Slaving a dynamic zone
Kirk Strauser
kirk at strauser.com
Wed Oct 1 14:17:32 UTC 2003
This is kind of long, so I'll summarize to spare some reading for those
who might not be able to help. In a nutshell, I'm having problems getting
my slave server to track dynamic updates to my master server.
My master server is running BIND 9.2.3.4 on a FreeBSD 5.1 (hostname:
kanga.honeypot.net). My slave server is running BIND 9.2.2 on a FreeBSD 4.7
server (hostname: glaaki.masonitg.com).
The setup is more complex than I'd *like* it to be, but given that I'm
supporting IPv4 and IPv6, and the master is serving split DNS (about 70
public zones and 5 private), I think I've got things fairly well under
control.
I've created a dynamic zone that's delegated out of a larger, mostly-static
zone. From named.conf on the master:
zone "honeypot.net" {
        type master;
        file "external/db.honeypot.net";
};

zone "infected.honeypot.net" {
        type master;
        file "dyn/db.infected.honeypot.net";
        allow-transfer { key glaaki-kanga.masonitg.com.; };
        update-policy {
                grant kanga.honeypot.net. wildcard *.infected.honeypot.net. A;
                grant kanga.honeypot.net. wildcard *.infected.honeypot.net. TXT;
        };
};
From "external/db.honeypot.net":
infected 300 IN NS kanga.honeypot.net.
infected 300 IN NS glaaki.masonitg.com.
This works well; I have no problems using nsupdate to add/delete A and TXT
records to the "infected.honeypot.net" zone (it's a blackhole list for
virus-infected computers, in case you were wondering about the name).
The problem comes when trying to get the slave server to track the dynamic
updates. I can use tcpdump to watch the NOTIFY go out and come back, and
entries like the following appear in the slave's logs:
queue_soa_query: zone infected.honeypot.net/IN: enter
soa_query: zone infected.honeypot.net/IN: enter
refresh_callback: zone infected.honeypot.net/IN: enter
refresh_callback: zone infected.honeypot.net/IN: serial: new 2100000032, old 2100000032
The problem is that the serial is woefully out of date and never increments
on the slave, even though it's updating instantaneously on the master.
From the master:
root at kanga# dig -t soa 1.2.3.4.infected.honeypot.net | grep 21000 | awk '{print $7}'
2100000088
From the slave:
root at glaaki# dig -t soa 1.2.3.4.infected.honeypot.net | grep 21000 | awk '{print $7}'
2100000032
I can't figure this one out. I've tried disabling IPv6 on the slave to
force an IPv4 connection, in case it was some strange IPv6 problem. I
checked that the slave wasn't using any forwarders, not that I thought it
should make any difference - but still. At one point, I added the master's
IP to the slave's "allow-recursion" option because I kept getting log
entries like the first line below:
client 208.162.254.122#60693: recursion available: denied
queue_soa_query: zone infected.honeypot.net/IN: enter
soa_query: zone infected.honeypot.net/IN: enter
refresh_callback: zone infected.honeypot.net/IN: enter
refresh_callback: zone infected.honeypot.net/IN: serial: new 2100000032, old 2100000032
I'm at a loss. I don't know what else to do, or how else to troubleshoot.
Any suggestions?
-- 
Kirk Strauser
In Googlis non est, ergo non est.
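The post's troubleshooting boils down to comparing the SOA serial the master hands out with the one the slave still holds. The following is an added example (not code from the post, from BIND, or from ISC): a small Python checker that parses the text output of `dig -t soa`, pulls the serial out of the SOA record in whichever section it appears, and then applies the RFC 1982 serial-number comparison that a BIND slave itself uses to decide whether a refresh should trigger a zone transfer. The two `dig` outputs embedded below are constructed to resemble the post's servers; the serial values are the ones quoted in the post, but the SOA timers, the hostmaster address and the query id are assumptions.

```python
"""Compare a master's and a slave's SOA serial from dig output.

Added example, not from the original post. The dig transcripts below are
constructed; only the two serial numbers come from the post.
"""
import re

# Constructed dig output for the master (kanga). Querying a name with no
# SOA of its own returns the zone SOA in the AUTHORITY section, which is
# why the post's awk pipeline still finds the serial as field 7.
MASTER_DIG = """\
; <<>> DiG 9.2.3 <<>> -t soa 1.2.3.4.infected.honeypot.net
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 1234
;; AUTHORITY SECTION:
infected.honeypot.net.\t300\tIN\tSOA\tkanga.honeypot.net. hostmaster.honeypot.net. 2100000088 3600 900 604800 300
"""

# Constructed dig output for the slave (glaaki), still at the stale serial.
SLAVE_DIG = """\
; <<>> DiG 9.2.2 <<>> -t soa 1.2.3.4.infected.honeypot.net
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 5678
;; AUTHORITY SECTION:
infected.honeypot.net.\t300\tIN\tSOA\tkanga.honeypot.net. hostmaster.honeypot.net. 2100000032 3600 900 604800 300
"""

# One SOA presentation-format line: owner TTL IN SOA mname rname serial refresh retry expire minimum
SOA_RE = re.compile(
    r"^(?P<name>\S+)\s+(?P<ttl>\d+)\s+IN\s+SOA\s+(?P<mname>\S+)\s+(?P<rname>\S+)\s+"
    r"(?P<serial>\d+)\s+(?P<refresh>\d+)\s+(?P<retry>\d+)\s+(?P<expire>\d+)\s+(?P<minimum>\d+)\s*$"
)
STRING_FIELDS = ("name", "mname", "rname")


def parse_soa(dig_output: str) -> dict:
    """Return the first SOA record in dig's text output, from any section."""
    for line in dig_output.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):  # dig comments and section headers
            continue
        m = SOA_RE.match(line)
        if m:
            return {k: (v if k in STRING_FIELDS else int(v)) for k, v in m.groupdict().items()}
    raise ValueError("no SOA record in dig output")


def serial_gt(a: int, b: int) -> bool:
    """RFC 1982 serial arithmetic: is 32-bit serial a 'greater than' b?

    Differences of exactly 2**31 are undefined by the RFC; they are reported
    as not-greater here, so a slave would not transfer in that case.
    """
    a &= 0xFFFFFFFF
    b &= 0xFFFFFFFF
    half = 1 << 31
    return (a < b and b - a > half) or (a > b and a - b < half)


def transfer_status(master_serial: int, slave_serial: int) -> str:
    """Classify what a slave would do on refresh for this pair of serials."""
    if master_serial == slave_serial:
        return "in-sync"            # slave sees nothing newer, no transfer
    if serial_gt(master_serial, slave_serial):
        return "slave-behind"       # master is newer, transfer should happen
    return "slave-ahead"            # slave's serial is 'newer', it will never pull


def check_zone(master_output: str, slave_output: str) -> dict:
    """Parse both dig outputs and report the serial relationship for the zone."""
    master = parse_soa(master_output)
    slave = parse_soa(slave_output)
    if master["name"] != slave["name"]:
        raise ValueError(f"zone mismatch: {master['name']} vs {slave['name']}")
    return {
        "zone": master["name"],
        "master_serial": master["serial"],
        "slave_serial": slave["serial"],
        "status": transfer_status(master["serial"], slave["serial"]),
    }


if __name__ == "__main__":
    print(check_zone(MASTER_DIG, SLAVE_DIG))
```

The `slave-ahead` branch is the case worth watching for in general: if a slave's copy ever ends up with a serial that RFC 1982 ranks above the master's, the slave will log a stale serial on every refresh exactly as in the post and never transfer, even though NOTIFYs arrive. Running the parser against real `dig` output instead of the constructed transcripts only requires feeding it the captured text.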