zone transfer problem (newbie issue)
Dave Stewart
dstewart at aquaflo.com
Tue May 17 19:15:45 UTC 2005
First off, thanks for the quick responses. My apologies for the delay
in my response to them; it's kinda busy around here lately. That said
...
Begin forwarded message:
> From: Brad Knowles
> Date: May 13, 2005 6:25:17 PM PDT
> To: Dave Stewart
> Cc: bind-users at isc.org
> Subject: Re: zone transfer problem (newbie issue)
>
> At 4:51 PM -0700 2005-05-13, Dave Stewart wrote:
>
>> So at this point, "rusty" can only resolve the zones it's a master
>> for, yet "diagnostics" can resolve all zones. It appears to me after a
>> week of splitting my head open on this issue (searching archives,
>> documentation, O'Reilly's online "DNS and BIND", and any and all
>> tutorials and help files I can grab :) that "diagnostics" is approving
>> the request for a zone transfer, but then not sending a response back
>> to "rusty". To check this suspicion I ran the following on "rusty" to
>> force a transfer:
>
> One thing to check is the firewall settings on both machines, as well
> as on all the network equipment between them. Most DNS queries happen
> over UDP, but zone transfers are done over TCP.
Good thought here, I didn't realize that the transfers would happen
over TCP. But unfortunately for me, this isn't the issue. Everything
I'm playing with here is behind the firewall.
> Another thing to check is the zone transfer format.
I've seen the discussion that questioned this, but I had to try it
anyway (in fact, you'll note this option in diagnostic's named.conf
file below). Still no love for rusty.
> See the ISC BIND FAQ and search the page for " Zone transfers from my
> BIND 9 master". While this particular entry is aimed towards the
> Windows 2000 DNS server, you may be facing the same problem.
>
> There's lots of other good stuff in the ISC BIND FAQ. I highly
> recommend you read the whole thing.
I wholeheartedly concur with this, but haven't found my answer here (or
in the docs) just yet.
Since there don't seem to be any known issues transferring between
8.2 and 9.2, the only thing left is to assume I have a problem with my
zones that I'm just not seeing. Hopefully someone will notice the issue
and find a nice way to call me an idiot.
;-)
This zone is working fine, mastered on rusty and slaved properly on
diagnostics:
> **********start goleta.aquaflo.com zone file**********
> ;
> ; zone file for the goleta.aquaflo.com zone
> ; (deploy on primary master DNS - rusty)
> ;
> ; created on 4/2005 by Dave Stewart
> ;
> $TTL 3D ; Time To Live = 3 days
> @ IN SOA rusty.aquaflo.com. dstewart.aquaflo.com. (
>         1   ; Serial number
>         12H ; Refresh after 12 hours (43200 seconds)
>         1H  ; Retry after 1 hour (3600 seconds)
>         2W  ; Expire after 14 days (1209600 seconds)
>         1D  ; Minimum TTL of 1 day (86400 seconds)
>         )
>
>         IN NS rusty.aquaflo.com.
>
> localhost IN A 127.0.0.1
>
> ;
> ; other dns servers
> ;
> diags     IN A 192.168.12.25
>
> ;
> ; equipment section
> ;
> digi      IN A 192.168.12.100
> switch    IN A 192.168.12.221
>
> **********end goleta.aquaflo.com zone**********
(Note I do have a blank line at the end of these files, that's not a
problem is it?)
The pertinent parts of rusty's named.conf file:
> **********start rusty's named.conf**********
> # named.conf
> #
> # configuration file for primary master DNS server
> # should be deployed on "rusty"
> #
> # responsibilities of this server:
> #   - primary (master) server of "central" (goleta) zone
> #   - secondary (slave) server of all other zones
> #
> # created 4/2005 by Dave Stewart
>
> # "internal" defines all IP addresses within
> # Aqua~Flo's internal LAN
> acl internal {
>     localhost;          //obviously ;-)
>     192.168.11.0/24;    //ojai domain
>     192.168.12.0/24;    //goleta domain (central)
>     192.168.13.0/24;    //sc domain
>     192.168.14.0/24;    //sb domain
>     192.168.15.0/24;    //wla domain
>     192.168.16.0/24;    //vta domain
>     192.168.17.0/24;    //tor domain
> };
>
> # "spoof" defines all IP addresses that are simply
> # blacklisted (untrusted addresses from RFC1918 space)
> acl spoof {
>     0.0.0.0/8;
>     1.0.0.0/8;
>     2.0.0.0/8;
>     10.0.0.0/8;
>     172.16.0.0/12;
>     192.0.2.0/24;
>     224.0.0.0/3;
> };
>
> # this is where the options for the BIND server
> # are configured. Some notes:
> #   1. only "internal" addresses are allowed to
> #      query this server and
> #   2. all addresses from RFC1918 space are blacklisted
> #      (they are often used to spoof DNS servers)
> options {
>     directory "/etc/named";
>     allow-query { internal; };
>     allow-transfer { 192.168.12.25; };
>     # query-source { 192.168.12.25; };
>     # notify-source { 192.168.12.25; };
>     # transfer-source { 192.168.12.25; };
>     blackhole { spoof; };
> };
>
> # mapping to goleta devices
> zone "goleta.aquaflo.com" {
>     type master;
>     file "named.goleta.hosts";
> };
>
> # reverse mapping for corporate machines (central)
> zone "12.168.192.in-addr.arpa" {
>     type master;
>     file "named.rev";
> };
>
> # slave mapping for ojai zone
> zone "ojai.aquaflo.com" {
>     type slave;
>     file "named.ojai.slave.hosts";
>     masters { 192.168.12.25; };
> };
>
> # slave reverse mapping for ojai zone
> zone "11.168.192.in-addr.arpa" {
>     type slave;
>     file "named.ojai.slave.rev";
>     masters { 192.168.12.25; };
> };
>
> **********end rusty's named.conf**********
Diagnostics has no problem slaving goleta.aquaflo.com, but rusty won't
slave ojai.aquaflo.com. That zone file looks a lot like goleta's
though, here's what I have for ojai.aquaflo.com on diagnostics:
> **********start ojai.aquaflo.com zone**********
> ;
> ; zone file for the ojai.aquaflo.com zone
> ; (deploy on secondary master DNS - diags)
> ;
> ; created on 4/2005 by Dave Stewart
> ;
> $TTL 3D ; Time To Live = 3 days
> @ IN SOA diags.aquaflo.com. dstewart.aquaflo.com. (
>         2   ; Serial number
>         12H ; Refresh after 12 hours (43200 seconds)
>         1H  ; Retry after 1 hour (3600 seconds)
>         2W  ; Expire after 14 days (1209600 seconds)
>         1D  ; Minimum TTL of 1 day (86400 seconds)
>         )
>         IN NS diags.aquaflo.com.
>
> localhost IN A 127.0.0.1
> rusty     IN A 192.168.12.200
> diags     IN A 192.168.12.25
>
> ;
> ; equipment section
> ;
> digi      IN A 192.168.11.100
> switch    IN A 192.168.11.221
>
> **********end ojai.aquaflo.com zone**********
And, of course the named.conf file from diagnostics:
> **********start diagnostics named.conf**********
> # named.conf
> #
> # configuration file for secondary master DNS server
> # should be deployed on "diags"
> #
> # responsibilities of this server:
> #   - secondary (slave) server of "central" (goleta) zone
> #   - primary (master) server of all other zones
> #
> # created 4/2005 by Dave Stewart
>
> # "internal" defines all IP addresses within
> # Aqua~Flo's internal LAN
> acl internal {
>     localhost;          //obviously ;-)
>     192.168.11.0/24;    //ojai domain
>     192.168.12.0/24;    //goleta domain (central)
>     192.168.13.0/24;    //sc domain
>     192.168.14.0/24;    //sb domain
>     192.168.15.0/24;    //wla domain
>     192.168.16.0/24;    //vta domain
>     192.168.17.0/24;    //tor domain
> };
>
> # "aquaflodns" defines all IP addresses that are
> # allowed to do zone-transfers (all other DNS servers)
> acl aquaflodns {
>     localhost;
>     192.168.12.200;
>     192.168.12.210;
> };
>
> # "spoof" defines all IP addresses that are simply
> # blacklisted (untrusted addresses from RFC1918 space)
> acl spoof {
>     0.0.0.0/8;
>     1.0.0.0/8;
>     2.0.0.0/8;
>     10.0.0.0/8;
>     172.16.0.0/12;
>     192.0.2.0/24;
>     224.0.0.0/3;
> };
>
> # this is where the options for the BIND server
> # are configured. Some notes:
> #   1. only "internal" addresses are allowed to
> #      query this server and
> #   2. all addresses from RFC1918 space are blacklisted
> #      (they are often used to spoof DNS servers)
> options {
>     directory "/etc/named";
>     allow-query { internal; };
>     allow-transfer { aquaflodns; };
>     transfer-format one-answer;
>     blackhole { spoof; };
> };
>
> zone "goleta.aquaflo.com" {
>     type slave;
>     file "named.slave.goleta.hosts";
>     masters { 192.168.12.200; };
> };
>
> # slave reverse mapping for corporate machines (central)
> zone "12.168.192.in-addr.arpa" {
>     type slave;
>     file "named.slave.goleta.rev";
>     masters { 192.168.12.200; };
> };
>
> # mapping for ojai zone
> zone "ojai.aquaflo.com" {
>     type master;
>     file "named.ojai.hosts";
> };
>
> # reverse mapping for ojai zone
> zone "11.168.192.in-addr.arpa" {
>     type master;
>     file "named.ojai.rev";
> };
>
> **********end diagnostics named.conf**********
So, with my guts hanging out for all to see (no worries, it's all
internal stuff anyway), does anyone see why I'm sick?
Many thanks in advance for any and all suggestions. Keep in mind I'm
just learning this stuff; if there is an unrelated, obvious, glaring
issue with the above configurations please feel free to point it out to
me!
Dave Stewart
Aqua~Flo Supply (Goleta CA)
dstewart at aquaflo dot com
Duct tape is like the force;
it has a light side and a dark side
and it holds the universe together.
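Added example, not part of the original post or of BIND: a small Python cross-check of the transfer plumbing between the two servers above. It parses each named.conf (the acl, options and zone statements as posted, trimmed to what matters for transfers), and for every "type slave" zone confirms that the address in `masters` belongs to a known server, that this server is "type master" for the same zone, and that its `allow-transfer` (with ACL names expanded) admits the slave's address. The server names, the 192.168.12.200 / 192.168.12.25 addresses and the config text come from the message; treating `localhost` as 127.0.0.0/8, ignoring per-zone `allow-transfer`, and the "broken" variant at the end are assumptions made for the example.

```python
# Added example (not from the original post): cross-check zone-transfer ACLs across named.conf
# files. Assumptions: one global allow-transfer in "options" (per-zone allow-transfer ignored),
# "localhost" approximated as 127.0.0.0/8, IPv4 only.
import re
from ipaddress import ip_address, ip_network


def strip_comments(text):
    """Drop the three comment styles named.conf accepts: /* */, // and #."""
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)
    return "\n".join(re.split(r"//|#", ln, maxsplit=1)[0] for ln in text.splitlines())


def braced(text, start):
    """Return (body, end) of the brace block whose '{' sits at text[start]."""
    depth = 0
    for i in range(start, len(text)):
        if text[i] == "{":
            depth += 1
        elif text[i] == "}":
            depth -= 1
            if depth == 0:
                return text[start + 1:i], i + 1
    raise ValueError("unbalanced braces")


def items(body):
    """Split a ';'-separated address/ACL list into its elements."""
    return [t.strip() for t in body.split(";") if t.strip()]


def parse_named_conf(conf):
    """Extract acl definitions, the options-level allow-transfer, and each zone's type/masters."""
    text = strip_comments(conf)
    acls, zones, allow_transfer = {}, {}, []
    for m in re.finditer(r'\b(?:acl\s+(\S+)|(options)|zone\s+"([^"]+)")\s*\{', text):
        body, _ = braced(text, m.end() - 1)
        if m.group(1):                                   # acl NAME { ... };
            acls[m.group(1)] = items(body)
        elif m.group(2):                                 # options { ... };
            at = re.search(r"\ballow-transfer\s*\{", body)
            if at:
                allow_transfer = items(braced(body, at.end() - 1)[0])
        else:                                            # zone "NAME" { ... };
            ztype = re.search(r"\btype\s+(\w+)", body)
            masters = re.search(r"\bmasters\s*\{", body)
            zones[m.group(3)] = {
                "type": ztype.group(1) if ztype else None,
                "masters": items(braced(body, masters.end() - 1)[0]) if masters else [],
            }
    return {"acls": acls, "zones": zones, "allow_transfer": allow_transfer}


def expand_acl(entry, acls, _seen=()):
    """Resolve an ACL element (address, CIDR, ACL name or keyword) into ip_network objects."""
    if entry in acls:
        if entry in _seen:
            raise ValueError("recursive acl " + entry)
        return [n for e in acls[entry] for n in expand_acl(e, acls, _seen + (entry,))]
    if entry == "localhost":                             # assumption: loopback only
        return [ip_network("127.0.0.0/8")]
    if entry == "any":
        return [ip_network("0.0.0.0/0")]
    if entry == "none":
        return []
    return [ip_network(entry, strict=False)]


def check_transfers(servers):
    """servers = {name: {"ip": "...", "conf": "<named.conf text>"}}; returns a list of problems."""
    parsed = {n: parse_named_conf(s["conf"]) for n, s in servers.items()}
    by_ip = {s["ip"]: n for n, s in servers.items()}
    problems = []
    for sname, s in servers.items():
        for zname, z in parsed[sname]["zones"].items():
            if z["type"] != "slave":
                continue
            for mip in z["masters"]:
                mname = by_ip.get(mip)
                if mname is None:
                    problems.append(f"{sname}: {zname} names unknown master {mip}")
                    continue
                mz = parsed[mname]["zones"].get(zname)
                if mz is None or mz["type"] != "master":
                    problems.append(f"{mname}: not master for {zname}")
                allowed = [n for e in parsed[mname]["allow_transfer"]
                           for n in expand_acl(e, parsed[mname]["acls"])]
                if not any(ip_address(s["ip"]) in n for n in allowed):
                    problems.append(f"{mname}: allow-transfer does not admit {sname} ({s['ip']}) for {zname}")
    return problems


# The two configs from the post, trimmed to acl/options/zone statements.
RUSTY_CONF = """
acl internal { localhost; 192.168.11.0/24; 192.168.12.0/24; };
options { directory "/etc/named"; allow-query { internal; }; allow-transfer { 192.168.12.25; }; };
zone "goleta.aquaflo.com" { type master; file "named.goleta.hosts"; };
zone "12.168.192.in-addr.arpa" { type master; file "named.rev"; };
zone "ojai.aquaflo.com" { type slave; file "named.ojai.slave.hosts"; masters { 192.168.12.25; }; };
zone "11.168.192.in-addr.arpa" { type slave; file "named.ojai.slave.rev"; masters { 192.168.12.25; }; };
"""
DIAGS_CONF = """
acl internal { localhost; 192.168.11.0/24; 192.168.12.0/24; };
acl aquaflodns { localhost; 192.168.12.200; 192.168.12.210; };   // other DNS servers
options { directory "/etc/named"; allow-query { internal; }; allow-transfer { aquaflodns; }; transfer-format one-answer; };
zone "goleta.aquaflo.com" { type slave; file "named.slave.goleta.hosts"; masters { 192.168.12.200; }; };
zone "12.168.192.in-addr.arpa" { type slave; file "named.slave.goleta.rev"; masters { 192.168.12.200; }; };
zone "ojai.aquaflo.com" { type master; file "named.ojai.hosts"; };
zone "11.168.192.in-addr.arpa" { type master; file "named.ojai.rev"; };
"""
SERVERS = {"rusty": {"ip": "192.168.12.200", "conf": RUSTY_CONF},
           "diags": {"ip": "192.168.12.25", "conf": DIAGS_CONF}}


def check_post_configs():
    """The ACLs as posted are consistent: expect an empty problem list."""
    return check_transfers(SERVERS)


def check_broken_variant():
    """Constructed variant: diags' allow-transfer omits rusty, so both of rusty's slave zones fail."""
    broken = dict(SERVERS)
    broken["diags"] = {"ip": "192.168.12.25", "conf": DIAGS_CONF.replace(
        "allow-transfer { aquaflodns; };", "allow-transfer { 192.168.12.210; };")}
    return check_transfers(broken)


if __name__ == "__main__":
    print(check_post_configs() or "no allow-transfer/masters mismatch in the posted configs")
    print(check_broken_variant())
```

For the configs as posted the check comes back clean, which is consistent with the thread's conclusion that the ACLs are not the culprit; the check only covers the configuration, so a clean result still leaves the network path (TCP port 53 from the slave to the master, as Brad points out) and the zone files themselves (`named-checkzone`) to be verified separately.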