zone transfers fail
Danny Mayer
mayer at gis.net
Mon Feb 3 01:49:15 UTC 2003
At 08:15 PM 2/2/03, Christopher L. Everett wrote:
>I've set up a primary & secondary BIND9 server box using bind v9.2.1.
>
>named-confcheck and named-checkzone check out ok.
>
>But when I do a 'rndc reload' on the slave server, the zone transfers
>fail. Here is a log snippet from the slave:
>
>Feb 1 22:12:25 silicon named[158]: transfer of 'hospitalpage.com/IN' from
>207.177.51.227#53: failed while receiving responses: REFUSED
>Feb 1 22:12:25 silicon named[158]: transfer of 'hospitalpage.com/IN' from
>207.177.51.227#53: end of transfer
>
>A log snippet from the master:
>
>Feb 2 04:10:58 lists named[210]: client 207.177.51.228#1234: zone
>transfer 'hospitalpage.com/IN' denied
>
>The relevant parts of the master named.conf (I left out the acl definitions):
>
>options {
> directory "/var/cache/bind";
>
> listen-on { my-dns-ip; };
> listen-on-v6 { none; };
> blackhole { RFC1918; };
> forwarders { 207.177.74.118; 207.177.74.108; };
> allow-query { local-ips; natel-dns-ips; };
> allow-recursion { local-ips; };
> allow-transfer { localhost; primary-dns-ip; secondary-dns-ips; };
> auth-nxdomain yes; # conform to RFC1035
>};
You haven't specified an ACL for secondary-dns-ips (or primary-dns-ip
for that matter). You need to put the IP address with which the secondary
will transfer the zone in the allow-transfer clause above.
Danny
>zone "hospitalpage.com" {
> type master;
> file "/etc/bind/zones/hospitalpage.com";
> allow-query { any; };
> allow-update { none; };
>};
>
>And relevant parts of the slave's named.conf (and again no acl definitions):
>
>options {
> directory "/var/cache/bind";
>
> listen-on { my-dns-ip; };
> forwarders { 207.177.74.118; 207.177.74.108; };
> allow-query { local-ips; };
> allow-recursion { local-ips; };
> blackhole { RFC1918; };
> listen-on-v6 { none; };
> auth-nxdomain yes; # conform to RFC1035
>};
>
>zone "hospitalpage.com" {
> type slave;
> file "hospitalpage.com.db";
> masters { 207.177.51.227; };
> allow-notify { primary-dns-ip; };
> allow-transfer { none; };
> allow-query { any; };
>};
>
>AFAIK, the problem is with the master. I've never gotten it to do zone
>transfers; I've had to set up my DNS as 2 masters, which is the usual
>PITA. But now I'm wanting to exchange secondaries with someone else,
>and I think that setting them up as a master would be the proverbial
>BAD THING (TM).
>
>A related question: why does BIND force me to put an explicit IP address
>for forwarders and masters? I'd much rather use acls for everything ...
>
>
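As an added example (not part of the thread), a Python check that reads the master's "zone transfer ... denied" line and tests whether the refused client address is covered by the master's allow-transfer address-match list; the acl contents are assumed, since the post omitted them, and the denial log line is the one quoted above.

```python
import ipaddress
import re

# Denial logged by the master in the thread above (copied from the post).
MASTER_LOG = ("Feb 2 04:10:58 lists named[210]: client 207.177.51.228#1234: "
              "zone transfer 'hospitalpage.com/IN' denied")

# The post left out the real acl definitions, so both sets below are
# constructed for this example (203.0.113.5 is a documentation address).
ACLS_BROKEN = {"localhost": ["127.0.0.1"],
               "primary-dns-ip": ["207.177.51.227"],
               "secondary-dns-ips": ["203.0.113.5"]}  # slave's .228 not listed
ACLS_FIXED = {**ACLS_BROKEN, "secondary-dns-ips": ["207.177.51.228"]}
ALLOW_TRANSFER = ["localhost", "primary-dns-ip", "secondary-dns-ips"]

DENIED_RE = re.compile(r"client (?P<ip>[^#\s]+)#\d+: zone transfer "
                       r"'(?P<zone>[^']+)' denied")

def parse_denied(line):
    """Return (client_ip, zone) from a BIND 'zone transfer ... denied' line."""
    m = DENIED_RE.search(line)
    return (m.group("ip"), m.group("zone")) if m else None

def expand_acl(names, acls):
    """Resolve an address-match list (nested acl names, any, none) to networks."""
    nets = []
    for name in names:
        if name == "any":
            nets += [ipaddress.ip_network("0.0.0.0/0"), ipaddress.ip_network("::/0")]
        elif name in acls:
            nets += expand_acl(acls[name], acls)  # follow nested acl reference
        elif name != "none":
            nets.append(ipaddress.ip_network(name, strict=False))
    return nets

def transfer_permitted(client_ip, allow_transfer, acls):
    """Would this allow-transfer clause accept an AXFR/IXFR from client_ip?"""
    addr = ipaddress.ip_address(client_ip)
    return any(addr in net for net in expand_acl(allow_transfer, acls))

def diagnose(log_line, allow_transfer, acls):
    """Map a master-side denial to the ACL fix: the address to add, or None."""
    parsed = parse_denied(log_line)
    if parsed is None or transfer_permitted(parsed[0], allow_transfer, acls):
        return None  # not a transfer denial, or the ACL already covers the client
    return parsed[0]

if __name__ == "__main__":
    print("add to allow-transfer:", diagnose(MASTER_LOG, ALLOW_TRANSFER, ACLS_BROKEN))
    print("after fix:", diagnose(MASTER_LOG, ALLOW_TRANSFER, ACLS_FIXED))
```

Note that the refused client is 207.177.51.228 while the slave's masters clause points at .227: the master's allow-transfer list must contain the address the secondary sends from, not the master's own address.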