forward queries/transfer refused
Barry Margolin
barmar at genuity.net
Thu Jun 28 19:32:17 UTC 2001
In article <9hfm9u$1l7 at pub3.rc.vix.com>,
Tyler Parkin <tylerp at innova.net> wrote:
>
>Hello,
>
>We have a customer who is requesting that we forward reverse zone
>queries to his dns server.
>
>In /etc/named.conf I have:
>
>zone "20.97.63.in-addr.arpa" {
>    type forward;
>    forward only;
>    forwarders { 63.82.200.21; };
>};
>
>I am receiving the following xfer errors in /var/log/messages:
>
>Jun 25 10:00:00 ns1 named[12024]: slave zone "20.97.63.in-addr.arpa"
>(IN) loaded (serial 6)
>Jun 25 10:06:07 ns1 named[12024]: secondary zone "20.97.63.in-addr.arpa"
>expired
>**Jun 25 10:06:07 ns1 named-xfer[24457]: [[208.211.173.2].3309] transfer
>refused from [63.82.200.21], zone 20.97.63.in-addr.arpa
>**Jun 25 10:16:07 ns1 named-xfer[31639]: [[208.211.173.2].3320] transfer
>refused from [63.82.200.21], zone 20.97.63.in-addr.arpa
>**Jun 25 10:26:08 ns1 named-xfer[6517]: [[208.211.173.2].3327] transfer
>refused from [63.82.200.21], zone 20.97.63.in-addr.arpa
>Jun 25 10:30:20 ns1 named[12024]: ns_resp:
>query(1.20.97.63.in-addr.arpa) contains our address
>(ns1.innova.net:208.211.173.2) learnt (A=innova.net:NS=198.6.1.83)
>[UUnet forwarding the request to us]
>**Jun 25 10:36:12 ns1 named-xfer[14055]: [[208.211.173.2].3334] transfer
>refused from [63.82.200.21], zone 20.97.63.in-addr.arpa
>
>I'm a little confused by the "transfer refused" part. Is that his
>server refusing to transfer the zone to ours, or is our server trying to
>transfer a zone (how? which one?) to his server and his is refusing it?
>I'm not dead set on doing it this way. If there is a better way to
>forward the queries to his server, let me know. I searched through the
>archives, but didn't see it. To be clear, his network is NOT part of
>ours, and he is running his own primary DNS.

These log messages don't make sense given what you've shown. Are you sure
you didn't already have:

    zone "20.97.64.in-addr.arpa" {
        type slave;
        ...
    };

somewhere in your named.conf file? That would cause the "slave zone
loaded" and "transfer refused" messages.

BTW, if this reverse domain is delegated to you, then forwarding it is
*not* the right solution. If a domain is delegated, you must answer
authoritatively. But when you forward a query, you'll cache the response,
and then the next time you get a query for that record you'll return the
one in your cache, and you'll answer NON-authoritatively. This will make
you look like a lame server.

If you can't get the delegation changed to point to their nameserver, as
the other poster suggested, you should be configured as a slave. But you
need to get the customer to add you to their "allow-transfer" access list.

--
Barry Margolin, barmar at genuity.net
Genuity, Burlington, MA
*** DON'T SEND TECHNICAL QUESTIONS DIRECTLY TO ME, post them to newsgroups.
Please DON'T copy followups to me -- I'll assume it wasn't posted to the group.
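
The slave arrangement recommended in the reply, written out for both servers as an added example that is not part of the original thread. The addresses are the ones shown in the quoted log (208.211.173.2 for ns1, 63.82.200.21 for the customer's server); the file names and the master-side zone statement are assumptions.

```conf
// --- ISP side: named.conf on ns1 (208.211.173.2) ---
// Only one statement per zone name is allowed, so the "type forward"
// block for this zone must be removed when this one is added.
zone "20.97.63.in-addr.arpa" {
    type slave;
    masters { 63.82.200.21; };        // customer's primary
    file "slave/db.63.97.20";         // assumed path for the transferred copy
};

// --- Customer side: named.conf on 63.82.200.21 ---
// Without an allow-transfer entry for the slave, the AXFR is answered
// with REFUSED, which the slave logs as
// "transfer refused from [63.82.200.21]".
zone "20.97.63.in-addr.arpa" {
    type master;
    file "db.63.97.20";               // assumed path
    // List only the addresses that actually serve the zone; a wider ACL
    // lets any host in it pull the complete PTR listing.
    allow-transfer { 208.211.173.2; };
};

// Check from ns1 after both servers reload:
//   dig @63.82.200.21 20.97.63.in-addr.arpa axfr
// A full record listing means the ACL admits ns1; "Transfer failed."
// means the request is still being refused.
```

Once the transfer succeeds, ns1 holds a real copy of the zone and answers with the authoritative (AA) bit set, which avoids the lame-server appearance described in the reply.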