Strange zone expired in BIND problem between i-MSCP master / slave servers.

**jackstone** · Mar 5th 2019

Hello everyone,

I've been having problems these past few weeks with the transfer of zone files between i-MSCP 1.5.3 latest version master servers and their very old ispCP slave servers. Every week or so, the domains stop working on the slave servers (ispCP) until i manually edit the zone file on the slave and change the serial number of the zone. Then I manually restart bind and the zone transfer begins again and the domains work. Needless to say this is very bad, having to manually edit all the zone files each week is becoming a nightmare. Any ideas how to fix this ?

Bellow is the setup :

- All domains have ns1 & ns2 setup as NS servers.

- ns1 & ns2 are the SLAVE servers running an outdated ispCP version.

- All domains are setup as MASTER on the specific server where they are hosted with websites / e-mails on i-MSCP 1.5.3 latest version.

Slave 1 /etc/bind/named.conf.options :

Code

acl "masters" {
master_ip; //server1
master_ip; //server2
master_ip; //server3
master_ip; //server4
};
options {
directory "/var/cache/bind";
transfer-format many-answers;
// allow-query { 127.0.0.1; masters; };
allow-notify { masters; };
// allow-recursion { 127.0.0.1; masters; };
listen-on { any; };
dnssec-enable yes;
allow-transfer { key MasterKey; };
auth-nxdomain no; # conform to RFC1035
recursion yes;
version "private";
};
//logging {
// category "general" { "general"; };
// category lame-servers { null; };
// category security { null; };
// category edns-disabled { null; };
// channel "general" {
// file "/var/log/named.log";
// print-time yes;
// };
//};

Display More

Slave 1 /etc/bind/named.conf.local

Quote

include "/etc/bind/bind.keys";

include "/etc/bind/rndc.key";

include "/etc/bind/named.server1.secondary";

include "/etc/bind/named.server4.secondary";

include "/etc/bind/named.server9.secondary";

server ......... { keys { MasterKey; }; }; //server1

server .......... { keys { MasterKey; }; };

And /etc/bind/named.serverXX.secondary :

zone "blabla.com" {

type slave;

masters {

............; <- IP of the i-MSCP 1.5.3 hosted domain and master DNS

};

file "/var/cache/bind/secondary/server9/blabla.com.hosts";

allow-query{ any; };

};

Display More

Master of a zone with problems running on i-MSCP 1.5.3 latest :

- named.conf.options :

Code

acl "masters"{
............; // server 1
............; // server 2
};
options {
directory "/var/cache/bind";
// If there is a firewall between you and nameservers you want
// to talk to, you may need to fix the firewall to allow multiple
// ports to talk. See http://www.kb.cert.org/vuls/id/800113
// If your ISP provided one or more IP addresses for stable
// nameservers, you probably want to use them as forwarders.
// Uncomment the following block, and insert the addresses replacing
// the all-0's placeholder.
// forwarders {
// 0.0.0.0;
// };
auth-nxdomain no; # conform to RFC1035
dnssec-enable no;
dnssec-validation no;
// Listen to all IPv4 and IPv6 interfaces
listen-on { any; };
listen-on-v6 { none; };
// Improving server performances by reducing outgoing data volumes
minimal-responses yes;
// Protecting server against common attacks
allow-recursion { localhost; };
allow-query-cache { localhost; };
allow-transfer { masters; };
allow-notify { masters; };
version "i-MSCP DNS Server";
// As per RFC 7208, SPF DNS record are deprecated
check-spf ignore;
// imscp [{ENTRY_ID}] entry BEGIN
// imscp [{ENTRY_ID}] entry ENDING
};
key "MasterKey" {
algorithm hmac-md5;
secret "jdfynf+LXkdFukRzhnYdfTLDzoSWjSCfBOzyFKn2BfCmntL0AusxbAdoG7MgOCiTfasahI3K5rOwp3fw==";
};

Display More

Master named.conf.local on i-MSCP 1.5.3 latest :

Code

zone "blabla.com" {
type master;
masterfile-format raw;
file "imscp/master/blabla.com.db";
allow-transfer { localhost; };
notify yes;
};

Logs from bind :

Code

05-Mar-2019 12:00:01.838 zone ......../IN: expired
05-Mar-2019 12:00:01.838 zone ........./IN: expired
05-Mar-2019 12:00:01.838 zone ...../IN: expired
05-Mar-2019 12:00:01.839 zone ........./IN: expired

The old ispCP slave servers are running on Debian 6

The latest i-MSCP 1.5.3 2018 servers are running on Ubuntu 18.04

Can anyone tell me what's wrong with this config and why I have to manually change the serial number of each zone in order to get it to work ?

When the logs say that the zone is expired if I dig @localhost zone.com it doesn't resolve, if i change 1 number from the serial, restart bind and dig @localhost zone.com it rezolves without problem for about 1 week. After that it stops working and says the serial expired again.

I'm going crazy here with this, please help!

**Nuxwin** · Mar 5th 2019

jackstone

Good evening,

If I understand well your setup:

You have the NS1 and NS2 slave DNS servers managed by an ispCP instance and which are the public DNS used by your end-users
You have many i-MSCP instances running their own authoritative master DNS server for the domains they manage but which are not publicky accessible
The NS1 and NS2 slave DNS servers which are managed by your ispCP instance pull zone data from various i-MSCP instances DNS servers

Does I understood correct?

Problem: NS1 and NS2 zones get expired after one week, right?

The question here is how the transfer is made? As I see, transfer from your i-MSCP master DNS server is only allowed locally.

**jackstone** · Mar 5th 2019

Nuxwin exactly !! 100% correct !

I added allow transfer & notify on the i-MSCP servers in named.conf.options and it works.

I also saw that on the master there is only { localhost } in the named.conf.local but the transfer works if I set allowed servers in named.conf.options so I didn't bother to add { localhost ; masters ; } in the named.conf.local + I wasn't sure if i-MSCP replaces that file and I would just edit it until next i-MSCP restart and than the file is overwritten.

The thing that I cannot understand is why in God's name do the zones expire on ns1 & ns2 after one week. It's really really bad because I cannot know for sure when a zone expires and suddenly I get calls from customers that the domain is not working and it's happened 2-3 times already, people are getting frustrated and with good reason.

Any ideas ?!

**Nuxwin** · Mar 6th 2019

jackstone

Re,

The slave servers refresh their zones automatically by contacting the master DNS server . This is dicted by the SOA refresh value which for the i-MSCP DNS zones is set to 3 hours (default value).

So, a slave DNS server will contact the i-MSCP master DNS server every 3 hours to check whether or not the SOA serial value (on a per zone basis) as been updated and if so, will request a new copy of the zone. However, if the slave DNS server cannot get a new copy of the zone when the SOA serial value has changed, it will still considere old zone data as valid till expiry time, as dicted by the SOA expiry value. That value is set to 2 weeks for the i-MSCP DNS zones (default value). If after two weeks, the slave DNS server still fail to get a new copy of the zone, it will no longer answer to DNS queries.

Here, you need to make sure that:

Slave DNS servers can contact the i-MSCP master DNS server to check whether or not the SOA serial value of a specific zone has been updated or not
Slave DNS servers can request a new copy of the zone.

You need of course also make sure that the slave DNS servers will get notified by the i-MSCP master DNS server when a zone is being updated. This mean that slave DNS servers must accept notifications from i-MSCP master DNS servers as well.

Please check your configuration because it seem you miss-configured some parts. For instance, the directive allow-notify only apply to slave DNS zones. Thus, that directive shouldn't be added into the i-MSCP master DNS configuration file.

Another thing is about the allow-transfer directive which, if added in the zone declaration, will take precedence over the global one. Thus, the following declaration in your i-MSCP master DNS server named.conf.local configuration file:

Code

zone "blabla.com" {
type master;
masterfile-format raw;
file "imscp/master/blabla.com.db";
allow-transfer { localhost; };
notify yes;
};

should becomes:

Code

zone "blabla.com" {
type master;
masterfile-format raw;
file "imscp/master/blabla.com.db";
allow-transfer { localhost; slaves; };
notify yes;
};

and of course, you should add the corresponding ACL in the i-MSCP master DNS named.conf.options configuration file such as:

Code

acl "slaves" {
............; // NS1 (slave)
............; // NS2 (slave)
};

**jackstone** · Mar 6th 2019

Nuxwin

Thanks for your reply!

From what I can tell the allow-transfer { localhost; }; was the problem it was overriding the main config with allow-transfer { slaves; } I changed that in every record on all servers and now it seems to be working.

One question remains, do I have to edit named.conf.local every time I add a new domain for a client adding { localhost ; slaves; } or is there some setting in i-MSCP that can do that automatically ?!

Thanks for all the help!

**Nuxwin** · Mar 6th 2019

Quote from jackstone

One question remains, do I have to edit named.conf.local every time I add a new domain for a client adding { localhost ; slaves; } or is there some setting in i-MSCP that can do that automatically ?!

Good evening,

You can modify default templates which are located into the /etc/imscp/bind/parts directory:

Code

root@jessie:/etc/imscp/bind/parts# ls
cfg_master.tpl cfg_slave.tpl db_sub.tpl db.tpl
root@jessie:/etc/imscp/bind/parts# cat cfg_master.tpl
zone "{DOMAIN_NAME}" {
type master;
masterfile-format {BIND_DB_FORMAT};
file "imscp/master/{DOMAIN_NAME}.db";
allow-transfer { {SECONDARY_DNS} };
notify yes;
};

Display More

But the problem is that your changes would be overridden on next i-MSCP update. Thus, the right way to do is to edit the SECONDARY_DNS configuration parameter from the /etc/imscp/bind/bind.data configuration file. Value of that parameter should be the list of your slave DNS servers. For instance:

Code

# List of IP addresses for slave server(s)
# Only relevant in master mode
SECONDARY_DNS = 192.168.1.100,192.168.2.100

where

192.168.1.100 would be the IP address of your NS1 slave DNS server (public)
192.168.2.100 would be the IP address of your NS2 slave DNS server (public)

Please don't put ACL there. This wouldn't work as the backend expect list of valid IP addresses. We could maybe support ACL in later release. Feel free to open a feature request on our bug tracker if needed.

Note that there is no need to add the localhost entry. The backend will add it automatically. The related code in the latest release look as follows:

./engine/PerlLib/Servers/named/bind.pm (line 894):

Perl

...
if ( $self->{'config'}->{'BIND_MODE'} eq 'master' ) {
if ( $self->{'config'}->{'SECONDARY_DNS'} ne 'no' ) {
$tags->{'SECONDARY_DNS'} = join( '; ', split( /(?:[;,]| )/, $self->{'config'}->{'SECONDARY_DNS'} )) . '; localhost;';
} else {
$tags->{'SECONDARY_DNS'} = 'localhost;';
}
} else {
$tags->{'PRIMARY_DNS'} = join( '; ', split( /(?:[;,]| )/, $self->{'config'}->{'PRIMARY_DNS'} )) . ';';
}
...

Display More

See https://github.com/i-MSCP/imsc…ervers/named/bind.pm#L894 for more details.

**jackstone** · Mar 6th 2019

Quote from Nuxwin

Code

# List of IP addresses for slave server(s)

# Only relevant in master mode

SECONDARY_DNS = 192.168.1.100,192.168.2.100

This is EXACTLY what I was looking for but didn't know where to look, thank you very much !!!

**Nuxwin** · Mar 6th 2019

Quote from jackstone

This is EXACTLY what I was looking for but didn't know where to look, thank you very much !!!

You're welcome. Please read my previous answer again as I've added note regarding the fact that value of that parameter cannot be an ACL. I prefer clarify that point before going into jungle...

Don't forget to mark your thread as resolved too.

Thank you for using i-MSCP.

Strange zone expired in BIND problem between i-MSCP master / slave servers.

Nuxwin Mar 6th 2019

Share

Daily visitors