servfail only for a zone

Darcy Kevin (FCA) kevin.darcy at fcagroup.com
Mon Jul 13 17:51:01 UTC 2015


Expiration values should be set long enough to detect the zone-transfer problems, and react to them, but not so long that if the zone does eventually expire after being deliberately removed from the master (but not the slaves), everyone is not sitting around, scratching their heads, going “what zone was that again? I don’t even remember that being in our config. Maybe it was something my predecessor added and never documented…”

A week is pretty much the bare minimum I’d want to see an EXPIRE set to, but typically I’ve set it to 1000 hours (3,600,000 seconds), which is more than 41 days.

Half an hour is ridiculous, to be honest. Unless you have 24x7x365 eyes-on-glass looking for zone transfer failures constantly and ready and able to instantly pounce on any such problems and fix them within minutes.

- Kevin

From: bind-users-bounces at lists.isc.org [mailto:bind-users-bounces at lists.isc.org] On Behalf Of John Miller
Sent: Monday, July 13, 2015 1:33 PM
To: Lucio Crusca
Cc: bind-users
Subject: Re: servfail only for a zone

Something I'm noticing is that your SOA record fields are quite small:

aquilacorde.com.    3600    IN    SOA    ns1.virtualbit.it. info.aquilacorde.com. 2015070601 1200 180 3600 3600

Specifically, your expiration time (first of the 3600s) is set to one hour.  This means that if ns2 hasn't contacted ns1 in an hour, the zone will be invalid on ns2.  If you're making a whole ton of updates, then the small times make sense, but for the zone you posted, that doesn't seem to be the case.  Normally it's not a problem, but if you can't respond to a communication outage between the two nameservers within an hour, the second will stop working.

This is just a guess, but network communication/failed zone transfer seems the most likely culprit for something like this (entire zone returns SERVFAIL).

John
--
John Miller
Systems Engineer
Brandeis University
johnmill at brandeis.edu

On Mon, Jul 13, 2015 at 1:19 PM, Lucio Crusca <lucio at sulweb.org> wrote:

And here is the aquilacorde.com zonefile at the master ns1:
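An added example (not code from anyone in this thread) that parses the SOA record John quoted and flags its EXPIRE timer against the thresholds Kevin gives above (one week minimum, 1000 hours typical); the retry-count calculation assumes the standard SOA semantics of a slave checking at REFRESH after its last successful refresh and then every RETRY until EXPIRE.

```python
"""Parse a one-line SOA record and sanity-check its EXPIRE timer (added example,
not code from the thread; thresholds encode the advice given above)."""
import re
from collections import namedtuple

ONE_WEEK = 7 * 24 * 3600        # 604800 s: the bare minimum Kevin wants to see
TYPICAL_EXPIRE = 1000 * 3600    # 3600000 s: Kevin's usual setting (> 41 days)

# The record Lucio posted, as it appears in John's quote, including the
# mail-client link residue ("aquilacorde.com<http://aquilacorde.com>.").
POSTED_SOA = ("aquilacorde.com<http://aquilacorde.com>.    3600    IN    SOA    "
              "ns1.virtualbit.it<http://ns1.virtualbit.it>. "
              "info.aquilacorde.com<http://info.aquilacorde.com>. "
              "2015070601 1200 180 3600 3600")

SOA = namedtuple("SOA", "owner ttl mname rname serial refresh retry expire minimum")


def parse_soa(line: str) -> SOA:
    """Parse 'owner ttl IN SOA mname rname serial refresh retry expire minimum'."""
    fields = re.sub(r"<[^>]*>", "", line).split()   # strip <http://...>/<mailto:...> residue
    if len(fields) != 11 or [f.upper() for f in fields[2:4]] != ["IN", "SOA"]:
        raise ValueError(f"not a single-line SOA record: {line!r}")
    owner, ttl, _, _, mname, rname, *nums = fields
    return SOA(owner, int(ttl), mname, rname, *(int(n) for n in nums))


def retries_before_expiry(soa: SOA) -> int:
    """Failed-refresh retries a slave gets before EXPIRE runs out: timers count
    from the last successful refresh, first check at REFRESH, then every RETRY."""
    return max(0, (soa.expire - soa.refresh) // soa.retry)


def check_expire(soa: SOA) -> list:
    """Warnings about the EXPIRE timer; an empty list means nothing to flag."""
    warnings = []
    if soa.expire <= soa.refresh + soa.retry:
        warnings.append(f"EXPIRE {soa.expire}s allows no retry after a failed refresh")
    if soa.expire < ONE_WEEK:
        warnings.append(f"EXPIRE {soa.expire}s ({soa.expire / 3600:g}h) is below the one-week "
                        f"minimum ({ONE_WEEK}s); a slave gets only "
                        f"{retries_before_expiry(soa)} retries before it stops serving the zone")
    return warnings


if __name__ == "__main__":
    for warning in check_expire(parse_soa(POSTED_SOA)):
        print("WARNING:", warning)
```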

