Recommended zonefile-sync: -1 zonefile-load: difference journal-content: changes configuration broken knot autoincrements and NOTIFYies SOA on reload, even if SOA in zone file unchanged
I have my zones configured with
zonefile-sync: -1
zonefile-load: difference
journal-content: changes
this is recommended by https://www.knot-dns.cz/docs/3.3/singlehtml/#example-3 for my configuration (me and my users want our pretty zone files!).
However, since the upgrade to 3.3.0, if the on-disk state changes and a reload is triggered via SIGUSR1 for the second time, knot automatically bumps the serial and triggers NOTIFYies, even if the serial is the same.
Yes, this happens on the second reload only, for some reason.
Consider this shell transcript (debug log catted in the background); starting off with a normally-loaded zone with serial 1693789777:
$ echo '_test._test IN TXT test' >> nabijaczleweli.xyz.zone
$ sudo kill -USR1 "$pid"
$ 2023-09-04T03:10:02+0200 warning: [nabijaczleweli.xyz.] check, node nabijaczleweli.xyz., missing NS at the zone apex
2023-09-04T03:10:02+0200 info: [nabijaczleweli.xyz.] zone file parsed, serial 1693789777
2023-09-04T03:10:02+0200 info: [nabijaczleweli.xyz.] loaded, serial 1693789777 -> 1693789777, 2686 bytes
$ echo '_test._test IN TXT test' >> nabijaczleweli.xyz.zone
$ sudo kill -USR1 "$pid"
2023-09-04T03:10:21+0200 warning: [nabijaczleweli.xyz.] check, node nabijaczleweli.xyz., missing NS at the zone apex
2023-09-04T03:10:21+0200 info: [nabijaczleweli.xyz.] zone file parsed, serial 1693789777
2023-09-04T03:10:21+0200 info: [nabijaczleweli.xyz.] changes from journal applied, serial 1693789777 -> 1693789778
2023-09-04T03:10:21+0200 info: [nabijaczleweli.xyz.] loaded, serial 1693789778 -> 1693789778, 2686 bytes
2023-09-04T03:10:21+0200 info: [nabijaczleweli.xyz.] notify, outgoing, remote 213.239.242.238@53 TCP, serial 1693789778
2023-09-04T03:10:22+0200 debug: [nabijaczleweli.xyz.] ACL, allowed, action transfer, remote 213.239.242.238@45147
2023-09-04T03:10:22+0200 info: [nabijaczleweli.xyz.] IXFR, outgoing, remote 213.239.242.238@45147 TCP, started, serial 1693789777 -> 1693789778
2023-09-04T03:10:22+0200 info: [nabijaczleweli.xyz.] IXFR, outgoing, remote 213.239.242.238@45147 TCP, finished, 0.00 seconds, 1 messages, 293 bytes
As you can see, after the second dirty reload, knot automatically bumped the serial and notified the secondaries! And indeed,
$ dig axfr @ns nabijaczleweli.xyz
nabijaczleweli.xyz. 3600 IN SOA ns.nabijaczleweli.xyz. nabijaczleweli/ns.nabijaczleweli.xyz. 1693789778 86400 2400 604800 3600
_test._test.nabijaczleweli.xyz. 3600 IN TXT "test"
This makes staging changes impossible, since knot will automatically decide to publish a zone you haven't finished editing.
I see some new serial-related config keys, so I want to blame that.
AIUI, example 4, i.e.
zonefile-sync: -1
zonefile-load: difference-no-serial
journal-content: all
is what I'd need to configure if I wanted this behaviour. But I don't :/
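A log check for the symptom reported above, as an added example that is not part of the original report or of Knot's own code: it flags every reload where the serial knot ends up loading differs from the serial it had just parsed from the zone file, and lists the secondaries that were notified with that serial. The function name and the regexes are assumptions derived only from the log lines quoted in the transcript; the sample input is copied from that transcript.

```python
import re

# Sample input: the info-level lines from the transcript in the report above.
SAMPLE_LOG = """\
2023-09-04T03:10:02+0200 info: [nabijaczleweli.xyz.] zone file parsed, serial 1693789777
2023-09-04T03:10:02+0200 info: [nabijaczleweli.xyz.] loaded, serial 1693789777 -> 1693789777, 2686 bytes
2023-09-04T03:10:21+0200 info: [nabijaczleweli.xyz.] zone file parsed, serial 1693789777
2023-09-04T03:10:21+0200 info: [nabijaczleweli.xyz.] changes from journal applied, serial 1693789777 -> 1693789778
2023-09-04T03:10:21+0200 info: [nabijaczleweli.xyz.] loaded, serial 1693789778 -> 1693789778, 2686 bytes
2023-09-04T03:10:21+0200 info: [nabijaczleweli.xyz.] notify, outgoing, remote 213.239.242.238@53 TCP, serial 1693789778
"""

LINE = re.compile(r"^(\S+) (\w+): \[([^\]]+)\] (.*)$")
PARSED = re.compile(r"^zone file parsed, serial (\d+)")
LOADED = re.compile(r"^loaded, serial \d+ -> (\d+)")
NOTIFY = re.compile(r"^notify, outgoing, remote (\S+) .*serial (\d+)")

def find_unrequested_bumps(log_text):
    """Return reloads whose loaded serial is not the serial in the zone file."""
    file_serial = {}   # zone -> serial last read from the zone file
    open_finding = {}  # zone -> latest finding, so NOTIFY targets can be attached
    findings = []
    for raw in log_text.splitlines():
        m = LINE.match(raw.lstrip("$ "))  # tolerate a shell prompt before the line
        if not m:
            continue
        when, _level, zone, msg = m.groups()
        if p := PARSED.match(msg):
            file_serial[zone] = int(p.group(1))
            open_finding.pop(zone, None)  # a new reload starts here
        elif l := LOADED.match(msg):
            loaded = int(l.group(1))
            if zone in file_serial and loaded != file_serial[zone]:
                f = {"zone": zone, "time": when, "file_serial": file_serial[zone],
                     "loaded_serial": loaded, "notified": []}
                findings.append(f)
                open_finding[zone] = f
        elif n := NOTIFY.match(msg):
            f = open_finding.get(zone)
            if f and int(n.group(2)) == f["loaded_serial"]:
                f["notified"].append(n.group(1))
    return findings

if __name__ == "__main__":
    for finding in find_unrequested_bumps(SAMPLE_LOG):
        print(finding)
```

The check only makes sense for zones where the operator owns the serial, as with `zonefile-load: difference`; with `difference-no-serial` the server is expected to choose the serial and every reload would be flagged.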