
So I was testing my DNS using http://www.intodns.com/mydomain.com

And it gave me a warning about the serials of my two nameservers not matching. So I changed the serials to match and restarted bind on both servers.

Then it breaks and nothing resolves.

I changed back to my old serials and restarted bind, it works.

Why can't I change the serials without things breaking? The increment isn't by one, but should that matter? Is it a matter of waiting for it to propagate?

Here are the old zone files that worked.

ns3.mydomain.com

//etc/bind/zones

$ORIGIN .
$TTL 38400      ; 10 hours 40 minutes
mydomain.com             IN SOA  ns3.mydomain.com. admin.mydomain.com. (
                                2880848856 ; serial
                                28800      ; refresh (8 hours)
                                3600       ; retry (1 hour)
                                604800     ; expire (1 week)
                                38400      ; minimum (10 hours 40 minutes)
                                )
                        NS      ns3.mydomain.com.
                        NS      ns4.mydomain.com.
                        A       66.33.205.241
$ORIGIN mydomain.com.
$TTL 10 ; 10 seconds
client1                 A       75.119.214.193
$TTL 38400      ; 10 hours 40 minutes
ns3                     A       64.111.115.3
ns4                     A       67.205.9.225
www                     A       66.33.205.241

ns4.mydomain.com

$ORIGIN .
$TTL 38400      ; 10 hours 40 minutes
mydomain.com             IN SOA  ns4.mydomain.com. admin.mydomain.com. (
                                2006071806 ; serial
                                28800      ; refresh (8 hours)
                                3600       ; retry (1 hour)
                                604800     ; expire (1 week)
                                38400      ; minimum (10 hours 40 minutes)
                                )
                        NS      ns3.mydomain.com.
                        NS      ns4.mydomain.com.
                        A       66.33.205.241
$ORIGIN mydomain.com.
$TTL 10 ; 10 seconds
client1                 A       75.119.214.193
$TTL 38400      ; 10 hours 40 minutes
ns3                     A       64.111.115.3
ns4                     A       67.205.9.225
www                     A       66.33.205.241

Here are my new zone files that broke it.

ns3.mydomain.com

$ORIGIN .
$TTL 1800       ; 30 minutes
mydomain.com             IN SOA  ns3.mydomain.com. admin.mydomain.com. (
                                2880848862 ; serial
                                28800      ; refresh (8 hours)
                                3600       ; retry (1 hour)
                                604800     ; expire (1 week)
                                1800       ; minimum (30 minutes)
                                )
                        NS      ns3.mydomain.com.
                        NS      ns4.mydomain.com.
                        A       66.33.205.241
$ORIGIN mydomain.com.
$TTL 10 ; 10 seconds
client1                 A       75.119.214.193
$TTL 1800       ; 30 minutes
ns3                     A       64.111.115.3
ns4                     A       67.205.9.225
www                     A       66.33.205.241

ns4.mydomain.com

$ORIGIN .
$TTL 1800
mydomain.com             IN SOA  ns4.mydomain.com. admin.mydomain.com. (
                                2880848862 ; serial
                                28800      ; refresh (8 hours)
                                3600       ; retry (1 hour)
                                604800     ; expire (1 week)
                                1800       ; minimum (10 hours 40 minutes)
                                )
                        NS      ns3.mydomain.com.
                        NS      ns4.mydomain.com.
                        A       66.33.205.241
$ORIGIN mydomain.com.
$TTL 10 ; 10 seconds
client1                 A       75.119.214.193
$TTL 1800
ns3                     A       64.111.115.3
ns4                     A       67.205.9.225
www                     A       66.33.205.241

Does anyone have any idea of what went wrong and how I can fix it?

Thanks in advance for any help!

Thuy
  • The zone files should be *identical*. They should not have different `SOA` records. (Ideally, you would use some form of replication so that you only have to modify them in one place.) – David Schwartz Nov 13 '12 at 08:36
  • Yes, though with my previous zone files, even though they weren't identical, it worked and resolved; but when I made them identical and restarted bind, everything broke and I don't know what happened. Any ideas? – Thuy Nov 13 '12 at 08:41
  • Fix everything you know is wrong first. Then try to troubleshoot. – David Schwartz Nov 13 '12 at 08:44
  • Okay well, I changed back to the old serials and it works. Why does it break when I change the serials? One of the serials is incremented a lot more than by one, of course, but would that matter? If I change them, do they need time to propagate to my registrar and the root servers? – Thuy Nov 13 '12 at 08:48
  • You never want to decrement a serial number unless you follow the specific procedure for doing so. You should probably set all servers to a serial number slightly greater than any serial number the zone has ever had. (4294967295 is the maximum legal serial number, but you cannot increment by more than 2147483647 at a time.) – David Schwartz Nov 13 '12 at 08:55
  • Okay, thanks for pointing that out, but unless my morning coffee is failing me: if I change both SOA serials to say 2880848857, then increment ns3 by 1 and ns4 by 874777051, I'm not decrementing and the increment is lower than 2147483647. Should that work then? – Thuy Nov 13 '12 at 09:21
  • Yes, it should. – David Schwartz Nov 13 '12 at 09:28
  • How about deleting the secondary zone on the slave server and recreating it. That should get the zone files in sync between the primary and the slave, including the SOA serial numbers. – joeqwerty Nov 13 '12 at 14:35
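The comments above hinge on how a slave compares SOA serials (no decrements, increments below 2147483647). As an added illustration that is not code from the question or the answer, this Python implements that RFC 1982 serial comparison and pulls the serial out of BIND zone-file text; the two SOA snippets are copied from the question's old ns3/ns4 zone files.

```python
import re

SERIAL_MOD = 1 << 32   # SOA serials are unsigned 32-bit integers
HALF = 1 << 31         # 2147483648: the largest valid single increment is HALF - 1

# SOA records reproduced from the question's old ns3 / ns4 zone files.
NS3_ZONE = """$ORIGIN .
mydomain.com  IN SOA ns3.mydomain.com. admin.mydomain.com. (
        2880848856 ; serial
        28800 3600 604800 38400 )
"""
NS4_ZONE = """$ORIGIN .
mydomain.com  IN SOA ns4.mydomain.com. admin.mydomain.com. (
        2006071806 ; serial
        28800 3600 604800 38400 )
"""

def parse_soa_serial(zone_text):
    """Return the serial of the first SOA record in BIND master-file text.
    Comments (';' to end of line) are dropped first; the serial is the first
    integer after MNAME and RNAME, with or without an opening parenthesis."""
    no_comments = "\n".join(l.split(";", 1)[0] for l in zone_text.splitlines())
    m = re.search(r"\bSOA\s+[^\s(]+\s+[^\s(]+\s*\(?\s*(\d+)", no_comments)
    if not m:
        raise ValueError("no SOA record found")
    serial = int(m.group(1))
    if serial >= SERIAL_MOD:
        raise ValueError("serial %d does not fit in 32 bits" % serial)
    return serial

def serial_newer(candidate, current):
    """RFC 1982 comparison as a slave applies it: True if 'candidate' is later
    than 'current' on the 32-bit serial circle, False if equal or older (a
    decrement), None if they differ by exactly 2**31 (undefined ordering)."""
    if candidate == current:
        return False
    diff = (candidate - current) % SERIAL_MOD   # wraps correctly past 4294967295
    if diff == HALF:
        return None
    return diff < HALF

def slave_would_transfer(master_zone, slave_zone):
    """Would a slave holding slave_zone fetch a new copy after seeing master_zone's SOA?"""
    return serial_newer(parse_soa_serial(master_zone), parse_soa_serial(slave_zone))

if __name__ == "__main__":
    print(slave_would_transfer(NS3_ZONE, NS4_ZONE))           # True: 2880848856 > 2006071806
    print(serial_newer(2006071806, 2880848856))               # False: that direction is a decrement
    print(serial_newer(2880848857 + 874777051, 2880848857))   # True: the increment asked about above
```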

1 Answer


First of all, your problem is not caused by serial numbers. Maybe while editing you mistyped something, or restarted bind without root privileges, or something like that. Any valid serial number (1..4294967295) will work. Try again, or to find the real cause, look at the bind logs (or syslog).

Second, from your question I see that both your DNS servers are masters, and you have no slaves (i.e. each has a copy of the zone file, and neither is getting its zone file from the other one). In this setup all those numbers in the SOA record, including serial, mean absolutely nothing (except the last one, which is now the NXDOMAIN cache time).

It's absolutely OK to have different serial numbers in this setup. That's what we do for all domains hosted on net-me.net. (We use a proprietary replication mechanism not relying on master/slave topology, and its side effect is the SOA serial number disagreement), and nobody complains.

intodns and others warn about it because they assume your setup is the usual master/slave, and in this case different serials mean there's a replication problem and possibly slaves serve outdated data. You can safely ignore this warning.

Third, usually it's a good idea to use master/slave instead of maintaining two separate zone files.

Sandman4