Slaving a dynamic zone

Kirk Strauser kirk at strauser.com
Wed Oct 1 14:17:32 UTC 2003


This is kind of long, so I'll summarize to spare some reading for those
who might not be able to help.  In a nutshell, I'm having problems getting
my slave server to track dynamic updates to my master server.

My master server is running BIND 9.2.3.4 on a FreeBSD 5.1 (hostname:
kanga.honeypot.net).  My slave server is running BIND 9.2.2 on a FreeBSD 4.7
server (hostname: glaaki.masonitg.com).

The setup is more complex than I'd *like* it to be, but given that I'm
supporting IPv4 and IPv6, and the master is serving split DNS (about 70
public zones and 5 private), I think I've got things fairly well under
control.

I've created a dynamic zone that's delegated out of a larger, mostly-static
zone.  From named.conf on the master:

    zone "honeypot.net" {
        type master;
        file "external/db.honeypot.net";
    };

    zone "infected.honeypot.net" {
        type master;
        file "dyn/db.infected.honeypot.net";
        allow-transfer { key glaaki-kanga.masonitg.com.; };
        update-policy {
            grant kanga.honeypot.net. wildcard *.infected.honeypot.net. A;
            grant kanga.honeypot.net. wildcard *.infected.honeypot.net. TXT;
        };
    };

From "external/db.honeypot.net":

    infected        300     IN      NS      kanga.honeypot.net.
    infected        300     IN      NS      glaaki.masonitg.com.

This works well; I have no problems using nsupdate to add/delete A and TXT
records to the "infected.honeypot.net" zone (it's a blackhole list for
virus-infected computers, in case you were wondering about the name).

The problem comes when trying to get the slave server to track the dynamic
updates.  I can use tcpdump to watch the NOTIFY go out and come back, and
entries like the following appear in the slave's logs:

    queue_soa_query: zone infected.honeypot.net/IN: enter
    soa_query: zone infected.honeypot.net/IN: enter
    refresh_callback: zone infected.honeypot.net/IN: enter
    refresh_callback: zone infected.honeypot.net/IN: serial: new 2100000032, old 2100000032

The problem is that the serial is woefully out of date and never increments
on the slave, even though it's updating instantaneously on the master.

From the master:

    root at kanga# dig -t soa 1.2.3.4.infected.honeypot.net | grep 21000 | awk '{print $7}'
    2100000088

From the slave:

    root at glaaki# dig -t soa 1.2.3.4.infected.honeypot.net | grep 21000 | awk '{print $7}'
    2100000032

I can't figure this one out.  I've tried disabling IPv6 on the slave to
force an IPv4 connection, in case it was some strange IPv6 problem.  I
checked that the slave wasn't using any forwarders, not that I thought it
should make any difference - but still.  At one point, I added the master's
IP to the slave's "allow-recursion" option because I kept getting log
entries like the first line below:

    client 208.162.254.122#60693: recursion available: denied
    queue_soa_query: zone infected.honeypot.net/IN: enter
    soa_query: zone infected.honeypot.net/IN: enter
    refresh_callback: zone infected.honeypot.net/IN: enter
    refresh_callback: zone infected.honeypot.net/IN: serial: new 2100000032, old 2100000032

I'm at a loss.  I don't know what else to do, or how else to troubleshoot.
Any suggestions?
-- 
Kirk Strauser
In Googlis non est, ergo non est.

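The serial comparison in the post is done by hand with `grep 21000 | awk '{print $7}'`, which only works while the serial happens to contain that digit string. As an added example (not part of the original post, and not BIND's own tooling), the POSIX shell helper below pulls the serial out of `dig` output by matching the `SOA` field instead, and turns the master/slave pair into a verdict that a script or monitor can act on. The two `dig` outputs embedded in it are constructed for the demonstration, using the zone, hostnames and serials from the post; the hostmaster address, refresh/retry/expire values and the `insync`/`lagging`/`ahead`/`unknown` vocabulary are assumptions of the example.

```shell
#!/bin/sh
# Added example, not code from the original post or from BIND.
# Extract the SOA serial from dig output and compare the master's serial
# against the slave's, so that "the slave's serial never moves" can be
# checked from a script rather than by eye.

# Print the SOA serial found in dig output (answer or authority section).
# A dig SOA line is:  name ttl class SOA mname rname serial refresh retry expire minimum
# so the serial is field 7 of the line whose field 4 is "SOA". Prints
# nothing if the output carries no SOA record.
soa_serial() {
    printf '%s\n' "$1" | awk '$4 == "SOA" { print $7; exit }'
}

# Compare two serials and print one word:
#   unknown  - one of the serials could not be parsed
#   insync   - slave holds the master's serial
#   lagging  - slave is behind the master (the symptom in the post)
#   ahead    - slave is ahead of the master (also worth investigating)
# Plain integer comparison is used; RFC 1982 serial-number wraparound is
# deliberately not handled here (assumption: serials do not wrap).
sync_status() {
    master=$1
    slave=$2
    if [ -z "$master" ] || [ -z "$slave" ]; then
        echo unknown
    elif [ "$master" -eq "$slave" ]; then
        echo insync
    elif [ "$slave" -lt "$master" ]; then
        echo lagging
    else
        echo ahead
    fi
}

# Constructed sample output, shaped like `dig @server infected.honeypot.net SOA`.
# The master answers with the current serial in the ANSWER section.
MASTER_OUT='
;; ANSWER SECTION:
infected.honeypot.net.	300	IN	SOA	kanga.honeypot.net. hostmaster.honeypot.net. 2100000088 3600 900 604800 300
'
# The slave still carries the old serial; this sample places the SOA in the
# AUTHORITY section, as happens when a name inside the zone is queried
# (the post queries 1.2.3.4.infected.honeypot.net rather than the apex).
SLAVE_OUT='
;; AUTHORITY SECTION:
infected.honeypot.net.	300	IN	SOA	kanga.honeypot.net. hostmaster.honeypot.net. 2100000032 3600 900 604800 300
'

# Live use would replace the samples with real queries, e.g.
#   MASTER_OUT=$(dig @kanga.honeypot.net infected.honeypot.net SOA)
#   SLAVE_OUT=$(dig @glaaki.masonitg.com infected.honeypot.net SOA)
master_serial=$(soa_serial "$MASTER_OUT")
slave_serial=$(soa_serial "$SLAVE_OUT")
echo "master serial: $master_serial"
echo "slave serial:  $slave_serial"
echo "status:        $(sync_status "$master_serial" "$slave_serial")"
```

When the master serves views (the post's master does split DNS), the answer it gives depends on where the query comes from, so run the `dig @kanga.honeypot.net` half from the slave host itself rather than from the master; comparing what the master tells the slave's address with what the slave actually holds is the pair of numbers that matters for a transfer that is not happening.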



More information about the bind-users mailing list