Hello,
If you do not make use of BitFolk's secondary DNS service then you
can safely skip this email.
Over the last few days we've upgraded the servers used for our
secondary DNS service and also switched software from PowerDNS to
BIND. On the whole nothing changes, but there is one thing I would
like to draw your attention to.
BIND actually pays attention to the expire timers that you set
in your SOA records whereas PowerDNS does not.
An SOA record looks like this:
$ dig +multi +noall +answer -t soa
bitfolk.com
bitfolk.com. 86383 IN SOA a.authns.bitfolk.co.uk.
hostmaster.bitfolk.com. (
2023042101 ; serial
14400 ; refresh (4 hours)
7200 ; retry (2 hours)
1209600 ; expire (2 weeks)
43200 ; minimum (12 hours)
)
The "expire" timer tells authoritative DNS servers how long the
records they hold are valid for, if they have not been able to
contact the primary nameservers. In the above example, should the
primary nameserver be unreachable, any secondary nameservers that
are still responding will serve the zone content for a further two
weeks. After that time they will respond with SERVFAIL. Compliant
DNS client behaviour is to retry any other servers when that
happens.
PowerDNS does not implement these "expire" semantics and always
answers queries.
In watching logs carefully over the last few days I have seen that
some of you have extremely short expire timers. I'm not sure whether
you intend for that to be the case. For example, there are many
zones currently on BitFolk's servers with an expire time of 300
seconds. That means that you are indicating that the entire zone
should not be served 5 minutes¹ after your primary server stops
responding. It doesn't seem likely to me that you really want all
authoritative servers for your domain to stop working 5 minutes into
any sort of outage.
Since the secondary servers will now really believe you on this, I
urge you to review your expire timers. If in doubt please put your
domain name into this:
https://zonemaster.net/en/run-test
and it'll advise you if any of those timers seem wrong.
Cheers,
Andy
¹ Different DNS server implementations actually behave slightly
differently here. As mentioned, PowerDNS doesn't handle expire
timers at all. BIND has a minimum of 300 seconds, or the
refresh+retry timers, whichever is larger. So in fact the shortest
expire behaviour I can see at the moment is 600 seconds (10
minutes). Which still seems unusually short.
See:
https://jpmens.net/2022/01/14/fun-with-the-dns-soa-expire-field/
for more info about how different implementations treat the expire
timer.
--
https://bitfolk.com/ -- No-nonsense VPS hosting