forward queries/transfer refused

Barry Margolin barmar at genuity.net
Thu Jun 28 19:32:17 UTC 2001


In article <9hfm9u$1l7 at pub3.rc.vix.com>,
Tyler Parkin  <tylerp at innova.net> wrote:
>
>Hello,
>
>We have a customer who is requesting that we forward reverse zone
>queries to his dns server.
>
>In /etc/named.conf I have:
>
>zone "20.97.63.in-addr.arpa" {
>    type forward;
>    forward only;
>    forwarders { 63.82.200.21; };
>};
>
>I am receiving the following xfer errors in /var/log/messages:
>
>Jun 25 10:00:00 ns1 named[12024]: slave zone "20.97.63.in-addr.arpa" (IN) loaded (serial 6)
>Jun 25 10:06:07 ns1 named[12024]: secondary zone "20.97.63.in-addr.arpa" expired
>**Jun 25 10:06:07 ns1 named-xfer[24457]: [[208.211.173.2].3309] transfer refused from [63.82.200.21], zone 20.97.63.in-addr.arpa
>**Jun 25 10:16:07 ns1 named-xfer[31639]: [[208.211.173.2].3320] transfer refused from [63.82.200.21], zone 20.97.63.in-addr.arpa
>**Jun 25 10:26:08 ns1 named-xfer[6517]: [[208.211.173.2].3327] transfer refused from [63.82.200.21], zone 20.97.63.in-addr.arpa
>Jun 25 10:30:20 ns1 named[12024]: ns_resp: query(1.20.97.63.in-addr.arpa) contains our address (ns1.innova.net:208.211.173.2) learnt (A=innova.net:NS=198.6.1.83)
>[UUnet forwarding the request to us]
>**Jun 25 10:36:12 ns1 named-xfer[14055]: [[208.211.173.2].3334] transfer refused from [63.82.200.21], zone 20.97.63.in-addr.arpa
>
>I'm a little confused by the "transfer refused" part.  Is that his
>server refusing to transfer the zone to ours, or is our server trying to
>transfer a zone (how? which one?) to his server and his is refusing it? 
>I'm not dead set on doing it this way.  If there is a better way to
>forward the queries to his server, let me know.  I searched through the
>archives, but didn't see it.  To be clear, his network is NOT part of
>ours, and he is running his own primary DNS.

These log messages don't make sense given what you've shown.  Are you sure
you didn't already have:

zone "20.97.63.in-addr.arpa" {
  type slave;
  ...
};

somewhere in your named.conf file?  That would cause the "slave zone
loaded" and "transfer refused" messages.

BTW, if this reverse domain is delegated to you, then forwarding it is
*not* the right solution.  If a domain is delegated, you must answer
authoritatively.  But when you forward a query, you'll cache the response,
and then the next time you get a query for that record you'll return the
one in your cache, and you'll answer NON-authoritatively.  This will make
you look like a lame server.

If you can't get the delegation changed to point to their nameserver, as
the other poster suggested, you should be configured as a slave.  But you
need to get the customer to add you to their "allow-transfer" access list.

-- 
Barry Margolin, barmar at genuity.net
Genuity, Burlington, MA
*** DON'T SEND TECHNICAL QUESTIONS DIRECTLY TO ME, post them to newsgroups.
Please DON'T copy followups to me -- I'll assume it wasn't posted to the group.
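The slave arrangement Barry describes, written out for both sides as an added example (not configuration from the original post). It assumes the customer's server is 63.82.200.21 and the ISP's slave is ns1.innova.net at 208.211.173.2, as in the logs above; the zone file paths are placeholders.

```conf
# --- Customer's server (63.82.200.21): the primary for the zone ---
# Without allow-transfer listing the ISP's server, named-xfer on the
# ISP side gets exactly the "transfer refused" seen in the logs.
zone "20.97.63.in-addr.arpa" {
    type master;
    file "db.20.97.63";                  # placeholder path
    allow-transfer { 208.211.173.2; };   # only the ISP's slave may AXFR
    notify yes;                          # push NOTIFY to the slave on SOA change
};

# --- ISP's server (ns1.innova.net, 208.211.173.2): the delegated NS ---
# A slave answers authoritatively (AA bit set), so the delegation is not
# lame. A "type forward" zone would answer from cache instead, which is
# the problem described in the reply above.
zone "20.97.63.in-addr.arpa" {
    type slave;
    file "sec/db.20.97.63";              # placeholder path for the local copy
    masters { 63.82.200.21; };           # pull the zone from the customer
};
```

After reloading both servers, the slave's log should show the zone loaded with the customer's serial and no further transfer-refused entries.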