bind 9 zone not transferring without "service named restart"

============================================
master dns server
============================================
cat /etc/named.conf
options {
listen-on port 53 { 127.0.0.1; 10.0.0.101;};
# listen-on-v6 port 53 { ::1; };
directory "/var/named";
dump-file "/var/named/data/cache_dump.db";
statistics-file "/var/named/data/named_stats.txt";
memstatistics-file "/var/named/data/named_mem_stats.txt";
allow-query { 10.0.0.0/24;};
allow-transfer { 10.0.0.102;};
# notify yes; # notify all secondary nameservers
recursion no;

dnssec-enable yes;
dnssec-validation yes;

/* Path to ISC DLV key */
bindkeys-file "/etc/named.iscdlv.key";

managed-keys-directory "/var/named/dynamic";
};

logging {
channel default_debug {
file "data/named.run";
severity dynamic;
};
};

zone "." IN {
type hint;
file "named.ca";
};

zone"test.com" IN {
type master;
file "test.fwd.zone";
allow-update { 10.0.0.102; };
notify yes;
};

zone "0.0.10.in-addr.arpa" IN {
type master;
file "test.rev.zone";
allow-update { 10.0.0.102; };
notify yes;
};

include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";

============================================
slave dns server
============================================
cat /etc/named.conf
options {
listen-on port 53 { 127.0.0.1; 10.0.0.102;};
listen-on-v6 port 53 { ::1; };
directory "/var/named";
dump-file "/var/named/data/cache_dump.db";
statistics-file "/var/named/data/named_stats.txt";
memstatistics-file "/var/named/data/named_mem_stats.txt";
allow-query { 10.0.0.0/24;};
recursion no;

dnssec-enable yes;
dnssec-validation yes;

/* Path to ISC DLV key */
bindkeys-file "/etc/named.iscdlv.key";

managed-keys-directory "/var/named/dynamic";
};

logging {
channel default_debug {
file "data/named.run";
severity dynamic;
};
};

zone "." IN {
type hint;
file "named.ca";
};
zone"test.com" IN {
type slave;
file "slaves/test.fwd.zone";
masters { 10.0.0.101; };
};
zone"0.0.10.in-addr.arpa" IN {
type slave;
file "slaves/test.rev.zone";
masters { 10.0.0.101; };
};
include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";

Thanks in Advance,
Gaurav Bhatkar

Do you remember to increase the serial number after editing the zonefile?

yes, but still zones not transferring.
port 53/udp is also open on both the machines.

You didn't post the master zonefile, so we cannot tell if there is something wrong with it. Enable XFER logging and see if you get anything.

Also make sure that you list master and slave nameservers in the NS records in the zonefile of master. E.g.

Kindly refer to zone files:-

===================================================
[root@ns1 ~]# cat /var/named/test.fwd.zone
$TTL 1D
@ IN SOA ns1.test.com. root.test.com (
201803173 ; serial
1D ; refresh
1H ; retry
1W ; expire
3H ) ; minimum
@ IN NS ns1.test.com.
@ IN NS ns2.test.com.
@ IN A 10.0.0.101
@ IN A 10.0.0.102
; machines in domain
@ IN A 10.0.0.103
@ IN A 10.0.0.104
@ IN A 10.0.0.105
@ IN A 10.0.0.106

ns1 IN A 10.0.0.101
ns2 IN A 10.0.0.102
node1 IN A 10.0.0.103
node2 IN A 10.0.0.104
node3 IN A 10.0.0.105
node4 IN A 10.0.0.106
===================================================
[root@ns1 ~]# cat /var/named/test.rev.zone
$TTL 1D
@ IN SOA ns1.test.com. root.test.com (
201803173; serial
1D ; refresh
1H ; retry
1W ; expire
3H ) ; minimum
;name server
@ IN NS ns1.test.com.
@ IN NS ns2.test.com.
@ IN PTR test.com.
@ IN A 10.0.0.101
@ IN A 10.0.0.102


101 IN PTR ns1.test.com.
102 IN PTR ns2.test.com.

;machines in domain
103 IN PTR node1.test.com.
104 IN PTR node2.test.com.
105 IN PTR node3.test.com.
106 IN PTR node4.test.com.
===================================================


Thanks in Advance,
Gaurav Bhatkar

The zonefiles look good. (Just a cosmetic note: you don't need A RRs in the reverse zone).

Are you sure that you reload the zone at master after editing the zonefile and increasing the serial?
And again, enable AXFR logging and see if you get something...

Hi gauravbhatkar,

Generally zone transfer is done over TCP, instead of UDP.
Can you ensure that 53/tcp is also allowed through your firewall?

1 members found this post helpful.

Hi @bathory yes i am increasing the serial, how to enable AXFR logging? kindly help.

Hi @tshikose only udp port is open, will open tcp ports and let you know.

Thanks in Advance,
Gaurav Bhatkar

You're increasing the serial, but do you reload the zone afterwards?

In order to log AXFRs, use something like:

I have to manually restart named service for performing zone transfer.

Hi @tshikose both udp and tcp port 53 is open on both the servers.
[root@ns1 ~]# iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT udp -- anywhere anywhere udp dpt:domain
ACCEPT tcp -- anywhere anywhere tcp dpt:domain

[root@ns2 ~]# iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT tcp -- anywhere anywhere tcp dpt:domain
ACCEPT udp -- anywhere anywhere udp dpt:domain

also, I have changed refresh time in zone files as below:-
======================================================
[root@ns1 ~]# cat /var/named/test.fwd.zone
$TTL 1D
@ IN SOA ns1.test.com. root.test.com (
201803178 ; serial
1M ; refresh


[root@ns1 ~]# cat /var/named/test.rev.zone
$TTL 1D
@ IN SOA ns1.test.com. root.test.com (
201803178; serial
1M ; refresh

======================================================
[root@ns2 ~]# cat /var/named/slaves/test.fwd.zone
$ORIGIN .
$TTL 86400 ; 1 day
test.com IN SOA ns1.test.com. root.test.com.test.com. (
201803177 ; serial
60 ; refresh (1 minute)


[root@ns2 ~]# cat /var/named/slaves/test.rev.zone
$ORIGIN .
$TTL 86400 ; 1 day
0.0.10.in-addr.arpa IN SOA ns1.test.com. root.test.com.0.0.10.in-addr.arpa. (
201803177 ; serial
60 ; refresh (1 minute)
======================================================

Hi @bathory I have changed named.conf file as suggested, however, logs showing the same result as /var/log/message.

every time I have to manually restart named service for zone transfer.

Regards,
Gaurav Bhatkar

I'm asking you once again:
Do you reload the zone after making the changes in the zonefile?

After editing a zonefile, you need to issue a:
This will read the zonefile, will find the serial increased and will send notifies to slave(s). Then they in return will do the fresh zone transfer.
Of course the same can be done by restarting named, that is an overkill in your case.

Hi @bathory,

Sorry for late reply.

[root@ns1 ~]# rndc reload test.com
rndc: 'reload' failed: dynamic zone

Regards,
Gaurav Bhatkar

If it's a dynamic zone and you do manual changes, you need to issue the following commands

Hi @bathory,

Thanks for the solution it worked, zone transferred successfully.
However, I thought zone transfer is automatic process and triggers when the serial number changes.

Regards,
Gaurav Bhatkar

This is not the case for dynamic zones.
Updating a dynamic zone using nsupdate for example, creates a journal file that keeps the new/updated records for some time and then it updates the real zone file.
Read this to better understand the mechanism.

In your case, you are manually editing the zone file, so you need the above sequence of rndc commands in order to reload the zone for the changes to apply.


Regards