[dns-operations] BIND, Knot and NSD behaviour when serial number goes backwards

Mark Andrews marka at isc.org
Mon Feb 20 21:06:20 UTC 2017

In message <CAM1xaJ9pA01Z+DOcuUeB-DvFd8iX50xJ1Je7VnxZuCAYGM83Sg at mail.gmail.com>, Jan Včelák writes:
> Hello Anand.
> There is a difference because Knot DNS is an optimist, BIND is a
> pragmatist, and NSD is a pessimist. ;-)
> I was aware of the difference in behaviour between BIND and Knot DNS.
> But I had no idea what NSD does in this particular case. I remember
> talking to you when I was refactoring refresh scheduling in Knot DNS
> few months ago. And your suggesting was to treat the older serial as a
> successful refresh because there could be a load balancer in front of
> the master. But I understand that this may not be desired in all
> situations, for instance in the one you have encountered.
> I wonder what people on this list think about receiving an older
> serial in SOA. Is that a successful refresh or a failed one? I haven't
> found the answer in RFCs, I think it's a bit underspecified.

You can only have a successful refresh if the serials match.  That
should be obvious.  You are not up-to-date if the serial does not

Whether to attempt a zone transfer depends on whether you are in
front of, or behind, the serial.  The only case where it is not easy
to determine what to do is when the serial is opposite the current
serial (serial number comparison gets you 4 states instead of the
usual 3.  Those are equal, greater than, less than and opposite.)

With EDNS EXPIRE your expire timer also doesn't always reset to the
full value of the SOA expire field.  This prevents slaves transferring
from each other from keeping a zone alive indefinitely.  You need to
transfer or refresh from a true source to keep a zone alive.

The expire count on a successful refresh with EDNS EXPIRE gets reset like

	MAX(current, MIN(edns expire, soa expire))


> And I
> agree that it might be better to make Knot DNS handle the situation
> the same way as BIND does.
> Cheers,
> Jan
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka at isc.org
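As an added illustration (not code from Mark's post or from BIND, Knot or NSD), the following implements RFC 1982 serial comparison returning the four states named above, and the EDNS EXPIRE reset formula MAX(current, MIN(edns expire, soa expire)). How `should_transfer` handles the OPPOSITE case is my own assumption (it declines to transfer), since the post says only that the case is hard to decide.

```python
"""RFC 1982 serial comparison (equal / greater / less / opposite) and the
EDNS EXPIRE timer reset rule quoted in the thread.  Added example; the
OPPOSITE policy in should_transfer() is an assumption, not BIND's code."""

from enum import Enum

SERIAL_BITS = 32
MODULUS = 1 << SERIAL_BITS
HALF = 1 << (SERIAL_BITS - 1)


class SerialOrder(Enum):
    EQUAL = "equal"        # serials match: refresh succeeded, nothing to fetch
    GREATER = "greater"    # candidate is ahead of current: transfer the zone
    LESS = "less"          # candidate is behind current: we are already newer
    OPPOSITE = "opposite"  # differ by exactly 2^31: RFC 1982 order is undefined


def compare_serial(candidate: int, current: int) -> SerialOrder:
    """Order `candidate` relative to `current` under RFC 1982 arithmetic.

    Both values are taken modulo 2^32.  Walking forward from `current`,
    a distance below 2^31 means `candidate` is newer, above it means older,
    and exactly 2^31 is the fourth, undefined state."""
    candidate %= MODULUS
    current %= MODULUS
    if candidate == current:
        return SerialOrder.EQUAL
    diff = (candidate - current) % MODULUS
    if diff == HALF:
        return SerialOrder.OPPOSITE
    return SerialOrder.GREATER if diff < HALF else SerialOrder.LESS


def should_transfer(master_serial: int, slave_serial: int) -> bool:
    """Transfer only when the master is ahead.  LESS and EQUAL need no
    transfer; OPPOSITE is treated conservatively here (assumption)."""
    return compare_serial(master_serial, slave_serial) is SerialOrder.GREATER


def reset_expire(current_remaining: int, edns_expire: int, soa_expire: int) -> int:
    """Expire timer (seconds) after a successful refresh with EDNS EXPIRE:
    MAX(current, MIN(edns expire, soa expire)).  A secondary that only ever
    refreshes from another secondary therefore cannot extend the timer
    beyond what the true source last advertised."""
    return max(current_remaining, min(edns_expire, soa_expire))
```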
