Help needed tying second nameserver to different IP

Strator

Hi all - it's THAT time of the year again. To point a German domain to my server, I need to briefly assign a second IP to my other nameserver (if both nameservers point to the same IP, the update will fail).

I've done this idiotic exercise multiple times with the old DirectAdmin interface, but after being forced to switch to the new layout, I am stuck this time. Completely.

What I did is I tried to use the "IP Management" and "Nameservers" buttons on the main page. I thought I was successful, but after two days waiting for propagation, I ran "host ns2.mydomain.com" on my server and it seems the change didn't work at all.

Now I tried to change things up, only to make it even worse: It seems like this part of Evo/Directadmin is bug-ridden. After clicking on "Clear NS" I can do nothing to set up the second nameserver again. To delete the entry, I need to "free" it first, that however doesn't work because directadmin tells me the IP isn't tied to my reseller account (even though it is). The "remove from reseller" option has no effect, however, so it seems obvious that "assign" doesn't work properly either (hence the error).

I'm quite desperate because the site MUST go online by Tuesday, but with all these issues I just can't see this happening.

Thanks!
 
This is all very weird. After logging out and in again, I was finally able to unassign my reseller account. Deleted the entry for the IP and tried again. This time, the device is eth0 instead of eth0:0 even though I did nothing differently.

Next problem: When creating new nameservers, the "virtual" box cannot be unchecked.
 
I really think that for what you are trying to do, you just simply need to update the DNS record. You don't have to do what you are doing. And don't forget you also have to change the IP at the registrar.
 
I need to briefly assign a second IP to my other nameserver (if both nameservers point to the same IP, the update will fail).
Like @floyd says. Update the ip for the NS2 at your registrar.
Then do -not- add this external ip in the ip manager of DA. Just update your ns2 A record(s), that should be enough.

Be aware that these kinds of changes can take up to 4-8 hours to synchronise amongst world nameservers.
 
Those were my thoughts as well... probably getting old, not remembering what I did last time, etc. So yesterday I tried just going for the ns2 A records only. Seems I got lucky, because the domain I needed to update badly slipped through, even though there was a warning.

Code:
RESULT: success
WARNING: 33300102912 Predelegation Check warning [WARNING: 110 Retry value out of range (expected, found, nameserver, ip) ([450..1200], 3600, ns1.mydomain.com, 111.111.111.111)]
STID: 62cb7043-64af-4a19-8ea3-cec0c588cadd

This is great, removes the time pressure from the issue. But since I'm at it, I also tried to update two other domains that I registered last year, and now I'm getting this:

Code:
RESULT: failed
STID: 77b5f474-1b65-490a-8fe8-acee04c82483
ERROR: 53300102912 Nameserver error [ERROR: 133 Answer must be authoritative (nameserver, ip, proto, record) (ns1.mydomain.com, 111.111.111.111, udp, NS)]
ERROR: 53300102912 Nameserver error [ERROR: 901 Unexpected RCODE (nameserver, ip, proto, record) (ns1.mydomain.com, 111.111.111.111, udp, NS)]
ERROR: 53300102912 Nameserver error [ERROR: 902 Timeout (nameserver, ip, protocol) (ns2.mydomain.com, 222.222.222.222, udp)]
ERROR: 53300102912 Nameserver error [ERROR: 901 Unexpected RCODE (target, entity, rcode) (111.111.111.111, SOA, REFUSED)]
WARNING: 33300102912 Predelegation Check warning [WARNING: 902 Timeout (nameserver, ip, protocol) (ns2.mydomain.com, 222.222.222.222, tcp)]

[IPs and domain names have been replaced by placeholders]

To me, it might as well be Chinese, never ran into issues like this before.

To rule out that I'm getting this because of stuff *I* did... the problem is that I'm unable to restore the IP manager settings and the nameserver settings to the state they were before. The other problem is that I stored this in short term memory (in my mind ;), because I thought it would be quick as usual, so I'm not even 100% sure anymore what the settings were in the first place.

At this point, I only have one line in the IP manager - it has my primary IP and ns1 under "Name Server".
Under "Name Servers" there is also one line only for ns1 (linking it to my primary IP).
There is no way to add ns2 here, as "create nameservers" will only allow me to add virtual nameservers (this box cannot be unchecked).

PS: It is impossible to change the IP at the registrar. You just enter the nameservers. Like I said - different country, different procedure. Trust me, this is not the problem.
 
You have to have the ip setup on the actual nameserver and the dns record updated first.

Make sure the ip for ns2.mydomain.com works and update the dns record for ns2.mydomain.com on your end. You may have to wait 24 hours and then update at the registrar.
 
Not sure if I understand you correctly. This is a single VPS hosting my websites. There is no separate physical nameserver.

If this was simply a propagation problem, I would expect the error to be:

Code:
RESULT: failed
STID: cd341203-b96b-4bf5-b8c2-713886ded784
ERROR: 53300102912 Nameserver error [ERROR: 107 Insufficient diversity of nameserver' s IPaddresses (expected, found) (1, 0)]

...as it was originally. But the error mentions both IPs, which seems to indicate that the change has propagated already. There are no less than three error codes: 133, 901, 902 - not sure if they need to be fixed separately or if one is leading to the other, but the most notable is:

Error 902 - Domain update failed. Timeout (target)
Solution: check that the nameservers are online and respond to requests

Since the registrar is already resolving ns2 to the new IP, it seems obvious that something is set up incorrectly on my server, as it cannot handle the request.
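
The three error codes discussed above (133, 901, 902) can be reproduced by sending a nameserver a non-recursive query directly and reading the response header. This is an added example, not part of any post in this thread; the function names, the UDP-only scope and the sample packets are assumptions made for illustration, and the mapping to the code numbers follows the registry messages quoted above.

```python
import socket
import struct

RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}
QTYPES = {"NS": 2, "SOA": 6}

def build_query(zone, qtype, qid=0x1234):
    """Non-recursive (RD=0) question for zone/qtype in class IN."""
    header = struct.pack("!HHHHHH", qid, 0x0000, 1, 0, 0, 0)
    labels = zone.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels)
    return header + qname + b"\x00" + struct.pack("!HH", QTYPES[qtype], 1)

def classify(response):
    """Return registry-style findings for one raw DNS response."""
    if len(response) < 12:
        return ["malformed response (shorter than a DNS header)"]
    flags = struct.unpack("!H", response[2:4])[0]
    rcode = flags & 0x000F
    findings = []
    if rcode != 0:
        findings.append("901 Unexpected RCODE (%s)" % RCODES.get(rcode, rcode))
    if not flags & 0x0400:  # AA bit clear: the server is not authoritative
        findings.append("133 Answer must be authoritative")
    return findings

def check(ip, zone, qtype="SOA", timeout=3.0):
    """Query one nameserver IP over UDP; an empty list means it passed."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        try:
            sock.sendto(build_query(zone, qtype), (ip, 53))
            data, _ = sock.recvfrom(4096)
        except socket.timeout:
            return ["902 Timeout"]
    return classify(data)

# Constructed sample headers (not captured traffic):
# QR=1 with RCODE 5 (REFUSED), and QR=1 with the AA bit set.
REFUSED_SAMPLE = struct.pack("!HHHHHH", 0x1234, 0x8005, 1, 0, 0, 0)
AUTHORITATIVE_SAMPLE = struct.pack("!HHHHHH", 0x1234, 0x8400, 1, 1, 0, 0)

if __name__ == "__main__":
    print(classify(REFUSED_SAMPLE))
    print(classify(AUTHORITATIVE_SAMPLE))
```

Calling `check()` for each nameserver IP with both `NS` and `SOA` shows which server produces which finding; REFUSED with the AA bit clear typically means the server has no zone loaded for the queried name.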
 
I still believe that I need to fix the fact that I can't add the new IP as a nameserver. You guys are saying that it isn't necessary - which may be true - but the fact that I CAN'T do it, although it was possible before, indicates to me that something is wrong.

I did this originally: There were two lines one with the original IP and ns1 and the other with the new IP and ns2. Now, when I add the new IP again, I can do it virtually only. It seems obvious that something broke, and if something isn't working and you don't exactly know why, the best bet is usually to fix what you already know is broken and hope the problem will go away. ;)

Btw. I hit "clear NS" on the line with the new IP. That's how it went away. One would expect that, after doing that, the nameserver can be re-added, no?
 
Now, when I add the new IP again, I can do it virtually only.
Again, logically because that ip does -not- belong to your vps so you can't (and shouldn't) add it in the ip manager.

Advice: Change your skin/theme to the Enhanced skin, makes things a lot easier, at least I work a lot easier with that skin.

Nameservers are added in the domain as A and NS records if using external ip's, not in the nameserver or ip manager section.
 
Again, logically because that ip does -not- belong to your vps so you can't (and shouldn't) add it in the ip manager.

Advice: Change your skin/theme to the Enhanced skin, makes things a lot easier, at least I work a lot easier with that skin.

Nameservers are added in the domain as A and NS records if using external ip's, not in the nameserver or ip manager section.
Actually it belongs to my VPS specifically. I pay 2 USD/month for it.

I'm usually very reluctant to claim something *should* be working, but if it did previously but then doesn't anymore it is usually a strong case.

EDIT: I think I found the problem...
 
Actually it belongs to my VPS specifically. I pay 2 USD/month for it.
Oh I'm sorry. I was under the impression you had an external ip address extra.
In that case you are correct, you should add the ip as Admin under ip management.

EDIT: I think I found the problem...
I hope so. Please let us know how you fixed it and what was the cause.
 
Well, I forgot that the Germans will also check if there's actually a site (i.e. DNS Zone) set up on the other end. That's why one domain worked and the other didn't.

Switching to enhanced skin was good advice, I wasn't aware it's still possible. So now that the domains updated, I'm ready to revert everything to the way it was before.

Do you happen to be aware how the IP/Nameserver setup is supposed to look with a single IP? I could swear ns1 and ns2 were both set up for the same IP, but when I try to do it, it tells me I need two distinct IPs for this.
 
I could swear ns1 and ns2 were both set up for the same IP,
You are correct, it can be done like this in DirectAdmin itself anyway. In that case you can't use the ip manager in admin or reseller, but you can use the selection box to use nameserver 1 and 2.
And in the domain, both A records for ns1 and ns2 point to the same ip. This should still work as I recently did it this way with a temporary vps which was using external nameservers for real, pointing to the VPS.

In the earlier days, this (in spite of being against all FQDN rules) was no problem at all. But nowadays with more and more registrars it's not possible to fill in the same ip twice and indeed gives notice you need 2 separate ip's.
I don't know if it would work if you only enter 1 nameserver at the registrar.

Some registrars still allow it.
Otherwise I would consider keeping the secondary ip as it's so easy to do things if you run your own nameservers.
It's still not completely according to the RFC's (should have different geo locations) but at least registrars will accept it and it's still cheaper than a cheap separate VPS with Directslave for example.
Unless you have multiple servers or vps systems, then that might be a better solution.
 
It is always better to have different IP's for nameservers.
Also you can just add the IP to DirectAdmin so your server knows this IP is used. Don't add it to users. Don't add it to "nameservers". Just as what was said already. Update DNS records. If the IP is also active on DirectAdmin it will be used.

Just edit the nameservers by hand with ns1.domain.tld and ns2.domain.tld. Update the users/domains.


If you are using DNS on your vps do not forget to do DNSSEC signing of your zones and update keys at your registrar. Add the 257 key signing key you make with DA
 
Don't add it to "nameservers".
Why not? If they are both on the same server/vps, it's imho even better to add it to the nameservers as it can't be used for anything else then anymore if I'm correct.
For user domains it doesn't matter as they only use the NS records which all will have automatically anyway.

DNSSEC is not required, but is a bit more safety, however, that indeed also requires more work.
 
It is always better to have different IP's for nameservers.
Also you can just add the IP to DirectAdmin so your server knows this IP is used. Don't add it to users. Don't add it to "nameservers". Just as what was said already. Update DNS records. If the IP is also active on DirectAdmin it will be used.

Just edit the nameservers by hand with ns1.domain.tld and ns2.domain.tld. Update the users/domains.
Correct me if I am wrong, but in my humble opinion it is utterly pointless to have different IPs for nameservers if you're self-hosting it all on the same machine. When the machine hosting the nameservers is down, the website is down, too, so the whole purpose of nameserver diversity is defeated anyway.

Where can I edit this by hand? That would be great. I just restored last week's admin backup, but unfortunately, that didn't bring back the original IP/nameserver configuration either.
 
Otherwise I would consider keeping the secondary ip as it's so easy to do things if you run your own nameservers.
Well it's 24 USD/year for something I don't need, and virtually the only situation I ever miss it is when German Internic wants me to jump through their idiotic bureaucratic hoops.
 
for something I don't need
Correct, but it saves work, no LEGO required for wildcard certificates, no need to copy stuff to the registrars (or other external DNS). With multiple domains and customers it's really a plus.

But if you don't mind that or don't need it, then indeed you can save the money.

When the machine hosting the nameservers is down, the website is down, too, so the whole purpose of nameserver diversity is defeated anyway.
Which is why the RFCs say that in fact nameservers should reside in different geographical locations.

that didn't bring back the original IP/nameserver configuration either.
Try the Enhanced skin. I don't use the Evo, so I don't know where it is there.
But on restoring admin backups, you can choose to use the backup ip or the server's ip. Also you can select (tick a box) whether to use the local nameservers or nameservers from the backup.

Normally by default the option to use the local nameservers is ticked. You can untick it and then save.

Remember that users never require the nameservers ip, they only use NS records which are like ns1.domain.com and ns2.domain.com and nothing more.
This can easily be changed via commandline if required.
 
Which is why the RFCs say that in fact nameservers should reside in different geographical locations.
Ok, but this fixes a problem you only have with external nameservers. ;) The idea, to my knowledge, is that the site is still reachable when one nameserver goes down. But if nameservers are on the same machine as the content, this makes no sense - if the site itself is down, all the nameservers in the world won't make it reachable.
But on restoring admin backups, you can choose to use the backup ip or the server's ip. Also you can select (tick a box) whether to use the local nameservers or nameservers from the backup.

Normally by default the option to use the local nameservers is ticked. You can untick it and then save.
This didn't work. Mistake on my end, I created an elaborate backup scheme for all accounts (including the admin account), but failed to include system backups. So I guess I'm out of luck here.
Remember that users never require the nameservers ip, they only use NS records which are like ns1.domain.com and ns2.domain.com and nothing more.
This can easily be changed via commandline if required.
Not sure if I understand you correctly. I'm the only admin and the only user on this server. ;)

At the end of this, my sites are still reachable, but now there's only an ns1 defined under "Nameservers" and no "ns2" - so much for diversity.

The file to edit this info is /usr/local/directadmin/data/admin/ips/* but it seems like directadmin just reads this when you open "Nameservers", it's not like editing that file has any impact on the server.
 
is that the site is still reachable when one nameserver goes down.
I'm not sure. It could also mean when your server is down and mailservers are trying to reach you, they know by the other nameserver that the domain still is "alive" and only temporarily unreachable. If both nameservers are unreachable it could also mean business stopped.
I'm not 100% sure if this would affect a sending mailserver to a domain, to put the mail in queue for later or directly send it back to the sender as being undeliverable.
But reading what you wrote later on, in your case that isn't such a big deal I guess.

So I guess I'm out of luck here.
I don't know. I don't use a system backup either. For transferring accounts I just use the included Admin backup/transfer option, which by default includes dns for the domains.

Not sure if I understand you correctly. I'm the only admin and the only user on this server. ;)
In that case, only 1 domain then? Or multiple? Only the main domain, like domain.com in ns1.domain.com, needs both A records.
Every other domain (even if it's only your domains) normally only contains the NS records, so then not much needs to be adjusted.
And for sure I understand now that you don't have any need to run your own nameservers and external is enough. ;)

Indeed editing the file in /ips/ has no impact on the server in your case as far as I can see.
 