PDNS Received NOTIFY but slave support is disabled in the configuration

[Metro2]

I have a rather strange issue and after tons of searching for a solution / correct actions to take I still haven't been able to find out what I can do to safely correct this.

I'm hoping that someone here can help provide some guidance.

In the information below, example.ca was a hosting account that I terminated quite some time ago and example.com was an Addon Domain under that account, and the xx.xx.xx.xx is the IP address of an OVH Canada server that the customer moved to (since they wanted to have all their services based in Canada and my service is based in the US).

Here is the issue / notice, which seems to indicate that my WHM DNS Cluster thinks that the Addon Domain is still supposed to be here when it is not:

[~]# grep example /var/log/messages
May 2 01:58:01 hostname pdns[2841229]: Received NOTIFY for example.com from xx.xx.xx.xx:55921 but slave support is disabled in the configuration
May 4 09:37:40 hostname pdns[2841229]: Received NOTIFY for example.com from xx.xx.xx.xx:40275 but slave support is disabled in the configuration
May 4 10:13:39 hostname pdns[2841229]: Received NOTIFY for example.com from xx.xx.xx.xx:51749 but slave support is disabled in the configuration
May 4 10:21:40 hostname pdns[2841229]: Received NOTIFY for example.com from xx.xx.xx.xx:44749 but slave support is disabled in the configuration


So I did a basic locate of the Master domain and can see the server is still storing data about it, and I don't even run PHP 7.2 anymore:

[~]# locate example.ca
/opt/cpanel/ea-php72/root/etc/php-fpm.d/example.ca.conf.save
/root/saved.vfilters/example.ca
/usr/share/cagefs/.cpanel.multiphp/opt/cpanel/ea-php72/root/etc/php-fpm.d/example.ca.conf.save
/usr/share/cagefs-skeleton/opt/cpanel/ea-php72/root/etc/php-fpm.d/example.ca.conf.save
/usr/share/cagefs-skeleton/usr/local/apache/domlogs/ftp.example.ca-ftp_log.offsetftpbytes
/var/log/apache2/domlogs/ftp.example.ca-ftp_log.offsetftpbytes

I did a basic locate of the Account username and some of the remnant data is still being backed-up during my nightly cPanel backups, and something else strange I noticed is that there is an extra E added to the old deleted account's username:

[~]# locate username
/backup/.meta/username.db
/backup/2022-05-03/system/dirs/_var_cpanel/notificationsdb/username
/backup/2022-05-03/system/dirs/_var_cpanel/users.cache/usernameE
/var/cpanel/notificationsdb/username
/var/cpanel/users.cache/usernameE

And a basic locate of the old deleted Addon domain that is indicated in the "Received NOTIFY" alerts:

[~]# locate example.com
/backup/2022-05-03/system/dirs/_var_cpanel/getmx/cache/example.com
/backup/2022-05-03/system/dirs/_var_cpanel/ssl/domain_tls/mail.example.com
/backup/2022-05-03/system/dirs/_var_cpanel/ssl/domain_tls/mail.example.com/certificates
/backup/2022-05-03/system/dirs/_var_cpanel/ssl/domain_tls/mail.example.com/certificates.cache
/backup/2022-05-03/system/dirs/_var_cpanel/ssl/domain_tls/mail.example.com/combined
/backup/2022-05-03/system/dirs/_var_cpanel/ssl/domain_tls/mail.example.com/combined.cache
/root/saved.vfilters/example.com
/var/cpanel/getmx/cache/example.com
/var/cpanel/ssl/domain_tls/mail.example.com
/var/cpanel/ssl/domain_tls/mail.example.com/certificates
/var/cpanel/ssl/domain_tls/mail.example.com/certificates.cache
/var/cpanel/ssl/domain_tls/mail.example.com/combined
/var/cpanel/ssl/domain_tls/mail.example.com/combined.cache

Can anyone please point me to the proper / safe way that I can resolve this?

Ultimately I would love it if cPanel didn't hang on to old deleted accounts info, but it always has in various locations, but at least the dozens of other deleted accounts that cPanel is still storing data for on the servers are not generating the "Received NOTIFY for" "but slave support is disabled in the configuration" entries in the logs.

Many thanks for any input!

 

[cPRex]

Hey there! It looks like there's two separate issues - the account cruft, and the DNS notification.

If you do a "whois" check on the domain, is it possible they still have your nameservers listed? This would generate a DNS query to your machine even though the record doesn't exist.

The first 8 files in your "locate" command seem normal to me, as those are backups or cached data that doesn't often get regenerated. certificates.cached and combined.cached also seem normal as well.

As far as the actual /var/cpanel/ssl/domain_tls/mail.example.com/ data, we don't immediately remove these in order to keep the Dovecot mail server happy and reduce the number of restarts on that service. However, you may see additional data in the /var/cpanel/ssl/domain_tls/.pending_delete directory depending how long it's been since the domains are removed.

The main thing that cPanel cares about in regards to if a domain "exists" on the system or not would be entries in /var/cpanel/userdata. If there aren't entries there, it's likely safe to manually remove any cruft you find.

If you can reliably reproduce this problem on your machine when you remove a domain, it would be worth submitting a ticket to our support team so we can check this out, and get a case filed with the developers if necessary.

 

[Metro2]

@cPRex - Thank you so much for taking the time to give your detailed response and explaining why some data is retained even after an account is deleted, I very much appreciate it. You really do an awesome job at handling forum responses here and you're always very helpful!

Quick note before I go in and try to do some cleanup - the account (and it's Addon) were deleted long ago, last year in fact, and the nameservers for both domains were changed to their new hosting provider last year. I always check Whois / IntoDNS / MXtoolbox in strange scenarios.

I'll SSH in now to take a closer look based on the info you provided. Will update this with any findings of note.

 

[Metro2]

Nothing at all in /var/cpanel/ssl/domain_tls/.pending_delete (aside from usual empty ./ and ../)

Nothing in /var/cpanel/userdata referencing the domains / account in question

In /var/cpanel/ssl/domain_tls there are quite a few directories of subdomains that were terminated long ago, including mail.example.ca and mail.example.com in this case. I've removed the ones pertaining to this case / domain, and restarted dovecot and pdns. Waiting for the other shoe to drop

 

[cPRex]

Let us know how it goes! I do feel like we shouldn't be leaving cruft though, so it still might be worth a ticket.

 

[Metro2]

Unfortunately this is still occurring, and only with the one domain / account that is long gone:

/var/log/messages:

May 24 00:36:28 hostname pdns[4049562]: Received NOTIFY for example.com from xx.xx.xx.xx:54136 but slave support is disabled in the configuration
May 24 00:36:38 hostname pdns[4049562]: Received NOTIFY for example.com from xx.xx.xx.xx:37082 but slave support is disabled in the configuration
May 24 00:36:39 hostname pdns[4049562]: Received NOTIFY for example.com from xx.xx.xx.xx:37082 but slave support is disabled in the configuration
May 24 00:37:26 hostname pdns[4049562]: Received NOTIFY for example.com from xx.xx.xx.xx:45579 but slave support is disabled in the configuration

 

[cPRex]

At this point we'll need a ticket to do some more investigation - can you get one submitted to our team?