BIND slave expires rather than XFR?

Mark.Andrews at nominum.com Mark.Andrews at nominum.com
Tue Mar 14 23:08:10 UTC 2000 

> 
> BIND 8.2.2-P5 on Linux kernel 2.2.7
> 
> My slave DNS (which is specified as the primary DNS for several
> domains - intended to offload processing from the master, which
> performs other tasks), doesn't appear to be sending AXFR requests to
> the master.
> 
> There's no logging that there have been attempts which have failed
> either.
> 
> SOA has reasonable TTL and expires:
> 
> 	refresh:28800s (8 hours)
> 	retry:7200s (2 hours)
> 	expire:604800s (7 days)
> 	minimum-ttl:86400s (24 hours)
> 
> (I'd of course change some of these if I were planning on moving hosts
> between servers, but for day-to-day operations, these values are
> comfortable)
> 
> nslint comes up clean (except expected warnings for CNAMEs defined
> outside of my net, multiply-assigned IPs for virtual hosts, and lack
> of locally defined PTRs for those IPs which I do not have direct
> delegation for, all of which I should put into an nslint config file,
> but haven't taken the time to do so).
> 
> Manual XFERs demonstrably work.  The named datafiles are getting
> touched at each log mark interval (I assume this is expected), and if
> I nslookup directly to the server, it does provide answers (and the
> stats update accordingly).
> 
> I reset it a couple of weeks ago and tried a number of things in the
> hopes that I'd get it to xfer, because it was reporting the following
> in the system log:
> 
> Feb 25 14:20:38 wargames named[100]: secondary zone "somedomain.net"
> expired
> 
> Needless to say, this was disturbing.  Looking back at older logs, I
> found that there have been absolutely no transfers except for when the
> primary notified the secondary that there has been changes to the
> zone(s).  I would have thought that when the zone expired, it'd have
> attempted a transfer at that time.
> 
> ndc restart  on the slave takes a couple of seconds, after which I see
> all the zones having been loaded in the message log, but none of them
> appear to have performed checks with the master to see if they were
> outdated.
> 
> Root hints are refreshed once a month by an automation script, which
> restarts the server.  That seems to work fine, but still, no XFERs
> from the master..
> 
> There's no goofy warnings like "no TTL - using SOA minimum" - named
> starts, loads the cached files and that's it.
> 
> The master is clearly performing AXFRs from the rDNS master (that is,
> my master handles forward DNS, but the rDNS (PTR) records are managed
> elsewhere, since they're part of a larger block - though I'd like to
> know how to manage that delegation).  The master has been running
> 8.2.2-P5 for some time, whereas I only just recently upgraded the
> slave (from 8.1.2), hoping that it would resolve this issue.
> 
> When I restart the master, I see the NOTIFYs to the secondary, and
> also the NOTIFY answers.  All is good - the one possible exception is 
> 
> Mar 13 14:58:46 mail named[9031]: suppressing duplicate notify
> ("somedomain.net" IN SOA)
> 
> which is probably the result of the master being one of the NS records
> in the zone, and notifying itself, and so I don't fret about it..
> 
> Pertinent bits from the slave's named.conf:
> 
> options {
>         directory "/var/named";
>         listen-on {
>                 127.0.0.1;                 /* Listen on localhost */
>                 this.server.ip.addr;    /* or ns2 IP assignment */
>         };
>         query-source address this.server.ip.addr port 53;
> };
> 
> logging {
>         category lame-servers { null; };
>         category cname { null; };
> };
> 
> zone "." in {
>         type hint;
>         file "named.cache";
> };
> 
> zone "somedomain.net" in {
>         type slave;
>         file "slaves/somedomain.net";
>         masters { master.server.ip.addr; };
>         transfer-source this.server.ip.addr;
>         allow-transfers { my.netblock/mask; };
> };
> 
> where 'this.server.ip.addr' and 'master.server.ip.addr' are really the
> dotted quads for the appropriate servers. and 'my.netblock/mask' is
> the proper netblock and bitmask (/26) for my network.  I'm doing the
> abovein this message like so  just so someone doesn't later come and
> grunge the config bit and paste it into their own config file in an
> attempt to get theirs working <g>
> 
> 
> Diagnostic analysis welcomed.
> 
> 
	Diagnostic not possible.  All diagnostic information deliberatly
	obscured.

	Mark
--
Mark Andrews, Nominum Inc. / Internet Software Consortium
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: Mark.Andrews at nominum.com

More information about the bind-users mailing list