Designate DNS-as-a-Service Troubleshooting Prompt
Diagnose Designate issues — zones not propagating, BIND/PowerDNS backend issues, pool config, record updates not visible.
- Target user
- OpenStack DNS engineers
- Difficulty
- Intermediate
- Tools
- Claude, ChatGPT
The prompt
You are a senior OpenStack engineer who has operated Designate (DNSaaS) with both BIND9 and PowerDNS backends. You know the pool/zone/recordset model and how to debug update propagation. I will provide: - The symptom (zone not visible, record update not propagating, zone stuck PENDING, secondary not syncing) - `openstack zone show` and `openstack recordset list` - Pool configuration (`/etc/designate/pools.yaml`) - Designate logs and backend (BIND/PowerDNS) logs Your job: 1. **Understand the model**: - **Pool** — set of name servers; defined in `pools.yaml` - **Zone** — DNS zone; mapped to a pool - **Recordset** — record(s) in a zone - **Backend** — BIND, PowerDNS, etc. - **NS list** — what's published as authoritative for the zone 2. **For "zone stuck in PENDING"**: - Backend operation failed; check designate-worker / designate-zone-manager logs - Backend not reachable - SOA NOTIFY not delivered (secondaries don't update) 3. **For "record update not propagating"**: - DNS clients cache; check TTL - Designate updates backend → backend serves new value - For secondary NS: NOTIFY must reach secondaries; check master/slave configuration 4. **For BIND backend**: - `rndc reload` or `rndc reload <zone>` to push changes - `rndc status` for backend health - Designate uses `nsupdate` typically for dynamic updates 5. **For PowerDNS backend**: - SQL-backed; check PowerDNS database - `pdns_control bind-domain-status` for zone status 6. **For pool config (`pools.yaml`)**: - Defines `nameservers`, `targets`, `also_notify` - `designate-manage pool update` applies changes - Mismatch between pools.yaml and actual zone → updates fail silently 7. **For SOA / serial**: - Each update bumps serial - Slaves use serial to detect changes - SOA mismatch → AXFR/IXFR transfer to sync 8. **For mDNS** (mini-DNS) and NOTIFY: - `designate-mdns` serves zone data to slaves - NOTIFY tells slaves "check for updates" - Without NOTIFY, slaves only check on REFRESH interval Mark DESTRUCTIVE: deleting zone (irreversible without backup), changing pool ID on a zone (re-targets the zone), force-removing PENDING zone (state mismatch). --- Symptom: [DESCRIBE] Zone state: ``` [PASTE `openstack zone show <id>`] ``` `pools.yaml` excerpt: ```yaml [PASTE] ``` Designate logs: ``` [PASTE] ``` Backend type + status: [DESCRIBE]
Why this prompt works
Designate has a unique pool/zone/backend model that’s confusing to engineers used to plain DNS. This prompt enforces a pool-aware diagnosis.
How to use it
- Verify pool config first — most issues there.
- For propagation, check both designate AND backend logs.
- TTL matters — sometimes the issue is client cache, not Designate.
- For mass changes, lower TTL ahead of time.
Useful commands
# Zones
openstack zone list
openstack zone show <zone-id>
openstack recordset list <zone-id>
# Create / update
openstack zone create --email admin@example.com example.com.
openstack recordset create --type A --record 10.0.0.1 example.com. www
openstack recordset set --record 10.0.0.2 example.com. www
# Export / backup
openstack zone export create <zone-id>
openstack zone export show <export-id>
openstack zone export show <export-id> --raw > zone.bind
# Pool management
designate-manage pool list_config
designate-manage pool update --file /etc/designate/pools.yaml --dry-run
designate-manage pool update --file /etc/designate/pools.yaml
# Designate logs
sudo journalctl -u designate-api -n 100 --no-pager
sudo journalctl -u designate-worker -n 100 --no-pager
sudo journalctl -u designate-zone-manager -n 100 --no-pager
sudo journalctl -u designate-mdns -n 100 --no-pager
# Verify from outside
dig @<designate-ns-ip> example.com SOA
dig @<designate-ns-ip> www.example.com
# BIND check (if BIND backend)
sudo rndc status
sudo rndc reload
sudo rndc dumpdb -all
sudo journalctl -u named -n 100 --no-pager
# PowerDNS check
pdns_control list-zones
pdns_control bind-domain-status example.com.Common findings this catches
- Zone stuck PENDING > 5 min → backend unreachable; check designate-worker logs.
- DNS lookup returns old value → TTL not expired; or client cache.
- NS records mismatch pool → delegation broken; users get NXDOMAIN.
rndckey mismatch → BIND-side config; sync keys with designate.- Pool update changed nameservers but zones still reference old → re-target zones.
- PowerDNS DB drift → restore from designate.
- SOA serial not incrementing → backend not seeing updates; check designate sink.
When to escalate
- Backend DNS server crashes — engage NS team.
- Mass zone migration between pools — staged plan.
- Authoritative DNS issues at provider/registry level — outside OpenStack.
Related prompts
-
Neutron Networking Debug Prompt
Diagnose Neutron networking failures — unreachable VMs, broken security groups, missing floating IPs, OVS/OVN flow issues — from CLI output and agent logs.
-
OpenStack Request-ID Log Trace Prompt
Correlate a single API request across services (nova-api → conductor → scheduler → compute → neutron → cinder) using OpenStack request IDs.
-
OpenStack VM Troubleshooting Prompt
Diagnose Nova VM boot failures, networking issues, and stuck instances using nova/openstack CLI output.