Local DNS and outside DNS ...

Kevin Darcy kcd at daimlerchrysler.com
Fri Jan 24 18:56:14 UTC 2003


Kamran Remin wrote:

>Hi NG,
>
>I have BIND running in our local LAN. And I have a dedicated server at a
>provider which is running BIND and Apache. When I enter new hosts on the
>BIND at our provider, it takes some time for their secondary DNS to update.
>So, the first question I have is about the serial number. If my last
>serial number was 2003012202 (which would also be last from the secondary)
>and if I update my zone file today, then my new serial would be 2003012401,
>right? Or would it be 2003012403? I'm asking this, because sometimes it
>seems to me, that the secondary DNS of my provider isn't refreshing fast
>enough.
>
You don't have to embed the date in your serial number; you can adopt 
any serial-number you want, bearing in mind that the serial number needs 
to *increment* in order for the zone to replicate (see RFC 1982 for more 
detail about how "increment" is determined in the context of serial 
numbers).

Why are your ISP's nameservers replicating slowly? There could be any 
number of reasons: the REFRESH time on the zone may be set too high 
and/or the slave servers are not properly listed in the NS records of 
the zone, and therefore do not get NOTIFY messages; maybe the ISP has an 
"alternative" means of replicating the zone, and it doesn't run as 
frequently as you wish. Best bet probably is to talk to your ISP about 
the replication issue.

>A second question that I have is: It should be possible to tell my local
>DNS that its forwarder is the one I run at my provider, right? This should
>have the benefit that all clients on my local LAN should reach new entries
>on my outside DNS as soon as I enter them on the outside DNS. But the new
>hosts still don't answer. But this should work, or not?
>
Sort of. When your nameserver is told that the name doesn't exist 
(because it hasn't propagated yet), it'll create a "negative caching" 
entry, basically a remembrance that the name doesn't exist. This 
"negative caching" entry will stick around a configurable amount of 
time, determined by the last field of the SOA record of the zone (unless 
overridden by some global caching-control option). So, if your negative 
caching TTL is set high, it won't really matter if you use your 
provider's DNS as a forwarder, because negative caching takes precedence 
over forwarding -- your nameserver will "remember" for a long time that 
the name doesn't exist and won't forward queries for it.

Your best option is probably to set your local box up as a "stealth 
slave" of the zone and make sure your ISP sends it NOTIFYs whenever the 
zone changes. If they use BIND, they can configure their nameserver(s) 
to send your nameserver NOTIFYs via the "also-notify" statement.

                                            - Kevin
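The two mechanisms Kevin describes, serial-number "increment" as defined by RFC 1982 and the negative-caching TTL taken from the zone's SOA record, in code. This is an added example written for this archive page, not code from the thread or from BIND. It assumes the common YYYYMMDDnn serial convention the poster is using, applies the RFC 2308 rule that the negative-cache TTL is the minimum of the SOA MINIMUM field and the SOA record's own TTL, and uses a constructed SOA record for `example.test.` whose timer values are made up.

```python
"""Added example (not from the thread or from BIND): RFC 1982 serial
comparison, a date-based serial bump, and the negative-cache TTL of a
zone's SOA record."""
from datetime import date

SERIAL_MOD = 1 << 32          # zone serials are 32-bit unsigned integers
HALF_RANGE = 1 << 31          # RFC 1982 comparison window

# Constructed sample SOA in zone-file format (all values made up):
# owner TTL class SOA mname rname serial refresh retry expire minimum
SAMPLE_SOA_RR = ("example.test. 3600 IN SOA ns1.example.test. "
                 "hostmaster.example.test. 2003012202 10800 3600 604800 86400")


def serial_is_newer(new, old):
    """RFC 1982 serial arithmetic: does `new` compare greater than `old`?

    A slave only transfers the zone when the master's serial compares
    greater.  The serial space is circular, so 'greater' means the forward
    distance from old to new is less than 2^31.  Equal serials, and the
    ambiguous distance of exactly 2^31, are not 'greater'.
    """
    new %= SERIAL_MOD
    old %= SERIAL_MOD
    if new == old:
        return False
    if old < new:
        return (new - old) < HALF_RANGE
    return (old - new) > HALF_RANGE


def next_date_serial(old_serial, today):
    """Next serial under the YYYYMMDDnn convention (an assumption here).

    `today` is a datetime.date or an int of the form YYYYMMDD.  On a new
    day start at <date>01; on the same day (or if the clock is behind the
    existing serial) just add one.  Either way the result compares greater
    under RFC 1982, which is all the slave cares about.
    """
    day = today if isinstance(today, int) else int(today.strftime("%Y%m%d"))
    day_prefix = day * 100
    if day_prefix > old_serial:
        return day_prefix + 1
    return old_serial + 1


def parse_soa(rr):
    """Parse a one-line SOA record; the TTL field is optional in zone files."""
    fields = rr.split()
    soa_at = fields.index("SOA")
    ttl = next((int(f) for f in fields[1:soa_at] if f.isdigit()), None)
    serial, refresh, retry, expire, minimum = (
        int(f) for f in fields[soa_at + 3:soa_at + 8])
    return {"owner": fields[0], "ttl": ttl, "mname": fields[soa_at + 1],
            "rname": fields[soa_at + 2], "serial": serial, "refresh": refresh,
            "retry": retry, "expire": expire, "minimum": minimum}


def negative_cache_ttl(soa):
    """How long a resolver may remember that a name does not exist.

    RFC 2308 section 5: min(SOA MINIMUM, TTL of the SOA record).  If the
    SOA line carries no explicit TTL, MINIMUM alone applies.
    """
    if soa["ttl"] is None:
        return soa["minimum"]
    return min(soa["minimum"], soa["ttl"])


def propagation_budget(soa):
    """Rough worst case, without NOTIFY, for a client behind a forwarder:
    the slave polls the master every REFRESH seconds, and the local
    resolver may then hold a negative-cache entry for negative_cache_ttl
    seconds on top of that (RETRY and expiry are ignored here)."""
    return soa["refresh"] + negative_cache_ttl(soa)


if __name__ == "__main__":
    soa = parse_soa(SAMPLE_SOA_RR)
    new = next_date_serial(soa["serial"], date(2003, 1, 24))
    print(f"next serial: {new}, slave will transfer: "
          f"{serial_is_newer(new, soa['serial'])}")
    print(f"negative cache TTL: {negative_cache_ttl(soa)}s, worst-case "
          f"propagation without NOTIFY: {propagation_budget(soa)}s")
```

Run against the sample record, the bump from 2003012202 on 2003-01-24 gives 2003012401, which the slave accepts as newer; a serial that has wrapped past 2^32 (for instance 5 after 4294967286) is also accepted, while a jump of exactly 2^31 is rejected as ambiguous. The negative-cache TTL of the sample zone is 3600 seconds because the SOA record's own TTL is smaller than its MINIMUM field, so even with a forwarder a local resolver may keep answering "does not exist" for up to an hour after the name appears upstream.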