[conspire] AWS & DNS SOA serial numbers

Rick Moen rick at linuxmafia.com
Tue Oct 11 04:16:06 PDT 2016


Quoting Michael Paoli (Michael.Paoli at cal.berkeley.edu):

> Then, when DNS data in the zone is changed, ... uhm, yeah, AWS doesn't
> update the SOA serial number.  I've noticed this for a while.  Finally
> checked into it a bit further, and found:
> https://forums.aws.amazon.com/message.jspa?messageID=221157
> 
> So ... kind'a funky & different?  Definitely.
> Technically (in)correct?  Not fully sure, I might have to recheck some
> RFCs to definitively answer that.

It's technically correct -- but irritating.  

Usually, this is a sign of the provider using PowerDNS Authoritative
Server = pdns (or one of the proprietary packages of similar design), in
which everything's in an SQL back-end database.  I've admined pdns for a
living, and that's one of its main peculiarities.  Because all changes 
are implemented in atomic fashion via database row updates, and because
records are shared around the pdns cluster via SQL replication rather
than AXFR/IXFR, the SOA S/N is deemed superfluous and normally goes
unchanged and disregarded.

pdns has some sort of optional facility to do AXFR/IXFR to and from
external non-pdns nameservers, in which case I assume and hope it then
pays closer attention to SOA S/N, but I've never had occasion to look up
details.

(Greetings from the Gare de Lyon, Paris.)
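The point underneath the exchange above is that a secondary nameserver's refresh and transfer decision keys on the SOA serial alone, compared with RFC 1982 serial-number arithmetic, so a provider that edits records without bumping the serial leaves any serial-based change monitor blind. The following Python is an added example, not code from the post, from AWS or from PowerDNS: it implements the RFC 1982 comparison, pulls the serial out of a zone snapshot, and hashes the non-SOA records so the two kinds of "changed" can be told apart. The zone snapshots are constructed samples and every function name is an assumption of this example.

```python
"""Added example, not code from the mailing-list post, AWS or PowerDNS.

A secondary decides whether to pull a zone (scheduled refresh or NOTIFY)
by comparing the primary's SOA serial with its own under RFC 1982
arithmetic; nothing else in the zone is consulted.  The snapshots below
are constructed samples and all function names are this example's own.
"""
import hashlib
import re

MOD = 1 << 32    # SOA serial is an unsigned 32-bit quantity (RFC 1035)
HALF = 1 << 31   # RFC 1982 comparison threshold


def serial_gt(a: int, b: int) -> bool:
    """RFC 1982 section 3.2: True if serial a is 'greater than' serial b.
    Equal serials are never greater; values exactly 2^31 apart are undefined
    and reported as not greater."""
    a, b = a % MOD, b % MOD
    return (a < b and b - a > HALF) or (a > b and a - b < HALF)


def serial_add(serial: int, n: int) -> int:
    """RFC 1982 section 3.1 addition; n must be in [0, 2^31)."""
    if not 0 <= n < HALF:
        raise ValueError("increment out of RFC 1982 range")
    return (serial + n) % MOD


def secondary_would_transfer(have: int, offered: int) -> bool:
    """Refresh/NOTIFY rule (RFC 1034 4.3.5, RFC 1996): transfer only when
    the primary's serial is newer than the copy already held."""
    return serial_gt(offered, have)


def _logical_lines(zone_text: str) -> list:
    """Strip ';' comments and join '(' ... ')' continuation lines.
    Minimal RFC 1035 master-file handling: no $ORIGIN expansion and no
    quoted strings, enough to compare two snapshots from the same source."""
    out, buf, depth = [], [], 0
    for raw in zone_text.splitlines():
        line = raw.split(";", 1)[0]
        if not line.strip() and depth == 0:
            continue
        buf.append(line)
        depth += line.count("(") - line.count(")")
        if depth == 0:
            joined = " ".join(buf).replace("(", " ").replace(")", " ")
            out.append(" ".join(joined.split()))
            buf = []
    return out


SOA_RE = re.compile(r"\bSOA\s+\S+\s+\S+\s+(\d+)\b", re.IGNORECASE)


def _is_soa(line: str) -> bool:
    # owner [ttl] [class] type: the RR type sits within the first four tokens
    return "soa" in [t.lower() for t in line.split()[:4]]


def soa_serial(zone_text: str) -> int:
    """Return the serial field of the zone's SOA record."""
    for line in _logical_lines(zone_text):
        if _is_soa(line):
            m = SOA_RE.search(line)
            if m:
                return int(m.group(1))
    raise ValueError("no SOA record found")


def zone_fingerprint(zone_text: str) -> str:
    """SHA-256 over the normalised non-SOA records, independent of order."""
    rrs = sorted(l.lower() for l in _logical_lines(zone_text)
                 if not l.startswith("$") and not _is_soa(l))
    return hashlib.sha256("\n".join(rrs).encode()).hexdigest()


def detect_change(old_zone: str, new_zone: str) -> dict:
    """What a serial-only monitor sees versus what actually changed."""
    old_s, new_s = soa_serial(old_zone), soa_serial(new_zone)
    return {
        "serial_advanced": serial_gt(new_s, old_s),
        "content_changed": zone_fingerprint(old_zone) != zone_fingerprint(new_zone),
    }


# Constructed zone snapshots (not real Route 53 or PowerDNS output).
ZONE_BEFORE = """\
$ORIGIN example.com.
$TTL 300
@    IN SOA ns-1.example.com. hostmaster.example.com. (
         2016101100 ; serial
         7200 900 1209600 86400 )
@    IN NS ns-1.example.com.
www  IN A  192.0.2.10
"""
# Record edited, serial left alone: the behaviour the thread describes.
ZONE_AFTER_NO_BUMP = ZONE_BEFORE.replace("192.0.2.10", "192.0.2.20")
# The same edit by a provider that honours the serial.
ZONE_AFTER_BUMPED = ZONE_AFTER_NO_BUMP.replace("2016101100", "2016101101")

if __name__ == "__main__":
    print("serial unchanged:", detect_change(ZONE_BEFORE, ZONE_AFTER_NO_BUMP))
    print("serial bumped:   ", detect_change(ZONE_BEFORE, ZONE_AFTER_BUMPED))
```

Run against two snapshots of the same zone (for instance two `dig AXFR` dumps taken before and after an edit at the provider), `detect_change` reports `serial_advanced` False with `content_changed` True for the behaviour discussed in the thread; `secondary_would_transfer` shows the practical consequence, which is that a conventional secondary holding the old copy would decline to refresh. Monitoring zone content by fingerprint rather than by serial is the workaround when the provider behaves this way.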