nsd and SERVFAIL (whoops)

Walter Hop nsd at walter.transip.nl
Sun Aug 14 15:15:21 UTC 2005

[in reply to nsd at walter.transip.nl, 14-8-2005]


        after  doing a fresh install on a new box, we found that "nsdc
        update"  runs  successfully  even with zone files missing, and
        nsd   *does*  return  SERVFAIL  on  every  zone  that  is  not
        serviced... So this is perfect actually!

        So my previous question is irrelevant and can be ignored :)
        Kind regards,
        Walter Hop
        Transip BV

> Hello all,

> after  yet another night of BIND upgrades and waking up to BIND INSIST
> failures  (sigh),  I'm  tempted  to  move  to  NSD again, but I have a
> question left.

> I  generate nsd.zones and the zonefiles with a script. We have a setup
> with  around  20K zones where around 2K zones are slaved from customer
> servers.

> Because  of  the  number  of slave zones, inevitably there is always a
> large  number  of  them  which  can't  be  AXFR-ed because of customer
> downtime, firewall misconfigurations, incorrect ACL's, et cetera.

> Now,  BIND  handles this in a way that for broken masters it returns a
> SERVFAIL  response.  This  is useful to me because clients will get an
> informative  error and ultimately reach the customer's own master. But
> with  NSD  it  seems  that  I  only  have  the  option of not becoming
> authoritative for this zone at all. Do I understand this correctly?

> Is  there  a way to get a SERVFAIL behavior with NSD? I am thinking of
> the following:
> - writing 'failed' zone files to seed the slave zones
> - then running "nsdc update" which will try to retrieve the real zones
> - "nsdc rebuild" would always succeed and I won't have to remove any
>   zones from the nsd.zones file

> I  am  guessing this would require patching of zonec to have some kind
> of  'failed zone' token, and nsd to return SERVFAIL when it finds this
> token  in  the  db.  We are already looking at the source, but perhaps
> there a simpler way that we have missed?

> I  would rather not remove any broken zone files from my configuration
> automatically,  because  this  sounds to me like it has more potential
> for  nasty  breakage:  I'd  have to rewrite the nsd.zones file to cull
> broken  masters, and I'm afraid becoming non-authoritative could break
> lookups and generate a lot of customer confusion.

> Any input would be appreciated :)

> Kind regards,
> Walter Hop
> Transip BV


 Walter Hop <walter at lifeforms.nl> | Lifeforms | http://www.lifeforms.nl/
 Dieses Schreiben wurde mit Hilfe einer Datenverarbeitungsanlage erstellt
 und bedarf daher keiner Unterschrift.

More information about the nsd-users mailing list