[nSLUG] Bind 9.9 very particular about serial numbers
D G Teed
donald.teed at gmail.com
Thu May 10 09:19:25 ADT 2018
We recently upgraded our main DNS server to Bind 9.9 from 9.8.
There were occasional reports of a new host not being known to
other DNS servers, which receive zone transfers via "also-notify".
This failure on downstream NS servers seemed to go along with warnings in
zone serial (XXXXXXXXXX) unchanged. zone may fail to transfer to slaves.
Our configuration isn't built around master and slave, but that is the
Our serial was set to increment, but it was based around YYYYMMDDHH
so for some reason in the newer Bind 9.9 we were not going to get
more than one zone transfer per hour. I decided we needed a new
scheme, and given the serial number limits I would need to lose 2 digits
from the year and add two for the minute: YYMMDDHHMM.
So that would mean a serial going from something like 2018050911
to 1805091130. Bind doesn't like that change as the number would
be going backwards. Research reveals there are some rules
about the serial number incrementing. Essentially we need to
get the odometer to roll over so we can introduce the smaller
numerical serial number.
Here are the rules of the Bind serial number game:
- The equivalent of 99999999 on the odometer is 2^32 - 1 , or 4294967295
- Serial number must go forward, never backward
- Serial number can never advance more than 2147483647 at a time
- Wait for all secondary DNS to get the transferred zone before
In our case we have d-zone.ca as an additional DNS service,
and they have an unknown number of round robin DNS servers
behind one hosted NS like ns1.d-zone.ca.
That required help from their support to get zone updates forced
through with a target serial number. Checking repeatly with
"host -t soa example.com ns1.d-zone" allowed confirmation
all the ghost NS behind that name were giving the same answer.
To get from our serial starting with 2018 to one starting with 1805
I used this sequence of serial number updates with waiting and checking
between each update:
Hopefully that might be useful to someone. I found a lot of
the information on stack exchange and so on, but it was fragmented
and some answers used broken links.
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the nSLUG