Strange zone expired in BIND problem between i-MSCP master / slave servers.

  • Hello everyone,


    I've been having problems these past few weeks with the transfer of zone files between i-MSCP 1.5.3 latest version master servers and their very old ispCP slave servers. Every week or so, the domains stop working on the slave servers (ispCP) until i manually edit the zone file on the slave and change the serial number of the zone. Then I manually restart bind and the zone transfer begins again and the domains work. Needless to say this is very bad, having to manually edit all the zone files each week is becoming a nightmare. Any ideas how to fix this ?


    Bellow is the setup :


    - All domains have ns1 & ns2 setup as NS servers.

    - ns1 & ns2 are the SLAVE servers running an outdated ispCP version.

    - All domains are setup as MASTER on the specific server where they are hosted with websites / e-mails on i-MSCP 1.5.3 latest version.


    Slave 1 /etc/bind/named.conf.options :

    Slave 1 /etc/bind/named.conf.local

    Master of a zone with problems running on i-MSCP 1.5.3 latest :


    - named.conf.options :

    Master named.conf.local on i-MSCP 1.5.3 latest :

    Code
    1. zone "blabla.com" {
    2. type master;
    3. masterfile-format raw;
    4. file "imscp/master/blabla.com.db";
    5. allow-transfer { localhost; };
    6. notify yes;
    7. };

    Logs from bind :


    Code
    1. 05-Mar-2019 12:00:01.838 zone ......../IN: expired
    2. 05-Mar-2019 12:00:01.838 zone ........./IN: expired
    3. 05-Mar-2019 12:00:01.838 zone ...../IN: expired
    4. 05-Mar-2019 12:00:01.839 zone ........./IN: expired

    The old ispCP slave servers are running on Debian 6

    The latest i-MSCP 1.5.3 2018 servers are running on Ubuntu 18.04


    Can anyone tell me what's wrong with this config and why I have to manually change the serial number of each zone in order to get it to work ?

    When the logs say that the zone is expired if I dig @localhost zone.com it doesn't resolve, if i change 1 number from the serial, restart bind and dig @localhost zone.com it rezolves without problem for about 1 week. After that it stops working and says the serial expired again.


    I'm going crazy here with this, please help!

  • jackstone


    Good evening,


    If I understand well your setup:

    1. You have the NS1 and NS2 slave DNS servers managed by an ispCP instance and which are the public DNS used by your end-users
    2. You have many i-MSCP instances running their own authoritative master DNS server for the domains they manage but which are not publicky accessible
    3. The NS1 and NS2 slave DNS servers which are managed by your ispCP instance pull zone data from various i-MSCP instances DNS servers

    Does I understood correct?


    Problem: NS1 and NS2 zones get expired after one week, right?


    The question here is how the transfer is made? As I see, transfer from your i-MSCP master DNS server is only allowed locally.

    badge.php?id=1239063037&bid=2518&key=1747635596&format=png&z=547451206

  • Nuxwin exactly !! 100% correct !


    I added allow transfer & notify on the i-MSCP servers in named.conf.options and it works.

    I also saw that on the master there is only { localhost } in the named.conf.local but the transfer works if I set allowed servers in named.conf.options so I didn't bother to add { localhost ; masters ; } in the named.conf.local + I wasn't sure if i-MSCP replaces that file and I would just edit it until next i-MSCP restart and than the file is overwritten.


    The thing that I cannot understand is why in God's name do the zones expire on ns1 & ns2 after one week. It's really really bad because I cannot know for sure when a zone expires and suddenly I get calls from customers that the domain is not working and it's happened 2-3 times already, people are getting frustrated and with good reason.


    Any ideas ?!

  • jackstone


    Re,


    The slave servers refresh their zones automatically by contacting the master DNS server . This is dicted by the SOA refresh value which for the i-MSCP DNS zones is set to 3 hours (default value).


    So, a slave DNS server will contact the i-MSCP master DNS server every 3 hours to check whether or not the SOA serial value (on a per zone basis) as been updated and if so, will request a new copy of the zone. However, if the slave DNS server cannot get a new copy of the zone when the SOA serial value has changed, it will still considere old zone data as valid till expiry time, as dicted by the SOA expiry value. That value is set to 2 weeks for the i-MSCP DNS zones (default value). If after two weeks, the slave DNS server still fail to get a new copy of the zone, it will no longer answer to DNS queries.


    Here, you need to make sure that:

    1. Slave DNS servers can contact the i-MSCP master DNS server to check whether or not the SOA serial value of a specific zone has been updated or not
    2. Slave DNS servers can request a new copy of the zone.

    You need of course also make sure that the slave DNS servers will get notified by the i-MSCP master DNS server when a zone is being updated. This mean that slave DNS servers must accept notifications from i-MSCP master DNS servers as well.


    Please check your configuration because it seem you miss-configured some parts. For instance, the directive allow-notify only apply to slave DNS zones. Thus, that directive shouldn't be added into the i-MSCP master DNS configuration file.


    Another thing is about the allow-transfer directive which, if added in the zone declaration, will take precedence over the global one. Thus, the following declaration in your i-MSCP master DNS server named.conf.local configuration file:

    Code
    1. zone "blabla.com" {
    2. type master;
    3. masterfile-format raw;
    4. file "imscp/master/blabla.com.db";
    5. allow-transfer { localhost; };
    6. notify yes;
    7. };

    should becomes:

    Code
    1. zone "blabla.com" {
    2. type master;
    3. masterfile-format raw;
    4. file "imscp/master/blabla.com.db";
    5. allow-transfer { localhost; slaves; };
    6. notify yes;
    7. };

    and of course, you should add the corresponding ACL in the i-MSCP master DNS named.conf.options configuration file such as:


    Code
    1. acl "slaves" {
    2. ............; // NS1 (slave)
    3. ............; // NS2 (slave)
    4. };

    badge.php?id=1239063037&bid=2518&key=1747635596&format=png&z=547451206

  • Nuxwin


    Thanks for your reply!


    From what I can tell the allow-transfer { localhost; }; was the problem it was overriding the main config with allow-transfer { slaves; } I changed that in every record on all servers and now it seems to be working.


    One question remains, do I have to edit named.conf.local every time I add a new domain for a client adding { localhost ; slaves; } or is there some setting in i-MSCP that can do that automatically ?!


    Thanks for all the help!

  • One question remains, do I have to edit named.conf.local every time I add a new domain for a client adding { localhost ; slaves; } or is there some setting in i-MSCP that can do that automatically ?!

    Good evening,


    You can modify default templates which are located into the /etc/imscp/bind/parts directory:

    But the problem is that your changes would be overridden on next i-MSCP update. Thus, the right way to do is to edit the SECONDARY_DNS configuration parameter from the /etc/imscp/bind/bind.data configuration file. Value of that parameter should be the list of your slave DNS servers. For instance:

    Code
    1. # List of IP addresses for slave server(s)
    2. # Only relevant in master mode
    3. SECONDARY_DNS = 192.168.1.100,192.168.2.100

    where

    1. 192.168.1.100 would be the IP address of your NS1 slave DNS server (public)
    2. 192.168.2.100 would be the IP address of your NS2 slave DNS server (public)

    Please don't put ACL there. This wouldn't work as the backend expect list of valid IP addresses. We could maybe support ACL in later release. Feel free to open a feature request on our bug tracker if needed.


    Note that there is no need to add the localhost entry. The backend will add it automatically. The related code in the latest release look as follows:


    ./engine/PerlLib/Servers/named/bind.pm (line 894):


    See https://github.com/i-MSCP/imsc…ervers/named/bind.pm#L894 for more details.

    badge.php?id=1239063037&bid=2518&key=1747635596&format=png&z=547451206

  • Code
    1. # List of IP addresses for slave server(s)
    2. # Only relevant in master mode
    3. SECONDARY_DNS = 192.168.1.100,192.168.2.100

    This is EXACTLY what I was looking for but didn't know where to look, thank you very much !!!

    Nuxwin likes this.
  • This is EXACTLY what I was looking for but didn't know where to look, thank you very much !!!

    You're welcome. Please read my previous answer again as I've added note regarding the fact that value of that parameter cannot be an ACL. I prefer clarify that point before going into jungle...


    Don't forget to mark your thread as resolved too.


    Thank you for using i-MSCP.

    badge.php?id=1239063037&bid=2518&key=1747635596&format=png&z=547451206

    jackstone likes this.
  • Nuxwin

    Added the Label question (answered)