zone transfers fail
Christopher L. Everett
ceverett at cobalt.physemp.com
Mon Feb 3 01:15:43 UTC 2003
I've set up a primary & secondary BIND9 server box using bind v9.2.1.
named-checkconf and named-checkzone check out ok.
But when I do a 'rndc reload' on the slave server, the zone transfers
fail. Here is a log snippet from the slave:
Feb 1 22:12:25 silicon named[158]: transfer of 'hospitalpage.com/IN' from 207.177.51.227#53: failed while receiving responses: REFUSED
Feb 1 22:12:25 silicon named[158]: transfer of 'hospitalpage.com/IN' from 207.177.51.227#53: end of transfer
A log snippet from the master:
Feb 2 04:10:58 lists named[210]: client 207.177.51.228#1234: zone transfer 'hospitalpage.com/IN' denied
The relevant parts of the master's named.conf (I left out the ACL definitions):
options {
        directory "/var/cache/bind";
        listen-on { my-dns-ip; };
        listen-on-v6 { none; };
        blackhole { RFC1918; };
        forwarders { 207.177.74.118; 207.177.74.108; };
        allow-query { local-ips; natel-dns-ips; };
        allow-recursion { local-ips; };
        allow-transfer { localhost; primary-dns-ip; secondary-dns-ips; };
        auth-nxdomain yes; # conform to RFC1035
};

zone "hospitalpage.com" {
        type master;
        file "/etc/bind/zones/hospitalpage.com";
        allow-query { any; };
        allow-update { none; };
};
And the relevant parts of the slave's named.conf (again without the ACL definitions):
options {
        directory "/var/cache/bind";
        listen-on { my-dns-ip; };
        forwarders { 207.177.74.118; 207.177.74.108; };
        allow-query { local-ips; };
        allow-recursion { local-ips; };
        blackhole { RFC1918; };
        listen-on-v6 { none; };
        auth-nxdomain yes; # conform to RFC1035
};

zone "hospitalpage.com" {
        type slave;
        file "hospitalpage.com.db";
        masters { 207.177.51.227; };
        allow-notify { primary-dns-ip; };
        allow-transfer { none; };
        allow-query { any; };
};
AFAIK, the problem is with the master. I've never gotten it to do zone
transfers; I've had to set up my DNS as 2 masters, which is the usual
PITA. But now I'm wanting to exchange secondaries with someone else,
and I think that setting them up as a master would be the proverbial
BAD THING (TM).
A related question: why does bind force me to put an explicit IP address
for forwarders and masters? I'd much rather use ACLs for everything ...
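The master's log shows the denial coming from 207.177.51.228, the very address the allow-transfer list is meant to admit via the secondary-dns-ips ACL, so the useful check is to expand the ACL names the way named does and confirm the denied client really falls inside them. The script below is an added example, not part of the original post or of BIND itself: it parses "zone transfer ... denied" lines from a constructed syslog sample modelled on the one quoted above, expands a hypothetical set of ACL definitions (the post omits the real ones), and splits the denials into clients that should have been admitted (the running config does not match the intended one) and clients outside the list (the ACL doing its job, which is what a defender wants to alert on).

```python
"""Check BIND 'zone transfer denied' log lines against an allow-transfer list."""
import ipaddress
import re
from typing import Dict, Iterable, List, NamedTuple

# Constructed sample, modelled on the master's syslog line in the post.
# Hostnames, ports and the 198.51.100.9 client are made up for illustration.
MASTER_LOG = """\
Feb 2 04:10:58 lists named[210]: client 207.177.51.228#1234: zone transfer 'hospitalpage.com/IN' denied
Feb 2 04:11:02 lists named[210]: client 198.51.100.9#40000: zone transfer 'hospitalpage.com/IN' denied
Feb 2 04:12:30 lists named[210]: client 207.177.51.227#5353: zone transfer 'hospitalpage.com/IN' denied
Feb 2 04:13:00 lists named[210]: zone hospitalpage.com/IN: loaded serial 2003020101
"""

# Hypothetical ACL definitions (the post does not show the real ones). BIND
# predefines "localhost", but we spell it out so the expansion is explicit.
ACLS: Dict[str, List[str]] = {
    "localhost": ["127.0.0.1", "::1"],
    "primary-dns-ip": ["207.177.51.227"],
    "secondary-dns-ips": ["207.177.51.228"],
}
# The master's allow-transfer statement as quoted in the post.
ALLOW_TRANSFER: List[str] = ["localhost", "primary-dns-ip", "secondary-dns-ips"]

DENIED_RE = re.compile(
    r"named\[\d+\]: client (?P<ip>[0-9A-Fa-f.:]+)#(?P<port>\d+): "
    r"zone transfer '(?P<zone>[^']+)' denied$"
)


class Denial(NamedTuple):
    client: str
    port: int
    zone: str


def parse_denials(log_text: str) -> List[Denial]:
    """Extract client address, source port and zone from each denial line."""
    found = []
    for line in log_text.splitlines():
        m = DENIED_RE.search(line)
        if m:
            found.append(Denial(m["ip"], int(m["port"]), m["zone"]))
    return found


def expand_acl(names: Iterable[str], acls: Dict[str, List[str]], _seen=None) -> list:
    """Flatten an address-match list into ip_network objects: ACL names are
    resolved recursively, bare addresses/prefixes become networks, and the
    built-in "any"/"none" keywords are honoured. A cyclic ACL is skipped."""
    seen = set() if _seen is None else _seen
    nets = []
    for name in names:
        if name == "any":
            nets += [ipaddress.ip_network("0.0.0.0/0"), ipaddress.ip_network("::/0")]
        elif name == "none":
            continue
        elif name in acls:
            if name in seen:
                continue
            seen.add(name)
            nets += expand_acl(acls[name], acls, seen)
        else:
            nets.append(ipaddress.ip_network(name, strict=False))
    return nets


def classify(denials: List[Denial], allowed: list) -> Dict[str, List[Denial]]:
    """Split denials by whether the client sits inside the allow-transfer set.
    'should_have_been_allowed' means the ACL you think is loaded is not the one
    named is enforcing; 'correctly_refused' is the ACL working as designed."""
    result: Dict[str, List[Denial]] = {"should_have_been_allowed": [], "correctly_refused": []}
    for d in denials:
        addr = ipaddress.ip_address(d.client)
        # ip_network.__contains__ returns False across IPv4/IPv6 families.
        key = "should_have_been_allowed" if any(addr in n for n in allowed) else "correctly_refused"
        result[key].append(d)
    return result


def report(log_text: str = MASTER_LOG) -> Dict[str, List[Denial]]:
    """Run the whole check over a log excerpt and return the classification."""
    return classify(parse_denials(log_text), expand_acl(ALLOW_TRANSFER, ACLS))


if __name__ == "__main__":
    for bucket, items in report().items():
        print(bucket)
        for d in items:
            print(f"  {d.client}#{d.port} -> {d.zone}")
```

Run against a real master's log, a non-empty should_have_been_allowed bucket points at the configuration rather than at the slave: either the ACL name does not expand to the address you expect, or the allow-transfer statement named is enforcing is not the one you edited. Entries in correctly_refused from addresses you do not recognise are the events worth feeding into monitoring.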