A Zone Transfer Question

David Li dlipubkey at gmail.com
Mon Feb 22 23:47:55 UTC 2016 

Barry and others:

Thanks for the help!
It's my bad that the slave zone's subnet range was missing from
allow-query. I also added the slave IP explicitly to the
allow-transfer option. Now it's seems to be working.


Another issue that I haven't quite figured out is the errors in the
syslog. I have no idea where these are coming from:



Feb 22 15:27:33 dli-centos7 named[2170]: error (network unreachable)
resolving 'node2/A/IN': 2001:503:c27::2:30#53
Feb 22 15:27:33 dli-centos7 named[2170]: error (network unreachable)
resolving 'node2/A/IN': 2001:7fd::1#53
Feb 22 15:27:33 dli-centos7 named[2170]: error (network unreachable)
resolving './NS/IN': 2001:500:1::803f:235#53
Feb 22 15:27:33 dli-centos7 named[2170]: error (network unreachable)
resolving './NS/IN': 2001:503:c27::2:30#53
Feb 22 15:27:33 dli-centos7 named[2170]: error (network unreachable)
resolving './NS/IN': 2001:7fd::1#53
Feb 22 15:27:38 dli-centos7 named[2170]: error (network unreachable)
resolving 'node2/A/IN': 2001:dc3::35#53
Feb 22 15:27:38 dli-centos7 named[2170]: error (network unreachable)
resolving 'node2/A/IN': 2001:7fe::53#53
Feb 22 15:27:38 dli-centos7 named[2170]: error (network unreachable)
resolving './NS/IN': 2001:dc3::35#53
Feb 22 15:27:38 dli-centos7 named[2170]: error (network unreachable)
resolving './NS/


I don't have a zone file that have these records defined. Any idea?

David




> ------------------------------
>
> Message: 3
> Date: Fri, 19 Feb 2016 21:25:43 -0500
> From: Barry Margolin <barmar at alum.mit.edu>
> To: comp-protocols-dns-bind at isc.org
> Subject: Re: A Zone Transfer Question
> Message-ID: <barmar-B6877F.21254319022016 at 88-209-239-213.giganet.hu>
>
> In article <mailman.269.1455926963.73610.bind-users at lists.isc.org>,
>  David Li <dlipubkey at gmail.com> wrote:
>
>> Hi John,
>>
>> Well, I was wrong about the log. I did find some info about why zone
>> transfer failed. On one server running zone rack1.com, I see:
>>
>> Feb 19 16:04:27 dli-centos7 named[13882]: client 10.4.3.101#20745
>> (rack1.com): query 'rack1.com/SOA/IN' denied
>> Feb 19 16:04:27 dli-centos7 named[13882]: client 10.4.3.101#52612
>> (rack1.com): transfer of 'rack1.com/IN': IXFR ended
>>
>> Any idea why it's denied?
>
> VM1 has the option:
>
>     allow-query {
>        10.4.1/24;
>        127.0.0.1;
>     };
>
> 10.4.3.101 isn't in 10.4.1/24. The slave has to be allowed to query the
> master.
>
> --
> Barry Margolin
> Arlington, MA
>
>
> ------------------------------
>

More information about the bind-users mailing list