nsdc update implementation details

Wouter Wijngaards wouter at NLnetLabs.nl
Mon Jul 16 08:26:16 UTC 2007

Hash: SHA1

Jelte Jansen wrote:
> David Prangnell wrote:
>> My NSD server is accepting notifications from two servers.  From my  
>> nsd.conf:
>> 	# master 1
>>          allow-notify: X.X.X.X NOKEY
>>          request-xfr: AXFR X.X.X.X NOKEY
>>          # master 2
>>          allow-notify: Y.Y.Y.Y NOKEY
>>          request-xfr: AXFR Y.Y.Y.Y NOKEY
>> Are both servers sequentially queried each time the update is run?   
>> Or is it a random one of the two servers that answers and the second  
>> one ignored?
> Subsequent master servers are queried if the previous server either
> didn't respond or had no updates. They are always queried in the order
> of the configuration file.
> So if master 1 answers, but with the same SOA serial as the current one,
> master 2 is queried too. If master 1 has a higher serial, an XFR is
> performed with master 1, and master 2 is not queried.

The algorithm is like that but slightly more complicated, with NOTIFY.

If no zone information is available at all, the above happens.
If a notify/nsdc update/zone timeout is happening, the above happens.

If a NOTIFY message is sent, and the source IP address is the IP address
of a master, that master is queried first. [mandated by NOTIFY RFC]. If
that master fails to respond, it will continue from that point in the
list, in the order from the config file; it will run through the list
several times if no masters are answering.

If a NOTIFY message is sent and it contains the new SOA serial number
inside the NOTIFY message (this is what master servers send out), then
NSD will query the source IP address if its a master and if not, it will
run through the list of masters, in order from the config file,
accepting updates, until it gets an update that brings the zone to the
new SOA serial number from the NOTIFY. So, if it knows version x is out
there, it will keep trying until it gets version x or later.

If a NOTIFY message is sent, with new SOA serial number, but its already
searching for updates, then it will update the SOA serial number it is
looking for, but only if the new serial number is newer.

Commandline (debug) tools (like dig, drill, nsd-notify and nsdc update)
do not allow including a serial number in notify messages. Master
servers, like NSD3 and Bind include a serial number in notify messages.
LDNS (svn version) example ldns-notify can accept a -s option to include
a serial version number inside the NOTIFY message.

Best regards,
Version: GnuPG v1.4.7 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org


More information about the nsd-users mailing list