NLnetLabs / nsd

The NLnet Labs Name Server Daemon (NSD) is an authoritative, RFC compliant DNS nameserver.
https://nlnetlabs.nl/nsd
BSD 3-Clause "New" or "Revised" License
460 stars 103 forks source link

Uncleanly closed recreated database does not force transfer all secondary zones or report the true zone status #120

Open nomis opened 4 years ago

nomis commented 4 years ago

nsd is abandoning its database and starting with an empty database:

2020-09-03T12:41:53.918+01:00 nsd[1601]: /var/lib/nsd/nsd.db: not cleanly closed 0
2020-09-03T12:41:53.927+01:00 nsd[1601]: can not use /var/lib/nsd/nsd.db, will create anew
2020-09-03T12:41:55.473+01:00 nsd[1601]: nsd started (NSD 4.1.17), pid 1571

It doesn't retransfer any zones (and is using potentially out of date copies of zones that have been committed to files).

The zone status is "ok" but all queries return SERVFAIL.

Restarting nsd causes the missing zone content to be transferred again:

There is no zonefile configured for this zone.

It looks like nsd is using the content of /var/lib/nsd/xfrd.state to decide not to transfer any zones on startup, ignoring that /var/lib/nsd/nsd.db is then unusable.

The primary server could be unavailable, so it would be better if nsd didn't delete all its secondary zone data.

nomis commented 4 years ago

I've made a PR to raise the log level of the recreated database message, because warning is not enough: https://github.com/NLnetLabs/nsd/pull/121

wcawijngaards commented 4 years ago

I think you should try to upgrade, it looks like perhaps the fix for eg. #25 could be relevant. 4.1 is a long time ago.

Apart from that we advise people to run with database: "" setting. Then there is no database. If needed, associate a zonefile with the zone, the data is then written to the zonefile once in a while after it has updated. If you do not set a zonefile, or set "", then the zone is kept in memory and updated from there.

With the database: "" if one zonefile does not work, it should pick up the other ones that work and transfer the missing zones.

nomis commented 4 years ago

I will try migrating to using zone files instead of the database.

Even the latest version of nsd only uses the xfrd state information for the zonestatus command, when I'd really like to know if any zone is returning SERVFAIL without having to query all of the zones via DNS.