Hi Conrad,
On Fri, Apr 21, 2023 at 04:50:54PM +0100, Conrad Wood via BitFolk Users wrote:
> On Fri, 2023-04-21 at 13:14 +0000, Andy Smith via BitFolk Users wrote:
> > Over the last few days we've upgraded the servers used for our
> > secondary DNS service and also switched software from PowerDNS to
> > BIND.
>
> May I ask why? I have considered switching from BIND to PowerDNS many
> times over the past few years (but never did).
Mainly that I'm a bit more comfortable with BIND and I realised that
unlike in ~2007 when I last evaluated this, BIND does now have the
ability to dynamically learn which zones to be secondary for
("catalog zones"), which was the only "advanced" feature of PowerDNS
that we were using.
The configuration of PowerDNS that we were using involved receiving
notifies and doing axfr just like BIND would and there was a known
deficiency there.
When a PowerDNS "superslave" receives a notify it does an SOA check
to get the serial number of the zone on the primary to compare with
its own. When acting as a DNS client PowerDNS does not support TCP,
so if the answer is truncated it treats it as no answer and refuses
to do an AXFR.
More details here:
https://strugglers.net/~andy/blog/2022/11/18/powerdns-truncated-soa-respons…
Also, I have been investigating some very occasional incidents where
a notify would get sent by a.authns but then one or more of the
PowerDNS secondary servers would simply log "timeout" for that
particular zone and not do the AXFR. They would then wait until
their refresh timer ran out to do a check and the needed AXFR.
I'm not 100% convinced that PowerDNS is the best choice for
conventional DNS replication by AXFR so I decided to investigate
BIND in that role. If I wanted an SQL database and the replication
within that then I'd definitely still stick with PowerDNS.
It is also possible that just upgrading PowerDNS would have helped
but it seemed like less work to deploy BIND as I already was
elsewhere.
Cheers,
Andy
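As an added example, not part of the thread and not PowerDNS or BIND code, here is the SOA check a secondary performs after receiving a NOTIFY, written in Python against the RFC 1035 wire format. It shows why a UDP answer with the TC bit set must be repeated over TCP rather than treated as "no answer", and compares serials with RFC 1982 arithmetic so wrap-around is handled. The zone name example.net., the serials and the replies are constructed inline so the script runs offline.

```python
"""Added example: how a DNS secondary should handle the SOA check that
follows a NOTIFY, including a truncated (TC=1) UDP answer, which the thread
says PowerDNS treated as "no answer". Illustrative code, not PowerDNS or
BIND source; the zone name and serials are constructed."""
import struct

SOA, IN = 6, 1

def _encode_name(name):
    """Encode a dotted name as DNS labels (RFC 1035 section 3.1)."""
    labels = [l for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"

def _skip_name(msg, off):
    """Return the offset just past the name at `off`; a compression
    pointer (top two bits set) is two bytes and ends the name."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:
            return off + 2
        off += 1 + length

def build_soa_query(zone, qid=0x1234):
    """Wire-format SOA query, as a secondary sends after a NOTIFY."""
    header = struct.pack(">HHHHHH", qid, 0x0100, 1, 0, 0, 0)  # RD=1, QDCOUNT=1
    return header + _encode_name(zone) + struct.pack(">HH", SOA, IN)

def build_soa_response(zone, serial, qid=0x1234, truncate=False):
    """Constructed reply to build_soa_query(): one SOA RR in the answer
    section. With truncate=True the TC bit is set and the RR is cut off,
    which is what a UDP responder does when the reply exceeds its limit."""
    flags = 0x8500 | (0x0200 if truncate else 0)  # QR, AA, RD (+ TC)
    header = struct.pack(">HHHHHH", qid, flags, 1, 1, 0, 0)
    question = build_soa_query(zone, qid)[12:]
    if truncate:
        return header + question  # ANCOUNT says 1 but the RR is missing
    rdata = (_encode_name("ns1." + zone) + _encode_name("hostmaster." + zone)
             + struct.pack(">IIIII", serial, 3600, 900, 604800, 3600))
    rr = b"\xC0\x0C" + struct.pack(">HHIH", SOA, IN, 3600, len(rdata)) + rdata
    return header + question + rr

def parse_soa_response(msg):
    """Return {'tc', 'rcode', 'serial'} from a SOA reply. A TC=1 reply is
    never parsed past the header: its body is incomplete by definition."""
    _, flags, qd, an, _, _ = struct.unpack(">HHHHHH", msg[:12])
    out = {"tc": bool(flags & 0x0200), "rcode": flags & 0x000F, "serial": None}
    if out["tc"]:
        return out
    off = 12
    for _ in range(qd):
        off = _skip_name(msg, off) + 4  # skip QTYPE + QCLASS
    for _ in range(an):
        off = _skip_name(msg, off)
        rtype, _, _, rdlen = struct.unpack(">HHIH", msg[off:off + 10])
        off += 10
        if rtype == SOA:
            p = _skip_name(msg, off)  # MNAME
            p = _skip_name(msg, p)    # RNAME
            out["serial"] = struct.unpack(">I", msg[p:p + 4])[0]
            return out
        off += rdlen
    return out

def serial_gt(a, b):
    """RFC 1982 serial arithmetic: is a newer than b, modulo 2**32?"""
    return a != b and ((a - b) & 0xFFFFFFFF) < 0x80000000

def decide(local_serial, udp_reply, tcp_reply=None):
    """What the secondary should do next. 'retry-tcp' means the UDP reply
    was truncated and the same query must be repeated over TCP before any
    decision; the deficiency described in the thread is collapsing this
    case into 'no answer' and skipping the AXFR."""
    parsed = parse_soa_response(udp_reply)
    if parsed["tc"]:
        if tcp_reply is None:
            return "retry-tcp"
        parsed = parse_soa_response(tcp_reply)
    if parsed["rcode"] != 0 or parsed["serial"] is None:
        return "error"
    return "axfr" if serial_gt(parsed["serial"], local_serial) else "up-to-date"

if __name__ == "__main__":
    zone, local = "example.net.", 2023042101  # constructed zone and serial
    full = build_soa_response(zone, 2023042102)
    short = build_soa_response(zone, 2023042102, truncate=True)
    print("UDP, complete:  ", decide(local, full))         # axfr
    print("UDP, truncated: ", decide(local, short))        # retry-tcp
    print("after TCP retry:", decide(local, short, full))  # axfr
```

The practical consequence of getting the TC case wrong is the one the thread describes: the secondary keeps serving the old zone until its refresh timer expires, so a large SOA reply (for instance one padded with additional records) silently delays every update. Checking the TC bit before touching the body also avoids parsing a message whose counts promise records that are not there.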