Secondary DNS: Automatic and manual zone transfers not working

C

coherentBounty801

New Member
Two days ago (2024-09-10), I updated one of my zones on my authoritative name server, but two days later, the change still isn't reflected in ZoneEdit. The domain is configured in ZoneEdit as a secondary source, with my authoritative server configured as the "primary NS". Historically, everything has worked automatically: my name server sends a notification to ZoneEdit when the SOA serial changes, then ZoneEdit performs a zone transfer request from the authoritative name server. I did not see an AXFR request in my DNS server logs, and confirmed the old entry and SOA/serial were still present for direct queries to ZoneEdit's servers.

I logged in to ZoneEdit and clicked "force retransfer" for the domain in question, but still no AXFR showed up in my server logs, and several minutes later, the cache shown through the ZoneEdit admin pages (or direct queries to ZoneEdit's NSes) still reflects the pre-2024-09-10 contents.
 
can you let me know a zone file record I can check against and on the primary can you delegate to:
dns1.zoneedit.com and dns2.zoneedit.com and remove references to ns12.zoneedit.com and ns19.zoneedit.com

regards.
 
I already updated the primary (and registrar) to use dns1.zoneedit.com and dns2.zoneedit.com instead of ns12 and ns19.

One test is to check the serial in the SOA:
Code: 
$ dig SOA @dns1.zoneedit.com <domain>
... 2021080100
$ dig SOA @primary <domain>
... 2024091200

The entry that I updated on 2024-09-10, however, was the host 'eaganfiber' to point to 50.145.x.y instead of 209.23.x.y.

In the course of this investigation (yesterday), I did also update the NS records, so doing dig NS @primary <domain> will show dns1.zoneedit.com, etc, while dig NS @dns1.zoneedit.com still shows the ns12 and ns19 entries.

Thanks!
 
I believe the problem with the zone file not loading properly is the CAA host is also a Host for a Cname.. it is not possible for a domain name to have both a CNAME and a CAA record.
 
sandy said:
I believe the problem with the zone file not loading properly is the CAA host is also a Host for a Cname.. it is not possible for a domain name to have both a CNAME and a CAA record.
Click to expand...
I can't find any reference to this requirement--are you able to point me to some info about that?

The current CAA draft standard (RFC 8659) only mentions CNAME in the context of that having been more explicitly removed from the previous standard--and that obsolete RFC draft (6844) talked about how CAs should behave with regard to present CNAMEs/aliases. My understanding of the relevant sections of each draft is that if a TLS certificate is being requested for a value that is a CNAME, then the CA should start by checking for a CAA record on the destination of the CNAME, nothing prohibiting the destination of a CNAME from having a CAA record.

Am I correct to assume you're referring to is the record 'vaughn', which has an A record and a CAA record; some other records are CNAMEs that point to 'vaughn'? It doesn't even seem like any of the "special handling" of aliases described in the CAA RFC drafts comes into play there--where I think they're saying having a CAA record for something that is also a CNAME might be ignored.

Thanks!
 
I general... if a host is a a cname you can't have any other records on that host
 
Yeah, I believe that's for an entry that is a CNAME, not an entry that is the target of a CNAME, as is the case here. To me, all of the sources you and I have linked seem to say that the target of a CNAME actually should have a CAA entry, which is the case with the entry 'vaughn': 'ftp', for example, is a CNAME pointing to 'vaughn'; 'vaughn' has records A and CAA. If I try to issue a TLS cert for ftp.<my domain>, the CA should see that 'ftp' is an alias (CNAME) pointing to 'vaughn', then do a CAA lookup for 'vaughn'.

Does that make sense?
 
Because the sub-domain is a CNAME record, you cannot add a CAA record, you must resort to using the @ as the host - it will work just the same for the CAA
 
The sub-domain (vaughn) is not a CNAME record; it's an A record. There happen to be other records that point TO vaughn, but that's immaterial.

Regardless, I even disabled the CNAME entries that point to vaughn, published the update (notifications sent) and dns1.zoneedit.com now returns SERVFAIL. I clicked the option in the ZoneEdit control panel to force re-transfer, waited 60 seconds, checked the cache, and see "No cached zonedata found."
 
can you confirm
  • 64.68.198.91 is still the IP set to receive zone updates?
  • zone "domain .com" {
    type master;
    file "domain.com.zone";
    allow-transfer { 64.68.198.91/32; };
    also-notify { 64.68.198.91; };
    };
 
You must log in or register to reply here.
Back
Top