A Zone Transfer Question

Darcy Kevin (FCA) kevin.darcy at fcagroup.com
Tue Feb 23 00:01:00 UTC 2016


The Internet roots publish both A (IPv4) and AAAA (IPv6) address records.

The log noise you show is what happens when you enable IPv6 but don't have the necessary routing in place to the IPv6 Internet, either natively or through some sort of tunnel mechanism.

You could certainly turn IPv6 *off*, at the OS or the BIND level, but that's a return to the past. Maybe this is a good reminder to think about your long-term IPv6 strategy.

									- Kevin

-----Original Message-----
From: bind-users-bounces at lists.isc.org [mailto:bind-users-bounces at lists.isc.org] On Behalf Of David Li
Sent: Monday, February 22, 2016 6:48 PM
To: BIND Users
Subject: Re: A Zone Transfer Question

Barry and others:

Thanks for the help!
It's my bad that the slave zone's subnet range was missing from allow-query. I also added the slave IP explicitly to the allow-transfer option. Now it seems to be working.


Another issue that I haven't quite figured out is the errors in the syslog. I have no idea where these are coming from:



Feb 22 15:27:33 dli-centos7 named[2170]: error (network unreachable) resolving 'node2/A/IN': 2001:503:c27::2:30#53
Feb 22 15:27:33 dli-centos7 named[2170]: error (network unreachable) resolving 'node2/A/IN': 2001:7fd::1#53
Feb 22 15:27:33 dli-centos7 named[2170]: error (network unreachable) resolving './NS/IN': 2001:500:1::803f:235#53
Feb 22 15:27:33 dli-centos7 named[2170]: error (network unreachable) resolving './NS/IN': 2001:503:c27::2:30#53
Feb 22 15:27:33 dli-centos7 named[2170]: error (network unreachable) resolving './NS/IN': 2001:7fd::1#53
Feb 22 15:27:38 dli-centos7 named[2170]: error (network unreachable) resolving 'node2/A/IN': 2001:dc3::35#53
Feb 22 15:27:38 dli-centos7 named[2170]: error (network unreachable) resolving 'node2/A/IN': 2001:7fe::53#53
Feb 22 15:27:38 dli-centos7 named[2170]: error (network unreachable) resolving './NS/IN': 2001:dc3::35#53
Feb 22 15:27:38 dli-centos7 named[2170]: error (network unreachable) resolving './NS/


I don't have a zone file that has these records defined. Any idea?

David




> ------------------------------
>
> Message: 3
> Date: Fri, 19 Feb 2016 21:25:43 -0500
> From: Barry Margolin <barmar at alum.mit.edu>
> To: comp-protocols-dns-bind at isc.org
> Subject: Re: A Zone Transfer Question
> Message-ID: <barmar-B6877F.21254319022016 at 88-209-239-213.giganet.hu>
>
> In article <mailman.269.1455926963.73610.bind-users at lists.isc.org>,
>  David Li <dlipubkey at gmail.com> wrote:
>
>> Hi John,
>>
>> Well, I was wrong about the log. I did find some info about why zone 
>> transfer failed. On one server running zone rack1.com, I see:
>>
>> Feb 19 16:04:27 dli-centos7 named[13882]: client 10.4.3.101#20745 (rack1.com): query 'rack1.com/SOA/IN' denied
>> Feb 19 16:04:27 dli-centos7 named[13882]: client 10.4.3.101#52612 (rack1.com): transfer of 'rack1.com/IN': IXFR ended
>>
>> Any idea why it's denied?
>
> VM1 has the option:
>
>     allow-query {
>        10.4.1/24;
>        127.0.0.1;
>     };
>
> 10.4.3.101 isn't in 10.4.1/24. The slave has to be allowed to query 
> the master.
>
> --
> Barry Margolin
> Arlington, MA
>
>
> ------------------------------
>
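
A log check for the denial Barry explains, added here as an example and not part of any poster's message: it matches the client address of each `denied` line against the `allow-query` elements quoted above. The function names and the third log line are constructed, and only plain address and prefix elements are handled (no negation, keys or named ACLs).

```python
import ipaddress
import re

# allow-query elements exactly as quoted in the thread (VM1, the master).
ALLOW_QUERY = ["10.4.1/24", "127.0.0.1"]

# Constructed sample: the two lines from the thread, plus a constructed
# denial from a client that IS inside the ACL.
SAMPLE_LOG = """\
Feb 19 16:04:27 dli-centos7 named[13882]: client 10.4.3.101#20745 (rack1.com): query 'rack1.com/SOA/IN' denied
Feb 19 16:04:27 dli-centos7 named[13882]: client 10.4.3.101#52612 (rack1.com): transfer of 'rack1.com/IN': IXFR ended
Feb 19 16:05:02 dli-centos7 named[13882]: client 10.4.1.17#40112 (rack1.com): query 'rack1.com/SOA/IN' denied
"""

DENIED = re.compile(
    r"client (?P<ip>[0-9A-Fa-f.:]+)#\d+ \((?P<zone>[^)]+)\): "
    r"query '(?P<query>[^']+)' denied"
)

def parse_acl_element(elem):
    # named.conf allows shortened IPv4 prefixes such as 10.4.1/24, which the
    # ipaddress module rejects, so missing octets are padded with zeros.
    addr, sep, plen = elem.partition("/")
    if ":" not in addr:
        octets = addr.split(".")
        addr = ".".join(octets + ["0"] * (4 - len(octets)))
    return ipaddress.ip_network(addr + sep + plen, strict=False)

def explain_denials(log_text, acl):
    """Return (client, query, matching_net_or_None) for every denied query."""
    nets = [parse_acl_element(e) for e in acl]
    findings = []
    for line in log_text.splitlines():
        m = DENIED.search(line)
        if m is None:
            continue  # transfer status lines and other messages are skipped
        client = ipaddress.ip_address(m["ip"])
        matched = next((str(n) for n in nets if client in n), None)
        findings.append((m["ip"], m["query"], matched))
    return findings

if __name__ == "__main__":
    for client, query, net in explain_denials(SAMPLE_LOG, ALLOW_QUERY):
        reason = f"inside {net}, so this ACL is not the cause" if net else "outside allow-query"
        print(f"{client} {query}: {reason}")
```
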