Hi Steve,

On Mon, 15 Jan 2018 14:41:51 +0100
Steve Zeng <[email protected]> wrote:
> we are migrating our DNS master from BIND to PowerDNS. The approach we take
> is to put PowerDNS in the middle of a current replication chain as below:
>
> BIND DNS master -> PowerDNS -> BIND DNS slaves
>
> It works most of the time. However, from time to time we experienced long
> delay when making a DNS change. Further investigation shows that the delay
> seems on PowerDNS. We see lots of errors
>
> 2018-01-10T18:13:24.728722+01:00 pdns_server1 pdns_server[2250]: Jan 10 18:13:24 Notification for example.com to ip1:53 failed after retries
> 2018-01-10T18:13:24.728848+01:00 pdns_server1 pdns_server[2250]: Jan 10 18:13:24 Notification for example.com to ip2:53 failed after retries
> 2018-01-10T18:13:24.728975+01:00 pdns_server1 pdns_server[2250]: Jan 10 18:13:24 Notification for example.com to ip3:53 failed after retries
>
> ip1, ip2, ip3 are BIND slaves.
>
> No other errors found with regard to the root cause. It happens occasionally.
> Questions are:

It looks like that, for whatever reason, the BIND slaves do not acknowledge
the NOTIFY message multiple times. Or perhaps they are not received at all.
Do the BIND logs indicate a NOTIFY was received (you might need to bump
verbosity)? If they are not received, _something_ on the network path
between the servers loses these messages. If they are received (and acted
upon by BIND), check if the acknowledgements reach the PowerDNS server.

> 1. Is there any rate limit as far as PowerDNS is concerned? Before PowerDNS
> is put in the middle, there is no such delay

There is no rate-limiting in PowerDNS.

> 2. Is it configurable to set how many retries?

This is not configurable.

> Should PowerDNS ensure the notifications go through rather than
> drop after a certain number of retries?

A lost NOTIFY can mean anything, e.g. server is no longer a nameserver,
network is broken, server is overloaded. Re-trying (and keeping this data
indefinitely) would take up too many resources.
Slaves will also check the SOA serial of the master at some point and notice
they are out of date and initiate an AXFR.

If replication lag is an issue for you and you want to use PowerDNS as the
non-hidden nameservers, it would make sense to use NATIVE zones[1]. These
rely on database replication instead of DNS-based replication of the data.

Best regards,

Pieter

1 - https://doc.powerdns.com/authoritative/modes-of-operation.html#native-replication

--
Pieter Lexis
PowerDNS.COM BV -- https://www.powerdns.com

_______________________________________________
Pdns-users mailing list
[email protected]
https://mailman.powerdns.com/mailman/listinfo/pdns-users
