
Designate Zone Transfer & Secondary Zone Debug Prompt

Diagnose why Designate secondary zones won't transfer (AXFR/IXFR), NOTIFY isn't received, or zone serials drift from an external master, while keeping the backend nameservers in sync.

Target user
OpenStack operators running Designate DNSaaS with external masters
Difficulty
Intermediate
Tools
Claude, ChatGPT

The prompt

You are a senior OpenStack DNS engineer who has debugged Designate secondary zones that silently stop transferring from corporate master nameservers.

I will provide:
- The secondary zone definition (master IPs, zone name, type SECONDARY)
- Designate config (`designate.conf`, `pools.yaml`, `mdns` listen/bind, allowed transfer settings)
- Backend nameserver (BIND/PowerDNS) config and its slave/transfer state
- Symptoms (zone stuck ERROR/PENDING, serial mismatch, NOTIFY ignored, AXFR refused)
- `dig` AXFR output and mdns/worker logs

Your job:

1. **Confirm the transfer path** — map who pulls from whom: Designate `mdns` performs AXFR from the external master, then pushes to the pool's backend nameservers. Identify which hop is failing from the logs.

2. **Master reachability & ACL** — verify mdns can reach the master on TCP/53, the master's `allow-transfer`/`also-notify` includes the mdns source IP, and firewalls permit TCP (AXFR needs TCP, not just UDP).

3. **NOTIFY handling** — check whether the master sends NOTIFY to mdns and whether mdns is listening on the advertised IP; explain why a missing NOTIFY just means slow refresh, not a hard failure, and how SOA refresh/retry timers govern fallback.

4. **Serial & SOA logic** — compare the master SOA serial with Designate's stored serial; explain why a non-incrementing serial on the master causes Designate to skip updates and how to force a refresh.

5. **Backend propagation** — confirm the pool nameservers received the transferred zone (`designate-manage pool` state, backend `rndc`/PowerDNS zone status) so the public answer actually matches the master.

6. **Validate** — run `dig @<mdns> AXFR <zone>`, `dig @<backend-ns> SOA <zone>`, and confirm serials match end to end.

Output as: (a) annotated transfer-path diagram, (b) the failing hop with evidence, (c) master ACL / firewall corrections, (d) commands to force and verify a transfer, (e) end-to-end serial-match validation.
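As an added example (not part of the original prompt), a small Python helper for steps 3, 4 and 6: it parses `dig +noall +answer SOA` output for each hop, compares serials with RFC 1982 wraparound-safe arithmetic, reports which hop is stale, and shows which SOA timer governs the fallback poll when NOTIFY never arrives. The zone name, nameserver names and serials are constructed.

```python
import re

SERIAL_SPACE, HALF = 2 ** 32, 2 ** 31

# Constructed `dig @<host> +noall +answer SOA corp.example.` answers; not captured from a real system
MASTER_SOA = "corp.example.\t3600\tIN\tSOA\tns1.corp.example. hostmaster.corp.example. 2024061503 3600 900 1209600 300"
MDNS_SOA = "corp.example.\t3600\tIN\tSOA\tns1.corp.example. hostmaster.corp.example. 2024061502 3600 900 1209600 300"
BACKEND_SOA = MDNS_SOA  # backend already matches mdns, so only the master->mdns hop is stale

SOA_RE = re.compile(r"^\S+\s+\d+\s+IN\s+SOA\s+\S+\s+\S+\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s*$")


def parse_soa(dig_output):
    """Extract serial/refresh/retry/expire/minimum from a dig SOA answer section."""
    for line in dig_output.splitlines():
        m = SOA_RE.match(line.strip())
        if m:
            serial, refresh, retry, expire, minimum = map(int, m.groups())
            return {"serial": serial, "refresh": refresh, "retry": retry,
                    "expire": expire, "minimum": minimum}
    raise ValueError("no SOA record found in dig output")


def serial_newer(a, b):
    """RFC 1982 comparison: is 32-bit serial a newer than b, allowing for wraparound?"""
    a, b = a % SERIAL_SPACE, b % SERIAL_SPACE
    return (a < b and b - a > HALF) or (a > b and a - b < HALF)


def hop_verdict(upstream, downstream):
    """Apply the secondary's rule: it only pulls when the upstream serial is newer."""
    if upstream == downstream:
        return "in-sync: serial unchanged, no transfer needed"
    if serial_newer(upstream, downstream):
        return "stale: upstream is newer, downstream should AXFR/IXFR"
    return "behind: upstream serial is older, bump the master serial to force a refresh"


def next_poll_seconds(soa, last_refresh_ok):
    """Without NOTIFY the secondary falls back to SOA timers: refresh if the last
    check succeeded, retry if it failed (expire is when the zone is dropped)."""
    return soa["refresh"] if last_refresh_ok else soa["retry"]


def check_path(master, mdns, backend):
    """Report the state of both hops: external master -> mdns, mdns -> pool backend."""
    m, d, b = (parse_soa(x)["serial"] for x in (master, mdns, backend))
    return {"master->mdns": hop_verdict(m, d), "mdns->backend": hop_verdict(d, b)}


if __name__ == "__main__":
    for hop, verdict in check_path(MASTER_SOA, MDNS_SOA, BACKEND_SOA).items():
        print(f"{hop}: {verdict}")
    print("fallback poll in", next_poll_seconds(parse_soa(MDNS_SOA), True), "seconds")
```

Feed it the real `dig` output from the master, the mdns listener and a pool backend to see which hop stopped propagating.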

AXFR exposes the full zone — confirm the master's allow-transfer ACL is scoped to mdns IPs only, not the world.