Bind slave not receiving notifications (gentoo only)

DukeLeto · 07-07-2008, 12:49 PM

I have several bind servers (most of them are BIND 9.3.4). Several are masters for a few of my zones.

I am migrating an old BIND 8.4.6 server to a new Gentoo server (running BIND 9.4.1). I have copied over and modified it's config files/zones (to take advantage of chroot, different directory layouts, etc).

a snippet from the simple named.conf on this server (ip's removed for security):

Code:

options { 

        listen-on { 127.0.0.1; x.x.x.164; }; 
        allow-recursion  { 127.0.0.1; x.x.x.0/24; }; 
}; 

zone "mydomain.com" IN { 
        type slave; 
        masters { x.x.x.7; }; 
        file "/var/bind/pri/forward/mydomain.com.zone"; 
};

If I change the zone (I'm not forgetting to change the serial number) on the master, x.x.x.7, to all other slaves, the change is replicated, including the one from whom these config files came.

On this Gentoo slave, the transfer isn't noticed until I perform 'rndc reload'.

If I add an 'also-notify' directive to the master's named.conf, then the zone is transferred immediately, however, none of the other slaves require this, and they are a mixture of debian, redhat, and centos.

Does anyone have any ideas what I can do?

Michael

Mr. C. · 07-08-2008, 02:03 AM

Have you confirmed that the Gentoo box is not receiving the NOTIFY query?

You can enable logging of this, or use tcpdump to look for the query.

DukeLeto · 07-08-2008, 03:12 AM

Quote:

Originally Posted by Mr. C.

Have you confirmed that the Gentoo box is not receiving the NOTIFY query?

You can enable logging of this, or use tcpdump to look for the query.

I'm logging transfers, here's my logging conf:

Code:

logging {

  channel default_file { file "/var/log/named/default.log" versions 3 size 5m; severity dynamic; print-time yes; };
  channel general_file { file "/var/log/named/general.log" versions 3 size 5m; severity dynamic; print-time yes; };
  channel database_file { file "/var/log/named/database.log" versions 3 size 5m; severity dynamic; print-time yes; };
  channel security_file { file "/var/log/named/security.log" versions 3 size 5m; severity dynamic; print-time yes; };
  channel config_file { file "/var/log/named/config.log" versions 3 size 5m; severity dynamic; print-time yes; };
  channel resolver_file { file "/var/log/named/resolver.log" versions 3 size 5m; severity dynamic; print-time yes; };
  channel xfer-in_file { file "/var/log/named/xfer-in.log" versions 3 size 5m; severity dynamic; print-time yes; };
  channel xfer-out_file { file "/var/log/named/xfer-out.log" versions 3 size 5m; severity dynamic; print-time yes; };
  channel notify_file { file "/var/log/named/notify.log" versions 3 size 5m; severity dynamic; print-time yes; };
  channel client_file { file "/var/log/named/client.log" versions 3 size 5m; severity dynamic; print-time yes; };
  channel unmatched_file { file "/var/log/named/unmatched.log" versions 3 size 5m; severity dynamic; print-time yes; };
  channel queries_file { file "/var/log/named/queries.log" versions 3 size 5m; severity dynamic; print-time yes; };
  channel network_file { file "/var/log/named/network.log" versions 3 size 5m; severity dynamic; print-time yes; };
  channel update_file { file "/var/log/named/update.log" versions 3 size 5m; severity dynamic; print-time yes; };
  channel dispatch_file { file "/var/log/named/dispatch.log" versions 3 size 5m; severity dynamic; print-time yes; };
  channel dnssec_file { file "/var/log/named/dnssec.log" versions 3 size 5m; severity dynamic; print-time yes; };
  channel lame-servers_file { file "/var/log/named/lame-servers.log" versions 3 size 5m; severity dynamic; print-time yes; };

  category default { default_file; };
  category general { general_file; };
  category database { database_file; };
  category security { security_file; };
  category config { config_file; };
  category resolver { resolver_file; };
  category xfer-in { xfer-in_file; };
  category xfer-out { xfer-out_file; };
  category notify { notify_file; };
  category client { client_file; };
  category unmatched { unmatched_file; };
  category queries { queries_file; };
  category network { network_file; };
  category update { update_file; };
  category dispatch { dispatch_file; };
  category dnssec { dnssec_file; };
  category lame-servers { lame-servers_file; };

};

With all of that logging, if I look in notify.log or xfer-in.log, I do not see the notify UNLESS I perform an rndc reload <zone>. I've waited a long time, but the notify never comes, yet it does for other servers. It's something I just haven't been able to figure out.

Michael

Mr. C. · 07-08-2008, 03:26 AM

I believe Bind generates the list of slave servers by looking at all the NS records in a zone. It won't send a NOTIFY to any client that of course is its own host name, or the master server name in the SOA record. Make sure this isn't an issue.

You don't have so many zones that you're max'ing UPD I suppose.

Also, be sure the firewall rule is blocking the unsolicited inbound query.

DukeLeto · 07-08-2008, 04:57 AM

Quote:

Originally Posted by Mr. C.

I believe Bind generates the list of slave servers by looking at all the NS records in a zone. I won't send a NOTIFY to any client that of course is its own host name, or the master server name in the SOA record. Make sure this isn't an issue.

You don't have so many zones that you're max'ing UPD I suppose.

Also, be sure the firewall rule is blocking the unsolicited inbound query.

When it looks at the NS records, for instance, if I had NS records such as:

ns1.example.com
ns2.example.com
ns3.example.com

And I was the authoratize for example.com, will it determine the ip's for the ns records from the zone file, or from when I registered the nameserver with my registrar?

Michael

Mr. C. · 07-08-2008, 12:21 PM

For the zone being updated, it looks inside that zone file for any NS records, and uses those. It then strips out itself (doesn't need to notify itself) and strips out the MNAME in the SOA.

DukeLeto · 07-10-2008, 02:28 AM

Thanks, this is solved. The nameserver list in the zone was what was missing.

Michael

Mr. C. · 07-10-2008, 02:30 AM

Nice work!

Mr. C. · 07-10-2008, 02:33 AM

Oh, and be sure to update your bind software immediately!