zone transfer denied
Kevin Darcy
kcd at daimlerchrysler.com
Wed Apr 7 23:24:48 UTC 2004
SingSong wrote:
>Apr 7 01:29:29 ns1 named[72]: client 206.228.179.10#40953: zone transfer
>'mydomain.com/IN' denied
>Apr 7 01:40:17 ns1 named[72]: client 144.228.254.10#56920: zone transfer
>'mydomain.com/IN' denied
>Apr 7 01:56:07 ns1 named[72]: client 144.228.255.10#34335: zone transfer
>'mydomain.com/IN' denied
>
>Does this mean that my provider (Sprint) is trying to update their DNS server
>from mine? They are our secondary, so I should allow the transfer?
>
If they are to be a functional AXFR/IXFR-based slave for the
mydomain.com zone, then you *must* open up zone transfers for them.
>But then, do I have to add their IP to all of my zone records? i.e.
>
>zone "1.yy.xx.in-addr.arpa" {
>    type master;
>    file "isot-xx.yy.1.rev";
>    allow-query { any; };
>    allow-transfer {
>        internals;
>        206.228.179.10;
>        144.228.254.10;
>        144.228.255.10;
>    };
>};
>
>zone "2.yy.xx.in-addr.arpa" {
>    type master;
>    file "isot-xx.yy.2.rev";
>    allow-query { any; };
>    allow-transfer {
>        internals;
>        206.228.179.10;
>        144.228.254.10;
>        144.228.255.10;
>    };
>};
>
>and on and on?
>
No, only the zones that you want them to be able to transfer. If you
find that you're repeating the same set of servers in most of your
per-zone allow-transfer clauses, you might want to consider instead
putting those servers in a global ("options" statement) allow-transfer
clause. You'd still have the option to override that list on a
zone-by-zone basis, of course.
- Kevin
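
Added example, not part of the original thread: before opening up allow-transfer, it helps to sort the denied clients in the log into servers you expect to be secondaries and everything else. The sketch below parses the "zone transfer ... denied" message in the format quoted in the post; `triage`, `EXPECTED_SECONDARIES` and the third log line are constructed for illustration, and treating the post's three addresses as confirmed provider secondaries is an assumption.

```python
import ipaddress
import re
from collections import defaultdict

# Denial message in the format quoted in the post. The greedy zone group
# backtracks to the final "/IN'", so zone names containing "/" still parse.
DENIED = re.compile(
    r"client (?P<ip>[0-9A-Fa-f.:]+)#\d+: zone transfer '(?P<zone>[^']+)/IN' denied"
)

# Assumption: addresses (or CIDR blocks) the provider has confirmed as its
# secondaries. Confirm this list with the provider rather than from the log.
EXPECTED_SECONDARIES = ["206.228.179.10", "144.228.254.10", "144.228.255.10"]

# First two lines are from the post (unwrapped); the last one is constructed.
SAMPLE_LOG = [
    "Apr 7 01:29:29 ns1 named[72]: client 206.228.179.10#40953: zone transfer 'mydomain.com/IN' denied",
    "Apr 7 01:40:17 ns1 named[72]: client 144.228.254.10#56920: zone transfer 'mydomain.com/IN' denied",
    "Apr 7 02:03:11 ns1 named[72]: client 192.0.2.55#51514: zone transfer 'mydomain.com/IN' denied",
]

def triage(log_lines, expected_secondaries):
    """Return (expected, unexpected): each maps zone -> set of denied client IPs."""
    nets = [ipaddress.ip_network(n) for n in expected_secondaries]
    expected, unexpected = defaultdict(set), defaultdict(set)
    for line in log_lines:
        m = DENIED.search(line)
        if not m:
            continue  # not a transfer denial
        try:
            ip = ipaddress.ip_address(m.group("ip"))
        except ValueError:
            continue  # malformed address; skip rather than guess
        bucket = expected if any(ip in n for n in nets) else unexpected
        bucket[m.group("zone")].add(str(ip))
    return dict(expected), dict(unexpected)

if __name__ == "__main__":
    expected, unexpected = triage(SAMPLE_LOG, EXPECTED_SECONDARIES)
    for zone, ips in expected.items():
        # Known secondaries being refused: a gap in allow-transfer for this zone.
        print(f"{zone}: add to allow-transfer -> {sorted(ips)}")
    for zone, ips in unexpected.items():
        # Unknown clients: the denial is doing its job; leave them out of the ACL.
        print(f"{zone}: keep denied, review -> {sorted(ips)}")
```

Zones that show up only in the unexpected bucket need no allow-transfer change.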