Hidden DNS master only sending notify to one slave

domain-name-system bind

My hidden DNS master is only sending notifies to one of the name servers for a zone I have 3 named servers ns0,ns1 & ns2 all running bind 9.7.3.dfsg-1ubuntu4.1.

When an update is processed the master (ns0) seems to behave normally.

ns0 (192.168.2.50)

zone domain.org/IN: sending notifies (serial 2012060703)
client 192.168.2.52#42892: transfer of 'domain.org/IN': AXFR-style IXFR started: TSIG rndc-key
client 192.168.2.52#42892: transfer of 'domain.org/IN': AXFR-style IXFR ended

ns2 (192.168.2.52)

client 192.168.2.50#3762: received notify for zone 'domain.org': TSIG 'rndc-key'
zone domain.org/IN: Transfer started.
transfer of 'domain.org/IN' from 192.168.2.50#53: connected using 192.168.2.52#55747
zone domain.org/IN: transferred serial 2012060704: TSIG 'rndc-key'
transfer of 'domain.org/IN' from 192.168.2.50#53: Transfer completed: 1 messages, 34 records, 1028 bytes, 0.001 secs (1028000 bytes/sec)

Nothing happens on ns1. I've turned up the logging level but there's no information in syslog about the actual name servers bind has sent notifications to so I guess this is something it doesn't log.

I've also tried watching tcpdump, it never makes any attempt to notify ns1 only ns2

192.168.2.50.56278 > 192.168.2.52.53: [udp sum ok] 56418 notify [b2&3=0x2400] [1a] [1au]
↵ SOA? domain.org. domain.org. [0s] SOA ns1.domain.net. dnsmaster.domain.net. 
↵ 2012060801 10800 3600 604800 3600 ar: rndc-key. ANY [0s] TSIG hmac-md5.sig-alg.reg.int. fudge=300 maclen=16 origid=56418 error=0 otherlen=0 (174)

the authoritive zone has both ns1 and ns2 records

$ORIGIN domain.org.
$TTL 3h
@   IN  SOA ns1.domain.net. dnsmaster.domain.net. (
        2012060801  ; Serial yyyymmddnn
        3h  ; Refresh After 3 hours
        1h  ; Retry Retry after 1 hour
        1w  ; Expire after 1 week
        1h )    ; Minimum negative caching of 1 hour

@   3600    IN  NS  ns1.domain.net.
@   3600    IN  NS  ns2.domain.net.

// Edit

I have added also-notify {192.168.2.51;192.168.2.52;}; explicitly to the zone file and it all works fine, both ns1 and ns2 get notify messages and transfers succeed.

I was under the impression bind would automatically send notifies to all NS records on a zone, maybe it's bugged?


Have you tried setting this?

notify-to-soa yes;

From the BIND 9 Configuration Reference:

notify-to-soa

If yes do not check the nameservers in the NS RRset against the SOA MNAME. Normally a NOTIFY message is not sent to the SOA MNAME (SOA ORIGIN) as it is supposed to contain the name of the ultimate master. Sometimes, however, a slave is listed as the SOA MNAME in hidden master configurations and in that case you would want the ultimate master to still send NOTIFY messages to all the nameservers listed in the NS RRset.


Without knowing a great deal about this, does setting the SOA to ns1 confuse ns0 sufficiently to stop it sending it updates?

@   IN  SOA ns1.domain.net.

i.e. does setting it to,

@   IN  SOA ns0.domain.net.

fix this issue (although I appreciate it might cause others)

Related

Remote desktop to my KVM virtual machine
Symbolic link to mysql database
How to debug why w3wp.exe crashes randomly?
Backup with Mercurial and Robocopy?
Xcode 11 beta swift ui preview not showing
In-app purchases with multiple accounts
How can I add a key binding for a quickMenu similar to the "Refactor" context menu in JDT?
knitr/Rmd: page break after n lines/n distance
HW kbd Failed to set (null) as keyboard focus ios
Newly Published App reporting Version as "Unknown" in iTunes Connect
Run Python Console via docker-compose on Pycharm
Xcode 8.3 libMobileGestalt MobileGestaltSupport.m:153: