plesk task: Event 'domain_dns_update' for object with ID '779' (example.com) (task=80658 process=80660 trace=3064549:64c8d0de84a2e).
Aug 1 11:31:12 h6 systemd[1]: Stopped Plesk task: Event 'domain_dns_update' for object with ID '779' (example.com) (task=80658 process=80660 trace=3064549:64c8d0de84a2e).
Aug 1 11:31:12 h6 systemd[1]: Started Plesk task: Event 'domain_dns_update' for object with ID '779' (example.com) (task=80660 process=80661 trace=3064549:64c8d0de84a2e).
Aug 1 11:31:12 h6 systemd[1]: Stopped Plesk task: Event 'domain_dns_update' for object with ID '779' (example.com) (task=80660 process=80661 trace=3064549:64c8d0de84a2e).
Aug 1 11:31:12 h6 systemd[1]: Started Plesk task: Event 'domain_dns_update' for object with ID '779' (example.com) (task=80661 process=80662 trace=3064549:64c8d0de84a2e).
Aug 1 11:31:13 h6 systemd[1]: Stopped Plesk task: Event 'domain_dns_update' for object with ID '779' (example.com) (task=80661 process=80662 trace=3064549:64c8d0de84a2e).
Aug 1 11:31:13 h6 systemd[1]: Started Plesk task: Event 'domain_dns_update' for object with ID '779' (example.com) (task=80662 process=80663 trace=3064549:64c8d0de84a2e).
Aug 1 11:31:13 h6 systemd[1]: Stopped Plesk task: Event 'domain_dns_update' for object with ID '779' (example.com) (task=80662 process=80663 trace=3064549:64c8d0de84a2e).
Aug 1 11:31:17 h6 systemd[1]: Started Plesk task: Event 'domain_limits_update' for object with ID '779' (example.com) (task=80663 process=80664 trace=3064549:64c8d0de84a2e).
Aug 1 11:31:18 h6 systemd[1]: Stopped Plesk task: Event 'domain_limits_update' for object with ID '779' (example.com) (task=80663 process=80664 trace=3064549:64c8d0de84a2e).
Aug 1 11:31:18 h6 systemd[1]: Started Plesk task: Event 'domain_dns_update' for object with ID '779' (example.com) (task=80664 process=80665 trace=3064549:64c8d0de84a2e).
Aug 1 11:31:18 h6 named[3345]: zone example.com/IN: loaded serial 2023080105
Aug 1 11:31:18 h6 named[3345]: zone example.com/IN: sending notifies (serial 2023080105)
Aug 1 11:31:19 h6 systemd[1]: Stopped Plesk task: Event 'domain_dns_update' for object with ID '779' (example.com) (task=80664 process=80665 trace=3064549:64c8d0de84a2e).
Aug 1 11:31:19 h6 named[3345]: zone example.com/IN: zone serial (2023080105) unchanged. zone may fail to transfer to slaves.
Aug 1 11:31:19 h6 named[3345]: zone example.com/IN: loaded serial 2023080105
Aug 1 11:31:19 h6 systemd[1]: Started Plesk task: Apache reconfiguration (example.com) (task=80665 process=80666 trace=3064549:64c8d0de84a2e).
Aug 1 11:31:20 h6 systemd[1]: Started Plesk task: Nginx reconfiguration (example.com) (task=80666 process=80667 trace=3064549:64c8d0de84a2e).
Aug 1 11:31:20 h6 systemd[1]: Started Plesk task: Event 'domain_create' for object with ID '779' (example.com) (task=80667 process=80668 trace=3064549:64c8d0de84a2e).
Aug 1 11:31:20 h6 systemd[1]: Started Plesk task: Event 'phys_hosting_create' for object with ID '779' (example.com) (task=80669 process=80669 trace=3064549:64c8d0de84a2e).
Aug 1 11:31:20 h6 systemd[1]: Stopped Plesk task: Event 'phys_hosting_create' for object with ID '779' (example.com) (task=80669 process=80669 trace=3064549:64c8d0de84a2e).
Aug 1 11:31:20 h6 systemd[1]: Started Plesk task: Event 'phys_hosting_create' for object with ID '779' (example.com) (task=80670 process=80671 trace=3064549:64c8d0de84a2e).
Aug 1 11:31:22 h6 systemd[1]: Stopped Plesk task: Event 'domain_create' for object with ID '779' (example.com) (task=80667 process=80668 trace=3064549:64c8d0de84a2e).
Aug 1 11:31:22 h6 systemd[1]: Started Plesk task: Event 'domain_create' for object with ID '779' (example.com) (task=80668 process=80672 trace=3064549:64c8d0de84a2e).
Aug 1 11:31:22 h6 systemd[1]: Stopped Plesk task: Event 'phys_hosting_create' for object with ID '779' (example.com) (task=80670 process=80671 trace=3064549:64c8d0de84a2e).
Aug 1 11:31:22 h6 systemd[1]: Started Plesk task: Event 'phys_hosting_create' for object with ID '779' (example.com) (task=80671 process=80673 trace=3064549:64c8d0de84a2e).
Aug 1 11:31:22 h6 systemd[1]: Started plesk-php74-fpm_example.com_779.service.
Aug 1 11:31:23 h6 systemd[1]: Stopped Plesk task: Event 'domain_create' for object with ID '779' (example.com) (task=80668 process=80672 trace=3064549:64c8d0de84a2e).
Aug 1 11:31:23 h6 named[3345]: zone example.com/IN: sending notifies (serial 2023080105)
Aug 1 11:31:24 h6 systemd[1]: Stopped Plesk task: Event 'phys_hosting_create' for object with ID '779' (example.com) (task=80671 process=80673 trace=3064549:64c8d0de84a2e).
Aug 1 11:31:36 h6 systemd[1]: Stopped Plesk task: Apache reconfiguration (example.com) (task=80665 process=80666 trace=3064549:64c8d0de84a2e).
Aug 1 11:31:39 h6 systemd[1]: Stopped Plesk task: Nginx reconfiguration (example.com) (task=80666 process=80667 trace=3064549:64c8d0de84a2e).
Aug 1 11:33:19 h6 systemd[1]: Started Plesk task: Event 'domain_dns_update' for object with ID '779' (example.com) (task=80676 process=80677 trace=3066527:64c8d15fc7990).
Aug 1 11:33:20 h6 named[3345]: zone example.com/IN: loaded serial 2023080106
Aug 1 11:33:20 h6 named[3345]: zone example.com/IN: sending notifies (serial 2023080106)
Aug 1 11:33:20 h6 systemd[1]: Stopped Plesk task: Event 'domain_dns_update' for object with ID '779' (example.com) (task=80676 process=80677 trace=3066527:64c8d15fc7990).
Aug 1 11:33:21 h6 named[3345]: client @0x7fca984fd688 xx.yy.zz.6#54359 (example.com): transfer of 'example.com/IN': AXFR started (serial 2023080106)
Aug 1 11:33:21 h6 named[3345]: client @0x7fca984fd688 xx.yy.zz.6#54359 (example.com): transfer of 'example.com/IN': AXFR ended: 1 messages, 17 records, 792 bytes, 0.001 secs (792000 bytes/sec) (serial 2023080106)
Aug 1 11:33:21 h6 named[3345]: client @0x7fca984fd688 xx.yy.zz.7#53013 (example.com): transfer of 'example.com/IN': AXFR started (serial 2023080106)
Aug 1 11:33:21 h6 named[3345]: client @0x7fca984fd688 xx.yy.zz.7#53013 (example.com): transfer of 'example.com/IN': AXFR ended: 1 messages, 17 records, 792 bytes, 0.001 secs (792000 bytes/sec) (serial 2023080106)
Aug 1 11:55:28 h6 named-checkconf[3079513]: zone example.com/IN: loaded serial 2023080106
Aug 1 11:55:28 h6 named[3079570]: zone example.com/IN: loaded serial 2023080106
Aug 1 11:55:28 h6 named[3079570]: zone example.com/IN: sending notifies (serial 2023080106)
 
Do you see any suspicious messages in /var/log/messages like
Aug 7 16:39:39 named[29678]: client 192.168.1.2#60958 (example.com): query (cache) 'example.com/SOA/IN' denied
Aug 7 16:39:39 named[29678]: client 192.168.1.2#43315 (example.com): bad zone transfer request: 'example.com/IN': non-authoritative zone (NOTAUTH)
or similar regarding named that point to an error?
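
One way to triage a primary's named log for the signals asked about above (an added example, not part of the thread; the sample lines are constructed from the log excerpts quoted on this page). It counts NOTIFYs and AXFR pulls per zone serial and collects refusal lines such as "denied" or NOTAUTH.

```python
import re
from collections import defaultdict

# Constructed sample: named lines taken from the log excerpts quoted in this thread.
SAMPLE_LOG = """\
Aug 1 11:31:18 h6 named[3345]: zone example.com/IN: sending notifies (serial 2023080105)
Aug 1 11:31:19 h6 named[3345]: zone example.com/IN: zone serial (2023080105) unchanged. zone may fail to transfer to slaves.
Aug 1 11:31:23 h6 named[3345]: zone example.com/IN: sending notifies (serial 2023080105)
Aug 1 11:33:20 h6 named[3345]: zone example.com/IN: sending notifies (serial 2023080106)
Aug 1 11:33:21 h6 named[3345]: client @0x7fca984fd688 xx.yy.zz.6#54359 (example.com): transfer of 'example.com/IN': AXFR started (serial 2023080106)
Aug 1 11:33:21 h6 named[3345]: client @0x7fca984fd688 xx.yy.zz.7#53013 (example.com): transfer of 'example.com/IN': AXFR started (serial 2023080106)
Aug 7 16:39:39 named[29678]: client 192.168.1.2#43315 (example.com): bad zone transfer request: 'example.com/IN': non-authoritative zone (NOTAUTH)
"""

NOTIFY = re.compile(r"zone (\S+)/IN: sending notifies \(serial (\d+)\)")
UNCHANGED = re.compile(r"zone (\S+)/IN: zone serial \((\d+)\) unchanged")
AXFR = re.compile(r"client (?:@\S+ )?(\S+)#\d+ \(\S+\): transfer of '(\S+)/IN': AXFR started \(serial (\d+)\)")
REFUSED = re.compile(r"denied$|NOTAUTH|not authoritative")


def triage(log_text):
    """Return ({(zone, serial): counters}, [refusal lines]) for a named log."""
    stats = defaultdict(lambda: {"notifies": 0, "unchanged": 0, "axfr_clients": set()})
    refused = []
    for line in log_text.splitlines():
        if m := NOTIFY.search(line):
            stats[(m[1], m[2])]["notifies"] += 1
        elif m := UNCHANGED.search(line):
            stats[(m[1], m[2])]["unchanged"] += 1
        elif m := AXFR.search(line):
            stats[(m[2], m[3])]["axfr_clients"].add(m[1])
        elif REFUSED.search(line):
            refused.append(line)
    return dict(stats), refused


def never_transferred(stats):
    """Serials announced via NOTIFY that no secondary pulled with AXFR."""
    return sorted(k for k, v in stats.items() if v["notifies"] and not v["axfr_clients"])


if __name__ == "__main__":
    stats, refused = triage(SAMPLE_LOG)
    for zone, serial in never_transferred(stats):
        print(f"{zone} serial {serial}: notified, never transferred")
    print(f"{len(refused)} refusal line(s)")
```

A serial that was notified but never pulled is the cue to read the secondary's own log for that zone at the same timestamps.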
 
Ah, I think I've got what the problem could be. The line
Aug 1 11:31:19 h6 named[3345]: zone example.com/IN: zone serial (2023080105) unchanged. zone may fail to transfer to slaves.
hints at it. This means that the SOA format is different on master and slave. Example:

# dig example.com @ns1.slave.com SOA +short
ns1.slave.com. example.com. 1547674823 10800 3600 604800 10800
# dig example.com @localhost SOA +short
ns1.example.com.com. example.com. 2019011612 10800 3600 604800 10800

The serial number format is not synced. Switching between different serial number formats can cause a delay in updating the DNS zone. Wait for 2 days for it to sync or do it manually.

- OR it could be this: -

Aug 1 11:31:18 h6 named[3345]: zone example.com/IN: loaded serial 2023080105
Aug 1 11:31:18 h6 named[3345]: zone example.com/IN: sending notifies (serial 2023080105)
Aug 1 11:31:19 h6 named[3345]: zone example.com/IN: zone serial (2023080105) unchanged. zone may fail to transfer to slaves.

The following error messages appear on a slave server side in /var/log/syslog when trying to query zone information from the Slave IP:
named[10511]: #33984 (.): query (cache) './NS/IN' denied
named[10511]: #38290 (ns1.example.com): query (cache) 'ns1.example.com/A/IN' denied
<...>
CONFIG_TEXT: client @0x7fd62c0c71d0 203.0.113.2 3#30266: received notify for zone 'example.com': not authoritative

Secret keys are different in /etc/bind/rndc.key and /etc/bind/named.conf.local on a Slave server:
# grep secret /etc/bind/rndc.key && grep secret /etc/bind/named.conf.local
secret "Ibr1UFFLK6wo5X+Cars8Eg==";
secret "ui7xsdI4n4cVRUhKAOAAIA==";

In that case the solution is to edit /etc/bind/named.conf.local and replace the wrong key with the correct one taken from the /etc/bind/rndc.key file. Example:
# cat /etc/bind/named.conf.local
key "rndc-key-203.0.113.3" {
    algorithm hmac-md5;
    secret "Ibr1UFFLK6wo5X+Cars8Eg==";
};
controls {
    inet * port 953 allow { 203.0.113.3; 127.0.0.1; } keys { "rndc-key-203.0.113.3"; };
};

(with 203.0.113.3 being the master server's IP.)
Also edit /opt/psa/var/modules/slave-dns-manager/slave_<ip address>.conf and set the same key from /etc/bind/rndc.key.

Then restart bind9.
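
A check for the key mismatch described above, as an added example that is not part of the thread or of Plesk's tooling: it compares the secret in two BIND-style key files without echoing the key material, and also flags hmac-md5. The file contents and secrets are constructed placeholders; the format of the extension's slave_<ip address>.conf is not shown on this page, so it is not parsed here.

```python
import hashlib
import hmac
import re

KEY_BLOCK = re.compile(r'\bkey\s+"?([^"\s{]+)"?\s*\{(.*?)\}\s*;', re.S)
ALGO = re.compile(r'algorithm\s+"?([\w-]+)"?\s*;')
SECRET = re.compile(r'secret\s+"([^"]+)"\s*;')
# Constructed file contents; the secrets are placeholders, not real keys.
RNDC_KEY = 'key "rndc-key" {\n    algorithm hmac-md5;\n    secret "c2FtcGxlLWtleS1vbmU=";\n};\n'
NAMED_CONF_LOCAL = """\
key "rndc-key-203.0.113.3" {
    algorithm hmac-md5;
    secret "c2FtcGxlLWtleS10d28=";
};
controls {
    inet * port 953 allow { 203.0.113.3; 127.0.0.1; } keys { "rndc-key-203.0.113.3"; };
};
"""


def parse_keys(conf_text):
    """Return {key_name: (algorithm, secret)} for each key block in the text."""
    keys = {}
    for name, body in KEY_BLOCK.findall(conf_text):
        algo, secret = ALGO.search(body), SECRET.search(body)
        if algo and secret:
            keys[name] = (algo[1].lower(), secret[1])
    return keys


def fingerprint(secret):  # short SHA-256 tag, so output never contains the secret
    return hashlib.sha256(secret.encode()).hexdigest()[:12]


def check(reference_text, other_text):
    """Compare every key in other_text against the first key in reference_text."""
    ref = parse_keys(reference_text)
    if not ref:
        raise ValueError("no key block in reference file")
    ref_algo, ref_secret = next(iter(ref.values()))
    findings = []
    for name, (algo, secret) in parse_keys(other_text).items():
        if not hmac.compare_digest(secret.encode(), ref_secret.encode()):
            findings.append(f"{name}: secret mismatch ({fingerprint(secret)} vs {fingerprint(ref_secret)})")
        if algo != ref_algo:
            findings.append(f"{name}: algorithm {algo} differs from {ref_algo}")
        if algo == "hmac-md5":
            findings.append(f"{name}: legacy hmac-md5 key, BIND also accepts hmac-sha256")
    return findings
```

Printing fingerprints instead of the secrets keeps key material out of terminals, tickets and forum posts while still showing whether the two files agree.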
 
Do you see any suspicious messages in /var/log/messages like
Aug 7 16:39:39 named[29678]: client 192.168.1.2#60958 (example.com): query (cache) 'example.com/SOA/IN' denied
Aug 7 16:39:39 named[29678]: client 192.168.1.2#43315 (example.com): bad zone transfer request: 'example.com/IN': non-authoritative zone (NOTAUTH)
or similar regarding named that point to an error?

No. I grepped all logs for the new domain name.

I think the serial is not the problem. It looks like the Slave DNS extension doesn't send the rndc query. On the slave servers I don't see any sign of the new domain.

If my rndc key were wrong, I couldn't update the zone manually. Is that right?
 