Implement DNS notify (sending DNS notify messages) on applying zone file changes


#1

Setup
Having a Peplink Balance 310v2 running firmware 5.3.12 build 1150 configured as hidden primary DNS server, and three slave BIND 9 DNS servers. This setup results in the fastest DNS query resolution because DNS queries are sent to the co-located (and fibre-connected) BIND machines, which have a 20 to 40 msec lower ping time than the ADSL/VDSL connections to the Balance DNS server. The zone file SOA Refresh is set to 86400 (sec), as is the RIPE recommended value (http://www.ripe.net/ripe/docs/ripe-203).

Result
After “Applying changes” on the Peplink, it takes up to 24 hours before each DNS slave has propagated the changes.

Why?
Because the authoritative DNS server on the Peplink device does not send out DNS NOTIFY messages. Modern DNS software implements NOTIFY [RFC 1996], which reduces the need for frequent SOA checks.
RFC 1996 was published almost 16 years ago, in August 1996.

Request
After “Applying changes” on the Peplink, and in case there are changes in any zone files (changed serial number), for each changed zone file send a “DNS notify packet” to each IP address listed under “Zone Transfer”.

Result
Almost instantaneous zone file updates on the slave servers after editing the zone on the Peplink device.

Sample code
Like the script below does for a djbdns/tinydns server (script source: http://tinydns.org/dnsnotify).


#!/usr/bin/perl -w
# usage:   dnsnotify zone slave [slave ...]
# example: dnsnotify example.org 1.2.3.4 1.2.3.5

use strict;
use Net::DNS;

my $zone   = shift or die "usage: dnsnotify zone slave [slave ...]\n";
my @slaves = @ARGV;   # IP addresses of the slave (secondary) servers to notify

my $res = Net::DNS::Resolver->new;

foreach my $ns (@slaves) {
	# A NOTIFY is an ordinary DNS message whose question is the zone's SOA
	my $packet = Net::DNS::Packet->new($zone, "SOA", "IN");
	die "cannot build packet for $zone" unless defined $packet;

	# RFC 1996: opcode NOTIFY, AA set, RD clear
	$packet->header->opcode("NS_NOTIFY_OP");
	$packet->header->rd(0);
	$packet->header->aa(1);

	$res->nameservers($ns);

	# Prints outgoing packet - the NOTIFY
	# $packet->print;

	my $reply = $res->send($packet);

	if (defined $reply) {
		print "Received NOTIFY answer from " . $reply->answerfrom
		    . " (rcode " . $reply->header->rcode . ")\n";
		# Print received packet - the answer
		# $reply->print;
	} else {
		warn "\$res->send indicates NOTIFY error for $ns\n";
	}
}

exit 0;
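The Perl script above leaves the wire format to Net::DNS. The following is an added example (not the tinydns script and not Peplink firmware code) that builds the RFC 1996 NOTIFY message by hand, validates the slave's reply against the request, and applies the slave-selection rule agreed later in the thread (NS hosts minus the Peplink's own addresses, restricted to the zone-transfer list). Only the Python standard library is used; the zone name, IP addresses and the sample reply are constructed for illustration, and send_notify() assumes IPv4 UDP on port 53.

```python
"""Build, send and validate RFC 1996 DNS NOTIFY messages (stdlib only).
Added example; not the Perl script above and not Peplink firmware code."""
import secrets
import socket
import struct

OPCODE_NOTIFY = 4      # RFC 1996 section 3.7: opcode 4 identifies NOTIFY
QTYPE_SOA = 6
QCLASS_IN = 1
FLAG_QR = 0x8000       # response bit
FLAG_AA = 0x0400       # authoritative answer bit, set in a NOTIFY request


def encode_name(name):
    """Encode a dotted zone name in uncompressed DNS wire format."""
    out = b""
    for label in name.rstrip(".").split("."):
        if not 0 < len(label) < 64:
            raise ValueError("invalid label %r in %r" % (label, name))
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def decode_name(data, offset):
    """Decode a (possibly compressed) name; return (name, offset after it)."""
    labels, end, jumped = [], None, False
    while True:
        length = data[offset]
        if length & 0xC0 == 0xC0:                       # compression pointer
            if not jumped:
                end = offset + 2
            offset = struct.unpack("!H", data[offset:offset + 2])[0] & 0x3FFF
            jumped = True
            continue
        offset += 1
        if length == 0:
            break
        labels.append(data[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels) + ".", end if end is not None else offset


def build_notify(zone, msg_id):
    """NOTIFY request: QR=0, OPCODE=4, AA=1, RD=0, one SOA question, no answer."""
    flags = (OPCODE_NOTIFY << 11) | FLAG_AA
    header = struct.pack("!HHHHHH", msg_id, flags, 1, 0, 0, 0)
    return header + encode_name(zone) + struct.pack("!HH", QTYPE_SOA, QCLASS_IN)


def check_notify_reply(request, reply):
    """Validate a NOTIFY response against the request it answers; return (ok, reason)."""
    req_id = struct.unpack("!H", request[:2])[0]
    if len(reply) < 12:
        return False, "short reply"
    rid, flags, qdcount = struct.unpack("!HHH", reply[:6])
    if rid != req_id:
        return False, "id mismatch"
    if not flags & FLAG_QR:
        return False, "QR not set"
    if (flags >> 11) & 0xF != OPCODE_NOTIFY:
        return False, "opcode is not NOTIFY"
    rcode = flags & 0xF
    if rcode != 0:                                      # e.g. 5 = REFUSED
        return False, "rcode %d" % rcode
    if qdcount != 1:
        return False, "question not echoed"
    name, off = decode_name(reply, 12)
    qtype, qclass = struct.unpack("!HH", reply[off:off + 4])
    req_name, _ = decode_name(request, 12)
    if (name, qtype, qclass) != (req_name, QTYPE_SOA, QCLASS_IN):
        return False, "question differs from request"
    return True, "ok"


def notify_targets(ns_addresses, own_addresses, allowed_transfer):
    """Slave set as agreed in posts #6 and #8: NS hosts minus the primary's own
    addresses, restricted to addresses permitted to do zone transfers."""
    return sorted((set(ns_addresses) - set(own_addresses)) & set(allowed_transfer))


def send_notify(zone, slave_ip, port=53, timeout=2.0):
    """Send one NOTIFY over IPv4 UDP and validate the reply (network I/O)."""
    request = build_notify(zone, secrets.randbelow(65536))
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(request, (slave_ip, port))
        try:
            reply, _ = sock.recvfrom(512)
        except socket.timeout:
            return False, "timeout"
    return check_notify_reply(request, reply)


def constructed_reply(request, rcode=0):
    """Constructed sample reply for offline use: echoes id and question, sets QR."""
    msg_id, flags, qd = struct.unpack("!HHH", request[:6])
    _, off = decode_name(request, 12)
    header = struct.pack("!HHHHHH", msg_id, flags | FLAG_QR | rcode, qd, 0, 0, 0)
    return header + request[12:off + 4]


if __name__ == "__main__":
    req = build_notify("example.org", 0x1234)          # constructed zone name
    print(req.hex())
    print(check_notify_reply(req, constructed_reply(req)))
    print(notify_targets(["192.0.2.1", "192.0.2.2", "198.51.100.7"],
                         ["198.51.100.7"], ["192.0.2.1", "192.0.2.2"]))
```

Two practitioner caveats the thread does not spell out. First, the reply only acknowledges receipt; the slave then queries the SOA and, if the serial has grown, pulls the zone with AXFR/IXFR from its configured masters, so an acknowledged NOTIFY still depends on the transfer ACL being right. Second, a NOTIFY is unauthenticated unless signed with TSIG, so a slave should accept it only from its configured masters (in BIND, the allow-notify option) to keep an attacker from triggering transfer traffic at will.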


#2

An additional advantage of having DNS NOTIFY [RFC 1996] support is that Peplink Balance WAN links no longer need external dependencies, such as third-party DDNS (dynamic DNS) providers like changeip.com, dyndns.org, no-ip.com or tzo.org. These dynamic DNS providers are becoming more annoying every year. They make you jump over hurdles and through more and more hoops to create a free account, and these free accounts are more and more limited.

When there is DNS NOTIFY support built into the Peplink, it should also be able to do a dynamic DNS update on a WAN IP change to its internal authoritative DNS server, which as a result triggers a NOTIFY to the IP addresses that are allowed for zone transfers.

This way the co-located authoritative DNS servers with fixed IP addresses are almost immediately notified of IP changes on the WAN link (faster), with fewer dependencies on third parties (trust), and the TLD can be restricted to the one used for the Peplink device (not limited to the TLDs offered by the DDNS provider).


#3

When not having fixed IP addresses (or external authoritative DNS servers/service), and you want to use the Peplink Balance as authoritative DNS server with dynamically assigned IP addresses on its WAN links, it would also be nice if the Peplink would update the NS glue records at the domain name registry via EPP (Extensible Provisioning Protocol).


#4

Thanks for your suggestion and the use cases! It does make sense. We will implement DNS notify in the coming firmware. A DNS notify will be sent to a zone’s slave servers immediately whenever a change is made to a zone (e.g. for zone setting change, WAN IP address/status change, etc.).

FYI, the existing firmware already can update its own zone records for any WAN IP/status change. The serial number could also increase accordingly.

To my knowledge, EPP is typically used between registrars and is for changing a zone from one registrar to another. Could you give us some pointers for how some common registrars allow their customers to use EPP to update NS records?

Thanks,
Michael


#5

Thanks. How will zone’s slave servers be determined?

You are right, thanks for pointing me into this direction.

Indeed, this EPP idea might not reach a broad audience, as we are a registrar and most of Peplink’s customers will not be.


#6

A zone’s slave servers are those on the NS record list excluding the IP address(es) that the Peplink’s DNS server is listening on.


#7

I would say that is OK, but even the IPs which are not listed under “DNS Settings > Zone Transfer” can be excluded.
What purpose is it to NOTIFY a host which is not allowed to do a “Zone Transfer” when settings are changed?
Or isn’t this a correct assumption?


#8

Yes, your assumption is correct. IPs which are not listed under “DNS Settings > Zone Transfer” will be excluded too. Thanks for your suggestion.


#9

Is there already beta firmware available for trying an implemented “sending DNS notify messages on applying zone file changes” feature request on Balance310v2?


#10

The feature request is already in our pipeline. When a beta firmware is available, we will let you know.


#11

It is almost end of September and there is still a need for DNS notify.


#12

We have not forgotten. :) But we need to postpone the release to the end of October. We will let you know when it is ready.


#13

So “DNS notify” is not yet implemented in firmware release version 5.4.6


#14

Chiming in that this feature is still requested. We of course have secondary DNS servers and without notify we have to have a super low refresh interval on them in order to keep pace with the changes the Balance may make in response to link down events.


#15

Hi - Was DNS notify capability added to Peplink?
Thanks
Dana


#16

Hi,

The DNS Notify feature has been rescheduled for firmware version 6.3.x and will tentatively be available next year.

Thank You


#17

Hi All,

Just to update: the requested feature (Zone Transfer - DNS Notify Message) is ready in firmware 6.3.0 and above. DNS secondary servers will be notified whenever the primary DNS server has changes.

DNS Notify messages will be sent based on the “Allowed Clients” list.

For more information, please refer to the attached screenshot.


Thank You


#18

Thanks for this, it’s been a long time coming. Now if I could only upgrade my 1350 HW1 to 6.3…