NSD reload and restart: in-memory data

Hi,

I'm new to NSD and would really appreciate it if someone could point me in the right direction.

I have like 8 NSD servers (secondary) serving around 30,000 zones.
Zone updates are transferred from the primary DNS servers by AXFR/IXFR.

The 8 NSD servers do not save the zone files on disk; the zones are only held in memory.
Therefore, after the NSD service is restarted, zone transfer requests are sent to the master DNS servers.

My questions are as follows:

  1. When zone data is not saved to a file and is only held in memory, NSD initiates a zone transfer after the NSD service is restarted.

I would like to know if there is a time limit from when the zone transfer is requested until the data gets saved in memory.

  2. When the NSD service is 'reloaded', for example by running 'systemctl reload nsd', does NSD check the serial number (SOA) for each record and try to initiate a zone transfer?

After performing a service reload the following entries are logged.

nsd[1704236]: error: xfrd: zone testnsdexp01.tk received error code SERVER NOT AUTHORITATIVE FOR ZONE from xx.xx.xx.xx
nsd[1704236]: error: xfrd: zone testnsdexp01.tk, from xx.xx.xx.xx: no tsig in first packet of reply
nsd[1704236]: info: xfrd: zone testnsdexp01.tk bad transfer 0 from xx.xx.xx.xx

The zone records for testnsdexp01.tk are not present on the master DNS servers, therefore it returns an error, but it seems like NSD is doing some sort of check during the reload process, hence it's trying to get the records for 'testnsdexp01.tk'.

Best Regards.

Hi,

> My questions are as follows
> 1) When zone data is not saved on file and only held in memory NSD
> initiates zone transfer after NSD service is restarted.
>
> Would like to know if there is a time limit from when zone transfer
> is requested until data gets saved in memory.

I'm not sure if I understand your question correctly, but:

There is a reload timer, configurable through xfrd-reload-timeout, that
determines how often a reload is triggered. There is however no time
limit from when a zone is requested. When a zone transfer is received
(triggered by the refresh timer in the SOA record expiring, through a
NOTIFY, or by having no zone data), a transfer for that zone is scheduled.
xfrd (transfer daemon in NSD) updates the timers with the data from the
AXFR/IXFR. How long it takes for the reload to complete depends on the
number of changes within that reload.

> 2) When NSD service is 'reloaded' for example by running 'systemctl
> reload nsd' does NSD check the serial number (SOA) for each record
> and tries to initiate a zone transfer?
>
> After performing a service reload the following entries are logged.
>
> nsd[1704236]: error: xfrd: zone testnsdexp01.tk received error code
> SERVER NOT AUTHORITATIVE FOR ZONE from xx.xx.xx.xx
> nsd[1704236]: error: xfrd: zone testnsdexp01.tk, from xx.xx.xx.xx: no
> tsig in first packet of reply
> nsd[1704236]: info: xfrd: zone testnsdexp01.tk bad transfer 0 from
> xx.xx.xx.xx
>
> The zone records for testnsdexp01.tk is not present on the master DNS
> servers therefore it returns error but it seems like NSD is doing
> some sort of checks during the reload process hence its trying to get
> the records for 'testnsdexp01.tk'.

These errors are from xfrd, which is the process that keeps running and
is not recycled (unlike the server(s)). Once there's no more zone data,
either by not having it in the first place on (re)load or because it
has expired, xfrd will request new data from the primary every so
often. The messages above are merely xfrd indicating it cannot refresh
the zone.

So, to answer your question, yes, once NSD restarts it tries to request
a zone transfer for zones that have no data.

Best regards,
Jeroen
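Since xfrd keeps retrying zones it has no data for, the operational risk on a
secondary that holds 30,000 zones only in memory is that a zone quietly stays
unserved (or, as here, never existed on the primary) while the retries fill the
log. The following script, an added example for this thread and not part of NSD
or its documentation, turns xfrd log lines of the shape quoted above into a
per-zone failure count so stuck zones surface after a reload or restart. The
sample log lines are constructed: the PID is reused from the thread, the
addresses are from documentation ranges, and the "serial ... is updated to"
line for a healthy zone is assumed to follow NSD's usual wording.

```shell
#!/bin/sh
# Triage NSD xfrd log lines: which zones keep failing to refresh, and why.
# Added example for this thread, not NSD project code.

# Constructed sample in the shape of the lines quoted in the thread.
# Zone names other than testnsdexp01.tk and all addresses are made up.
SAMPLE_LOG='nsd[1704236]: error: xfrd: zone testnsdexp01.tk received error code SERVER NOT AUTHORITATIVE FOR ZONE from 192.0.2.10
nsd[1704236]: error: xfrd: zone testnsdexp01.tk, from 192.0.2.10: no tsig in first packet of reply
nsd[1704236]: info: xfrd: zone testnsdexp01.tk bad transfer 0 from 192.0.2.10
nsd[1704236]: info: xfrd: zone example.org serial 2024010101 is updated to 2024010102
nsd[1704236]: error: xfrd: zone testnsdexp01.tk received error code SERVER NOT AUTHORITATIVE FOR ZONE from 192.0.2.11
nsd[1704236]: info: xfrd: zone testnsdexp01.tk bad transfer 1 from 192.0.2.11
nsd[1704236]: error: xfrd: zone example.net received error code REFUSED from 198.51.100.5
nsd[1704236]: info: xfrd: zone example.net bad transfer 0 from 198.51.100.5
nsd[1704236]: info: xfrd: zone testnsdexp01.tk bad transfer 0 from 192.0.2.10'

# Count "bad transfer" lines per zone, most failures first: "<count> <zone>".
# Reads log lines on stdin.
bad_transfer_counts() {
    awk '/xfrd: zone .* bad transfer/ {
            for (i = 1; i <= NF; i++)
                if ($i == "zone") { z = $(i + 1); sub(/,$/, "", z); c[z]++ }
         }
         END { for (z in c) print c[z], z }' | sort -k1,1nr -k2,2
}

# Print zones whose bad-transfer count reaches the threshold (default 3).
stuck_zones() {
    threshold=${1:-3}
    bad_transfer_counts | awk -v t="$threshold" '$1 >= t { print $2 }'
}

# For one zone, aggregate the error codes the primaries answered with:
# "<count> <error code>". The address is dropped so codes group across primaries.
error_codes_for_zone() {
    zone=$(printf '%s' "$1" | sed 's/\./\\./g')   # escape dots for the regex
    sed -n "s/.*xfrd: zone $zone received error code \(.*\) from .*/\1/p" \
        | sort | uniq -c | sed 's/^ *//'
}

# Usage:  sh xfrd_triage.sh demo            (run against the constructed sample)
#         journalctl -u nsd | sh xfrd_triage.sh live 5
case "${1:-}" in
    demo) printf '%s\n' "$SAMPLE_LOG" | stuck_zones 3 ;;
    live) stuck_zones "${2:-3}" ;;
esac
```

On the sample, `stuck_zones 3` reports only testnsdexp01.tk, and
`error_codes_for_zone testnsdexp01.tk` shows that every primary answered SERVER
NOT AUTHORITATIVE FOR ZONE, which is the signature of a zone configured on the
secondary but absent from the primaries: the fix is on the configuration side
(remove or re-provision the zone), not on the transfer side. A zone that is
present but fails with a TSIG error instead points at a key mismatch between the
`request-xfr` entry and the primary's `provide-xfr` entry.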

Hi Jeroen,

Thank you very much for the information.

Best Regards.