I set up a new VPS with kloxo and I'm having some problem with my domain. My VPS came with one IP and because of the regulations of the Canadian Internet Registry Authority (CIRA), the two nameservers must have different IPs. Therefore, I set up my domain (let's call it mysite.ca) with xname as follows:
ns1.mysite.ca 72.29.xx.xx (this is the master)
ns2.xname.org (this should be the slave)
I created ns1.mysite.ca through kloxo and everything seems to be alright. I ran a trace on my domain name, and it comes out that the xname record is not authoritative, so xname doesn't know what to do with mysite.ca.
I logged into xname and saw the following when I asked it to list my zones:
Code:
Zone Name Server Serial View Status
mysite.ca (S) Logs I
ns0.xname.org. not available zone content
ns1.xname.org. not available zone content
ns2.xname.org. not available zone content
72.29.xx.xx not available zone content
So it's not getting the proper serial, which means it's not syncing properly with my master. When I hit 'zone content', I saw the following for ns0/ns1/ns2.xname.org:
Code:
; <<>> DiG 9.3.4-P1.2 <<>> axfr mysite.ca @ns1.xname.org.
; (1 server found)
;; global options: printcmd
; Transfer failed.
Under 72.29.xx.xx, zone content shows the following:
Code:
; <<>> DiG 9.3.4-P1.2 <<>> axfr mysite.ca @72.29.xx.xx
; (1 server found)
;; global options: printcmd
mysite.ca. 86000 IN SOA ns1.mysite.ca. admin.mysite.ca. 2011031101 10800 3600 604800 86400
mysite.ca. 86000 IN MX 10 mail.mysite.ca.
mysite.ca. 86000 IN A 72.29.xx.xx
mysite.ca. 86000 IN NS ns1.mysite.ca.
mysite.ca. 86000 IN NS ns2.xname.org.
_domainkey.mysite.ca. 86000 IN TXT "t=y\; o=-\; r=postmaster@mysite.ca"
private._domainkey.mysite.ca. 86000 IN TXT "k=rsa\; p=MEwwDQYJKoZIhvcNAQEBBQADOwAwOAIxAMiH3K4hL3M8KMRa1UFJwHXdsN4KDZSRDAnFFw0ouJ7a8XwZ3Jait9wY+iW+Ohz0lQIDAQAB"
cp.mysite.ca. 86000 IN A 72.29.xx.xx
ftp.mysite.ca. 86000 IN A 72.29.xx.xx
lists.mysite.ca. 86000 IN A 72.29.xx.xx
mail.mysite.ca. 86000 IN A 72.29.xx.xx
ns.mysite.ca. 86000 IN A 72.29.xx.xx
ns1.mysite.ca. 86000 IN A 72.29.xx.xx
ns2.mysite.ca. 86000 IN A 72.29.xx.xx
webmail.mysite.ca. 86000 IN A 72.29.xx.xx
www.mysite.ca. 86000 IN A 72.29.xx.xx
mysite.ca. 86000 IN SOA ns1.mysite.ca. admin.mysite.ca. 2011031101 10800 3600 604800 86400
;; Query time: 115 msec
;; SERVER: 72.29.xx.xx#53(72.29.xx.xx)
;; WHEN: Fri Mar 11 23:54:24 2011
;; XFR size: 17 records (messages 1)
Lastly, I will post my kloxo.named.conf (named.conf simply includes the kloxo file) and mysite.ca zone file.
/var/named/chroot/etc/kloxo.named.conf:
Code:
zone "mysite.ca" {
type master;
file "/var/named/mysite.ca";
allow-transfer {
195.234.42.0/24;
193.218.105.144/28;
87.98.164.164;
88.191.64.64;
92.243.14.172;
88.191.64.64;
};
};
/var/named/chroot/var/named/mysite.ca
Code:
$TTL 86000
@ IN SOA ns1.mysite.ca. admin.mysite.ca. (
2011031101 ; Serial
10800 ; Refresh
3600 ; Retry
604800 ; Expire
86400 ) ; Minimum
mysite.ca. IN NS ns2.xname.org.
mysite.ca. IN NS ns1.mysite.ca.
cp.mysite.ca. IN A 72.29.xx.xx
mysite.ca. IN A 72.29.xx.xx
ns.mysite.ca. IN A 72.29.xx.xx
ns1.mysite.ca. IN A 72.29.xx.xx
ns2.mysite.ca. IN A 72.29.xx.xx
mail.mysite.ca. IN A 72.29.xx.xx
www.mysite.ca. IN A 72.29.xx.xx
ftp.mysite.ca. IN A 72.29.xx.xx
webmail.mysite.ca. IN A 72.29.xx.xx
lists.mysite.ca. IN A 72.29.xx.xx
mysite.ca. IN MX 10 mail.mysite.ca.
_domainkey.mysite.ca. IN TXT "t=y; o=-; r=postmaster@mysite.ca"
private._domainkey.mysite.ca. IN TXT "k=rsa; p=MEwwDQYJKoZIhvcNAQEBBQADOwxxxxxxxxxxxxxxxxxxxxxx
Any help is appreciated.
Last edited by evilmonkey; 03-11-2011 at 06:07 PM.
; <<>> DiG 9.3.4-P1.2 <<>> axfr mysite.ca @ns1.xname.org.
; (1 server found)
;; global options: printcmd
; Transfer failed.
The above usually means that the host from which you ran the query is not allowed to do AXFRs (zone transfers).
You should run the same query from ns2.xname.org against your primary dns:
Code:
dig -t axfr mysite.ca @ns1.mysite.ca
to see if the slave can transfer the zone from master.
If it fails, make sure that the IP(s) of the slave(s) are listed in the allow-transfer list of IPs in the master zone and there is no firewall in between that blocks port 53 tcp/udp.
Also in the slave's zone definition, make sure you have ns1.mysite.ca as the master:
Code:
zone "mysite.ca" {
type slave;
masters {72.29.xx.xx;};
...
}
Regards
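To act on the advice above, here is an added shell example (not from the thread, kloxo or xname) that classifies the output of `dig -t axfr` the way the reply describes: a "; Transfer failed." line means the querying host is not in the master's allow-transfer list, while a successful transfer carries the SOA serial, which is exactly what the xname zone list was failing to pick up. The sample outputs below are constructed from the thread's dig runs with a made-up master address; `check_zone` is a hypothetical wrapper that issues the real queries and needs network access and `dig`.

```shell
#!/bin/sh
# Added example: classify `dig -t axfr` output and compare master/slave serials.
# Not code from the thread; sample outputs are constructed.

# Constructed: what the slave-side run returned in the thread.
AXFR_FAILED='; <<>> DiG 9.3.4-P1.2 <<>> axfr mysite.ca @ns1.xname.org.
; (1 server found)
;; global options: printcmd
; Transfer failed.'

# Constructed: a successful transfer, trimmed to the lines that matter.
# The SOA record is sent first and last; the serial is its 7th field.
AXFR_OK='; <<>> DiG 9.3.4-P1.2 <<>> axfr mysite.ca @192.0.2.10
mysite.ca. 86000 IN SOA ns1.mysite.ca. admin.mysite.ca. 2011031101 10800 3600 604800 86400
mysite.ca. 86000 IN NS ns1.mysite.ca.
mysite.ca. 86000 IN A 192.0.2.10
mysite.ca. 86000 IN SOA ns1.mysite.ca. admin.mysite.ca. 2011031101 10800 3600 604800 86400
;; XFR size: 4 records (messages 1)'

# axfr_serial: read AXFR output on stdin; print the SOA serial, or print
# FAILED and return 1 when the server refused (or returned no SOA).
axfr_serial() {
    out=$(cat)
    if printf '%s\n' "$out" | grep -q '^; Transfer failed'; then
        echo FAILED
        return 1
    fi
    # name ttl class SOA mname rname serial refresh retry expire minimum
    serial=$(printf '%s\n' "$out" | awk '$4 == "SOA" { print $7; exit }')
    if [ -z "$serial" ]; then
        echo FAILED
        return 1
    fi
    echo "$serial"
}

# serial_state MASTER_SERIAL SLAVE_SERIAL: report whether the slave caught up.
# An empty or FAILED slave serial is the thread's symptom: no zone on the slave.
serial_state() {
    master=$1; slave=$2
    case "$master" in
        ''|FAILED) echo master-unreachable; return 0 ;;
    esac
    case "$slave" in
        ''|FAILED) echo no-zone-on-slave; return 0 ;;
    esac
    if [ "$master" -eq "$slave" ]; then echo in-sync
    elif [ "$master" -gt "$slave" ]; then echo slave-stale
    else echo slave-ahead
    fi
}

# check_zone ZONE MASTER SLAVE (hypothetical live wrapper, needs dig + network):
# run this from the secondary host, since that is the address the master's
# allow-transfer must list. The slave's serial comes from a plain SOA query,
# which works even where the slave refuses AXFR to you.
check_zone() {
    m=$(dig -t axfr "$1" "@$2" | axfr_serial) || true
    s=$(dig +short soa "$1" "@$3" | awk '{ print $3 }')
    echo "zone=$1 master=$m slave=$s state=$(serial_state "$m" "$s")"
}

# Offline demonstration on the constructed samples.
m=$(printf '%s\n' "$AXFR_OK" | axfr_serial) || true
s=$(printf '%s\n' "$AXFR_FAILED" | axfr_serial) || true
echo "master=$m slave=$s state=$(serial_state "$m" "$s")"
```

Run on the constructed samples this prints `master=2011031101 slave=FAILED state=no-zone-on-slave`, the same picture as the xname zone list in the first post; once allow-transfer admits the slave's address, the state should move to `in-sync` after the next refresh or NOTIFY.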
Thanks for the response. Xname is a public DNS service that provides primary or secondary nameservers. I don't have direct access to their box, but since they have almost 200,000 zones hosted with them (including over 56,000 as secondary nameservers), I assume that everything is set up properly on their end.
Running a query on ns2.xname.org also gives me the transfer failed error. The only query that doesn't error out is the one on my VPS's IP address.
As for the IP of the slaves, I allowed it in my zone configs, as I posted above. There is no firewall that I know of.
I've read what's needed to use xname.org name servers as slaves and looks like your configuration about allow-transfer is correct.
If you're sure it's not a firewall, check the log files of the master to see if it denies AXFRs to the slave.
Also you can try to resolve your domain from the internet using:
Code:
dig mysite.ca @88.191.64.64
And add ns0.xname.org and ns1.xname.org to the NS records of your zone and use this site to check your DNS settings, so you can see whether you or xname is the culprit.
Mar 12 10:02:14 mysite named[25767]: client 92.243.14.172#39991: transfer of 'mysite.ca/IN': AXFR started
Mar 12 10:02:14 mysite named[25767]: client 92.243.14.172#39991: transfer of 'mysite.ca/IN': AXFR ended
I also checked intodns and xname seems to be the culprit. I changed 'allow transfers' to "all", and after that, ns1.xname.org started showing the following under 'zone content':
Code:
; ; <<>> DiG 9.3.4-P1.2 <<>> axfr mysite.ca @ns1.xname.org.
; (1 server found)
;; global options: printcmd
mysite.ca. 86000 IN SOA ns1.mysite.ca. admin.mysite.ca. 2011031101 10800 3600 604800 86400
mysite.ca. 86000 IN NS ns1.mysite.ca.
mysite.ca. 86000 IN NS ns2.xname.org.
mysite.ca. 86000 IN A 72.29.xx.xx
mysite.ca. 86000 IN MX 10 mail.mysite.ca.
_domainkey.mysite.ca. 86000 IN TXT "t=y\; o=-\; r=postmaster@mysite.ca"
private._domainkey.mysite.ca. 86000 IN TXT "k=rsa\; p=MEwwDQYJKoZIhvcNAQEBBQADOwAwOAIxAMiH3K4hL3M8KMRa1UFJwHXdsN4KDZSRDAnFFw0ouJ7a8XwZ3Jait9wY+iW+Ohz0lQIDAQAB"
cp.mysite.ca. 86000 IN A 72.29.xx.xx
ftp.mysite.ca. 86000 IN A 72.29.xx.xx
lists.mysite.ca. 86000 IN A 72.29.xx.xx
mail.mysite.ca. 86000 IN A 72.29.xx.xx
ns.mysite.ca. 86000 IN A 72.29.xx.xx
ns1.mysite.ca. 86000 IN A 72.29.xx.xx
ns2.mysite.ca. 86000 IN A 72.29.xx.xx
webmail.mysite.ca. 86000 IN A 72.29.xx.xx
www.mysite.ca. 86000 IN A 72.29.xx.xx
mysite.ca. 86000 IN SOA ns1.mysite.ca. admin.mysite.ca. 2011031101 10800 3600 604800 86400
;; Query time: 165 msec
;; SERVER: 87.98.164.164#53(87.98.164.164)
;; WHEN: Sat Mar 12 20:40:30 2011
;; XFR size: 17 records (messages 1)
ns0 and ns2 are still showing transfer failed and there's no serial number on any of them. I also added ns0 and ns1 to the mysite.ca file on the master. It looks like that has yet to propagate to xname. Can I force an update somehow?
Thanks!
Last edited by evilmonkey; 03-12-2011 at 01:44 PM.
but I don't think it's going to work. Better use ns1.xname.org as your slave, or contact the xname support and tell them about your problem.
In the meantime stop using "all" for allow-transfer, because anyone can fetch your domain data.
I read that allow-transfer all isn't actually a security hole because DNS information is public, so there's nothing anyone can pull from my master DNS server that isn't already in the public record. Is there any reason not to have it set to "all"?
I changed my secondary nameserver to ns1.xname.org, let's see if that solves my issues. Thank you very much for all your help!
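The exchange above is the usual argument about open zone transfers. The records are individually public, but an unrestricted AXFR hands the whole zone over in one query, so every hostname (cp, webmail, lists, the DKIM selector) is enumerated without any guessing, which is why the standard advice is to restrict transfers to the secondary's addresses, and to sign them with TSIG where the secondary operator supports it. As an added shell example (not from the thread or from BIND's own tooling), the audit below reads a named.conf, reports each zone's allow-transfer setting and flags `any`; `hardened_zone_config` prints the restricted form of the thread's zone clause with a TSIG key. The key name and secret are placeholders, `hmac-sha256` is available in BIND releases newer than the 9.3 used in the thread, and the sample configurations are constructed (the restricted one copies the address list posted in the thread).

```shell
#!/bin/sh
# Added example: audit allow-transfer in named.conf and show the hardened form.
# Not code from the thread; the configurations below are constructed.

# Constructed: the "all" setting the poster switched to (BIND spells it any).
OPEN_CONF=$(cat <<'EOF'
zone "mysite.ca" {
    type master;
    file "/var/named/mysite.ca";
    allow-transfer { any; };
};
EOF
)

# Constructed copy of the address-restricted clause posted in the thread.
PAGE_CONF=$(cat <<'EOF'
zone "mysite.ca" {
    type master;
    file "/var/named/mysite.ca";
    allow-transfer {
        195.234.42.0/24;
        193.218.105.144/28;
        87.98.164.164;
        88.191.64.64;
        92.243.14.172;
    };
};
EOF
)

# audit_allow_transfer: named.conf on stdin -> one line per zone:
#   zone=<name> status=OPEN|RESTRICTED|UNSET acl=<entries>
# Handles both single-line and multi-line allow-transfer blocks.
audit_allow_transfer() {
    awk '
    function report() {
        if (!found)                 status = "UNSET"
        else if (acl ~ /(^|;)any;/) status = "OPEN"
        else                        status = "RESTRICTED"
        printf "zone=%s status=%s acl=%s\n", zone, status, (found ? acl : "-")
    }
    /^[ \t]*zone[ \t]+"/ {
        if (zone != "") report()
        match($0, /"[^"]+"/)
        zone = substr($0, RSTART + 1, RLENGTH - 2)
        acl = ""; found = 0; inacl = 0
    }
    /allow-transfer/ {
        found = 1; inacl = 1
        sub(/.*allow-transfer[ \t]*\{?/, "")   # keep only what follows the brace
    }
    inacl {
        line = $0
        if (line ~ /\}/) { sub(/\}.*/, "", line); inacl = 0 }
        gsub(/[ \t]/, "", line)
        acl = acl line
    }
    END { if (zone != "") report() }
    '
}

# hardened_zone_config: the corrected form of the zone clause. Only requests
# signed with the shared TSIG key are served; the secondary needs the same
# key in its configuration. The secret is a placeholder, not a real key.
hardened_zone_config() {
    cat <<'EOF'
key "xfer-key" {
    algorithm hmac-sha256;
    secret "REPLACE-WITH-BASE64-SECRET";   # placeholder generated out of band
};

zone "mysite.ca" {
    type master;
    file "/var/named/mysite.ca";
    allow-transfer { key "xfer-key"; };
};
EOF
}

# Offline demonstration: weak setting, the thread's setting, the hardened one.
printf '%s\n' "$OPEN_CONF" | audit_allow_transfer
printf '%s\n' "$PAGE_CONF" | audit_allow_transfer
hardened_zone_config | audit_allow_transfer
```

Point the audit at the real file with `audit_allow_transfer < /var/named/chroot/etc/kloxo.named.conf`; a `status=OPEN` line is the setting the reply above warns about, and `UNSET` means the zone inherits whatever the `options {}` block says, which is worth checking as well.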
Thank you very much for the link, incidentally, I have already read that.
Just out of curiosity, what causes the failure on the last line (this is what I see when bind starts, from /var/log/messages):
Code:
Mar 12 18:20:10 mysite named[15740]: starting BIND 9.3.6-P1-RedHat-9.3.6-4.P1.el5_5.3 -u named -t /var/named/ch$
Mar 12 18:20:10 mysite named[15740]: found 4 CPUs, using 4 worker threads
Mar 12 18:20:10 mysite named[15740]: using up to 4096 sockets
Mar 12 18:20:10 mysite named[15740]: loading configuration from '/etc/named.conf'
Mar 12 18:20:10 mysite named[15740]: max open files (1024) is smaller than max sockets (4096)
Mar 12 18:20:10 mysite named[15740]: using default UDP/IPv4 port range: [1024, 65535]
Mar 12 18:20:10 mysite named[15740]: using default UDP/IPv6 port range: [1024, 65535]
Mar 12 18:20:10 mysite named[15740]: listening on IPv4 interface lo, 127.0.0.1#53
Mar 12 18:20:10 mysite named[15740]: listening on IPv4 interface venet0:0, 72.29.xx.xx#53
Mar 12 18:20:10 mysite named[15740]: command channel listening on 127.0.0.1#953
Mar 12 18:20:10 mysite named[15740]: command channel listening on ::1#953
Mar 12 18:20:10 mysite named[15740]: the working directory is not writable
Mar 12 18:20:10 mysite named[15740]: zone mysite.ca/IN: loaded serial 2011031201
Mar 12 18:20:10 mysite named[15740]: running
Mar 12 18:20:10 mysite named[15740]: zone mysite.ca/IN: sending notifies (serial 2011031201)
Mar 12 18:20:10 mysite named[15740]: network unreachable resolving './NS/IN': 2001:503:c27::2:30#53
and what can I do about it? Would it have anything to do with my problems?
Last edited by evilmonkey; 03-12-2011 at 08:29 PM.
Just out of curiosity, what causes the failure on the last line (this is what I see when bind starts, from /var/log/messages):
--snip--
Mar 12 18:20:10 mysite named[15740]: network unreachable resolving './NS/IN': 2001:503:c27::2:30#53
I guess your server tries to use ipv6, while this is not supported by your network. You can disable the ipv6 module and restart bind in ipv4 mode only.
As routers already pointed out, you also have a permissions problem. Check the chroot directory permissions and maybe the SELinux policy.
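As an added example (not from the thread), the shell triage below reads named messages from /var/log/messages and maps the ones seen in this thread to their usual causes: the IPv6 "network unreachable" line to a host without an IPv6 route (silenced by starting named with `-4`, IPv4 only), "the working directory is not writable" to the chroot permissions problem, the open-files warning to the descriptor limit, and the AXFR started/ended and "denied" lines to transfers that were served or refused by allow-transfer. The sample log is a constructed copy of the lines posted in the thread plus one constructed "denied" line with a documentation-range client address.

```shell
#!/bin/sh
# Added example: triage named log lines by message pattern.
# Not code from the thread; SAMPLE_LOG is constructed from the posted lines.

SAMPLE_LOG=$(cat <<'EOF'
Mar 12 18:20:10 mysite named[15740]: max open files (1024) is smaller than max sockets (4096)
Mar 12 18:20:10 mysite named[15740]: listening on IPv4 interface venet0:0, 72.29.xx.xx#53
Mar 12 18:20:10 mysite named[15740]: the working directory is not writable
Mar 12 18:20:10 mysite named[15740]: zone mysite.ca/IN: loaded serial 2011031201
Mar 12 18:20:10 mysite named[15740]: network unreachable resolving './NS/IN': 2001:503:c27::2:30#53
Mar 12 10:02:14 mysite named[25767]: client 92.243.14.172#39991: transfer of 'mysite.ca/IN': AXFR started
Mar 12 10:02:14 mysite named[25767]: client 92.243.14.172#39991: transfer of 'mysite.ca/IN': AXFR ended
Mar 12 10:05:00 mysite named[25767]: client 203.0.113.9#4242: zone transfer 'mysite.ca/IN' denied
EOF
)

# named_log_triage: log lines on stdin -> "LEVEL: explanation" per known message.
# Lines that match no pattern are ignored, so it can run over a whole syslog.
named_log_triage() {
    awk '
    function hit(level, why) { printf "%s: %s\n", level, why }
    # IPv6 target (hex groups and colons before #53) that the host cannot route to.
    /network unreachable resolving/ && /:[0-9a-fA-F:]+#53$/ {
        hit("IPV6", "no IPv6 route to that server; authoritative service is unaffected, start named with -4 (OPTIONS=\"-4\" in /etc/sysconfig/named on RHEL/CentOS) to stop it")
        next
    }
    /the working directory is not writable/ {
        hit("PERMS", "named cannot write its working directory (chroot var/named); check ownership and SELinux context, a slave cannot store transferred zones there")
        next
    }
    /max open files \([0-9]+\) is smaller than max sockets/ {
        hit("LIMITS", "descriptor limit below the socket count; raise ulimit -n for named or lower the files option")
        next
    }
    /transfer of .*: AXFR (started|ended)/ {
        hit("XFER-OK", "a client permitted by allow-transfer pulled the zone: " $0)
        next
    }
    /zone transfer .* denied/ {
        hit("XFER-DENIED", "AXFR refused by allow-transfer; expected for strangers, a misconfiguration if the client is your secondary: " $0)
        next
    }
    '
}

# Offline demonstration over the constructed sample.
printf '%s\n' "$SAMPLE_LOG" | named_log_triage
```

On a live box run `grep 'named\[' /var/log/messages | named_log_triage`; the XFER-OK lines are the master-side confirmation that the thread's 92.243.14.172 pull succeeded, and any XFER-DENIED line naming one of your secondary's addresses points straight at the allow-transfer list.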
Thanks for your help and pointing out the permission problem. The transfer failures seem to be an xname problem. I got an account with dns.he.net and everything started working immediately. I learned way more than I ever wanted to know about DNS through this experience, so thank you very much!
I have a hosting server with a DNS server enabled as slave.
As master I use he.net name servers.
The problem is DNS entries from the master don't transfer to the slave, even if a test transfer succeeds.