On 17/08/2022 14:08, Klaus Darilion wrote: Hi Klaus,> That's the weird thing. NSD knows that the version on disk is older > than the previously served one (serial is goind backwards: "1660716050 > is updated to 1660716049"). Hence it could check the serial on the > primary and fetch the latest version.Except that NSD keeps a state file as well, in which it maintains timers about when next to query the primary. For this zone, that time had not yet arrived. If you stop NSD, delete the state file, and start NSD, then it will have no memory of the timers. After loading all the zones, it will immediately query their primaries and update them if needed. But this has the downside of causing a thundering herd towards the primaries in the case where you have lots of secondary zones.> I also tried "nsd-control transfer ....", but that also did not > triggered an XFR. Only "force_transfer" triggered an XFR. From my > understanding, "transfer: try to update slave zones to newer serial" > should also trigger an XFR as the primary has a higher serial then the > current served one.Hmm. So NSD thinks the zone is up to date, because it has a newer serial in the state file, but is actually serving an old serial. Could be a subtle bug. I'll see if I can reproduce it on our test server. Regards, Anand
Hi Anand! Thanks for your help.> > I also tried "nsd-control transfer ....", but that also did not > > triggered an XFR. Only "force_transfer" triggered an XFR. From my > > understanding, "transfer: try to update slave zones to newer serial" > > should also trigger an XFR as the primary has a higher serial then the > > current served one. > > Hmm. So NSD thinks the zone is up to date, because it has a newer serial > in the state file, but is actually serving an old serial. Could be a > subtle bug. I'll see if I can reproduce it on our test server.It also confuses me, that the commited serial is higher than the served serial: root at tld-all-fam1:/home/darilion# nsd-control -c /etc/nsd/nsd-shared.conf zonestatus cy zone: cy state: ok served-serial: "2022081705 since 2022-08-17T12:07:26" commit-serial: "2022081706 since 2022-08-17T12:31:40" wait: "6845 sec between attempts" I also have in the zone settings: max-refresh-time: 300 I would expect that at least after 5 minutes NSD should perform a SOA query against the primary, detect the higher serial, and then perform the XFR. But maybe NSD is comparing the "commit-serial" with the primary-serial and this doing nothing, I checked with tcpdump: on "nsd-control transfer cy" it performs an IXFR request with serial in the SOA=2022081706. So something is going wrong here. If NSD has the 2022081706 zone local available, then it should serve it. If only the 2022081705 is available on disk, NSD should perform the serial check against the primary (IXFR request) with the serial of the local served zone, which would be 2022081705 and not 2022081706. regards Klaus