different serial number in SOA on different interfaces

Hans Mayer isc at ma.yer.at
Sun Nov 3 10:28:57 UTC 2024


Dear All,

I am running BIND 9.18.32-dev (Extended Support Version) <id:a3b61ad>
running on Linux x86_64 6.1.0-25-amd64 #1 SMP PREEMPT_DYNAMIC Debian 
6.1.106-3 (2024-08-26)

This server has several interfaces based on docker but in general a 
physical interface "eno1" and a loopback interface "lo".
Both interfaces each have an IPv4 and an IPv6 address. So in total 4 
combinations.
The named service has several dynamic zones as master in three different 
views. The server does also inline-signing for some zones. There is also 
RPZ in use to rewrite some queries.

Most of the time I get on all 4 IP addresses the same answer for the 
serial number doing a dig for a specific domain name and SOA record.

Doing a dynamic update for a signed master zone with "nsupdate" I have 
the situation that I get from IP "127.0.0.1" and "::1" an increased 
serial number but on real interface "eno1" with IPv4 and IPv6 the old 
serial number.
The interesting part is doing a zone-transfer with "dig axfr" from a 
remote server and therefore to the real interface "eno1" I get the 
updated serial number. Therefore all secondary DNS servers are getting 
the updates. Also a "dig" for the SOA RR from remote gives the updated 
information.

It came to my mind that maybe there is another DNS service running on the same 
machine. Checking the daemon log shows that bind has no error at start 
and is listening on all interfaces. To be sure I stopped "named" and 
without named I didn't get any answer at all on all interfaces. 
Therefore it is "named" which gives different answers on different 
interfaces.

A "rndc reload" doesn't help but after some time (a long time) the 
serial numbers on all interfaces are identical.
The same with restarting the named process, it doesn't help.

Finally I assumed it has something to do with DNSSEC. I realized that 
validation for all views was disabled after reboot. So I ran "rndc 
validation on".
At first it looked fine. All serial numbers identical. But 
doing an update again, the serial numbers are different. So maybe it was 
a coincidence that it changed in that moment.

Any ideas where I can look deeper into this issue? Any help would be 
appreciated.

Kind regards
Hans
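
The check described in the message (the SOA serial returned by each listening address for one zone), written as a repeatable shell function. This is an added example, not part of the original post; the zone name and addresses in the usage comment are placeholders.

```shell
#!/bin/sh
# Added example: compare the SOA serial each listening address returns.
# Usage (placeholder zone and addresses, substitute your own):
#   compare_serials example.test 127.0.0.1 ::1 192.0.2.10 2001:db8::10

# soa_serial ZONE SERVER
# Prints the SOA serial SERVER returns for ZONE, or "noanswer".
soa_serial() {
    # +norecurse asks for the server's own data; +short prints one line:
    #   mname rname serial refresh retry expire minimum
    serial=$(dig +short +norecurse +time=2 +tries=1 SOA "$1" "@$2" 2>/dev/null |
        awk 'NF >= 7 && $3 ~ /^[0-9]+$/ { print $3; exit }')
    printf '%s\n' "${serial:-noanswer}"
}

# compare_serials ZONE SERVER...
# Prints "address serial" for every address.
# Returns 0 if all addresses answered with the same serial, 1 otherwise.
compare_serials() {
    zone=$1
    shift
    first=""
    rc=0
    for server in "$@"; do
        s=$(soa_serial "$zone" "$server")
        printf '%-24s %s\n' "$server" "$s"
        if [ -z "$first" ]; then
            first=$s
        fi
        if [ "$s" != "$first" ] || [ "$s" = "noanswer" ]; then
            rc=1
        fi
    done
    return $rc
}
```

Running it before and after an "nsupdate" shows which addresses lag and when they converge.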
