
#5608 BIND DNS Slave servers getting incorrect TTL value

Milestone: 2.013
Status: open
Owner: nobody
Labels: bind (4) dns (4)
Priority: 5
Updated: 2023-02-02
Created: 2023-01-27
Private: No

We have multiple DNS servers; the Master server is hidden from the Internet, so the public can only query domain information from our Slave servers. It relies on the Master server to transfer the zone details to the Slave servers, so as long as we keep our Master server intact, we don't care too much about people flooding our Slave DNS servers.

However, it means that the information transferred from the Master server has to be accurate, and that's what we checked. We have found that the SPF record is an independent setting (although it uses a TXT record) and it has a TTL.

Please check master.png, where I have set a TTL of 3600 seconds on that SPF record; but when any DNS server queries the Slave DNS servers as instructed, it gets a TTL of 600 seconds. We checked our Slave servers and they do show that the SPF record has a TTL of 600 seconds.

We have tried the following:

  • Changing the TTL to something else, including 3601 seconds (negative result: TTL didn't change)
  • Removing the SPF record and adding another one (positive result: but the TTL is still 600 seconds)
  • Removing the SPF record and checking whether the slave removes it as well (positive result)

To reproduce:

  • Use the Cluster DNS server feature by adding other Webmin servers that have BIND DNS installed

Actually, not only the SPF records are affected; all TXT records are also suffering from this issue. This problem was found when I didn't hide the value of the SPF record: Microsoft told me that there was an incorrect TTL setting on the DNS record.

Please take a look and solve it as soon as you can, thank you!

2 Attachments

Discussion

  • Jamie Cameron

    Jamie Cameron - 2023-01-28

    So the zone transfer is something that's done by BIND, not Webmin .. it just configures BIND on the slave with the master IP address.

    Can you attach the actual zone files from the master and slave systems to this bug report? I'd like to see what the TTL fields are set to ..

     
    • Akira Akiyama

      Akira Akiyama - 2023-01-30

      Hello Jamie,

      I have attached both named.conf (trimmed) and *.hosts files from both servers. Before that, I did some tweaks and found that if I remove the other TXT records from the .hosts file, the TTL is resolved and saved correctly for the SPF record.

       
      • Jamie Cameron

        Jamie Cameron - 2023-01-30

        Thanks .. but the file Slave\ Server/test.com.hosts in the ZIP doesn't appear to be a regular zone file?

         
        • Akira Akiyama

          Akira Akiyama - 2023-01-30

          Yes and I tried to open it on the Webmin slave DNS server and it returns:
          This zone is in raw binary format, and so cannot be displayed as text.

          This is due to the BIND 9 version change and to improve the performance of the slave servers by encrypting the .hosts file. However, I have managed to decrypt the file and temporarily made the zone not encrypt the .hosts file.

          You can check the decrypted file in the attachment here. We can see that it took the $ttl 300 from one of the TXT records, made it a "template", and omitted the other TTL values of the TXT records.


          And if we want to store the master file as text rather than raw binary, which needs to be decrypted, I want to suggest that you allow us to store the following under the "options" section of named.conf for the Master server:

          options { masterfile-format text; }

          and when you push/transfer the zones to the slave servers, add a line under every zone section

          zone "somedomain.net" { type slave; masterfile-format text; }

          and the slave server will store the zone files as text, just like the decrypted version in the attachment.

           
          • Jamie Cameron

            Jamie Cameron - 2023-01-31

            Ok I see what you mean now..

            Unfortunately, the records in the transferred zone file aren't under Webmin's control. It's BIND that does the zone transfer, so the TTLs it sets for those TXT records are its decision. Unless there's a BIND setting we missed that controls this?

             
  • Akira Akiyama

    Akira Akiyama - 2023-02-01

    Is there anything you can recommend that I do or ask? Are there any websites where people are familiar with the BIND DNS server? Or can I know which part of the Perl code of Webmin is in charge of the zone transfers?

     
    • Akira Akiyama

      Akira Akiyama - 2023-02-01

      I have checked the xfer-out and xfer-in records and the TTL was modified and grouped before xfer-out, which means the TTL is modified by the Master DNS.

      I tried to give every record a different TTL:

      test.com.   IN  SOA master.dns.com. abuse.dns.com. (
                  2023020113
                  600
                  300
                  1209600
                  3600 )
      test.com.   40  IN  NS  ns1.dns.com.
      test.com.   70  IN  NS  ns2.dns.com.
      ftp.test.com.   35  IN  A   192.168.8.100
      mail.test.com.  80  IN  A   192.168.8.100
      test.com.   24  IN  A   23.236.62.147
      www.test.com.   16  IN  CNAME   www193.wixdns.net.
      autodiscover.test.com.  39  IN  CNAME   autodiscover.outlook.com.
      test.com.   60  IN  MX  0 test-com.mail.protection.outlook.com.
      test.com.   721831  IN  TXT "v=spf1 include:spf.protection.outlook.com -all"
      test.com.   654321  IN  TXT "google-site-verification=z0LyqQJjbTX6D8ZsnJGGsX0_wY-o2QW_r-ocleb-Lys"
      test.com.   456789  IN  TXT "google-site-verification=IoRdEimdWuZ-6eOYkk5yQS1lKvA-_aP7Ql4wwScK2HI"
      test.com.   987654  IN  TXT "google-site-verification=b8Ryc_3pyMfS3N2-I4AF8bXHyaLd0AZJkgvG76HAxV4"
      

      and the Slave server received as

      $ORIGIN .
      $TTL 3600   ; 1 hour
      test.com        IN SOA  master.dns.com. abuse.dns.com. (
                      2023020113 ; serial
                      600        ; refresh (10 minutes)
                      300        ; retry (5 minutes)
                      1209600    ; expire (2 weeks)
                      3600       ; minimum (1 hour)
                      )
      $TTL 40 ; 40 seconds
                  NS  ns1.dns.com.
                  NS  ns2.dns.com.
      $TTL 24 ; 24 seconds
                  A   23.236.62.147
      $TTL 60 ; 1 minute
                  MX  0 test-com.mail.protection.outlook.com.
      $TTL 721831 ; 1 week 1 day 8 hours 30 minutes 31 seconds
                  TXT "v=spf1 include:spf.protection.outlook.com -all"
                  TXT "google-site-verification=z0LyqQJjbTX6D8ZsnJGGsX0_wY-o2QW_r-ocleb-Lys"
                  TXT "google-site-verification=IoRdEimdWuZ-6eOYkk5yQS1lKvA-_aP7Ql4wwScK2HI"
                  TXT "google-site-verification=b8Ryc_3pyMfS3N2-I4AF8bXHyaLd0AZJkgvG76HAxV4"
      $ORIGIN test.com.
      $TTL 39 ; 39 seconds
      autodiscover        CNAME   autodiscover.outlook.com.
      $TTL 35 ; 35 seconds
      ftp         A   192.168.8.100
      $TTL 80 ; 1 minute 20 seconds
      mail            A   192.168.8.100
      $TTL 16 ; 16 seconds
      www         CNAME   www193.wixdns.net.
      

      However, BIND DNS allows every record to have a different TTL. I don't know why it is grouped.

       
  • Jamie Cameron

    Jamie Cameron - 2023-02-02

    That's odd, it does look like the transferred zone is using the wrong TTL for a lot of records.

    This feels like a bug in BIND to me, and you should probably contact the developers about it..
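The grouping seen in the zone posted on 2023-02-01 is neither a Webmin nor a BIND bug. RFC 2181 section 5.2 requires every record of an RRset (same owner name, class and type) to carry the same TTL, and named enforces this when it loads the master file: it keeps the TTL of the first record it sees in the RRset and resets the later ones to it, logging "TTL set to prior TTL". The zone the slave receives by AXFR already has those normalised TTLs, which is why the four TXT records at test.com. all arrived with 721831 and the two NS records with 40, while the single-record RRsets kept their own values. The checker below is an added example written for this page, not Webmin's or BIND's own code; it runs over a constructed copy of the master file from that post, resolves TTLs the way named does (explicit TTL, else $TTL, else the SOA minimum, which is how the SOA ended up with 3600), and reports every RRset whose members disagree on TTL together with the value named will keep. The parser covers only the directives and record forms used in that file; $INCLUDE, $GENERATE and parentheses inside quoted rdata are not handled.

```python
# Added example for this page (not Webmin's or BIND's own code): find RRsets
# in a BIND master zone whose members carry different TTLs, which named will
# silently normalise to the first record's TTL before any AXFR to the slaves.
from collections import OrderedDict

# Constructed copy of the master zone posted in the thread on 2023-02-01.
MASTER_ZONE = """\
test.com.   IN  SOA master.dns.com. abuse.dns.com. (
            2023020113
            600
            300
            1209600
            3600 )
test.com.   40  IN  NS  ns1.dns.com.
test.com.   70  IN  NS  ns2.dns.com.
ftp.test.com.   35  IN  A   192.168.8.100
mail.test.com.  80  IN  A   192.168.8.100
test.com.   24  IN  A   23.236.62.147
www.test.com.   16  IN  CNAME   www193.wixdns.net.
autodiscover.test.com.  39  IN  CNAME   autodiscover.outlook.com.
test.com.   60  IN  MX  0 test-com.mail.protection.outlook.com.
test.com.   721831  IN  TXT "v=spf1 include:spf.protection.outlook.com -all"
test.com.   654321  IN  TXT "google-site-verification=z0LyqQJjbTX6D8ZsnJGGsX0_wY-o2QW_r-ocleb-Lys"
test.com.   456789  IN  TXT "google-site-verification=IoRdEimdWuZ-6eOYkk5yQS1lKvA-_aP7Ql4wwScK2HI"
test.com.   987654  IN  TXT "google-site-verification=b8Ryc_3pyMfS3N2-I4AF8bXHyaLd0AZJkgvG76HAxV4"
"""

CLASSES = {"IN", "CH", "HS", "CS"}


def _strip_comment(line):
    """Drop a ';' comment, ignoring ';' inside quoted rdata such as TXT."""
    quoted = False
    for i, ch in enumerate(line):
        if ch == '"':
            quoted = not quoted
        elif ch == ";" and not quoted:
            return line[:i]
    return line


def _logical_lines(text):
    """Yield logical lines, folding '( ... )' continuations (the SOA) into one."""
    buf, depth = [], 0
    for raw in text.splitlines():
        line = _strip_comment(raw).rstrip()
        if not line.strip():
            continue
        depth += line.count("(") - line.count(")")  # parens in quoted rdata not handled
        buf.append(line)
        if depth == 0:
            yield " ".join(buf).replace("(", " ").replace(")", " ")
            buf = []


def _qualify(name, origin):
    """Turn '@' and relative names into absolute owner names."""
    if name == "@":
        return origin
    if name.endswith(".") or origin is None:
        return name
    return name + "." + origin


def parse_zone(text, origin=None):
    """Return [(owner, ttl, rtype, rdata)] with TTLs resolved the way named does:
    explicit TTL, else the current $TTL, else the SOA minimum (RFC 2308 section 4)."""
    default_ttl = soa_minimum = None
    last_owner = None
    records = []
    for line in _logical_lines(text):
        if line.startswith("$TTL"):
            default_ttl = int(line.split()[1])
            continue
        if line.startswith("$ORIGIN"):
            origin = line.split()[1]
            continue
        if line.startswith("$"):
            continue  # $INCLUDE / $GENERATE are outside this example
        tokens = line.split()
        if line[0].isspace():
            owner = last_owner  # blank owner field repeats the previous owner
        else:
            owner = _qualify(tokens.pop(0), origin)
        last_owner = owner
        ttl = None
        for _ in range(2):  # TTL and class are optional and may come in either order
            if tokens and tokens[0].isdigit() and ttl is None:
                ttl = int(tokens.pop(0))
            elif tokens and tokens[0].upper() in CLASSES:
                tokens.pop(0)
        rtype = tokens.pop(0).upper()
        rdata = " ".join(tokens)
        if rtype == "SOA":
            soa_minimum = int(tokens[-1])
        if ttl is None:
            ttl = default_ttl if default_ttl is not None else soa_minimum
        records.append((owner, ttl, rtype, rdata))
    return records


def rrset_ttls(records):
    """Group records into RRsets: (owner, type) -> list of TTLs as written."""
    groups = OrderedDict()
    for owner, ttl, rtype, _ in records:
        groups.setdefault((owner.lower(), rtype), []).append(ttl)
    return groups


def ttl_findings(records):
    """RRsets whose members disagree on TTL, paired with the TTL named keeps:
    the first record's, every later member being reset to it on load."""
    return {k: (ttls, ttls[0]) for k, ttls in rrset_ttls(records).items()
            if len(set(ttls)) > 1}


def main():
    records = parse_zone(MASTER_ZONE)
    for (owner, rtype), (ttls, kept) in ttl_findings(records).items():
        print(f"{owner} {rtype}: TTLs {ttls} differ; named keeps {kept} for the whole RRset")


if __name__ == "__main__":
    main()
```

Running `named-checkzone test.com test.com.hosts` on the master reports the same "TTL set to prior TTL" warnings before the zone is ever loaded, so the fix is to give all records of an RRset (here the four TXT records at the apex) the TTL you actually want served, rather than to look for a transfer option. One caveat on the attachments discussion: BIND's raw master-file format is a binary serialisation for faster loading, not encryption; `named-compilezone -f raw -F text -o test.com.txt test.com test.com.hosts` converts such a file back to text without changing the slave's configuration.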

     

