PowerDNS SOA serial is not updated after a zone change in Opera DNS UI

Written by Claudio Kuenzler - 0 comments

Published on May 16th 2019 - last updated on May 17th 2019 - Listed in PowerDNS DNS

---

When I added some changes to a domain in our PowerDNS authoritative DNS server through Opera DNS UI, I was quite surprised that the changes were not automatically applied on the slave servers. As I wrote in a previous article, I had set up a DNS replication between the master and two slaves.

After further investigation I saw that the SOA serial was not increased when I changed the zone in the Opera DNS UI.

A notify was sent to the slaves, but due to the unchanged serial, no AXFR (DNS transfer) happened.

May 16 14:42:45 inf-dns01a-p pdns_server[23659]: Queued notification of domain 'example987.com' to 10.10.100.53:53
May 16 14:42:45 inf-dns01a-p pdns_server[23659]: Queued notification of domain 'example987.com' to 10.10.100.153:53
May 16 14:42:45 inf-dns01a-p pdns_server[23659]: Queued notification of domain 'example987.com' to 10.10.100.253:53
May 16 14:42:45 inf-dns01a-p dnsui: client_ip=192.168.88.19;uid=claudio;zone=example987.com.;object=zone;action=update;status=succeeded
May 16 14:42:45 inf-dns01a-p pdns_server[23659]: Received NOTIFY for example987.com from 10.10.100.53 but slave support is disabled in the configuration
May 16 14:42:46 inf-dns01a-p pdns_server[23659]: Received unsuccessful notification report for 'example987.com' from 10.10.100.53:53, error: Not Implemented
May 16 14:42:46 inf-dns01a-p pdns_server[23659]: Removed from notification list: 'example987.com' to 10.10.100.53:53 Not Implemented
May 16 14:42:46 inf-dns01a-p pdns_server[23659]: Removed from notification list: 'example987.com' to 10.10.100.153:53 (was acknowledged)
May 16 14:42:46 inf-dns01a-p pdns_server[23659]: Removed from notification list: 'example987.com' to 10.10.100.253:53 (was acknowledged)

Note: You can see that both slaves (10.10.100.153 and 10.10.100.253) have acknowledged the notify, but they did not initiate a AXFR.

When I first evaluated the user interface, being able to change DNS records and DNS slave replication was of course one of the main checks on my checklist. What changed?

It turns out that when a domain/zone is created in the DNS UI, a new database entry is added into the table "domainmetadata" in the PowerDNS database:

mysql> select * from domainmetadata;
+----+-----------+--------------+---------------------+
| id | domain_id | kind         | content             |
+----+-----------+--------------+---------------------+
|  2 |         1 | SOA-EDIT-API | INCEPTION-INCREMENT |
|  4 |       105 | SOA-EDIT-API | INCEPTION-INCREMENT |
|  6 |       139 | SOA-EDIT-API | INCEPTION-INCREMENT |
|  8 |       140 | SOA-EDIT-API | INCEPTION-INCREMENT |
| 10 |       141 | SOA-EDIT-API | INCEPTION-INCREMENT |
| 12 |       173 | SOA-EDIT-API | INCEPTION-INCREMENT |
+----+-----------+--------------+---------------------+
6 rows in set (0.00 sec)

Only a couple of entries exist, yet this authoritative DNS server holds more than 200 domains:

mysql> select count(*) from domains;
+----------+
| count(*) |
+----------+
|      209 |
+----------+
1 row in set (0.00 sec)

What's the difference between the domains added in domainmetadata and the other domains which didn't get an entry? All the domains which appear in the domainmetadata table were added manually in the DNS UI. All the other domains were created through a script which uses the pdnsutil command line.

I manually inserted a domain into domainmetadata:

mysql> insert into domainmetadata (domain_id, kind, content) VALUES (214, 'SOA-EDIT-API', 'INCEPTION-INCREMENT');
Query OK, 1 row affected (0.01 sec)

mysql> select * from domainmetadata;
+----+-----------+--------------+---------------------+
| id | domain_id | kind         | content             |
+----+-----------+--------------+---------------------+
|  2 |         1 | SOA-EDIT-API | INCEPTION-INCREMENT |
|  4 |       105 | SOA-EDIT-API | INCEPTION-INCREMENT |
|  6 |       139 | SOA-EDIT-API | INCEPTION-INCREMENT |
|  8 |       140 | SOA-EDIT-API | INCEPTION-INCREMENT |
| 10 |       141 | SOA-EDIT-API | INCEPTION-INCREMENT |
| 12 |       173 | SOA-EDIT-API | INCEPTION-INCREMENT |
| 13 |       214 | SOA-EDIT-API | INCEPTION-INCREMENT |
+----+-----------+--------------+---------------------+
7 rows in set (0.00 sec)

And then did some changes through the DNS UI for that domain with domain id 214. Result: It worked! The SOA serial finally increased and the slaves launched their AXFR commands.

TL;DR

Updating domains/zones through PowerDNS's API requires an entry in the PowerDNS table domainmetadata, for each domain!

I will now adapt my Infoblox2PDNS migration script to create this table entry when creating a new domain through the cli.

Update May 17th, 2019

The following bash one-liner will set the SOA-EDIT-API to INCEPTION-INCREMENT for every domain found in the domains table which has no SOA-EDIT-API in the domainmetadata table yet. Assuming here, the database name is "powerdns":

# for id in $(mysql -Bse "select id from powerdns.domains"); do exists=$(mysql -Bse "select count(domain_id) from powerdns.domainmetadata where domain_id = $id and kind = 'SOA-EDIT-API'"); if [[ $exists -gt 0 ]]; then echo "There is already a SOA-EDIT-API setting for this domain id $id, ignoring"; else echo "Setting SOA-EDIT-API to INCEPTION-INCREMENT for domain id $id"; mysql -e "insert into powerdns.domainmetadata (domain_id, kind, content) values ($id, 'SOA-EDIT-API', 'INCEPTION-INCREMENT')"; fi; done
[...]
Setting SOA-EDIT-API to INCEPTION-INCREMENT for domain id 203
Setting SOA-EDIT-API to INCEPTION-INCREMENT for domain id 205
Setting SOA-EDIT-API to INCEPTION-INCREMENT for domain id 206
Setting SOA-EDIT-API to INCEPTION-INCREMENT for domain id 207
Setting SOA-EDIT-API to INCEPTION-INCREMENT for domain id 208
Setting SOA-EDIT-API to INCEPTION-INCREMENT for domain id 209
Setting SOA-EDIT-API to INCEPTION-INCREMENT for domain id 210
Setting SOA-EDIT-API to INCEPTION-INCREMENT for domain id 211
Setting SOA-EDIT-API to INCEPTION-INCREMENT for domain id 212
Setting SOA-EDIT-API to INCEPTION-INCREMENT for domain id 213
There is already a SOA-EDIT-API setting for this domain id 140, ignoring
There is already a SOA-EDIT-API setting for this domain id 141, ignoring
Setting SOA-EDIT-API to INCEPTION-INCREMENT for domain id 31
[...]

More recent articles:

• Login using Active Directory in Atlassian Jira fails with LDAP: error code 1

• Fix a broken python3.5 package upon Ubuntu upgrade to Bionic

• Debian Wheezy LXC container not running on Stretch host with Kernel 4.18 bpo anymore (a vsyscall story)

• Hard drive to SSD upgrade on a HP 250 G5 notebook

• check_esxi_hardware now supports regular expressions for elements in ignore list

• Nginx socket() failed (24: Too many open files)

• Create an animated gif image from still images on the cli using imagemagick

• Monitoring plugin check_es_system 1.4 released

• Elasticsearch: Shards fail to allocate due to maximum number of retries exceeded

• Monitoring plugin check_es_system 1.3 released

• Docker logging with GELF using tcp: The good, the bad, the ugly

• PowerDNS Master Slave DNS Replication with MySQL backend

• PowerDNS Authoritative DNS Server 4.1 with MySQL backend on Ubuntu 18.04

• How to install and use check_netapp_ontap plugin to monitor NetApp filer

• Letsencrypt certificate renewal behind http proxy fails with unexpected error: bad handshake