DNS secondary zone transfer problems
I am trying to set up a DNS secondary. The problem is, there is no zone transfer happening. I would appreciate any help at all. I have been working on this for several days now and I'm getting nowhere. I'm using BIND v9.2.3 on Fedora2.
Here is the log sequence on the primary machine (arcturus):
-----------------------------------------------------------
Feb 23 13:23:23 arcturus named[6107]: zone 42.xx.yy.in-addr.arpa/IN: loaded serial 2005022202
Feb 23 13:23:23 arcturus named[6107]: zone 43.xx.yy.in-addr.arpa/IN: loaded serial 2005022302
Feb 23 13:23:23 arcturus named[6107]: zone mydomain.com/IN: loaded serial 2005022302
Feb 23 13:23:23 arcturus named[6107]: zone myotherdomain.com/IN: loaded serial 2005022302
Feb 23 13:23:23 arcturus named[6107]: running
Feb 23 13:23:23 arcturus named[6107]: zone mydomain.com/IN: sending notifies (serial 2005022302)
Feb 23 13:23:23 arcturus named[6107]: zone myotherdomain.com/IN: sending notifies (serial 2005022302)
Feb 23 13:23:23 arcturus named[6107]: zone 42.xx.yy.in-addr.arpa/IN: sending notifies (serial 2005022202)
Feb 23 13:23:23 arcturus named[6107]: zone 43.xx.yy.in-addr.arpa/IN: sending notifies (serial 2005022302)
-----------------------------------------------------------
Here is the log sequence on the secondary machine:
-----------------------------------------------------------
Feb 23 14:41:25 localhost named[12805]: received notify for zone 'mydomain.com': not authoritative
Feb 23 14:41:26 localhost named[12805]: received notify for zone 'myotherdomain.com': not authoritative
Feb 23 14:41:26 localhost named[12805]: received notify for zone '42.xx.yy.in-addr.arpa': not authoritative
Feb 23 14:41:26 localhost named[12805]: received notify for zone '43.xx.yy.in-addr.arpa': not authoritative
-----------------------------------------------------------
The problem seems to be that no zone transfer is occurring because the secondary does not regard the primary as authoritative.
However, when I do a dig request to the primary machine from the secondary, the aa flag is up, indicating "authoritative answer".
-----------------------------------------------------------
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 8157
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 6, ADDITIONAL: 6
-----------------------------------------------------------
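An added example, written for this edit and not taken from the thread. The `aa` flag in a reply from the primary only says that the primary is authoritative; whether the secondary actually holds the zone is answered by querying the secondary itself with `dig @<secondary> <zone> SOA +norecurse` and checking for `aa` plus the same SOA serial the primary reports. The dig replies embedded below are constructed sample text (the zone name and serial are the ones in the posts above; the SOA contents are made up), and the parser reads dig's text output rather than talking to the network:

```python
"""Classify a secondary's state for one zone from two `dig ... SOA +norecurse`
replies: one from the primary, one from the secondary.  Editor's example; the
reply texts are constructed, not captured from the original poster's servers.
"""
import re

# Constructed: healthy primary, `dig @primary mydomain.com SOA +norecurse`
PRIMARY_REPLY = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 8157
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 0

;; ANSWER SECTION:
mydomain.com.  3600  IN  SOA  ns1.mydomain.com. hostmaster.mydomain.com. 2005022302 10800 3600 604800 3600
"""

# Constructed: secondary that has the zone configured but never transferred it
SECONDARY_NOT_LOADED = """\
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 8158
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
"""

# Constructed: secondary that completed a transfer of an older serial
SECONDARY_STALE = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 8159
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 0

;; ANSWER SECTION:
mydomain.com.  3600  IN  SOA  ns1.mydomain.com. hostmaster.mydomain.com. 2005022202 10800 3600 604800 3600
"""

# Constructed: secondary in sync with the primary
SECONDARY_IN_SYNC = PRIMARY_REPLY.replace("id: 8157", "id: 8160")


def parse_dig_reply(text):
    """Return (status, set-of-flags, soa_serial) from dig's text output.
    soa_serial is None when the reply carries no SOA record."""
    status_m = re.search(r"status: (\w+)", text)
    flags_m = re.search(r";; flags: ([^;]*);", text)
    serial_m = re.search(r"\sIN\s+SOA\s+\S+\s+\S+\s+(\d+)", text)
    status = status_m.group(1) if status_m else None
    flags = set(flags_m.group(1).split()) if flags_m else set()
    serial = int(serial_m.group(1)) if serial_m else None
    return status, flags, serial


def secondary_state(primary_text, secondary_text):
    """Compare the two replies; only an `aa` answer from the secondary with
    the primary's serial means the transfer has happened."""
    _, p_flags, p_serial = parse_dig_reply(primary_text)
    _, s_flags, s_serial = parse_dig_reply(secondary_text)
    if "aa" not in p_flags or p_serial is None:
        return "primary-not-authoritative"
    if "aa" not in s_flags or s_serial is None:
        return "secondary-not-loaded"
    if s_serial == p_serial:
        return "in-sync"
    return "secondary-stale" if s_serial < p_serial else "secondary-ahead"


if __name__ == "__main__":
    for label, reply in (("not loaded", SECONDARY_NOT_LOADED),
                         ("stale", SECONDARY_STALE),
                         ("in sync", SECONDARY_IN_SYNC)):
        print(label, "->", secondary_state(PRIMARY_REPLY, reply))
```

To use it against live servers, save the two dig outputs to files and pass their contents to `secondary_state`; `+norecurse` matters, because with recursion on a caching secondary can answer for the zone from cache without `aa` and without ever having transferred it.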
Could you post your configuration file? The answer, I am sure, lies there.

Tom
Quote:
-------------------------------------------------- Secondary config file --------------------------------------------------
// generated by named-bootconf.pl

acl "stuff" { {yy.xx.42.158; yy.xx.42.235; }; };

options {
	directory "/var/named";
	/*
	 * If there is a firewall between you and nameservers you want
	 * to talk to, you might need to uncomment the query-source
	 * directive below.  Previous versions of BIND always asked
	 * questions using port 53, but BIND 8.1 uses an unprivileged
	 * port by default.
	 */
	query-source address * port 53;
	allow-query { stuff; };
	allow-recursion { stuff; };
};

//
// a caching only nameserver config
//
controls {
	inet 127.0.0.1 allow { localhost; } keys { rndckey; };
};

zone "." IN {
	type hint;
	file "named.ca";
};

zone "localhost" IN {
	type master;
	file "localhost.zone";
	allow-update { none; };
};

zone "0.0.127.in-addr.arpa" IN {
	type master;
	file "named.local";
	allow-update { none; };
};

zone "mydomain.com" IN {
	type slave;
	file "slaves/mydomain.db";
	allow-query { any; };
	masters { yy.xx.42.235; };
};

zone "myotherdomain.com" IN {
	type slave;
	file "slaves/myotherdomain.db";
	allow-query { any; };
	masters { yy.xx.42.235; };
};

zone "42.xx.yy.in-addr.arpa" {
	type slave;
	file "slaves/db.yy.xx.42";
	allow-query { any; };
	masters { yy.xx.42.235; };
};

include "/etc/rndc.key";
-------------------------------------------------- Primary config file --------------------------------------------------
// generated by named-bootconf.pl
// secret must be the same as in /etc/rndc.conf
key "key" {
	algorithm hmac-md5;
	secret "VEIPNlYh7R1W";
};

controls {
	inet 127.0.0.1 allow { any; } keys { "key"; };
};

acl "stuff" { {yy.xx.42.158; yy.xx.42.235; }; };

options {
	pid-file "/var/run/named/named.pid";
	directory "/var/named";
	version "9.2.3rc2";
	/*
	 * If there is a firewall between you and nameservers you want
	 * to talk to, you might need to uncomment the query-source
	 * directive below.  Previous versions of BIND always asked
	 * questions using port 53, but BIND 8.1 uses an unprivileged
	 * port by default.
	 */
	// query-source address * port 53;
	allow-query { stuff; };
	allow-recursion { stuff; };
};

//
// a caching only nameserver config
//
zone "." {
	type hint;
	file "named.ca";
};

zone "mydomain.com" {
	type master;
	file "mydomain.db";
	// some security
	allow-query { any; };
	allow-transfer { yy.xx.42.158; };
};

zone "myotherdomain.com" {
	type master;
	file "myotherdomain.db";
	allow-query { any; };
	allow-transfer { yy.xx.42.158; };
};

zone "42.xx.yy.in-addr.arpa" {
	type master;
	file "db.yy.xx.42";
	allow-query { any; };
	allow-transfer { yy.xx.42.158; };
};

zone "43.xx.yy.in-addr.arpa" {
	type master;
	file "db.yy.xx.43";
	allow-query { any; };
	allow-transfer { yy.xx.42.158; };
};

zone "0.0.127.in-addr.arpa" {
	type master;
	file "named.local";
};
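An added example, written for this edit and not part of the thread, that cross-checks the two named.conf files above the way a reviewer would. BIND logs `received notify for zone 'X': not authoritative` when the server that received the NOTIFY has no zone X configured, so the first comparison is the zone list on each side; after that come the `masters` and `allow-transfer` pairing, and a check for a pinned `query-source` port, which the secondary has uncommented and which removes source-port randomisation from its outgoing queries. The two config strings are trimmed copies of the posted files with the same placeholder addresses (yy.xx.42.235 is the primary, yy.xx.42.158 the secondary); only literal addresses inside `masters` and `allow-transfer` are matched, ACL names are not expanded. Run against the posted stanzas it flags exactly one zone, 43.xx.yy.in-addr.arpa, which the primary notifies but the secondary never declares; the other three are consistent in these files, which points the remaining investigation at whether the running named actually loaded them (the secondary's log excerpt shows no "loaded serial" lines at all).

```python
"""Cross-check a primary's and a secondary's named.conf for the things that
stop a zone transfer.  Editor's example; the configs are trimmed copies of
the ones posted in the thread, with the same placeholder addresses.
"""
import re

PRIMARY_CONF = """\
options { directory "/var/named"; allow-query { stuff; }; };
zone "mydomain.com" { type master; file "mydomain.db"; allow-transfer { yy.xx.42.158; }; };
zone "myotherdomain.com" { type master; file "myotherdomain.db"; allow-transfer { yy.xx.42.158; }; };
zone "42.xx.yy.in-addr.arpa" { type master; file "db.yy.xx.42"; allow-transfer { yy.xx.42.158; }; };
zone "43.xx.yy.in-addr.arpa" { type master; file "db.yy.xx.43"; allow-transfer { yy.xx.42.158; }; };
zone "0.0.127.in-addr.arpa" { type master; file "named.local"; };
"""

SECONDARY_CONF = """\
options { directory "/var/named"; query-source address * port 53; allow-query { stuff; }; };
zone "0.0.127.in-addr.arpa" IN { type master; file "named.local"; };
zone "mydomain.com" IN { type slave; file "slaves/mydomain.db"; masters { yy.xx.42.235; }; };
zone "myotherdomain.com" IN { type slave; file "slaves/myotherdomain.db"; masters { yy.xx.42.235; }; };
zone "42.xx.yy.in-addr.arpa" { type slave; file "slaves/db.yy.xx.42"; masters { yy.xx.42.235; }; };
"""


def strip_comments(text):
    """Remove /* */, // and # comments, all of which named.conf accepts."""
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)
    return re.sub(r"(//|#)[^\n]*", "", text)


def _block(text, start):
    """Body of the brace block whose '{' is at text[start]; handles nesting."""
    depth = 0
    for i in range(start, len(text)):
        if text[i] == "{":
            depth += 1
        elif text[i] == "}":
            depth -= 1
            if depth == 0:
                return text[start + 1:i]
    raise ValueError("unbalanced braces in named.conf")


def _addr_list(body, key):
    """Entries of `key { a; b; };` inside body, or None if the key is absent."""
    m = re.search(r"\b%s\s*\{" % key, body)
    if not m:
        return None
    return [a.strip() for a in _block(body, m.end() - 1).split(";") if a.strip()]


def parse_zones(conf):
    """Map zone name -> {'type', 'masters', 'allow-transfer'}.  The class
    token (IN) that the thread argues about is optional and ignored."""
    text = strip_comments(conf)
    zones = {}
    for m in re.finditer(r'\bzone\s+"([^"]+)"\s*(?:IN\s+)?\{', text):
        body = _block(text, m.end() - 1)
        t = re.search(r"\btype\s+(\w+)\s*;", body)
        zones[m.group(1)] = {
            "type": t.group(1) if t else None,
            "masters": _addr_list(body, "masters") or [],
            "allow-transfer": _addr_list(body, "allow-transfer"),  # None = inherits options default
        }
    return zones


def pins_query_port(conf):
    """True when options pins the outgoing query port (no source-port randomisation)."""
    return re.search(r"\bquery-source\b[^;]*\bport\s+\d+\s*;", strip_comments(conf)) is not None


def cross_check(primary_conf, secondary_conf, primary_ip, secondary_ip):
    """Return (zone, problem) pairs that would prevent or weaken the transfer."""
    findings = []
    primary, secondary = parse_zones(primary_conf), parse_zones(secondary_conf)
    for name, pz in primary.items():
        if pz["type"] != "master":
            continue
        sz = secondary.get(name)
        if sz is None:
            findings.append((name, "not configured on the secondary: its NOTIFY is logged as 'not authoritative'"))
            continue
        if sz["type"] != "slave":
            continue  # mastered locally on both boxes, e.g. 0.0.127.in-addr.arpa
        if primary_ip not in sz["masters"]:
            findings.append((name, "secondary's masters list does not name the primary"))
        allowed = pz["allow-transfer"]
        if allowed is not None and secondary_ip not in allowed and "any" not in allowed:
            findings.append((name, "primary's allow-transfer excludes the secondary: AXFR would be refused"))
    for label, conf in (("primary", primary_conf), ("secondary", secondary_conf)):
        if pins_query_port(conf):
            findings.append(("options", label + " pins query-source port: outgoing queries lose source-port randomisation"))
    return findings


if __name__ == "__main__":
    for zone, problem in cross_check(PRIMARY_CONF, SECONDARY_CONF, "yy.xx.42.235", "yy.xx.42.158"):
        print("%-24s %s" % (zone, problem))
```

Feed it the real files with `open(path).read()` in place of the two constants; the parser is deliberately small and ignores `view` blocks and ACL references, so treat a clean report as "nothing obviously wrong in these files", not as proof the running daemon loaded them.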
When you say no transfers are taking place, do you mean no files are being created inside the slaves directory?
In your slave, should the line not be

zone "mydomain.com" {

instead of

zone "mydomain.com" IN {

Clear all your transferred files inside the slaves directory. Stop both name servers and start them again. See if you can see anything in the logs. Try increasing the debug level as well.
Same problem
I have the same problem. My slave says "not authoritative" when it receives a notify from the master. This has nothing to do with write permissions or the IN class in named.conf.
This seems to work fine on BIND version 9.2.1 but not on 9.2.4. Another problem I have with 9.2.3 is that wildcard zones do not work properly.

my.test A 10.0.0.2
*.test A 10.0.0.1

I can resolve whatever.test but not my.test. If I run the same zone file on v9.2.1 it works fine.

Morten
Quote:
As far as the wildcard, I just tested this, and it works for me.
Code:
dog.testing.com. IN A 172.16.0.2
Code:
# named -v
As far as the zone transfer to the slave, I'm guessing it's just a config issue. This thread is so old I won't even bother going over the original post. Can you post your configs?