Rate-limiters for authoritative zone propagation
12 Oct 2021

Article Summary

Please ensure that you are running an up-to-date version of BIND 9.
Visit https://www.isc.org/downloads to verify that you are running a supported version of BIND 9.

This article applies to all versions of BIND from 9.11.0 onward and supersedes an older document in which we explained how these rate-limiting options evolved: "serial-query-rate, notify-rate and startup-notify-rate: how they impact zone transfers in different versions of BIND".

Along with other options for preventing too many concurrent zone updates, BIND provides three independent rate-limiters for the inter-server communications used to automatically trigger zone refreshes. These are notify messages (sent by authoritative servers that provide outbound zone transfers) and refresh queries (sent by authoritative servers that may, depending on the responses they receive, request inbound zone transfers).

serial-query-rate (default 20) controls the rate of zone refresh (SOA) queries when many zones hosted by the server need to confirm that they are serving the most current version available.

notify-rate (default 20) controls the rate of normal notifies (those sent out by the server when a zone has been updated).

startup-notify-rate allows the administrator to independently configure the rate at which notifies are sent out after a restart or reload.

Why does named provide an independent option for rate-limiting start-up notifies?

named will, after loading the zone files, send out notifications for all of them. This is because, although the human DNS administrator may know that nothing has changed in the zone data, named itself does not know this. With a backlog of start-up notifies intermingled with normal zone updates, it could otherwise take some time for zone updates that occurred soon after restarting to propagate to the secondaries.

Although all of the above limits are expressed as a per-second rate, it is the actions that are being limited, not the network packets needed to complete the action. So, for example, in the case of a zone refresh there may be multiple queries sent as named retries when no response is received, or tries different authoritative servers.

In the past, BIND 9 managed notifies and SOA refresh queries in a single queue (which sometimes caused problems for secondaries that are also primaries for other servers). This has been remedied in all up-to-date BIND versions by creating and maintaining separate queues, along with separate rate-limiting options.

For all three of these, the default limit remains at 20, which may be too low for many production environments. Administrators are however encouraged to increase the values of serial-query-rate and notify-rate gradually to find the levels that meet their production environment's requirements. For more advice on tuning configurations for high-volume propagation of zone updates, we recommend: "Tuning your BIND configuration effectively for zone transfers (particularly with many frequently-updated zones)".

Other administrators may wish to disable start-up notifies entirely. This is currently not possible, but a startup-notify-rate of 1 (a setting of 0 will be silently increased to 1) will slow the rate of these notifications to an insignificant trickle. They will also, in any case, be removed from the start-up notify queue if their zone is updated as part of regular zone maintenance.

In addition, standard notifies always take precedence over server start-up notifies.
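To make the queueing rules described above concrete (separate queues, a startup-notify-rate of 0 raised to 1, pending start-up notifies dropped when the zone is updated, and standard notifies taking precedence), here is an added, simplified Python model of that behaviour. It is an illustration written for this article, not named's own scheduler; the class and method names are assumptions, and each tick() call stands in for one second of notify sending.

```python
from collections import deque


def effective_startup_notify_rate(configured: int) -> int:
    """named silently raises a startup-notify-rate of 0 to 1 (as the article states)."""
    return max(1, configured)


class NotifyScheduler:
    """Toy model of two notify queues with independent per-second rate limits.

    Assumption: within one second, normal notifies are always drained first
    (standard notifies take precedence over start-up notifies).
    """

    def __init__(self, notify_rate: int = 20, startup_notify_rate: int = 20):
        self.notify_rate = notify_rate
        self.startup_notify_rate = effective_startup_notify_rate(startup_notify_rate)
        self.normal = deque()   # notifies for zones updated during normal operation
        self.startup = deque()  # notifies queued for every zone at load time

    def load_zones(self, zones):
        # After a restart/reload, named queues a start-up notify for every loaded zone.
        self.startup.extend(zones)

    def zone_updated(self, zone: str):
        # A regular update queues a normal notify and removes any pending
        # start-up notify for the same zone (it is now redundant).
        if zone in self.startup:
            self.startup.remove(zone)
        self.normal.append(zone)

    def tick(self):
        """Send up to one second's worth of notifies; returns (kind, zone) pairs."""
        sent = []
        for _ in range(self.notify_rate):
            if not self.normal:
                break
            sent.append(("notify", self.normal.popleft()))
        for _ in range(self.startup_notify_rate):
            if not self.startup:
                break
            sent.append(("startup-notify", self.startup.popleft()))
        return sent


def run_example():
    # Constructed scenario: three zones loaded, startup-notify-rate 0 (raised to 1),
    # and one zone updated before the first second elapses.
    s = NotifyScheduler(notify_rate=20, startup_notify_rate=0)
    s.load_zones(["a.example", "b.example", "c.example"])
    s.zone_updated("b.example")
    return [s.tick() for _ in range(3)]
```

Running run_example() yields the normal notify for b.example first, then one start-up notify per second for the remaining zones, with b.example never sent twice.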