BIND 9.2.1 Refresh Timeout Problem

phn at icke-reklam.ipsec.nu phn at icke-reklam.ipsec.nu
Mon Jul 22 17:27:25 UTC 2002 

Barry Finkel <b19141 at achilles.ctd.anl.gov> wrote:
> Barry Finkel <b19141 at achilles.ctd.anl.gov> wrote:
>>> On July 03 I posted:

>>>>When I start BIND 9.2.1, the zones are loaded, and I see the "running"
>>>>message.  Then I see messages
>>>>
>>>>     zone xxxxx/IN sending notifies (serial yyyyy)
>>>>
>>>>for each of the 293 zones.  Then I see messages like this one:
>>>>
>>>>     Jul  3 07:18:40 titania.ctd.anl.gov named[5037]: zone anl.gov/IN:
>>>>       refresh: failure trying master 146.137.96.100#53: timed out
>>>>
>>>>For some unknown reason the slave can not get to any of its masters.
>>>>What could cause this?  The slave server works fine with BIND 8.2.5-REL.

>>> There have been no replies on this newsgroup.  I looked at the BIND 9
>>> Users newsgroup, and there was a similar posting.  I am posting my
>>> problem here (instead of to bind9-users) because I am subscribed to
>>> this list, and I assume that the same level of expertise is available
>>> here as there.  Is there a need for two different newsgroups?
>>>
>>> The responses on bind9-users were
>>>
>>>      1) Change the firewall to accept DNS packets from a high-numbered
>>>         UDP port.
>>>      2) See transfer-source, notify-source and query-source to let BIND
>>>         not use a high-numbered UDP port.
>>>
>>> I do not have a firewall between my DNS server titania (aka 
>>> dns1.anl.gov) and some of my masters.  I ran a number of sniffer traces,
>>> and in each case I saw BIND 9.2.1 on dns1 send SOA queries from a
>>> high-numbered UDP port to port 53 on each master.  In the trace, which
>>> was taken on a router port that spanned the dns1 addresses, I saw
>>> responses for each of the SOA queries returning from port 53 on the
>>> masters to the high-numbered port on the slave dns1.  Is there any
>>> reason why BIND would not be seeing these return responses?  Do I
>>> need to change anything in the BIND configuration file?  After I have
>>> finished with my testing (when the initial set of refresh failure
>>> messages stop appearing in syslog), then I stop 9.2.1 with rndc,
>>> edit the named.conf file to comment out the rndc key statements,
>>> copy the BIND 8.2.5-REL executable back to named, and restart 8.2.5.
>>
>>> Note that dns1 is a Solaris 5.6 machine (soon to be 5.8) with three
>>> Interfaces.  Is there a problem because I have multiple interfaces?

> phn at icke-reklam.ipsec.nu replied:

>>You might gave something here.  What if you explicitly states 
>>"listen-on for all your addresses ?

> I tried

>      listen-on { 146.137.64.5; 146.139.254.5; 130.202.20.5; };

> this morning; it did not help.

Is bind listening ( will netstat -a / lsof) confirm the open socket ?



-- 
Peter Håkanson         
        IPSec  Sverige      ( At Gothenburg Riverside )
           Sorry about my e-mail address, but i'm trying to keep spam out,
	   remove "icke-reklam" if you feel for mailing me. Thanx.

More information about the bind-users mailing list