Hello all. A brief summary of my problem is that we have started a DNS server upgrade here at my facility. We currently have 2 internal dns servers and 2 external dns servers. We are upgrading to new equipment and merging our servers so we have 1 master and 1 slave that will take care of both internal and external dns. Both servers have two NIC's that have been IP'd with one address in the public external network and one in the internal network. On my master I have setup an Internal view that is only accessible from our internal network ranges and an external view that is allowed to be queried by anyone. I have everything setup and DNS resolution works fine. The problem I am getting though is that that when I configured the slave and set it up, the slave will only inherit updates for zones listed in the Internal view. All external view zones give an error of <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.30.rc1.el6_6.2 <<>> IN AXFR 43.96.32.in-addr.arpa @129.yy.yy.10 ;; global options: +cmd ; Transfer failed. I have been googling like crazy and cannot find a solution hopefully someone on here might have an idea of why this is occuring.

Below I will give the samples of my master / slave named.conf files. My system is currently running RHEL 6.6 and Bind DNS 9.8.2.


Master - Named.conf

acl internal_hosts { 10.101.0.0/16; 172.21.0.0/16;
10.2.0.0/16; 169.254.0.0/16;
172.23.0.0/16; 32.0.0.0/8;
12.109.164.0/24; 12.109.165.0/24;
63.79.18.0/24; 63.88.0.0/16;
129.42.0.0/16; 4.30.26.0/24;
4.28.188.0/24; 172.21.131.248/29;};
acl internal_slave { 10.xx.xx.2; };
acl external_slave { 129.yy.yy.11; };
acl internal_master { 10.xx.xx.1; };
acl external_master { 129.yy.yy.10; };

options {
directory "/etc";
pid-file "/var/run/named/named.pid";
dnssec-enable no;
query-source port 53;
forward only;
notify yes;
allow-query { any; };
listen-on {
10.xx.xx.1;
127.0.0.1;
129.yy.yy.10;
};
forwarders {
129.34.20.80;
198.4.83.35;
4.2.2.2;
8.8.8.8;
};
allow-transfer {127.0.0.1; };
};


server 10.xx.xx.2 {
transfer-format many-answers;
transfers 10000;
};
server 129.yy.yy.11 {
transfer-format many-answers;
transfers 10000;
};

view "Internal" {

match-clients { internal_hosts; !external_slave; internal_slave; };
also-notify { 10.xx.xx.2; };
allow-transfer { internal_slave; };
recursion yes;
allow-recursion { internal_hosts; };
transfer-source 10.xx.xx.1;


zone "64.2.10.in-addr.arpa" {
type master;
also-notify { 10.xx.xx.2; };
notify yes;
allow-transfer { internal_slave; };
file "/var/named/10.2.64.rev";
};

view "External" {

match-clients { !internal_slave; external_slave; any; };
recursion no;
allow-transfer { external_slave; };
also-notify { 129.yy.yy.11; };
transfer-source 129.yy.yy.10;

zone "50.146.204.in-addr.arpa" {
type master;
notify yes;
also-notify {129.yy.yy.11;};
allow-transfer {external_slave;};
file "/var/named/204.146.50.rev";
};



Slave - Named.conf


acl internal_hosts { 10.101.0.0/16; 172.21.0.0/16;
10.2.0.0/16; 169.254.0.0/16;
172.23.0.0/16; 32.0.0.0/8;
12.109.164.0/24; 12.109.165.0/24;
63.79.18.0/24; 63.88.0.0/16;
129.42.0.0/16; 4.30.26.0/24;
4.28.188.0/24; 172.21.131.248/29;
};
acl internal_slave { 10.xx.xx.2; };
acl external_slave { 129.yy.yy.11; };
acl internal_master { 10.xx.xx.1; };
acl external_master { 129.yy.yy.10; };

options {
directory "/etc";
pid-file "/var/run/named/named.pid";
dnssec-enable no;
query-source port 53;
forward only;
allow-query { any; };
listen-on port 53 {
127.0.0.1;
10.xx.xx.2;
129.yy.yy.11;
};
forwarders {
129.34.20.80;
198.4.83.35;
4.2.2.2;
8.8.8.8;
};
allow-transfer {127.0.0.1; };
};


server 10.xx.xx.1 {
transfer-format many-answers;
transfers 10000;
};

server 129.yy.yy.10 {
transfer-format many-answers;
transfers 10000;
};

view "Internal" {
match-clients { internal_hosts; !external_master; internal_master; };
recursion yes;
allow-recursion {internal_hosts;};
allow-transfer { internal_master; };
transfer-source 10.xx.xx.2;
allow-notify {10.xx.xx.1;};

zone "64.2.10.in-addr.arpa" {
type slave;
masters {10.xx.xx.1;};
allow-transfer {internal_master;};
allow-update {internal_master;};
file "/var/named/slaves/10.2.64.Internal.rev";
};

view "External" {
allow-transfer {external_master;};
allow-notify {129.yy.yy.10;};
transfer-source 129.yy.yy.11;
match-clients {!internal_master; external_master; internal_hosts; any;};
recursion no;

zone "50.146.204.in-addr.arpa" {
type slave;
masters {129.yy.yy.10;};
allow-transfer {external_master;};
allow-update {external_master;};
file "/var/named/slaves/204.146.50.External.rev";
};

Have you checked you logs for any startup errors? How about using the named-checkconf and named-checkzone to check your configurations?

Hi,

You may follow the instructions here for zone transfers based on views

Regards

Named-checkconf and named-checkzone find no errors. I do have this show up in /var/log/messages for errors when I try to do a DIG on the external zone brsbld.ihost.com

Apr 17 09:32:31 bbridns01 named[1717]: client 10.101.8.2#55756: view Internal: transfer of 'bldbcrs.net/IN': AXFR started
Apr 17 09:32:31 bbridns01 named[1717]: client 10.101.8.2#55756: view Internal: transfer of 'bldbcrs.net/IN': AXFR started
Apr 17 09:32:31 bbridns01 named[1717]: client 10.101.8.2#55756: view Internal: transfer of 'bldbcrs.net/IN': AXFR ended
Apr 17 09:32:31 bbridns01 named[1717]: client 10.101.8.2#55756: view Internal: transfer of 'bldbcrs.net/IN': AXFR ended
Apr 17 09:32:56 bbridns01 named[1717]: client 129.42.206.11#41783: view Internal: bad zone transfer request: 'brsbld.ihost.com/IN': non-authoritative zone (NOTAUTH)
Apr 17 09:32:56 bbridns01 named[1717]: client 129.42.206.11#41783: view Internal: bad zone transfer request: 'brsbld.ihost.com/IN': non-authoritative zone (NOTAUTH)

---------- Post added 04-18-15 at 05:41 AM ----------

He guys just wanted to update this to let you know what I found out for the solution. Under my Internal view the match-clients argument was messing me up.

match-clients { internal_hosts; !external_slave; internal_slave; };

The internal_hosts acl includes the range 129.42.0.0/16. This was listed before the !external_slave; argument so it was picking that up first because the slave server is 129.42.206.11 and putting it into the internal view. I rearranged it so that it excludes the external_slave first then it was properly being picked up by the external view.

match-clients { !external_slave; internal_hosts; internal_slave; };[COLOR="Silver"]