DNS Cluster - unexpected sync between web hosts

[MHFraser]

Hi Everyone,
I'm a bit confused about how mu DNS cluster is behaving in regards to sync zone files.
I have been using this page as a reference https://support.cpanel.net/hc/en-us/articles/360053742353-cPanel-DNS-Cluster-Guide

I have had a cpanel server sync to a dns cluster for some time like this:

webserver1.host
↳ dnsonly1.host
↳ dnsonly2.host
↳ dnsonly3.host

* Each dnsonly host is added with sync role
* reverse relationship is set as standalone back to the WebHost (confirmed by checking /var/cpanel/cluster/root/config)
* dns clustering is not enabled on the dnsonly servers

Things went awry when I added a second web server like this

webserver2.host
↳ dnsonly1.host
↳ dnsonly2.host
↳ dnsonly3.host

again
* Each dnsonly host is added with sync role
* reverse relationship is set as standalone back to the WebHost (confirmed by checking /var/cpanel/cluster/root/config)
* dns clustering is not enabled on the dnsonly servers
* new api keys were created

When I did this all zones files on the cluster were synced with both web hosts. (webhost2 has all webhost1 zones and vice versa). this is not supposed to happen!

I cannot find a log that explains why zones are getting pushed up to the WebHost from the cluster.

The Reverse Trust relationships (** See below) prevent Webserver-01 from creating/editing a zone that already exists on Webserver-02 and vice-versa.

When ServerA has a synchronize relationship configured to ServerB, and ServerB also has a synchronize relationship configured back to ServerA. This is not ideal because zones will be distributed out to WHM servers that do not own those zones in a multi WHM cluster. While technically not a problem, managing these zones properly can quickly become confusing, and can easily result in problems from user error due to the complexity of the setup.

 

[cPRex]

Hey there! It sounds like you have everything configured properly on all the machines, so I wouldn't expect that to happen. However, instead of "sync" you could use "write only" to ensure things only get moved in one direction.

If you'd like us to take a look, this issue would likely be better addressed through a ticket so we can see the configuration of all the moving parts at once.

 

[MHFraser]

Hi cPRex,

I did a lot more investigation and came to the conclusion that some dns functions in WMH do not just look at the local name.conf file for local zones but rather seem to be grabbing a list of the zones off the cluster. I didn't delve into code to prove this though.

It was most apparent with web server 2 (the new one) as some DNS management pages show 200+ domains (eg DNS zone manager) and others showed 2 - the host had 2 zones in the named.conf. The pages showing 200+ let me do what I wanted to the other hosts domains & those changes did flow back up to the other host (in theory not possible with a sync<->standalone setup)

I trialed some different scenarios and ended up deciding that it wasn't for me and have moved to 'write only' mode and now each server can only see its own zones which I am happy with.

I noticed a subtly on this page that I think needs to be made clearer

DNS Zone Manager | cPanel & WHM Documentation

This feature allows you to edit the records in a domain's DNS zone file.

docs.cpanel.net

DNS zones that reside on other Write-only DNS servers in a DNS cluster do not appear in this interface.

ie the implication being that DNS zones that reside on other types of dns cluster members do show up.

I can see the benefit in being able to manage zones on a cluster directly without having to remember what web server is ultimately responsible for them but would like to see a toggle that switches between 'Local' and 'Cluster' on pages like the DNS zone manager so I know what the context is.

anyway I'm happy with the write only setup, just need to make sure zones are unique to a web host.

cheers,
F

 

[cPRex]

I'm glad you found a workable solution. I believe if the issue you experienced didn't happen, those zones wouldn't show up, which would make that toggle you mention useless, if I'm understanding the situation correctly. It still might be worth submitting a ticket to our team if you'd like to us to research why this happened.