[designate] How to avoid NXDOMAIN or stale data during cold start of a (new) machine

Michael Johnson johnsomor at gmail.com
Tue May 10 17:04:04 UTC 2022

Hi Christian,

On startup, BIND9 will start sending SOA serial number queries for all
of the zones it knows about. In the case of Designate, that means
BIND9 will send out requests to the miniDNS instances to check if the
serial number in Designate is newer than the one in BIND9. If the
serial number in Designate is newer, BIND9 will initiate a zone
transfer from the miniDNS in Designate.

BIND9, by default, will do 20 SOA serial number queries at a time
(less on older versions of BIND). See the serial-query-rate setting in
the rate limiter knowledge base article[1].

The tuning knowledge base article[2] also discusses settings that can
be adjusted for secondary servers that may also help speed up a cold

Off my head, I don't know of a way to tell BIND9 to not answer queries
via rdnc or such. I usually block network access to a new BIND9
instance until the "rdnc status" shows the "soa queries in progress"
and "xfers running" drop to 0 or a low number.

Maybe others will have different approaches?

As for runtime of a full resync in BIND9, that really depends on the
number and size of the zones as well as the configuration settings I
mentioned above. The performance of the host running the miniDNS
instances and database will also have an impact.


[1] https://kb.isc.org/v1/docs/rate-limiters-for-authoritative-zone-propagation
[2] https://kb.isc.org/docs/aa-00726#options-for-tuning-secondary-servers

On Tue, May 10, 2022 at 2:02 AM Christian Rohmann
<christian.rohmann at inovex.de> wrote:
> Hello openstack-discuss,
> I have a designate setup using bind9 as the user-serving DNS server.
> When starting a machine with either very old or no zones at all,
> NXDOMAIN or other actually stale data is sent out to clients as designate
> is not done doing an initial full sync / reconciliation.
> * What is the "proper" way to tackle this cold-start issue and to keep
> the bind from serving wrong data?
> ** Did I miss on any options to handle this startup case?
> * What is the usual runtime for an initial sync that you observe in case
> the backend DNS server has no zones at all anymore?
> Regards
> Christian

More information about the openstack-discuss mailing list