Zone transfer failure

Andreas Brandino ampranti at gmail.com
Wed Oct 17 14:28:01 UTC 2018 

Yes!!! This was the problem!!

Thank you :-)

Στις Τετ, 17 Οκτ 2018 στις 5:16 μ.μ., ο/η Bob Harold <rharolde at umich.edu>
έγραψε:

>
> On Wed, Oct 17, 2018 at 9:56 AM Andreas Brandino <ampranti at gmail.com>
> wrote:
>
>> Both servers receive the NOTIFY message from NS1. What I see on the logs:
>>
>> *NS3:*
>> 17-Oct-2018 16:41:00.688 notify: info: client 1.1.1.1#19513/key
>> ns1ns3_key: view external: received notify for zone 'myzone.com': TSIG
>> 'ns1ns3_key'
>>
>
> Notice the "view external" in the line above, compared to ns5, which got
> the notify on the internal view.  That appears to be the issue.
> Try adding the IP of NS1 to the "match" list for the internal view on NS3.
>
> --
> Bob Harold
>
>
>> *NS5:*
>> 17-Oct-2018 16:40:56.131 notify: info: client 1.1.1.1#32586/key
>> ns1ns5_key: received notify for zone 'myzone.com': TSIG 'ns1ns5_key'
>> 17-Oct-2018 16:40:56.139 notify: info: zone myzone.com/IN: sending
>> notifies (serial 2018101910)
>>
>> The 2nd line is missing on NS3.
>> At this point NS5 starts the zone copy (*NS1 *logs):
>>
>> 17-Oct-2018 16:41:01.233 xfer-out: info: client 5.5.5.5#40909/key
>> ns1ns5_key (myzone.com): view internal: transfer of 'myzone.com/IN':
>> AXFR started: TSIG ns1ns5_key
>> 17-Oct-2018 16:41:01.234 xfer-out: info: client 5.5.5.5#40909/key
>> ns1ns5_key (myzone.com): view internal: transfer of 'myzone.com/IN':
>> AXFR ended
>>
>> At this point NS3 does nothing.
>>
>> This is not a firewall or networking problem because I can start the
>> transfer manually.
>>
>> Best Regards
>>
>> Στις Τετ, 17 Οκτ 2018 στις 4:35 μ.μ., ο/η Bob Harold <rharolde at umich.edu>
>> έγραψε:
>>
>>>
>>> On Wed, Oct 17, 2018 at 7:23 AM Andreas Brandino <ampranti at gmail.com>
>>> wrote:
>>>
>>>> Hello all,
>>>>
>>>> I wonder if anyone can help me to find the cause of the problem I am
>>>> currently having.
>>>> All servers are running on Debian and BIND 9.10.3-P4-Debian.
>>>>
>>>> I have a master server and 4 slaves.
>>>> The zone is transfered from the master [ns1] to all slaves [ns3,ns4,ns5
>>>> and ns6].
>>>> I am also using TSIG with a different key for each server.
>>>> Moreover, the zone file refers to the internal view.
>>>>
>>>> When I change the myzone.com, I always update the serial and I reload
>>>> the zone.
>>>>
>>>> The problem:
>>>> ns3 and ns4 never get the updated zone file automatically.
>>>> On the other hand, ns4 and ns5 always get the updated zone file
>>>> immediately.
>>>>
>>>> If I initialize the transfer manually from ns3 and ns4, I get no errors.
>>>>
>>>> Here is the config:
>>>>
>>>> NS1 config: (IP 1.1.1.1 - master DNS)
>>>>
>>>>         zone "myzone.com" {
>>>>                 type master;
>>>>                 file    "/etc/bind/master/myzone.com.INSIDE";
>>>>                 allow-transfer { key ns1ns3_key; key ns1ns4_key; key
>>>> ns1ns5_key; key ns1ns6_key; };
>>>>                 also-notify {
>>>>                         3.3.3.3 port 53 key ns1ns3_key;
>>>>                         4.4.4.4 port 53 key ns1ns4_key;
>>>>                         5.5.5.5 port 53 key ns1ns5_key;
>>>>                         6.6.6.6 port 53 key ns1ns6_key;
>>>>                 };
>>>>                 notify explicit;
>>>>                 notify-source 1.1.1.1 ;
>>>>                 };
>>>>
>>>>
>>>> NS3 config: (IP 3.3.3.3 - transfer fails)
>>>>
>>>>        zone " myzone .com" {
>>>>                 file    "/etc/bind/master/myzone.com.INSIDE";
>>>>                 type slave;
>>>>                 allow-update { key ns1ns3_key; };
>>>>                 masters { 1.1.1.1; };
>>>>                 allow-notify { 1.1.1.1; };
>>>>                 notify yes;
>>>>                 request-ixfr no;
>>>>                 };
>>>>
>>>> NS5 config: (IP 5.5.5.5, successful transfer)
>>>>
>>>> zone "myzone.com" {
>>>>                 file    "/etc/bind/master/myzone.com.INSIDE";
>>>>                 type slave;
>>>>                 allow-update { key ns1ns5_key; };
>>>>                 masters { 1.1.1.1; };
>>>>                 notify yes;
>>>>                 request-ixfr no;
>>>>                 };
>>>>
>>>> Do you see any errors in the above configuration that could cause this
>>>> problem?
>>>>
>>>> Best Regards
>>>>
>>>
>>> What you don't show is the 'match' statement for your views.  Perhaps 1
>>> does not match the internal view on 3, so the notify packet hits the wrong
>>> view.  Check the notify messages in the logs on 3, compared to 5.  Here is
>>> a typical notify log message:
>>>
>>> 30-Sep-2018 23:12:37.135 general: info: zone
>>> psych.lsa.umich.edu/IN/oncampus: notify from 141.211.147.150#38695:
>>> zone is up to date
>>>
>>>
>>> Note the zone/class/view contains ".../IN/oncampus" - check the view in
>>> your logs.
>>>
>>>
>>> If you cannot find the notify, you might need to turn on logging for
>>> category "general".  Or check routing and firewall rules if the packet is
>>> not being received.
>>>
>>>
>>> --
>>>
>>> Bob Harold
>>>
>>>
>>>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.isc.org/pipermail/bind-users/attachments/20181017/23cfe145/attachment-0001.html>

More information about the bind-users mailing list