Hi Christian,

On startup, BIND9 will start sending SOA serial number queries for all of the zones it knows about. In the case of Designate, that means BIND9 will send out requests to the miniDNS instances to check if the serial number in Designate is newer than the one in BIND9. If the serial number in Designate is newer, BIND9 will initiate a zone transfer from the miniDNS in Designate.

BIND9, by default, will do 20 SOA serial number queries at a time (fewer on older versions of BIND). See the serial-query-rate setting in the rate limiter knowledge base article [1]. The tuning knowledge base article [2] also discusses settings that can be adjusted for secondary servers that may also help speed up a cold startup.

Off the top of my head, I don't know of a way to tell BIND9 not to answer queries via rndc or such. I usually block network access to a new BIND9 instance until "rndc status" shows that "soa queries in progress" and "xfers running" have dropped to 0 or a low number. Maybe others will have different approaches?

As for the runtime of a full resync in BIND9, that really depends on the number and size of the zones as well as the configuration settings I mentioned above. The performance of the host running the miniDNS instances and database will also have an impact.

Michael

[1] https://kb.isc.org/v1/docs/rate-limiters-for-authoritative-zone-propagation
[2] https://kb.isc.org/docs/aa-00726#options-for-tuning-secondary-servers

On Tue, May 10, 2022 at 2:02 AM Christian Rohmann <christian.rohmann@inovex.de> wrote:
Hello openstack-discuss,
I have a designate setup using bind9 as the user-serving DNS server.
When starting a machine with either very old or no zones at all, NXDOMAIN or other actually stale data is sent out to clients as designate is not done doing an initial full sync / reconciliation.
* What is the "proper" way to tackle this cold-start issue and to keep bind from serving wrong data?
  ** Did I miss any options to handle this startup case?
* What is the usual runtime for an initial sync that you observe in case the backend DNS server has no zones at all anymore?
Regards
Christian
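Michael's approach above (keep the new BIND9 instance unreachable until "rndc status" reports no SOA queries in progress and no zone transfers running) can be scripted. The following is an added example, not code from the thread or from BIND; it assumes rndc is already configured for the local server, and the firewall command that actually opens or closes port 53 is site-specific and left as a comment placeholder.

```shell
#!/bin/sh
# Gate a cold-started BIND9 secondary behind its SOA-query/zone-transfer backlog.
# Added example; not part of the mailing-list thread or of BIND itself.
# Assumptions: "rndc status" works for the local server; the firewall
# commands that block/unblock client traffic are placeholders (see comments).

# Return 0 when the given "rndc status" text shows at most THRESHOLD
# (default 0) SOA queries in progress and zone transfers running.
# If either counter line is missing, treat the server as not ready.
bind_is_synced() {
    status="$1"
    threshold="${2:-0}"
    soa=$(printf '%s\n' "$status" | awk -F': *' '/^soa queries in progress:/ {print $2}')
    xfers=$(printf '%s\n' "$status" | awk -F': *' '/^xfers running:/ {print $2}')
    [ -n "$soa" ] && [ -n "$xfers" ] || return 1
    [ "$soa" -le "$threshold" ] && [ "$xfers" -le "$threshold" ]
}

# Poll "rndc status" every 5 s until the backlog has drained (return 0)
# or MAX_SECONDS (default 600) elapse (return 1).
wait_for_bind_sync() {
    max_seconds="${1:-600}"
    deadline=$(( $(date +%s) + max_seconds ))
    while [ "$(date +%s)" -lt "$deadline" ]; do
        if bind_is_synced "$(rndc status 2>/dev/null)" 0; then
            return 0
        fi
        sleep 5
    done
    return 1
}

# Constructed sample of "rndc status" output for a server still resyncing
# (only the relevant lines; real output contains more).
SAMPLE_BUSY='number of zones: 1500 (3 automatic)
xfers running: 12
xfers deferred: 4
soa queries in progress: 20
server is up and running'

# Typical use (placeholders, adapt to your firewall):
#   <block port 53 from clients>          # e.g. an nftables/iptables drop rule
#   wait_for_bind_sync 900 || exit 1      # give up after 15 minutes
#   <unblock port 53 for clients>
```

Until the counters reach 0 the server is still asking miniDNS for serials and pulling zones, so any answer it gives from its old or empty zone set would be stale.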