zone transfers fail
Christopher L. Everett
ceverett at cobalt.physemp.com
Mon Feb 3 07:14:47 UTC 2003
Mark.Andrews at isc.org wrote:
>>I guess you can't leave anything unspoken anywhere you go, so I'd better put both
>>the full configuration files from the master and the slave on the list:
>>
>>// master server named.conf
>>
>>acl "my-dns-ip" {
>> localhost;
>
>
> I suggest that you look at the definition of the localhost
> acl. It is *not* "{ 127.0.0.1; ::1; };".
>
Thanks, a typical (and I predict very common) newbie mistake.
Putting 127.0.0.1 in place of localhost did not change matters.
FWIW, I'm using the Debian BIND 9.2.1 package on a Debian testing distro box; my
friend across town has been using the Debian testing bind9 package for over
a year without any problems.
>> 207.177.51.227;
>>};
>>
>>acl "primary-dns-ip" {
>> 207.177.51.227;
>>};
>>
>>acl "secondary-dns-ips" {
>> 207.177.51.228;
>>};
>>
>>acl "local-ips" {
>> 207.177.51.224/28;
>> 207.177.73.224/28;
>> localhost;
>>};
>>
>>acl "natel-dns-ips" {
>> 207.177.74.108;
>> 207.177.74.118;
>>};
>>
>>acl RFC1918 {
>> 0.0.0.0/7; 2.0.0.0/8; 192.0.2.0/24; 224.0.0.0/3;
>> 10.0.0.0/8; 172.16.0.0/12; 192.168.0.0/16;
>>};
>>
>>
>>options {
>> directory "/var/cache/bind";
>>
>> listen-on { my-dns-ip; };
>> listen-on-v6 { none; };
>> blackhole { RFC1918; };
>> forwarders { 207.177.74.118; 207.177.74.108; };
>> allow-query { local-ips; natel-dns-ips; };
>> allow-recursion { local-ips; };
>> allow-transfer { localhost; primary-dns-ip; secondary-dns-ips; };
>> auth-nxdomain yes; # conform to RFC1035
>>};
>>
>>zone "." {
>> type hint;
>> file "/etc/bind/db.root";
>>};
>>
>>zone "localhost" {
>> type master;
>> file "/etc/bind/db.local";
>> allow-transfer { localhost; };
>> allow-update { none; };
>>};
>>
>>zone "127.in-addr.arpa" {
>> type master;
>> file "/etc/bind/db.127";
>> allow-transfer { localhost; };
>> allow-update { none; };
>>};
>>
>>zone "0.in-addr.arpa" {
>> type master;
>> file "/etc/bind/db.0";
>> allow-transfer { localhost; };
>> allow-update { none; };
>>};
>>
>>zone "255.in-addr.arpa" {
>> type master;
>> file "/etc/bind/db.255";
>> allow-transfer { localhost; };
>> allow-update { none; };
>>};
>>
>>zone "hospitalpage.com" {
>> type master;
>> file "/etc/bind/zones/hospitalpage.com";
>> allow-query { any; };
>> allow-update { none; };
>>};
>>
>>// end master server named.conf
>>
>
>
>>Feb 1 22:11:14 lists named[210]: client 207.177.51.228#1234: zone transfer 'hospitalpage.com/IN' denied
>
>
> On the face of it I would say that named is not running the
> config you think it is running.
#find / -name named.conf
/etc/bind/named.conf
That's the only named.conf on my box. To make double sure, I put a
'-c /etc/bind/named.conf' in the /etc/init.d/bind9 script for both slave
and master to force it to use the one I want it to use, with the same
results.
> If you are running chroot then named looks in the chroot
> area. Also symbolic links may refer to different location
> when running chroot.
Not running chroot. Yet.
>
> Mark
>
>
>>And the corresponding errors in the slave server daemon.log:
>>
>>Feb 1 22:12:25 silicon named[158]: transfer of 'hospitalpage.com/IN' from 207.177.51.227#53: failed while receiving responses: REFUSED
>>Feb 1 22:12:25 silicon named[158]: transfer of 'hospitalpage.com/IN' from 207.177.51.227#53: end of transfer
>>
>>
>>--
>>Christopher L. Everett
>>Chief Technology Officer
>>The Medical Banner Exchange
>>Physicians Employment on the Internet
>>
>>
>
> --
> Mark Andrews, Internet Software Consortium
> 1 Seymour St., Dundas Valley, NSW 2117, Australia
> PHONE: +61 2 9871 4742 INTERNET: Mark.Andrews at isc.org
--
Christopher L. Everett
Chief Technology Officer
The Medical Banner Exchange
Physicians Employment on the Internet
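Editor's added example, not part of the original thread or of BIND itself: a small Python model of how BIND evaluates an address match list such as allow-transfer, run against the ACLs quoted from the master's named.conf above. It assumes the master's interfaces are 127.0.0.1 and 207.177.51.227 (hypothetical; the post only shows the latter in my-dns-ip) and does not model TSIG keys or the localnets built-in. The point it makes is the one Mark raises: the built-in localhost ACL matches every address configured on the host's interfaces, not only 127.0.0.1, and with the config as posted the secondary 207.177.51.228 is allowed, so a "zone transfer denied" for that client means the running named is not using this config.

```python
import ipaddress

# Constructed from the master named.conf quoted above: the ACLs and the global
# allow-transfer list, reduced to what an address-match-list evaluation needs.
ACLS = {
    "primary-dns-ip": ["207.177.51.227"],
    "secondary-dns-ips": ["207.177.51.228"],
    "local-ips": ["207.177.51.224/28", "207.177.73.224/28", "localhost"],
}
ALLOW_TRANSFER = ["localhost", "primary-dns-ip", "secondary-dns-ips"]

# Assumed (hypothetical) interface addresses of the master: the post only shows
# 207.177.51.227 in my-dns-ip; the loopback is implied. BIND's built-in
# "localhost" ACL matches every one of these, not just 127.0.0.1.
INTERFACE_ADDRS = ["127.0.0.1", "207.177.51.227"]


def _match_element(element, client, interfaces, acls, depth):
    """Return +1 if ELEMENT matches CLIENT positively, -1 if it matches through
    a negated entry, 0 if it says nothing about CLIENT. A "!" on a nested ACL
    flips the sign of whatever the nested list returned."""
    if depth > 16:
        raise ValueError("ACL nesting too deep (cycle?)")
    negated = element.startswith("!")
    name = element.lstrip("!").strip()
    if name == "any":
        result = 1
    elif name == "none":
        result = -1  # "none" is defined as { !any; }: a negative match
    elif name == "localhost":
        result = 1 if client in interfaces else 0
    elif name in acls:
        result = _match_list(acls[name], client, interfaces, acls, depth + 1)
    else:
        # Bare address or prefix; a bare address is a host prefix.
        network = ipaddress.ip_network(name, strict=False)
        result = 1 if client in network else 0
    return -result if negated else result


def _match_list(elements, client, interfaces, acls, depth=0):
    """Scan in order; the first element with an opinion decides."""
    for element in elements:
        result = _match_element(element, client, interfaces, acls, depth)
        if result != 0:
            return result
    return 0


def transfer_allowed(client_ip, allow_transfer, acls=ACLS, interfaces=INTERFACE_ADDRS):
    """Would CLIENT_IP pass ALLOW_TRANSFER used as an access-control list?
    A positive first match allows, a negated match denies, and no match at
    all denies: the case that logs "zone transfer ... denied"."""
    client = ipaddress.ip_address(client_ip)
    iface_set = {ipaddress.ip_address(a) for a in interfaces}
    return _match_list(allow_transfer, client, iface_set, acls) > 0


if __name__ == "__main__":
    # The secondary from the log line is allowed by the config as posted.
    for ip in ("207.177.51.228", "207.177.51.227", "127.0.0.1", "192.0.2.10"):
        print(ip, "allowed" if transfer_allowed(ip, ALLOW_TRANSFER) else "denied")
    # Swapping "localhost" for "127.0.0.1" narrows the match: the box's own
    # public address no longer matches that element.
    print(transfer_allowed("207.177.51.227", ["localhost"]))    # True
    print(transfer_allowed("207.177.51.227", ["127.0.0.1"]))    # False
```

Two practical consequences follow from the model. On a multi-homed server, allow-transfer { localhost; } is broader than 127.0.0.1, since any of the host's own addresses matches it; and a negated entry only denies if it comes before the entry that would have allowed, because the first match wins.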