refresh failure despite ability to do AXFR and IXFR via command line (was Re: refresh times out from Win DNS)

Ronan Flood ronan at noc.ulcc.ac.uk
Wed Jul 21 15:00:58 UTC 2004


On Mon, 19 Jul 2004 19:35:30 -0400 (EDT),
Mark Jeftovic <mark at jeftovic.net> wrote:

> This other case I have access to the master, it is running 8.4.1-REL via
> some "hsphere" system I'm unfamiliar with.

This?  http://www.psoft.net/h_sphere2_info.html

> But the symptoms are the same, I can do an AXFR from the command line
> using host or dig and I can see it arrive in the logs on the master:
> 
> Jul 19 18:16:34 cp named[2695]: approved AXFR from [192.168.40.250].47650
> for "example.com"
> Jul 19 18:16:34 cp named[2695]: zone transfer (AXFR) of "example.com" (IN)
> to [192.168.40.250].47650 serial 2004071202
> 
> But when I do it via the slave with "rndc reload example.com", I just
> get this error in the logs immediately on the slave side (bind9.2.3):
> 
> Jul 19 19:23:57 ds2 named[1879]: zone example.com/IN: refresh: failure
> trying master 24.227.181.110#53: timed out
> 
> happens a bunch of times and then
> 
> Jul 19 19:27:43 ds2 named[1879]: zone example.com/IN: refresh: retry limit
> for master 24.227.181.110#53 exceeded
> 
> So on the face of it it seems as if the nameserver gets stuck on
> *something* and the request doesn't even make it to the master.
> 
> (Like I said previously, this slave has about 80K zones on it, so it is
> not a system wide problem, and as I try this there are 0 xfers running and
> 9 soa queries in progress)
> 
> Everything else works, i.e. AXFR and IXFR can both be obtained using host
> or dig.

One difference between dig/host and named when doing a zone transfer
is that named will do a UDP query for the SOA first, to compare the
serial number with its local copy of the zone.  Can you do that?
Do you see it in the log on the master if you have query-logging on?

Have you got anything in the named.conf on the slave like query-source
or transfer-source, or allow-transfer on the master?  Um, obvious
question but: you are using dig/host on the same system on which the
slave named runs?

-- 
                      Ronan Flood <R.Flood at noc.ulcc.ac.uk>
                        working for but not speaking for
             Network Services, University of London Computer Centre
     (which means: don't bother ULCC if I've said something you don't like)
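As an added illustration of the difference Ronan points out (this script is not from the thread, nor part of BIND): a POSIX shell function that replays the steps named takes on a refresh, a UDP SOA query first, then an RFC 1982 serial comparison, and a TCP AXFR only if the master's serial is newer. It assumes dig is installed; the master address, zone and local serial are passed as arguments, and the values in the comments are the ones quoted in the thread.

```shell
#!/bin/sh
# Added example (not from the thread): replay what named does on a refresh.
# Step 1 is a UDP SOA query to the master; step 2 compares the master's
# serial with the local one (RFC 1982 wrap-around rules); only if the master
# is newer does step 3 open a TCP connection for the AXFR that dig/host do
# straight away.  Assumes dig is installed; master/zone/serial are arguments.

# Print the serial from a "dig +short ... SOA" RDATA line, e.g.
#   ns1.example.com. hostmaster.example.com. 2004071202 3600 900 604800 86400
serial_from_soa() {
    printf '%s\n' "$1" | awk '{ print $3 }'
}

# Succeed (exit 0) when serial $2 is newer than serial $1 per RFC 1982.
# A plain numeric compare would be wrong when the 32-bit serial wraps.
serial_newer() {
    l=$1; m=$2
    if [ "$l" -lt "$m" ]; then
        [ $((m - l)) -lt 2147483648 ]
    elif [ "$l" -gt "$m" ]; then
        [ $((l - m)) -gt 2147483648 ]
    else
        return 1          # equal serials: nothing to transfer
    fi
}

# refresh_check MASTER ZONE LOCAL_SERIAL
refresh_check() {
    master=$1; zone=$2; local_serial=$3
    # Step 1: the UDP SOA query named sends first.  No answer here is what
    # the slave logs as "refresh: failure trying master ...: timed out".
    soa=$(dig +notcp +time=5 +tries=1 +short "@$master" "$zone" SOA 2>/dev/null) || soa=""
    case $soa in
        ''|';;'*) echo "no SOA answer over UDP from $master; AXFR over TCP is never attempted"; return 2 ;;
    esac
    master_serial=$(serial_from_soa "$soa")
    # Step 2: the serial comparison decides whether a transfer happens at all.
    if serial_newer "$local_serial" "$master_serial"; then
        echo "master serial $master_serial newer than local $local_serial; transferring"
        # Step 3: the TCP transfer, the only step dig/host exercise on their own.
        dig +tcp "@$master" "$zone" AXFR >/dev/null && echo "AXFR completed"
    else
        echo "master serial $master_serial not newer than local $local_serial; no transfer"
    fi
}

# Values from the thread: refresh_check 24.227.181.110 example.com 2004071202
if [ $# -eq 3 ]; then refresh_check "$1" "$2" "$3"; fi
```

Run it on the slave itself, with the serial from the slave's copy of the zone, so that the UDP SOA step is tested from the same source address named uses.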

