Expiration values should be set long enough to detect the zone-transfer 
problems, and react to them, but not so long that if the zone does eventually 
expire after being deliberately removed from the master (but not the slaves), 
everyone is not sitting around, scratching their heads, going “what zone was 
that again? I don’t even remember that being in our config. Maybe it was 
something my predecessor added and never documented…”

A week is pretty much the bare minimum I’d want to see an EXPIRE set to, but 
typically I’ve set it to 1000 hours (3,600,000 seconds), which is more than 41 
days.

Half an hour is ridiculous, to be honest. Unless you have 24x7x365 
eyes-on-glass looking for zone transfer failures constantly and ready and able 
to instantly pounce on any such problems and fix them within minutes.

                                                                                
- Kevin

From: bind-users-boun...@lists.isc.org 
[mailto:bind-users-boun...@lists.isc.org] On Behalf Of John Miller
Sent: Monday, July 13, 2015 1:33 PM
To: Lucio Crusca
Cc: bind-users
Subject: Re: servfail only for a zone

Something I'm noticing is that your SOA record fields are quite small:

aquilacorde.com.    3600    IN    SOA    ns1.virtualbit.it. info.aquilacorde.com. 2015070601 1200 180 3600 3600

Specifically, your expiration time (first of the 3600s) is set to one hour.  
This means that if ns2 hasn't contacted ns1 in an hour, the zone will be 
invalid on ns2.  If you're making a whole ton of updates, then the small times 
make sense, but for the zone you posted, that doesn't seem to be the case.  
Normally it's not a problem, but if you can't respond to a communication outage 
between the two nameservers within an hour, the second will stop working.

This is just a guess, but network communication/failed zone transfer seems the 
most likely culprit for something like this (entire zone returns SERVFAIL).

John
--
John Miller
Systems Engineer
Brandeis University
johnm...@brandeis.edu
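
An added example, not part of the original messages: a small Python check that parses the SOA record quoted above and flags an EXPIRE shorter than the one-week minimum suggested in this thread. The function names are assumptions of this example, and the attempt count is nominal (it assumes no NOTIFY and none of the timer jitter a real server applies).

```python
import re

UNITS = {"s": 1, "m": 60, "h": 3600, "d": 86400, "w": 604800}
WEEK = UNITS["w"]  # one week: the "bare minimum" EXPIRE suggested in this thread

def to_seconds(tok):
    """Convert a zone-file time value (3600, 1h, 1h30m, 6w) to seconds."""
    tok = tok.lower()
    if not re.fullmatch(r"(\d+[smhdw]?)+", tok):
        raise ValueError(f"bad time value: {tok!r}")
    return sum(int(n) * UNITS[u or "s"] for n, u in re.findall(r"(\d+)([smhdw]?)", tok))

def parse_soa(record):
    """Parse a one-line SOA record (parentheses tolerated) into a dict."""
    toks = record.replace("(", " ").replace(")", " ").split()
    upper = [t.upper() for t in toks]
    if "SOA" not in upper:
        raise ValueError("not an SOA record")
    fields = toks[upper.index("SOA") + 1:]
    if len(fields) != 7:
        raise ValueError("expected MNAME RNAME SERIAL REFRESH RETRY EXPIRE MINIMUM")
    soa = {"zone": toks[0], "mname": fields[0], "rname": fields[1], "serial": int(fields[2])}
    for name, value in zip(("refresh", "retry", "expire", "minimum"), fields[3:]):
        soa[name] = to_seconds(value)
    return soa

def audit_expire(soa, minimum_expire=WEEK):
    """Return findings about how long a secondary survives without its primary."""
    findings = []
    refresh, retry, expire = soa["refresh"], soa["retry"], soa["expire"]
    if expire <= refresh:
        findings.append("EXPIRE <= REFRESH: zone can expire before the first refresh attempt")
    if expire < minimum_expire:
        findings.append(f"EXPIRE {expire}s ({expire / 3600:.1f}h) is below {minimum_expire}s: "
                        "a transfer outage longer than that makes the secondary answer SERVFAIL")
    # Nominal attempts before expiry: one refresh, then a retry every RETRY seconds.
    # Assumption: no NOTIFY and no timer jitter, which real servers do apply.
    attempts = 0 if expire <= refresh else 1 + (expire - refresh - 1) // max(retry, 1)
    return {"attempts_before_expire": attempts, "findings": findings}

# Record quoted in the thread (mail-client link markup removed).
SAMPLE = ("aquilacorde.com. 3600 IN SOA ns1.virtualbit.it. "
          "info.aquilacorde.com. 2015070601 1200 180 3600 3600")

if __name__ == "__main__":
    print(audit_expire(parse_soa(SAMPLE)))
```
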
On Mon, Jul 13, 2015 at 1:19 PM, Lucio Crusca <lu...@sulweb.org> wrote:

And here is the aquilacorde.com zonefile at the master ns1:

