Task #3890

ns2.afraid.org is not serving dataone.org properly

Added by Chris Jones over 9 years ago. Updated over 9 years ago.

Status: Closed
Priority: High
Assignee:
Category: Support Operations
Target version: -
Start date: 2013-08-07
Due date:
% Done: 100%
Milestone: None
Product Version: *
Story Points:
Sprint:

Description

We've been having trouble with the ns2.afraid.org server pulling updates to the dataone.org domain after changing the zone files.

Nick, will you verify the changes I made to /etc/bind/named.conf.local (described below), and if everything looks okay, re-assign this to Dave so he can look at the afraid.org configuration (unless you can check that too)?

We noticed that the ns2.afraid.org IP address had changed (from 174.37.196.55 to 208.43.71.243), and so after having trouble with ns2.afraid.org having updated DNS entries, I changed /etc/bind/named.conf.local to add 208.43.71.243 to the xferhost acl instead of 174.37.196.55. For instance, for the recent addition of ansible.dataone.org:

$ dig @ns2.afraid.org ansible.dataone.org

; <<>> DiG 9.7.6-P1 <<>> @ns2.afraid.org ansible.dataone.org
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 6301
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
;; WARNING: recursion requested but not available

;; QUESTION SECTION:
;ansible.dataone.org. IN A

;; Query time: 59 msec
;; SERVER: 208.43.71.243#53(208.43.71.243)
;; WHEN: Wed Aug 7 07:50:11 2013
;; MSG SIZE rcvd: 37

ns2.afraid.org continues to give a SERVFAIL status, whereas a call to 8.8.8.8 gives a NOERROR status and returns the CNAME record for ansible.dataone.org.

Here are the changes made to files in /etc/bind:

$ sudo git diff HEAD^ HEAD
diff --git a/bind/db.dataone.org b/bind/db.dataone.org
index 1b1b4a4..8c3aa34 100644
--- a/bind/db.dataone.org
+++ b/bind/db.dataone.org
@@ -5,7 +5,7 @@
;
$TTL 86400 ; changed from default 86400
dataone.org. IN SOA ns1.nceas.ucsb.edu. root.ns1.nceas.ucsb.edu. (
- 2013080200 ; serial number
+ 2013080600 ; serial number
360 ; 1 min; default refresh 1 hour (3600) (frequency secondary DNS is updated)
900 ; 1 min; default retry 15 min
3600000 ; expire 1000 hours
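Review bot: the timing comments on the SOA context lines in this hunk contradict the values next to them: `360 ; 1 min` is six minutes, `900 ; 1 min` is fifteen, and `$TTL 86400 ; changed from default 86400` describes no change at all. Since refresh and retry are exactly what decide how soon ns2.afraid.org polls for the bumped serial, fix the comments (e.g. `360 ; refresh 6 min` and `900 ; retry 15 min`) so the next person editing the zone can trust them. The serial bump to 2013080600 is correct and is what the secondaries key on; note that the 3600000-second expire really is 1000 hours, so a secondary that cannot transfer will keep answering from stale data for about six weeks before it drops the zone and SERVFAILs.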
@@ -65,6 +65,7 @@ releases 1D IN A 129.24.0.11
ns 1D IN CNAME releases
ldap 1H IN CNAME ldap.ecoinformatics.org.
test123 IN A 128.111.220.124
+ansible 1H IN CNAME ansible.dataone.utk.edu.
;
;test subdomain
;
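Review bot: the new `ansible` record is a CNAME whose target `ansible.dataone.utk.edu.` lies outside this zone, so ns1 and ns2 will only return the alias and the querying resolver must chase the target itself; that is fine as intended, and the trailing dot that keeps it from being read as `ansible.dataone.utk.edu.dataone.org` is present. Nothing in this hunk can explain the SERVFAIL: once the serial bump in the preceding hunk lands, any secondary that is able to transfer picks it up. Run `named-checkzone dataone.org /etc/bind/db.dataone.org` before reloading, since the surrounding records mix `1D`, `1H` and default-TTL forms and a stray syntax error would silently leave the old zone in service.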
diff --git a/bind/named.conf.local b/bind/named.conf.local
index 946c730..1f54498 100644
--- a/bind/named.conf.local
+++ b/bind/named.conf.local
@@ -20,7 +20,7 @@ acl xferhosts {
128.111.1.1;
128.111.220.16;
128.111.220.18;
- 174.37.196.55;
+ 208.43.71.243;
localhost;
};
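Review bot: swapping 174.37.196.55 for 208.43.71.243 in `acl xferhosts` assumes that the secondary sends its AXFR requests from the same address it answers queries on, and nothing in this hunk establishes that; the REFUSED log quoted later in the ticket shows the transfers were still coming from the old address. Add the new address alongside the old one (`174.37.196.55;` followed by `208.43.71.243;`) rather than replacing it, and only drop the old entry once a successful transfer in ns1's log shows which source address afraid.org actually uses. Minor: the ACL is named `xferhosts` here while the description calls it `xferhost`.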

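The failure in this ticket is a transfer ACL on the primary that does not match the address the secondary really sends AXFR from. Below is an added example, not code from the ticket or from DataONE's BIND setup, that checks candidate source addresses against the `xferhosts` ACL the way named evaluates an address match list and pulls the verdict out of BIND `xfer-in` log lines. The named.conf text, the zone block, the success log line and the helper names are constructed for this example; the ACL entries and the REFUSED line are taken from what the ticket quotes.

```python
"""Audit a BIND transfer ACL against the source addresses a secondary uses.

Added example for the ns2.afraid.org ticket; not DataONE's own code.
Everything below runs offline on constructed input.
"""
import ipaddress
import re

# Constructed: /etc/bind/named.conf.local as it reads after the ticket's diff
# (the zone block is assumed; the ticket only shows the acl).
NAMED_CONF_LOCAL = """
acl xferhosts {
    128.111.1.1;
    128.111.220.16;
    128.111.220.18;
    208.43.71.243;
    localhost;
};

zone "dataone.org" {
    type master;
    file "/etc/bind/db.dataone.org";
    allow-transfer { xferhosts; };
};
"""

# Constructed log lines: the first is the one quoted in the ticket (timestamp
# added), the second is what a successful pull looks like.
XFER_LOG_LINES = [
    "07-Aug-2013 08:12:01.103 xfer-in: error: transfer of 'dataone.org/IN' "
    "from 128.111.220.16#53: failed while receiving responses: REFUSED",
    "07-Aug-2013 09:40:22.517 xfer-in: info: transfer of 'dataone.org/IN' "
    "from 128.111.220.16#53: Transfer status: success",
]

ACL_BLOCK = re.compile(r'^\s*acl\s+"?([\w-]+)"?\s*\{([^}]*)\};', re.MULTILINE)
XFER_LINE = re.compile(
    r"xfer-in: (?P<level>\w+): transfer of '(?P<zone>[^']+)' from "
    r"(?P<primary>[0-9a-fA-F.:]+)#(?P<port>\d+): (?P<detail>.*)$")


def parse_acls(conf):
    """Return {acl_name: [element, ...]} for every top-level acl block."""
    acls = {}
    for name, body in ACL_BLOCK.findall(conf):
        acls[name] = [e.strip() for e in body.split(';') if e.strip()]
    return acls


def acl_allows(elems, ip, acls=None):
    """Evaluate an address match list as named does: the first matching
    element decides, and a leading '!' turns that match into a deny.
    Handles single addresses, CIDR prefixes, the builtins any/none/localhost,
    and references to other named ACLs (a reference matches when that ACL
    allows the address)."""
    acls = acls or {}
    addr = ipaddress.ip_address(ip)
    for elem in elems:
        negate = elem.startswith('!')
        target = elem.lstrip('!').strip()
        if target == 'any':
            hit = True
        elif target == 'none':
            hit = False
        elif target == 'localhost':
            hit = addr.is_loopback
        elif target in acls:
            hit = acl_allows(acls[target], ip, acls)
        else:
            hit = addr in ipaddress.ip_network(target, strict=False)
        if hit:
            return not negate
    return False  # no element matched: BIND denies by default


def check_transfer_sources(conf, acl_name, sources):
    """Map each candidate secondary source address to allowed/denied under
    the named ACL. Feed it every address the secondary might send from."""
    acls = parse_acls(conf)
    return {ip: acl_allows(acls[acl_name], ip, acls) for ip in sources}


def parse_xfer_log(line):
    """Extract zone, primary and outcome from a BIND xfer-in log line;
    returns None for unrelated lines."""
    m = XFER_LINE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec['refused'] = rec['detail'].rstrip().endswith('REFUSED')
    rec['ok'] = ('Transfer status: success' in rec['detail']
                 or 'Transfer completed' in rec['detail'])
    return rec


if __name__ == '__main__':
    # The two addresses the ticket says afraid.org has used.
    verdict = check_transfer_sources(
        NAMED_CONF_LOCAL, 'xferhosts', ['174.37.196.55', '208.43.71.243'])
    for ip, ok in verdict.items():
        print(f"{ip}: {'allowed' if ok else 'DENIED'} by xferhosts")
    for line in XFER_LOG_LINES:
        rec = parse_xfer_log(line)
        print(f"{rec['zone']} from {rec['primary']}: "
              f"{'ok' if rec['ok'] else 'REFUSED' if rec['refused'] else rec['detail']}")
```

Run on the post-diff ACL, the old address comes back denied and the new one allowed, which is exactly the mismatch comment #1 reports; the fix the ticket settled on (both addresses in the ACL) makes both return allowed. Point the log parser at `named`'s xfer-in channel on the secondary and a REFUSED from the primary's address means the primary's ACL, not the zone data, is the thing to look at.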
History

#1 Updated by Chris Jones over 9 years ago

It looks like ns2.afraid.org is still asking for transfers as 174.37.196.55. In ns1's named.conf.local, I reverted the IP address to 174.37.196.55. Dave changed the afraid.org configuration to now request transfers from ns1.

Nick, will you look at the ACLs on ns2.nceas to see if it is allowing from 174.37.196.55? The logs at afraid.org were showing a refused status?

xfer-in: error: transfer of 'dataone.org/IN' from 128.111.220.16#53: failed while receiving responses: REFUSED

Once the transfers are allowed from ns2.nceas, Dave will switch the config back.

#2 Updated by Dave Vieglais over 9 years ago

  • Status changed from New to Closed
  • Remaining hours set to 0.0

Appears to be fixed now.

  • ns2.afraid.org now pulling from ns1.nceas.ucsb.edu
  • ACL in dataone.org zone updated to include both 174.37.196.55 and 208.43.71.243 which apparently are being used by afraid.org to make axfr requests

Correct operation verified by updating serial on zone and observing log on ns2.afraid.org with success messages.