Zone transfer failing

Scott Haneda talklists at newgeo.com
Tue Jun 23 20:54:31 UTC 2009


This has been an issue for far too long, though I solved it, but it
rears its head again.

Example:
$dig sugardimplesdesigns.com SOA @ns1.hostwizard.com +short
ns1.hostwizard.com. scott.hostwizard.com. 2009062206 28800 7200 2419200 3600

$dig sugardimplesdesigns.com SOA @ns0.nacio.com +short
$dig sugardimplesdesigns.com SOA @ns1.nacio.com +short
$dig sugardimplesdesigns.com SOA @ns2.nacio.com +short
$dig sugardimplesdesigns.com SOA @ns3.nacio.com +short
* Get nothing back at all on the +short, ANSWER 0 on the non +short

The colo provides secondary, I am told to use ns1 as the secondary,  
that NS0 is where the updates will be pulled from for zone transfers.   
I assume they xfer from 1, 2, and 3 off of 0.

I bump the serial, and reload:
23-Jun-2009 12:21:12.444 notify: info: zone sugardimplesdesigns.com/IN: sending notifies (serial 2009062206)

options {
	directory "/var/named";
	querylog yes;
	// recursion IP's redacted
	allow-transfer { 64.84.0.26; };
	notify-source 64.84.37.14;
	transfer-source 64.84.37.14;
	also-notify { 64.84.0.26; };
};

Is there anything wrong in my options statement?  I have been working  
with support to resolve this.  Here is what they are telling me, using  
nslookup, which I never use, I use dig.

First, their event log:
	Event Type:	Error
	Event Source:	named
	Event Category:	None
	Event ID:	1
	Date:		6/22/2009
	Time:		10:24:58 PM
	User:		N/A
	Computer:	NS0
	Description:
	transfer of 'sugardimplesdesigns.com/IN' from 64.84.37.14#53: failed to
	connect: connection refused

Appears to me I am refusing them, I do not see it in my logs, what
logs would it be in, or what logging statements would I turn on to be
able to diagnose this?

My next email asked them what host they were getting the above event
log from, here is the data I got back:

> The query and errors are from 64.84.0.26.
>
> Using Microsoft Nslookup, the following output resulted:
>
>> server 64.84.37.14
> Server:  cyclone.hostwizard.com
> Address:  64.84.37.14

I do not know what the above proves, but I have included it since it  
was given to me.

>> sugardimplesdesigns.com
> Server:  cyclone.hostwizard.com
> Address:  64.84.37.14
>
> Name:    sugardimplesdesigns.com
> Address:  64.84.37.15
>
> Name:    sugardimplesdesigns.com
> Address:  64.84.37.15

So they are getting an A record, but they have to skip past their NS,  
and hit mine, or so it seems in my tests.

>> set q=any
>> ls -d sugardimplesdesigns.com
> ls: connect: No error
> *** Can't list domain sugardimplesdesigns.com: Unspecified error
> The DNS server refused to transfer the zone sugardimplesdesigns.com to
> your computer. If this is incorrect, check the zone transfer security
> settings for sugardimplesdesigns.com on the DNS server at IP address
> 64.84.37.14.
>
> We can connect, get an A record, but not the zone.

All I can think, is they have not defined their NS to be 64.84.0.26  
explicitly, so my server declines to talk to it.

I see this in my logs:
security.log:23-Jun-2009 13:21:57.358 security: info: client 64.84.0.26#1427: query (cache) 'sugardimplesdesigns.com.nacio.com/ANY/IN' denied

But that shows .26, which is what I list as well.  Stumped.

And one each for each serial bump and reload I did of these:
named.log:22-Jun-2009 11:31:55.378 notify: info: zone sugardimplesdesigns.com/IN: sending notifies (serial 2009062200)

Any suggestions on where the error is, and how to solve it, as well as  
what logging options I should turn on to be able to better solve  
this.  Thanks.
-- 
Scott * If you contact me off list replace talklists@ with scott@ *
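
An added example, not part of the original post: a shell classifier that sorts the log lines quoted above by the layer that refused, since a TCP-level "connection refused" seen on the secondary and an allow-transfer denial logged on the primary call for different checks. The function names are hypothetical, and the last sample line is constructed in BIND 9's log format for comparison.

```shell
#!/bin/sh
# Added example (not from the original post): sort transfer-related log
# lines by the layer that produced them.

# classify_line LINE -> prints one verdict word
classify_line() {
    case "$1" in
        *"failed to connect: connection refused"*)
            # Seen on the secondary: the TCP connect to port 53 was refused,
            # so named's allow-transfer ACL was never evaluated.
            echo tcp-refused ;;
        *"zone transfer "*" denied"*)
            # Seen on the primary: TCP connected, allow-transfer rejected it.
            echo acl-denied ;;
        *"query (cache) "*" denied"*)
            # An ordinary query refused by cache/recursion access policy;
            # not an AXFR request.
            echo cache-query-denied ;;
        *"sending notifies"*)
            echo notify-sent ;;
        *)
            echo other ;;
    esac
}

# client_ip LINE -> prints the address from "client A.B.C.D#port", if any
client_ip() {
    printf '%s\n' "$1" | sed -n 's/.*client \([0-9.]*\)#[0-9]*.*/\1/p'
}

# Sample input: the first three lines are copied from the post (rejoined);
# the last is constructed in BIND 9's format for comparison.
SAMPLE_LOG="transfer of 'sugardimplesdesigns.com/IN' from 64.84.37.14#53: failed to connect: connection refused
23-Jun-2009 13:21:57.358 security: info: client 64.84.0.26#1427: query (cache) 'sugardimplesdesigns.com.nacio.com/ANY/IN' denied
22-Jun-2009 11:31:55.378 notify: info: zone sugardimplesdesigns.com/IN: sending notifies (serial 2009062200)
23-Jun-2009 13:30:00.000 security: error: client 192.0.2.53#40000: zone transfer 'example.com/AXFR/IN' denied"

# report: classify every line of SAMPLE_LOG, one "verdict client" pair per line
report() {
    printf '%s\n' "$SAMPLE_LOG" | while IFS= read -r line; do
        echo "$(classify_line "$line") $(client_ip "$line")"
    done
}

report
```

A tcp-refused verdict points at the listener or a packet filter on TCP port 53 of the primary rather than at the allow-transfer list.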



