Zone Transfers Being Refused

Ondřej Surý ondrej at isc.org
Mon Jul 31 07:29:36 UTC 2023


Hi,

It’s hard to help you if you don’t provide your configuration (named-checkconf -px) and use example.com instead of real domain names. Are the IP addresses even real?

Ondřej
--
Ondřej Surý — ISC (He/Him)

My working hours and your working hours may be different. Please do not feel obligated to reply outside your normal working hours.

> On 31. 7. 2023, at 9:23, duluxoz <duluxoz at gmail.com> wrote:
> 
> Hi All,
> 
> Hoping someone can help with this: I've got a primary dns server on an internal network (192.168.2.10/24) and an external secondary dns server on the dmz network (192.168.1.10/24). The gateway for each (ie the router) is 192.168.x.1.
> 
> The external domain is dynamic, with dnssec set up, and everything *seems* to be working correctly.
> 
> So I did a rndc to update a record in the external zone on the primary. The primary's logs show that the update went through and that a zone transfer notification was sent out to the external secondary. I can also see the updated record in the (raw) zone file on the primary.
> 
> The external secondary's logs show that it received the zone update notification, BUT that it was coming from the gateway's IP and not the primary server, and thus because the gateway's IP was not in the "primaries" ACL it was/is being refused.
> 
> I don't know if it's relevant, but the external zone has the `dnssec-policy default` option set.
> 
> The (what I think are the relevant) parts of the external secondary's logs are:
> 
> ~~~
> 31-Jul-2023 16:23:14.182 notify: info: client @0x7ff49061ecc8 192.168.1.1#36875: received notify for zone 'example.com'
> 31-Jul-2023 16:23:14.182 general: info: zone example.com/IN: refused notify from non-master: 192.168.1.1#36875
> ~~~
> 
> Can someone please point me in the correct direction to resolve this issue? I can provide further info if required. I am reluctant to add the gateway's IP to the "primaries" ACL because it's also the external gateway for the site, and I believe that adding the gateway's IP to the ACL will be a (major) security issue.
> 
> Thanks in advance
> 
> Dulux-Oz
> 
> --
> Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list
> 
> ISC funds the development of this software with paid support subscriptions. Contact us at https://www.isc.org/contact/ for more information.
