Transfers denied.
Danny Mayer
mayer at gis.net
Sat Jan 28 23:27:58 UTC 2006
nocturnal wrote:
> Hi
>
> I was working on the DNS setup yesterday and today at work I notice one
> of the slaves denying transfers from the master. I have no idea what
> I've done. All the clocks are synced with ntpdate twice each week. The
> following is part of my named.conf for the master with the ip-address
> replaced for an internal one.
Please don't use ntpdate and certainly twice a week is insufficient.
Install ntpd and you can keep your clock reliable. We have deprecated
ntpdate. We recommend people use ntpd -g and iburst on the server lines.
>
> options {
>     directory "/etc/namedb";
>     version "975.4.2";
>     allow-transfer { slave1; slave2; };
>     pid-file "/var/run/named.pid";
>     dump-file "s/named_dump.db";
>     listen-on { master; };
>     also-notify { slave1; slave2; };
> };
>
> Here is also part of the named.conf for one of my slaves. I have
> replaced the ip-addresses.
> options {
>     directory "/etc/namedb";
>     version "975.4.2";
>     allow-transfer { slave2; master; };
>     pid-file "/var/run/named.pid";
>     dump-file "s/named_dump.db";
>     listen-on { slave1; };
>     also-notify { master; slave2; };
>     allow-notify { master; };
> };
>
> I did not have the also-notify in the slaves before, it was added today
> out of desperation. I doubt I need it in slaves?
>
> This is the error i get in the system messages of slave1. The name of
> the zone and the ip-address of the master have been replaced.
> Jan 27 15:10:54 ns1 named[26532]: transfer of 'zone1/IN' from master#53:
> failed to connect: connection refused
Connection refused does not mean what it sounds like. It means that it
got no response at all from the master. Did you close 53/TCP on your
firewall? Zone transfers require TCP port 53 to be available. You also
need it for normal DNS operation but that's another issue.
Danny
>
> The nameservers have worked fine for a while, had some errors yesterday
> but got those fixed thanks to Mark Andrews here on the list so this is
> not a new setup. My company has used BIND9 for quite a while but that
> does not prevent us from doing stupid mistakes. ;)
>
> master = my master dns
> slave1 = the first slave dns and also the one that is generating errors
> slave2 = another slave which is supposed to be an almost exact mirror of
> slave1 except for maybe allow-transfer
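
The TCP port 53 check discussed in the reply above, as an added example that is not part of the original thread: a Python probe, run from a slave, that opens TCP/53 to the master, sends an SOA query for the zone and reports whether the connection was refused, timed out or answered. The function names and result strings are assumptions made for this example.

```python
import socket
import struct
import sys

def build_soa_query(zone, qid=0x1234):
    """SOA query for `zone`, framed with the 2-byte length prefix DNS uses on TCP."""
    labels = [l.encode("ascii") for l in zone.strip(".").split(".")]
    qname = b"".join(bytes([len(l)]) + l for l in labels) + b"\x00"
    header = struct.pack("!HHHHHH", qid, 0, 1, 0, 0, 0)   # flags=0, QDCOUNT=1
    msg = header + qname + struct.pack("!HH", 6, 1)        # QTYPE=SOA, QCLASS=IN
    return struct.pack("!H", len(msg)) + msg

def _read(sock, n):
    """Read exactly n bytes or raise if the peer closes first."""
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("peer closed early")
        buf += chunk
    return buf

def probe_tcp53(host, zone, port=53, timeout=3.0):
    """Classify what a slave would see when opening TCP/53 to `host`."""
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except ConnectionRefusedError:
        return "refused"        # actively rejected: no listener, or a rejecting filter
    except socket.timeout:
        return "timeout"        # nothing came back, typical of a filter dropping packets
    except OSError:
        return "unreachable"    # routing or name-resolution failure
    with sock:
        try:
            sock.sendall(build_soa_query(zone))
            (length,) = struct.unpack("!H", _read(sock, 2))
            qid, flags = struct.unpack("!HH", _read(sock, length)[:4])
        except (OSError, struct.error):
            return "no-answer"  # connected, but no usable DNS reply over TCP
    if qid != 0x1234 or not flags & 0x8000:
        return "no-answer"      # reply does not match our query or lacks the QR bit
    return "answered rcode=%d" % (flags & 0x000F)

if __name__ == "__main__":
    # Usage: probe.py <master-address> <zone>
    print(probe_tcp53(sys.argv[1], sys.argv[2]))
```

An "answered" result shows TCP/53 is open end to end; the transfer itself can still be denied by allow-transfer on the master.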