zone transfer problem (newbie issue)

Mark Andrews Mark_Andrews at isc.org
Tue May 17 22:47:16 UTC 2005


> Hi all!
> 
> I'm learning BIND by configuring a pair of servers for internal 
> corporate use. So far I've enjoyed some success along with some 
> frustration.
> 
> Here's what I have so far:
> 
> One DNS server ("diagnostics", a Mac-mini running OSX 10.3.9 and BIND 
> 9.2.2) is a master for 6 zones and a slave for 2 more. So far, this 
> seems to be working like a charm on its own; all zones resolve without 
> issue. In fact, I have been using this as my sole DNS server for a week 
> or two on my development machine without any issues whatsoever.
> 
> One DNS server ("rusty", an IBM E-20 running AIX 5.1 and BIND 8.2.2-P5) 
> is the master for the 2 slave zones in "diagnostics" and is *supposed* 
> to be a slave for the 6 zones mastered on "diagnostics". Here's the rub 
> - the zones aren't transferring to this machine (note that 
> "diagnostics" has no problem transferring its slave zones from 
> "rusty"; only "rusty" is having zone transfer issues from 
> "diagnostics")!
> 
> So at this point, "rusty" can only resolve the zones it's a master 
> for, yet "diagnostics" can resolve all zones. It appears to me after a 
> week of splitting my head open on this issue (searching archives, 
> documentation, O'Reilly's online "DNS and BIND", and any and all 
> tutorials and help files I can grab:) that "diagnostics" is approving 
> the request for a zone transfer, but then not sending a response back 
> to "rusty". To check this suspicion I ran the following on "rusty" to 
> force a transfer:
> 
> # named-xfer -z ojai.aquaflo.com -f /etc/named/tmp.named.ojai.slave -s 
> 0 -d 10 -l /etc/named/tmp.xfer.ojai.log 192.168.12.25
> <30>May 13 15:08:56 named-xfer[25662]: connect(192.168.12.25) for zone 
> ojai.aquaflo.com failed: A remote host did not respond within the 
> timeout period.

	Read the diagnostic. "connect(2) to 192.168.12.25" failed.  i.e.
	the TCP connection DID NOT establish.  Named never saw the
	connection because there was no connection to see.

	The usual causes are:

	1. A typo in the address of the master.
	2. A firewall blocked the TCP handshake.  Remember many machines
	   have their own firewalls these days.

	Mark
 
> Here's what I found in the log file on "diagnostics":
> 
> ...
> May 13 15:06:40.179 client: debug 3: client 192.168.12.200#60865: UDP 
> request
> May 13 15:06:40.179 client: debug 5: client 192.168.12.200#60865: using 
> view '_default'
> May 13 15:06:40.179 security: debug 3: client 192.168.12.200#60865: 
> request is not signed
> May 13 15:06:40.179 security: debug 3: client 192.168.12.200#60865: 
> recursion available: approved
> May 13 15:06:40.180 client: debug 3: client 192.168.12.200#60865: query
> May 13 15:06:40.180 queries: info: client 192.168.12.200#60865: query: 
> ojai.aquaflo.com IN SOA
> May 13 15:06:40.180 client: debug 10: client 192.168.12.200#60865: 
> ns_client_attach: ref = 1
> May 13 15:06:40.180 security: debug 3: client 192.168.12.200#60865: 
> query 'ojai.aquaflo.com/IN' approved
> May 13 15:06:40.180 client: debug 3: client 192.168.12.200#60865: send
> May 13 15:06:40.180 client: debug 3: client 192.168.12.200#60865: sendto
> May 13 15:06:40.180 client: debug 3: client 192.168.12.200#60865: 
> senddone
> May 13 15:06:40.180 client: debug 3: client 192.168.12.200#60865: next
> May 13 15:06:40.180 client: debug 10: client 192.168.12.200#60865: 
> ns_client_detach: ref = 0
> May 13 15:06:40.180 client: debug 3: client 192.168.12.200#60865: 
> endrequest
> ...
> 
> I don't *think* the issue is with my zone files, at least if it is I 
> can't see it. Besides, if I had zone file issues, wouldn't 
> "diagnostics" show them up front (I'm under the impression that BIND 9 
> is pickier than BIND 8, besides when I mess up a zone file named won't 
> even start on "diagnostics")? Is there anything else that can cause 
> issues transferring zones between a BIND 9.2 and a BIND 8.2 server? 
> I've cranked up the logging for both servers, but I just don't see 
> anything that jumps out as saying "here's a problem". On the other 
> hand, I probably don't know what I'm looking for yet either ...
> 
> Note that both servers have the "allow-transfer" option set in 
> named.conf to only allow the other machine to transfer zones; 
> "diagnostics" only allows transfers from "rusty" and vice-versa.
> 
> Any thoughts as to what to try next? Funny thing is I would swear that 
> I had one zone (ojai.aquaflo.com) transferring from "diagnostics" to 
> "rusty" before I tried all 6, but now none of them will transfer. I 
> just now tried only the one slave zone on "rusty", but it doesn't seem 
> to transfer anymore either.
> 
> Feeling perpetually confused at this point and hoping for salvation 
> come Monday ...
> 
> 
> Dave Stewart
> Aqua~Flo Supply (Goleta CA)
> dstewart at aquaflo dot com
> 
> Duct tape is like the force;
> 	it has a light side and a dark side
> 	and it holds the universe together.
> 
> 
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: Mark_Andrews at isc.org
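Mark's reading of the diagnostic can be confirmed from the master's own debug log: if the slave's UDP SOA probe is logged but no TCP AXFR/IXFR session from that slave ever appears, the transfer request never reached named, which points at the address or a firewall rather than at zone files or allow-transfer. The following triage script is an added example (not from the thread and not BIND's own code); it assumes BIND 9 "client" and "queries" log lines in the format quoted above, and the healthy-case lines are constructed.

```python
import re
from collections import defaultdict

# BIND 9 'client' debug line announcing the transport of a new request, and the
# 'queries' line naming the question asked; both carry the peer address#port.
TRANSPORT_RE = re.compile(r"client (?P<peer>[\d.]+)#(?P<port>\d+): (?P<proto>UDP|TCP) request")
QUERY_RE = re.compile(r"client (?P<peer>[\d.]+)#(?P<port>\d+): query: (?P<name>\S+) IN (?P<type>\S+)")

def parse_client_log(lines):
    """Group log lines by (peer, source port): the transport plus the queries seen."""
    sessions = defaultdict(lambda: {"proto": None, "queries": []})
    for line in lines:
        m = TRANSPORT_RE.search(line)
        if m:
            sessions[(m["peer"], m["port"])]["proto"] = m["proto"]
            continue
        m = QUERY_RE.search(line)
        if m:
            sessions[(m["peer"], m["port"])]["queries"].append((m["name"], m["type"]))
    return sessions

def transfer_status(lines, slave_ip, zone):
    """Classify what the master saw from one slave for one zone."""
    soa_udp = xfr_tcp = False
    for (peer, _port), sess in parse_client_log(lines).items():
        if peer != slave_ip:
            continue
        for name, qtype in sess["queries"]:
            if name.rstrip(".") != zone:
                continue
            if qtype == "SOA" and sess["proto"] == "UDP":
                soa_udp = True
            elif qtype in ("AXFR", "IXFR") and sess["proto"] == "TCP":
                xfr_tcp = True
    if xfr_tcp:
        return "transfer-requested"   # TCP reached named; now look at xfer-out / allow-transfer
    if soa_udp:
        return "soa-only"             # UDP arrived but TCP never did: wrong address or firewall
    return "nothing-seen"

# Sample input: the relevant lines from the "diagnostics" log in the thread (unwrapped),
# then a constructed healthy session where the slave comes back over TCP for AXFR.
RUSTY_SOA_ONLY = [
    "May 13 15:06:40.179 client: debug 3: client 192.168.12.200#60865: UDP request",
    "May 13 15:06:40.180 queries: info: client 192.168.12.200#60865: query: ojai.aquaflo.com IN SOA",
]
RUSTY_HEALTHY = RUSTY_SOA_ONLY + [  # constructed, not from the thread
    "May 13 15:06:41.001 client: debug 3: client 192.168.12.200#60866: TCP request",
    "May 13 15:06:41.002 queries: info: client 192.168.12.200#60866: query: ojai.aquaflo.com IN AXFR",
]
```

Run with `transfer_status(RUSTY_SOA_ONLY, "192.168.12.200", "ojai.aquaflo.com")` to get "soa-only", which is exactly the pattern in the quoted log: the SOA check over UDP is answered, and nothing over TCP ever arrives.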