Decrementing Your Zone Serial

Categories: DNS

How to lower the zone serial in Secondary DNS

The Problem

When using the Secondary DNS service, your most recent zone serial may end up lower than the zone serial currently held on our nameservers. For example, if your zone serial uses a timestamp format, such as 2007103101, and you change to a Unix epoch-based format, such as 1193788800, the new serial is much lower than the old serial. Because secondary nameservers will only transfer zones with a higher serial, our nameservers will not retrieve the new zone file. Furthermore, due to the nature of secondary nameservers, it is not possible to simply decrement their stored zone serials to match the desired value.

The Solution

Example

1. Current serial: 2007103101
   New serial: 1193788800
   2007103101 + 2147483647 = 4154586748
2. Change serial to 4154586748, reload, transfer
3. Change serial to 1193788800, reload, transfer
4. New serial in Secondary DNS is 1193788800

Fortunately, the solution is relatively simple. Please follow these steps to decrement your zone serial in Secondary DNS:

  1. Check the current zone serial in use by the Secondary DNS service. This can be done with a simple dig command like so:
    ~$ dig domain.com soa +short @ns2.mydyndns.org
    ns1.domain.com. zone-admin.domain.com. 2007103101 10800 1800 604800 1800
  2. Take this value and add 2147483647. Increment your zone serial to this number, restart BIND, and wait for our nameservers to load the new zone (again by using a dig command to check the SOA at each server).
  3. Once all of our Secondary DNS nameservers have incremented the zone to this new value, update your zone serial using the desired, lower value, restart BIND, and wait for our servers to pick up this new value.
  4. Our Secondary DNS nameservers will retrieve the new zone with the lower serial.

The Explanation

For a more in-depth explanation of how and why this works, here is an excerpt from Zytrax.com's article on the subject:

"The SOA serial number is an unsigned 32-bit field with a maximum value of 2**31, which gives a range of 0 to 4294967295, but the maximum increment to such a number is 2**(31 - 1) or 2147483647, [as] incrementing the number by the maximum would give the same number. Using the maximum increment, the serial number fix is a two-step process. First, add 2147483647 to the erroneous value, for example, 2008022800 + 2147483647 = 4155506447, restart BIND or reload the zone, and make absolutely sure the zone has transferred to all the slave servers. Second, set the SOA serial number for the zone to the correct value and restart BIND or reload the zone again. The zone will transfer to the slave because the serial number has wrapped through zero and is greater than the previous value of 4155506447! RFC 1982 contains all the gruesome details of serial number comparison algorithms if you are curious about such things."
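The following Python sketch is an added example, not part of the original article or the Zytrax excerpt. It applies the RFC 1982 comparison to the serial taken from the `dig` output in step 1 and lists the serials to publish in order. It goes slightly beyond the two-step case above by adding a further intermediate hop when one is needed (for instance, when the desired serial is exactly one lower than the current one). The function names are assumptions made for illustration.

```python
# Added example (not from the original article): RFC 1982 serial arithmetic
# for 32-bit SOA serials, used to plan the serial changes described above.
MOD = 2 ** 32
MAX_INCREMENT = 2 ** 31 - 1  # 2147483647, the value the article adds


def serial_from_soa(line: str) -> int:
    """Extract the serial (third field) from `dig +short soa` output."""
    fields = line.split()
    if len(fields) != 7:
        raise ValueError(f"expected 7 SOA fields, got {len(fields)}")
    return int(fields[2])


def is_newer(candidate: int, held: int) -> bool:
    """True if a secondary holding `held` accepts `candidate` as newer."""
    diff = (candidate - held) % MOD
    # diff == 2**31 is undefined in RFC 1982; treat it as not newer.
    return 0 < diff < 2 ** 31


def plan_serials(current: int, desired: int) -> list:
    """Serials to publish in order; wait for every secondary between each."""
    for value in (current, desired):
        if not 0 <= value < MOD:
            raise ValueError(f"serial {value} is outside 0..{MOD - 1}")
    steps = []
    held = current
    while held != desired and not is_newer(desired, held):
        held = (held + MAX_INCREMENT) % MOD  # largest jump still seen as newer
        steps.append(held)
    if held != desired:
        steps.append(desired)
    return steps


if __name__ == "__main__":
    # Constructed sample: the SOA line shown in step 1 of the article.
    soa = "ns1.domain.com. zone-admin.domain.com. 2007103101 10800 1800 604800 1800"
    print(plan_serials(serial_from_soa(soa), 1193788800))
```

Each serial in the returned list must be confirmed on every secondary (with the `dig` check from step 1) before the next one is published.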

Alternatives

If your zone serial is lower than the desired serial, it is possible for our sysadmins to flush the zone from our servers and reload the most recent available from your primary. If you wish for us to do this, please purchase a Premier Support case for each zone you need to decrement and contact our support team to request this action. (Do not open the case, as this will be resolved during the course of the operation.)