connection between master and slave DNS servers

Kevin Darcy kcd at daimlerchrysler.com
Mon Nov 11 23:46:59 UTC 2002


John wrote:

> Hi all,
>
> We have HP-UX DNS BIND 8.2.5 on all DNS servers.
> Last time we put a firewall between the DNSs; we use port 53. On the
> slave DNS we have activated the following line in the options:
>                          query-source address 194.229.188.24 port 53;
> But not in the master DNS!!!
>
> Now the problem is coming.
>
> In our slave DNS, under /var/adm/syslog/syslog.log, I found continuous
> error messages like: "Err/To getting serial:........."
> It looks like the slave DNS can not get the serial from the master.
> But when I change the serial to a newer number in the master, the master
> can transfer the serial to the slave DNS...no problem.

When using the standard AXFR/IXFR protocols, masters never "push" zones to
slaves: slaves check SOA serial numbers and then request AXFR or IXFR if
necessary. So the slaves initiate everything.

> So my question is: the master DNS can transfer the serial number to the
> slave without problem, but when the slave DNS sends a request to the
> master it cannot get the serial from the master?? Why??

I'm not sure. Do you have intermittent network problems? Do you have a
"stateful" firewall that might be outsmarting itself, i.e. only allowing an
SOA/AXFR transaction within a certain time window after a previous outgoing
NOTIFY from the master? There are any number of possible causes. You might
have to put on a sniffer, or enable whatever tracing utilities come with
your firewall, in order to really determine what is occurring between the
master and slave. A good review of the firewall rules might also be in
order.

> Do I need to activate port 53 on the master DNS??

What do you mean by "activate"? The master DNS is already listening on port
53 for queries, unless you've changed the default. And since the master has
no particular reason to *send* any queries to the slave for this zone,
setting your query-source should have little or no effect (except possibly
for NOTIFYs (??)). If you have a port specification in "transfer-source",
then that might be causing you problems. If you have any doubts about the
master's port usage, try just resetting everything to defaults and see if
it works then.


- Kevin
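To make the point in the reply concrete (slaves initiate everything: an SOA query, a serial comparison, then AXFR/IXFR only if needed), here is a small model of the slave side of that exchange. This is an added example, not code from the thread or from BIND 8. The zone name, the serials and the response bytes produced by build_soa_response() are constructed for illustration; nothing is sent on the network.

```python
"""Slave-side zone refresh check, modelled on the AXFR/IXFR flow described in
the reply: the slave sends a UDP SOA query to the master, reads the serial
from the SOA answer, and compares it with its own copy using RFC 1982 serial
arithmetic. Only if the master's serial is newer does the slave open a TCP
connection to the master for AXFR/IXFR; the master never pushes anything.

Added example, not code from the thread or from BIND. The zone name, serials
and the bytes built by build_soa_response() are constructed for illustration.
"""
import struct

SOA_TYPE = 6
IN_CLASS = 1


def encode_name(name):
    """Encode a dotted name as uncompressed DNS wire-format labels."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_soa_query(zone, txid=0x1234):
    """The query a slave sends to its master: header (RD set, qdcount=1)
    followed by one question, <zone> IN SOA."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(zone) + struct.pack("!HH", SOA_TYPE, IN_CLASS)


def read_name(msg, offset):
    """Read a possibly compressed name; return (name, offset just past it)."""
    labels, end, hops = [], None, 0
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:                 # compression pointer
            hops += 1
            if hops > 16:
                raise ValueError("compression pointer loop")
            if end is None:
                end = offset + 2
            offset = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            continue
        offset += 1
        if length == 0:
            break
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels) + ".", end if end is not None else offset


def parse_soa_serial(msg):
    """Return (rcode, serial) from the first SOA RR in the answer section;
    serial is None when the answer carries no SOA (e.g. SERVFAIL, REFUSED)."""
    _txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    rcode = flags & 0x000F
    offset = 12
    for _ in range(qd):                           # skip the echoed question
        _, offset = read_name(msg, offset)
        offset += 4
    for _ in range(an):
        _, offset = read_name(msg, offset)
        rtype, _rclass, _ttl, rdlength = struct.unpack("!HHIH", msg[offset:offset + 10])
        offset += 10
        if rtype == SOA_TYPE:
            _, o = read_name(msg, offset)         # MNAME
            _, o = read_name(msg, o)              # RNAME
            return rcode, struct.unpack("!I", msg[o:o + 4])[0]
        offset += rdlength
    return rcode, None


def serial_gt(a, b):
    """RFC 1982 serial comparison: is 32-bit serial a newer than b?
    Handles wraparound, so 5 is newer than 0xFFFFFFF0."""
    a, b = a & 0xFFFFFFFF, b & 0xFFFFFFFF
    return a != b and ((a < b and b - a > 2**31) or (a > b and a - b < 2**31))


def refresh_decision(local_serial, response):
    """What the slave does after the SOA check: 'transfer', 'current', or
    'error' when no usable SOA came back (the slave logs it and retries)."""
    rcode, master_serial = parse_soa_serial(response)
    if rcode != 0 or master_serial is None:
        return "error"
    return "transfer" if serial_gt(master_serial, local_serial) else "current"


def build_soa_response(zone, serial, txid=0x1234, rcode=0):
    """Constructed master reply (not a capture). Flags: QR, AA, RD, RA plus
    rcode; the answer's owner name is a compression pointer to the question."""
    flags = 0x8580 | rcode
    question = encode_name(zone) + struct.pack("!HH", SOA_TYPE, IN_CLASS)
    if rcode != 0:
        return struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0) + question
    rdata = (encode_name("ns1." + zone) + encode_name("hostmaster." + zone)
             + struct.pack("!IIIII", serial, 3600, 900, 604800, 86400))
    answer = b"\xc0\x0c" + struct.pack("!HHIH", SOA_TYPE, IN_CLASS, 3600, len(rdata)) + rdata
    return struct.pack("!HHHHHH", txid, flags, 1, 1, 0, 0) + question + answer
```

On the wire the SOA check is a UDP query from the slave to the master's port 53, and the transfer that follows is a TCP connection from the slave to the master's port 53; a NOTIFY is the only packet the master originates, and it merely makes the slave run this check sooner. A firewall between the two therefore has to permit the slave-initiated UDP and TCP flows (and their replies), whatever source port query-source pins the slave to, independently of whether a NOTIFY went the other way first.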