replication time for dynamic records from primary to secondary servers

replication time for dynamic records from primary to secondary servers

Bind-Users forum mailing list
Zone replication question.

I'm sure the answer is out there, but I'm not performing the right (google) query.

My DDNS is working wonderfully, DHCP server updating primary DNS server.

We are seeing a delay in the primary DNS server updating the secondary and would like to shorten that interval.

If someone would help me find the right switch I'd love to update my config.

Currently running BIND 9.9.4 on CentOS 7 (I see an Ubuntu platform in my future).

Thanks in advance,

Brian


_______________________________________________
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list

ISC funds the development of this software with paid support subscriptions. Contact us at https://www.isc.org/contact/ for more information.


bind-users mailing list
[hidden email]
https://lists.isc.org/mailman/listinfo/bind-users

Re: replication time for dynamic records from primary to secondary servers

John Thurston

On 3/30/2021 12:30 PM, Cuttler, Brian R (HEALTH) via bind-users wrote:
> We are seeing a delay in the primary DNS server updating the secondary and would like to shorten that interval.

Can you post the pertinent bits of your primary's and secondary's config
for the zone?

In the absence of that, I pose a few questions:

How long is it taking now?
What is your target interval?

Do you have NOTIFY enabled on the primary?
How large is the zone?
If you look in the log, do you see XFRs queuing?
How many secondaries are there?
Do you have limits defined on the number of simultaneous transfers?

--
Do things because you should, not just because you can.

John Thurston    907-465-8591
[hidden email]
Department of Administration
State of Alaska
|

Re: replication time for dynamic records from primary to secondary servers

Stuart@registry.godaddy


On 31/3/21, 8:00 am, "bind-users on behalf of John Thurston" <[hidden email] on behalf of [hidden email]> wrote:


    On 3/30/2021 12:30 PM, Cuttler, Brian R (HEALTH) via bind-users wrote:
    > We are seeing a delay in the primary DNS server updating the secondary and would like to shorten that interval.

    Can you post the pertinent bits of your primary's and secondary's config
    for the zone?

    In the absence of that, I pose a few questions:

    How long is it taking now?
    What is your target interval?

    Do you have NOTIFY enabled on the primary?
    How large is the zone?
    If you look in the log, do you see XFRs queuing?
    How many secondaries are there?
    Do you have limits defined on the number of simultaneous transfers?

Additional question, do you have "notify-delay" defined?

Stuart

|

RE: replication time for dynamic records from primary to secondary servers

Bind-Users forum mailing list
In reply to this post by John Thurston

Sorry, crisis (not named related)

I will post sections of the named.conf later if needed, but will answer the simple questions now.

I don't know what the propagation delay is, notifications are enabled, when the primary reloads a zone the secondary gets notified and requests a zone xfer.
When the secondary expires a zone a zone xfer request is sent to the primary.

I suspect what is happening is that when DHCPd creates/expires dynamic records in the primary we are not notifying the secondary of the change and there is no IXFR.
That is what I was looking for and don't know where to find it, but it looks to me like the button I want to press.
Is that where I should be looking?

Thanks,
Brian


Re: replication time for dynamic records from primary to secondary servers

Tony Finch
In reply to this post by Bind-Users forum mailing list
Cuttler, Brian R (HEALTH) via bind-users <[hidden email]> wrote:
>
> We are seeing a delay in the primary DNS server updating the secondary
> and would like to shorten that interval.

This is probably due to NOTIFY messages not working. NOTIFY is the
mechanism that allows primary servers to tell secondaries to get the
latest version of a zone promptly. I wrote some notes on debugging slow
zone transfers a couple of weeks ago:

https://lists.isc.org/pipermail/bind-users/2021-March/104278.html

Tony.
--
f.anthony.n.finch  <[hidden email]>  https://dotat.at/
Fair Isle: North 5 or 6, decreasing 3 or 4, then backing northwest 4
or 5 later. Moderate or rough, becoming slight or moderate. Mainly
fair. Good.


RE: replication time for dynamic records from primary to secondary servers

Bind-Users forum mailing list
Tony,

I don't think the issue I'm having is related to notify messages not being reacted to nor zone transfer requests not being sent or answered.

What I think I'm seeing is DHCP updating the DNS primary, which works correctly, but I don't believe it updates the SOA serial number nor sends a notify message.

When you add a record to a zone, either by # nsupdate or via the transaction (I assume nsupdate protocol) between DHCP and DNS primary, does something else need to be configured in order to get that incremental change sent to the secondary? Something that does not normally need to be set?

The issue is not that frequently noticed. The typical problem that crosses my desk looks like this.
 - Someone puts a new printer online, it gets an IP from DHCP and asks DHCP to register its "name" with DNS, which DHCP does on behalf of our printers
   and desktop computers (we do not allow the end points to create DHCP records).
 - I don't believe this updates the SOA serial number nor generates a Notify message, though that could be a deficiency in the config.
 - At some point the secondary gets all of the updated records from the primary, but in that interval the print server is updated to create a new print
   queue and if it queries the DNS secondary the printer name may fail to resolve.

The answers we have employed are 1) be patient 2) remove the deficient zone files from the DNS secondary and restart the DNS secondary.

Should the incremental update from the DHCP server cause DNS to update the SN and send a notify message?
Is there some other mechanism to update the secondary?

Thanks,
Brian


RE: replication time for dynamic records from primary to secondary servers

Bob McDonald
In reply to this post by Bind-Users forum mailing list
Is there an entry in your server options similar to this?

notify-delay nn;

Regards,

Bob


RE: replication time for dynamic records from primary to secondary servers

Tony Finch
In reply to this post by Bind-Users forum mailing list
Cuttler, Brian R (HEALTH) via bind-users <[hidden email]> wrote:
>
> I don't think the issue I'm having is related to notify messages not
> being reacted to nor zone transfer requests not being sent or answered.

It's worth checking the logs to make sure that they agree with what you
expect.

> What I think I'm seeing is DHCP updating the DNS primary, which works
> correctly, but I don't believe it updates the SOA serial number nor
> sends a notify message.

The server is required (by RFC 2136 section 3.6) to update the serial
number after an UPDATE. I would not expect any delay unless the server is
in the middle of a lot of updates and has reached a notify or transfer
rate limit - the logs should tell you if that has happened, or if there
are any ACL-related problems.

Tony.
--
f.anthony.n.finch  <[hidden email]>  https://dotat.at/
Gibraltar Point to North Foreland: Northeasterly backing northwesterly
3 or 4, occasionally 5 at first, backing southwesterly 4 to 6 later.
Slight or moderate, becoming mainly slight. Fair. Good.
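
Added example (not part of the thread or of any poster's message): one way to do the log check suggested above is to pair each "sending notifies" line on the primary with the first "transferred serial" line on the secondary carrying that serial or a newer one, and to list any NOTIFY the secondary refused. The log lines, the zone name example.test and the addresses are constructed samples in BIND's file-channel format with print-time enabled; the code assumes both servers' clocks are synchronized.

```python
import re
from datetime import datetime

# Constructed sample logs (BIND file channel with "print-time yes;"); not from the thread.
PRIMARY_LOG = """\
31-Mar-2021 11:43:01.120 zone example.test/IN: sending notifies (serial 2021033101)
31-Mar-2021 11:47:30.500 zone example.test/IN: sending notifies (serial 2021033102)
31-Mar-2021 11:52:10.000 zone example.test/IN: sending notifies (serial 2021033103)
"""
SECONDARY_LOG = """\
31-Mar-2021 11:43:01.900 zone example.test/IN: transferred serial 2021033101
31-Mar-2021 11:47:30.600 zone example.test/IN: refused notify from non-master: 192.0.2.10#40211
31-Mar-2021 11:52:10.100 zone example.test/IN: refused notify from non-master: 192.0.2.10#40212
31-Mar-2021 12:02:31.250 zone example.test/IN: transferred serial 2021033103
"""

# Timestamp, optional category/severity prefix, zone name, then the message text.
LINE = re.compile(r"^(\d{2}-\w{3}-\d{4} [\d:.]+) .*?zone (\S+?)/IN: (.*)$")

def events(log, zone, pattern):
    """Return (timestamp, captured value) for each line of `zone` whose message matches."""
    out = []
    for line in log.splitlines():
        m = LINE.match(line)
        hit = m and m[2] == zone and re.match(pattern, m[3])
        if hit:
            out.append((datetime.strptime(m[1], "%d-%b-%Y %H:%M:%S.%f"), hit[1]))
    return out

def serial_ge(a, b):
    """RFC 1982 serial arithmetic: True if serial a is the same as or newer than b."""
    return ((a - b) & 0xFFFFFFFF) < 0x80000000

def replication_lag(primary_log, secondary_log, zone):
    """Map each notified serial to seconds until the secondary held it (None = never)."""
    xfers = [(t, int(s)) for t, s in events(secondary_log, zone, r"transferred serial (\d+)")]
    lag = {}
    for sent_at, s in events(primary_log, zone, r"sending notifies \(serial (\d+)\)"):
        serial = int(s)
        done = [t for t, got in xfers if t >= sent_at and serial_ge(got, serial)]
        lag[serial] = (min(done) - sent_at).total_seconds() if done else None
    return lag

def refused_notifies(secondary_log, zone):
    """Sources whose NOTIFY the secondary rejected (an ACL or masters-list mismatch)."""
    return [src for _, src in events(secondary_log, zone, r"refused notify from non-master: (\S+)")]

if __name__ == "__main__":
    print(replication_lag(PRIMARY_LOG, SECONDARY_LOG, "example.test"))
    print(refused_notifies(SECONDARY_LOG, "example.test"))
```

In the constructed data the first serial arrives in under a second, while the next two only arrive minutes later after their notifies were refused: a secondary that is catching up on its refresh timer rather than on NOTIFY.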

