[dns-operations] BIND, Knot and NSD behaviour when serial number goes backwards

Robert Edmonds edmonds at mycre.ws
Mon Feb 20 21:00:27 UTC 2017


Jan Včelák wrote:
> There is a difference because Knot DNS is an optimist, BIND is a
> pragmatist, and NSD is a pessimist. ;-)
> 
> I was aware of the difference in behaviour between BIND and Knot DNS.
> But I had no idea what NSD does in this particular case. I remember
> talking to you when I was refactoring refresh scheduling in Knot DNS
> a few months ago. And your suggestion was to treat the older serial as a
> successful refresh because there could be a load balancer in front of
> the master. But I understand that this may not be desired in all
> situations, for instance in the one you have encountered.
> 
> I wonder what people on this list think about receiving an older
> serial in SOA. Is that a successful refresh or a failed one? I haven't
> found the answer in RFCs, I think it's a bit underspecified. And I
> agree that it might be better to make Knot DNS handle the situation
> the same way as BIND does.

Hi, Jan:

I think it depends on how this sentence is interpreted from RFC 1034:

    "If the secondary finds it impossible to perform a serial check for
    the EXPIRE interval, it must assume that its copy of the zone is
    obsolete an discard it."

It could be interpreted like this to end up with BIND's behavior:

    "If the secondary finds it impossible to perform a [successful]
    serial [equality] check for the EXPIRE interval, it must assume that
    its copy of the zone is obsolete an discard it."

BIND's behavior can be justified by the previous sentence which
describes an arithmetic comparison (a check) on the serial values:

    "If the serial field in the secondary's zone copy is equal to the
    serial returned by the primary, then no changes have occurred, and
    the REFRESH interval wait is restarted."

Or it could be interpreted like this to end up with Knot's current
behavior:

    "If the secondary finds it impossible to perform a [query to the
    primary for the SOA RR of the zone] for the EXPIRE interval, it must
    assume that its copy of the zone is obsolete an discard it."

Knot's behavior can be justified by the sentence two sentences prior,
which describes the check as a poll, not an arithmetic comparison: "The
check is a simple query to the primary for the SOA RR of the zone." But
that raises the question of whether there is a difference between
"check" and "serial check" in that paragraph.

-- 
Robert Edmonds
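The two readings of RFC 1034 laid out above, modelled side by side as an added example (not code from BIND, Knot or NSD, and not part of the original post): the serial comparison follows RFC 1982, and the refresh loop, the REFRESH/EXPIRE values and the serial numbers are constructed for illustration.

```python
"""Model of a secondary's EXPIRE handling when the primary's SOA serial goes
backwards, under the two readings of RFC 1034's "serial check" sentence."""
from dataclasses import dataclass

MOD = 1 << 32   # serials are 32-bit, RFC 1982
HALF = 1 << 31


def serial_lt(a: int, b: int) -> bool:
    """RFC 1982 'a < b' for 32-bit serials, aware of wraparound."""
    a, b = a % MOD, b % MOD
    return (a < b and b - a < HALF) or (a > b and a - b > HALF)


@dataclass
class Secondary:
    serial: int
    expire: int            # SOA EXPIRE, seconds
    strict: bool           # True: a "serial check" must find the copy current or newer
    expire_left: int = 0   # seconds until the copy is discarded

    def __post_init__(self):
        self.expire_left = self.expire

    def soa_answer(self, primary_serial: int) -> str:
        """Handle an answered SOA poll and restart EXPIRE per the chosen reading."""
        if primary_serial % MOD == self.serial % MOD:
            outcome = "no-change"
        elif serial_lt(self.serial, primary_serial):
            outcome = "transfer"
            self.serial = primary_serial
        else:
            outcome = "older-serial"
        # Poll reading: any answered query is a successful check.
        # Strict reading: an older serial is not, so EXPIRE keeps counting down.
        if outcome != "older-serial" or not self.strict:
            self.expire_left = self.expire
        return outcome

    def elapse(self, seconds: int) -> bool:
        """Advance time; return True while the zone is still served."""
        self.expire_left -= seconds
        return self.expire_left > 0


def run(strict: bool, refresh=3600, expire=7200, polls=3) -> tuple:
    """Constructed scenario: secondary at serial 2017022001 keeps hearing 2017021901."""
    z = Secondary(serial=2017022001, expire=expire, strict=strict)
    outcome, served = "", True
    for _ in range(polls):
        served = z.elapse(refresh)       # one REFRESH interval passes
        if not served:
            break                        # copy discarded as obsolete
        outcome = z.soa_answer(2017021901)
    return outcome, served
```

Under the strict reading the copy is dropped once EXPIRE elapses without an equal or newer serial; under the poll reading the same answers keep the zone alive indefinitely.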
