Zone Transfers Being Refused

duluxoz duluxoz at gmail.com
Mon Jul 31 07:22:52 UTC 2023


Hi All,

Hoping someone can help with this: I've got a primary dns server on an 
internal network (192.168.2.10/24) and an external secondary dns server 
on the dmz network (192.168.1.10/24). The gateway for each (ie the 
router) is 192.168.x.1.

The external domain is dynamic, with dnssec set up, and everything 
*seems* to be working correctly.

So I did a rndc to update a record in the external zone on the primary. 
The primary's logs show that the update went through and that a zone 
transfer notification was sent out to the external secondary. I can also 
see the updated record in the (raw) zone file on the primary.

The external secondary's logs show that it received the zone update 
notification, BUT that it was coming from the gateway's IP and not the 
primary server, and thus because the gateway's IP was not in the 
"primaries" ACL it was/is being refused.

I don't know if it's relevant but the external zone has the 
`dnssec-policy default` option set.

The (what I think are the relevant) parts of the external secondary's 
logs are:

~~~
31-Jul-2023 16:23:14.182 notify: info: client @0x7ff49061ecc8 192.168.1.1#36875: received notify for zone 'example.com'
31-Jul-2023 16:23:14.182 general: info: zone example.com/IN: refused notify from non-master: 192.168.1.1#36875
~~~

Can someone please point me in the correct direction to resolve this 
issue? I can provide further info if required. I am reluctant to add the 
gateway's IP to the "primaries" ACL because it's also the external 
gateway for the site, and I believe that adding the gateway's IP to the 
ACL will be a (major) security issue.

Thanks in advance

Dulux-Oz
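The log lines above are the whole diagnostic: the secondary refuses the NOTIFY because the packet's source address is the gateway, not the primary. The following script is an added example (not part of the original post or of BIND) that scans a secondary's log for "refused notify from non-master" events and labels each one by whether the source is a configured primary, a gateway (which points at source NAT on the path between the two segments), or an address that matches neither. The `PRIMARIES` and `GATEWAYS` lists are assumptions taken from the addresses given in the post; the third log line is constructed to show the "unexpected source" case.

```python
"""Scan BIND secondary logs for NOTIFYs refused because of their source address."""
import ipaddress
import re
from dataclasses import dataclass

# Assumed values based on the post (not a real configuration): the hosts the
# secondary is meant to accept NOTIFY from, and the gateway of each segment.
PRIMARIES = ["192.168.2.10"]
GATEWAYS = ["192.168.1.1", "192.168.2.1"]

# First two lines copied from the post; the third is constructed to show a
# source that is neither a primary nor a gateway.
SAMPLE_LOG = """\
31-Jul-2023 16:23:14.182 notify: info: client @0x7ff49061ecc8 192.168.1.1#36875: received notify for zone 'example.com'
31-Jul-2023 16:23:14.182 general: info: zone example.com/IN: refused notify from non-master: 192.168.1.1#36875
31-Jul-2023 16:25:02.001 general: info: zone example.com/IN: refused notify from non-master: 203.0.113.7#53
"""

# "<timestamp> <category>: <level>: <message>" as BIND writes it with default formatting.
LOG_RE = re.compile(
    r"^(?P<ts>\d{2}-[A-Za-z]{3}-\d{4} \d{2}:\d{2}:\d{2}\.\d{3}) "
    r"(?P<category>\w+): (?P<level>\w+): (?P<msg>.*)$"
)
# The refusal message itself, carrying the zone and the offending source.
REFUSED_RE = re.compile(
    r"^zone (?P<zone>\S+): refused notify from non-master: "
    r"(?P<ip>[0-9A-Fa-f.:]+)#(?P<port>\d+)$"
)


@dataclass(frozen=True)
class RefusedNotify:
    timestamp: str
    zone: str
    source_ip: str
    source_port: int
    verdict: str


def classify_source(ip: str, primaries, gateways) -> str:
    """Explain why a NOTIFY source was not accepted, from the secondary's point of view."""
    addr = ipaddress.ip_address(ip)
    if any(addr == ipaddress.ip_address(p) for p in primaries):
        # A listed primary was still refused: the ACL or view is the place to look.
        return "listed-primary"
    if any(addr == ipaddress.ip_address(g) for g in gateways):
        # The NOTIFY arrives from the gateway rather than the primary, which is
        # what source NAT between the two segments looks like to the secondary.
        return "gateway-rewritten-source"
    return "unexpected-source"


def find_refused_notifies(log_text: str, primaries=PRIMARIES, gateways=GATEWAYS):
    """Return one RefusedNotify per refusal line found in log_text."""
    events = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        r = REFUSED_RE.match(m.group("msg"))
        if not r:
            continue
        events.append(RefusedNotify(
            timestamp=m.group("ts"),
            zone=r.group("zone"),
            source_ip=r.group("ip"),
            source_port=int(r.group("port")),
            verdict=classify_source(r.group("ip"), primaries, gateways),
        ))
    return events


if __name__ == "__main__":
    for ev in find_refused_notifies(SAMPLE_LOG):
        print(f"{ev.timestamp} {ev.zone} from {ev.source_ip}#{ev.source_port}: {ev.verdict}")
```

Run against the poster's two lines, the script reports `gateway-rewritten-source` for 192.168.1.1, which matches the poster's own reading: the packet is being re-sourced on the way from the internal segment to the DMZ. Keeping the verdicts separate matters because the three cases call for different fixes, and only the last two would tempt someone to widen the "primaries" ACL.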



More information about the bind-users mailing list