A Zone Transfer Question
Darcy Kevin (FCA)
kevin.darcy at fcagroup.com
Sat Feb 20 00:12:53 UTC 2016
Look at your "allow-query". It appears your master isn't letting your slave query it. Query access is a prerequisite for zone-refresh transactions.
- Kevin
-----Original Message-----
From: bind-users-bounces at lists.isc.org [mailto:bind-users-bounces at lists.isc.org] On Behalf Of David Li
Sent: Friday, February 19, 2016 7:09 PM
To: John W. Blue
Cc: BIND Users
Subject: Re: A Zone Transfer Question
Hi John,
Well, I was wrong about the log. I did find some info about why zone transfer failed. On one server running zone rack1.com, I see:
Feb 19 16:04:27 dli-centos7 named[13882]: client 10.4.3.101#20745 (rack1.com): query 'rack1.com/SOA/IN' denied
Feb 19 16:04:27 dli-centos7 named[13882]: client 10.4.3.101#52612 (rack1.com): transfer of 'rack1.com/IN': IXFR ended
Any idea why it's denied?
David
On Fri, Feb 19, 2016 at 11:19 AM, John W. Blue <john.blue at rrcic.com> wrote:
> "kick off" as in update the zone and not by using dig.
>
> John
>
> Sent from Nine
>
> From: "John W. Blue" <john.blue at rrcic.com>
> Sent: Feb 19, 2016 1:17 PM
> To: David Li
>
> Cc: BIND Users
> Subject: Re: A Zone Transfer Question
>
> Nothing in the logs, eg? Well so much for getting an easy resolution.
> :D
>
> If you trust your conf files and logs are clean, I personally next
> turn to tcpdump. You really need to know what (if anything) is being
> placed on the wire. Something like this should get you started:
>
> tcpdump -i eth0 -n port domain
>
> Kick off a transfer and see what happens.
>
> John
>
> Sent from Nine
>
> From: David Li <dlipubkey at gmail.com>
> Sent: Feb 19, 2016 1:04 PM
> To: John W. Blue
> Cc: BIND Users
> Subject: Re: A Zone Transfer Question
>
> Hi John,
>
> Nothing in the /var/log/messages indicates transfer problems. In fact
> I don't think the transfer ever started by itself for some reason
> until I manually used "dig" to initiate.
>
> David
>
> On Fri, Feb 19, 2016 at 9:00 AM, John W. Blue <john.blue at rrcic.com> wrote:
>> Hello David,
>>
>> You can get started by checking your log files to see if named is
>> complaining about anything it might not like that is preventing the
>> transfer.
>>
>> John
>>
>> Sent from Nine
>>
>> From: David Li <dlipubkey at gmail.com>
>> Sent: Feb 19, 2016 10:46 AM
>> To: BIND Users
>> Subject: A Zone Transfer Question
>>
>> This is my first time to try master slave configuration. Here is a
>> brief description:
>>
>> I have two CentOS 7.1 VMs - each is configured for a zone. VM1 is the
>> master for zone1 and slave for zone2. VM2 is master for zone2 and
>> slave for zone1. Both zones use DNS Dynamic Update from DHCP
>> servers on the same VM to update the A records in their zone files.
>> No DNSSEC configured.
>>
>>
>> To start, everything seems to be working fine. I have one host in each
>> zone and they can resolve each other fine.
>>
>> Now I add a new host to zone1 and its sequence number has been bumped
>> up. I read that when the zone1 file changes, it will automatically
>> notify its slave zone (ie. zone2) to start a zone transfer after 15
>> min. This never happened. Then I restarted named on VM2 and hoped it
>> would pull the new zone1 file. This didn't happen either.
>> Eventually I have to either restart the VM2 or use dig to start the
>> zone transfer.
>>
>> Can anyone spot anything obviously wrong here? Do I need to post my
>> zone file and named.conf?
>>
>>
>> Thanks.
>>
>> David
>> _______________________________________________
>> Please visit https://lists.isc.org/mailman/listinfo/bind-users to
>> unsubscribe from this list
>>
>> bind-users mailing list
>> bind-users at lists.isc.org
>> https://lists.isc.org/mailman/listinfo/bind-users
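
Added example, not part of the original thread: a Python check over named syslog lines that flags clients whose SOA query for a zone was denied, the symptom the top reply ties to "allow-query". The first two sample lines are the ones quoted in the thread; the third (192.0.2.55) is constructed, and the function name is hypothetical.

```python
import re
from collections import defaultdict

# Two entries from the thread plus one constructed, unrelated denial.
SAMPLE_LOG = """\
Feb 19 16:04:27 dli-centos7 named[13882]: client 10.4.3.101#20745 (rack1.com): query 'rack1.com/SOA/IN' denied
Feb 19 16:04:27 dli-centos7 named[13882]: client 10.4.3.101#52612 (rack1.com): transfer of 'rack1.com/IN': IXFR ended
Feb 19 16:05:02 dli-centos7 named[13882]: client 192.0.2.55#41000 (www.rack1.com): query 'www.rack1.com/A/IN' denied
"""

# "client <ip>#<port> (<name>): <message>"; newer BIND releases put an
# "@0x..." pointer between "client" and the address, so allow for it.
CLIENT = re.compile(
    r"named\[\d+\]: client (?:@0x[0-9a-f]+ )?(?P<ip>[0-9A-Fa-f.:]+)#\d+ "
    r"\([^)]*\): (?P<msg>.*)$")
DENIED = re.compile(r"query '(?P<name>[^/']+)/(?P<rtype>[A-Z0-9]+)/\w+' denied")
XFER = re.compile(
    r"transfer of '(?P<zone>[^/']+)/\w+': (?P<kind>[AI]XFR) (?P<state>started|ended)")


def refresh_denials(log_text):
    """Map (client_ip, zone) -> SOA denial count and transfer events seen.

    Only clients with a denied SOA query are returned: a secondary checks the
    primary's SOA serial before transferring, so a denied SOA query from a
    secondary's address means the query ACL is blocking zone refresh.
    """
    soa_denied = defaultdict(int)
    transfers = defaultdict(list)
    for line in log_text.splitlines():
        m = CLIENT.search(line)
        if not m:
            continue
        ip, msg = m.group("ip"), m.group("msg")
        d = DENIED.match(msg)
        if d:
            if d.group("rtype") == "SOA":
                soa_denied[(ip, d.group("name").lower().rstrip("."))] += 1
            continue
        x = XFER.match(msg)
        if x:
            key = (ip, x.group("zone").lower().rstrip("."))
            transfers[key].append(f"{x.group('kind')} {x.group('state')}")
    return {k: {"soa_denied": n, "transfers": transfers.get(k, [])}
            for k, n in soa_denied.items()}


if __name__ == "__main__":
    for (ip, zone), info in refresh_denials(SAMPLE_LOG).items():
        print(f"{ip} zone {zone}: SOA denied x{info['soa_denied']}, {info['transfers']}")
```

Any address it reports that belongs to a configured secondary is one the primary's query ACL needs to admit.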