zone transfer problem (newbie issue)
Dave Stewart
dstewart at aquaflo.com
Fri May 13 23:51:51 UTC 2005
Hi all!
I'm learning BIND by configuring a pair of servers for internal
corporate use. So far I've enjoyed some success along with some
frustration.
Here's what I have so far:
One DNS server ("diagnostics", a Mac-mini running OSX 10.3.9 and BIND
9.2.2) is a master for 6 zones and a slave for 2 more. So far, this
seems to be working like a charm on its own; all zones resolve without
issue. In fact, I have been using this as my sole DNS server for a week
or two on my development machine without any issues whatsoever.
One DNS server ("rusty", an IBM E-20 running AIX 5.1 and BIND 8.2.2-P5)
is the master for the 2 slave zones in "diagnostics" and is *supposed*
to be a slave for the 6 zones mastered on "diagnostics". Here's the rub
- the zones aren't transferring to this machine (note that
"diagnostics" has no problem transferring its slave zones from
"rusty"; only "rusty" is having zone transfer issues from
"diagnostics")!
So at this point, "rusty" can only resolve the zones it's a master
for, yet "diagnostics" can resolve all zones. It appears to me after a
week of splitting my head open on this issue (searching archives,
documentation, O'Reilly's online "DNS and BIND", and any and all
tutorials and help files I can grab:) that "diagnostics" is approving
the request for a zone transfer, but then not sending a response back
to "rusty". To check this suspicion I ran the following on "rusty" to
force a transfer:
# named-xfer -z ojai.aquaflo.com -f /etc/named/tmp.named.ojai.slave -s 0 -d 10 -l /etc/named/tmp.xfer.ojai.log 192.168.12.25
<30>May 13 15:08:56 named-xfer[25662]: connect(192.168.12.25) for zone ojai.aquaflo.com failed: A remote host did not respond within the timeout period.
Here's what I found in the log file on "diagnostics":
...
May 13 15:06:40.179 client: debug 3: client 192.168.12.200#60865: UDP request
May 13 15:06:40.179 client: debug 5: client 192.168.12.200#60865: using view '_default'
May 13 15:06:40.179 security: debug 3: client 192.168.12.200#60865: request is not signed
May 13 15:06:40.179 security: debug 3: client 192.168.12.200#60865: recursion available: approved
May 13 15:06:40.180 client: debug 3: client 192.168.12.200#60865: query
May 13 15:06:40.180 queries: info: client 192.168.12.200#60865: query: ojai.aquaflo.com IN SOA
May 13 15:06:40.180 client: debug 10: client 192.168.12.200#60865: ns_client_attach: ref = 1
May 13 15:06:40.180 security: debug 3: client 192.168.12.200#60865: query 'ojai.aquaflo.com/IN' approved
May 13 15:06:40.180 client: debug 3: client 192.168.12.200#60865: send
May 13 15:06:40.180 client: debug 3: client 192.168.12.200#60865: sendto
May 13 15:06:40.180 client: debug 3: client 192.168.12.200#60865: senddone
May 13 15:06:40.180 client: debug 3: client 192.168.12.200#60865: next
May 13 15:06:40.180 client: debug 10: client 192.168.12.200#60865: ns_client_detach: ref = 0
May 13 15:06:40.180 client: debug 3: client 192.168.12.200#60865: endrequest
...
I don't *think* the issue is with my zone files, at least if it is I
can't see it. Besides, if I had zone file issues, wouldn't
"diagnostics" show them up front (I'm under the impression that BIND 9
is pickier than BIND 8, besides when I mess up a zone file named won't
even start on "diagnostics")? Is there anything else that can cause
issues transferring zones between a BIND 9.2 and a BIND 8.2 server?
I've cranked up the logging for both servers, but I just don't see
anything that jumps out as saying "here's a problem". On the other
hand, I probably don't know what I'm looking for yet either ...
Note that both servers have the "allow-transfer" option set in
named.conf to only allow the other machine to transfer zones;
"diagnostics" only allows transfers from "rusty" and vice-versa.
Any thoughts as to what to try next? Funny thing is I would swear that
I had one zone (ojai.aquaflo.com) transferring from "diagnostics" to
"rusty" before I tried all 6, but now none of them will transfer. I
just now tried only the one slave zone on "rusty", but it doesn't seem
to transfer anymore either.
Feeling perpetually confused at this point and hoping for salvation
come Monday ...
Dave Stewart
Aqua~Flo Supply (Goleta CA)
dstewart at aquaflo dot com
Duct tape is like the force;
it has a light side and a dark side
and it holds the universe together.
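
Added example (not part of the original post, and not BIND code): a small Python parser that unwraps the "diagnostics" debug log excerpt quoted in the message and summarizes, per client, which transports and query types the log actually records. The function names are hypothetical, and the "TCP request" line format is an assumption that mirrors the "UDP request" line shown in the post.

```python
import re
from collections import defaultdict

# Three records from the log excerpt in the post, still wrapped as the mail left them.
SAMPLE_LOG = """\
May 13 15:06:40.179 client: debug 3: client 192.168.12.200#60865: UDP
request
May 13 15:06:40.180 queries: info: client 192.168.12.200#60865: query:
ojai.aquaflo.com IN SOA
May 13 15:06:40.180 client: debug 3: client 192.168.12.200#60865:
senddone
"""

STAMP = re.compile(r"^[A-Z][a-z]{2} +\d+ \d\d:\d\d:\d\d\.\d+ ")
LINE = re.compile(r"^\S+ +\d+ \S+ [\w-]+: (?:debug \d+|\w+): client ([\d.]+)#\d+: (.*)$")
QUERY = re.compile(r"query: (\S+) (\S+) (\S+)")

def unwrap(text):
    """Rejoin continuation lines (no leading timestamp) onto the previous record."""
    records = []
    for line in filter(None, map(str.strip, text.splitlines())):
        if STAMP.match(line) or not records:
            records.append(line)
        else:
            records[-1] += " " + line
    return records

def summarize(text):
    """Per client IP: transports seen, queries logged, and whether a reply was sent."""
    out = defaultdict(lambda: {"transports": set(), "queries": [], "replied": False})
    for rec in unwrap(text):
        m = LINE.match(rec)
        if not m:
            continue
        ip, msg = m.groups()
        entry = out[ip]
        if msg in ("UDP request", "TCP request"):  # "TCP request" is an assumed format
            entry["transports"].add(msg.split()[0])
        q = QUERY.match(msg)
        if q:
            entry["queries"].append(q.groups())
        entry["replied"] |= msg == "senddone"
    return dict(out)

def transfer_attempt_seen(summary, ip):
    """True if the log shows a TCP request or an AXFR/IXFR query from this client."""
    e = summary.get(ip, {"transports": set(), "queries": []})
    return "TCP" in e["transports"] or any(q[2] in ("AXFR", "IXFR") for q in e["queries"])
```

Run over the quoted excerpt, the summary for 192.168.12.200 contains one UDP SOA query that was answered and no transfer attempt, which is the thing to compare against the named-xfer connect timeout on the other host.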