I am having what I feel will end up being a simple problem, however I am not seeing the obvious problem.
Here is an example flow first of all to get a better understanding of how things occur in order — please note that this is infrastructure that is already in place and the order of operations needs to remain intact:
- Register domain IE GoDaddy
- Point domain at our nameserver
- Create nameserver record and reload Bind
Now .. Between step 1 and 2 we start seeing this (obviously because the domain is not in our system yet:
Jun 12 15:32:40 DNSSERVER named[25262]: client 230..xxx.xxx.xx#61333 (example.com): query (cache) 'example.com/SOA/IN' denied
Next I create the zone file /var/lib/bind/example.com.hosts:
$ttl 38400
example.com. IN SOA ns1.ourdnsserver.com. some.email.com. (
1494611262
10800
3600
604800
38400 )
example.com. IN NS ns1.ourdnsserver.com.
example.com. IN A 40.xx.xx.xx
www.example.com. IN A 40.xx.xx.xx
mail.example.com. IN A 173.xx.xx.xx
webmail.example.com. IN A 173.xx.xx.xx
example.com. IN MX 10 mx1.server.com.
example.com. IN MX 20 mx2.server.com.
After this I insert the zone into the configuration /etc/bind/named.conf.local:
zone "example.com" {
type master;
file "/var/lib/bind/example.com.hosts";
};
Then I issue a restart sudo service bind9 restart
After this, I still get the
Jun 12 15:32:40 DNSSERVER named[25262]: client 230..xxx.xxx.xx#61333 (example.com): query (cache) 'example.com/SOA/IN' denied
What I have to do to resolve this is edit my file /var/lib/bind/example.com.hosts — Update the serial with a new unix timestap — re-save and restart Bind. And viola, the notifiers get sent out that the zone was updated.
EDIT
Then I get the following in the log
8377:Jun 12 14:12:57 OURSND named[25262]: zone example.com/IN: sending notifies (serial 1494611231)
END EDIT
Here is the question, why don't the notifiers get sent out when I create the zone and restart Bind? Why do I have to go back in, edit, re-save and restart Bind for the zone to be seen as "updated"? I want this to happen the first time, every time. What am I not seeing?
Best Answer
Think of the serial as a version number. You (re)start bind, it checks the version number on its data cache vs. version number in config (the serial). If the version is the same, why bother re-processing everything, and why waste network bandwidth telling secondary servers that you have zone(s) to transfer...
Always update your serial. Only rule is that it must go up. Using a unix time stamp is good, or a format like YYYYMMDDNN where NN is a revision number for that day (do you need to change it more than 99 times a day?).
The problem, as you have discovered, is remembering to update the serial when you edit the file. Use some template files, data files, and shell scripting to create a "build" process where you'd make your edits to the data, then tell it to regenerate the zone file(s) part of which would include putting out a new serial, or even go to a (way overkill) web based front end with a "service provider" control panel like ISPConfig where the data will all be in a sql database and the ispconfig software will create the zone file(s) automagically.