Zone Expiry of Secondary Zones¶
NSD will keep track of the status of secondary zones, according to the timing values in the SOA record for the zone. When the refresh time of a zone is reached, the serial number is checked and a zone transfer is started if the zone has changed. Each primary server is tried in turn.
Primary zones cannot expire so they are always served. Zones are interpreted
as primary zones if they have no request-xfr:
statements in the config file.
After the expire timeout (from the SOA record at the zone apex) is reached, the
zone becomes expired. NSD will return SERVFAIL
for expired zones, and will
attempt to perform a zone transfer from any of the primaries. After a zone
transfer succeeds, or if the primary indicates that the SOA serial number is
still the same, the zone returns to an operational state.
In contrast with e.g. BIND, the inception time for a secondary zone is stored on
disk (in xfrdfile: "xfrd.state"
), together with timeouts. If a secondary
zone acquisition time is recent enough, NSD can start serving a
zone immediately on loading, without querying the primary server.
If a secondary zone has expired and no primaries can be reached, but NSD
should still serve the zone, delete the xfrd.state
file, but leave the zone file for the zone intact. Make sure to stop NSD before
you delete the file, as NSD writes it on exit. Upon loading NSD will treat the
zone file that you as operator have provided as recent and will serve the zone.
Even though NSD will start to serve the zone immediately, the zone will expire
after the timeout is reached again. NSD will also attempt to confirm that you
have provided the correct data by polling the primaries. So when the primary
servers come back up, it will transfer the updated zone within <retry timeout
from SOA> seconds.
It is possible to provide zone files for both primary and secondary
zones via alternative means (say from email or rsync). Reload with SIGHUP or
nsd-control reload to read the new zone file contents into the name
database. When this is done the new zone will be served. For primary zones, NSD
will issue notifications to all configured notify:
targets. For secondary
zones the above happens; NSD attempts to validate the zone from the primary
(checking its SOA serial number).