converting from firewall based nameserver

Jim Reid jim at rfc1035.com
Thu Nov 2 18:00:31 UTC 2000


>>>>> "Michael" == Michael Rasmussen <mikeraz at patch.com> writes:

    Michael> We are changing firewalls, from Raptor to Cisco PIX.  The
    Michael> Raptor insisted that it be the authority for our zones,
    Michael> that it be the master name server.

    Michael> I have installed bind, notified the Internic, and made
    Michael> every other change necessary to implement this move.
    Michael> However, when my new name server sends out the NOTIFY
    Michael> messages the secondaries (rightly) ignore the update and
    Michael> log:

    Michael> Nov 2 06:14:27 barley named[343]: NOTIFY from non-master server (zone mydomain.com), from [xxx.xxx.xxx.xxx].1040

This message means that your slave servers don't expect to be getting
NOTIFY messages from the IP address that you unhelpfully obliterated.
Try adding xxx.xxx.xxx.xxx to the masters{} list for mydomain.com.

And in future, provide the error messages *exactly* as they
appear. Don't ever hide relevant data like the actual domain name or
IP address of the server. If your teeth hurt, would you send samples
of them to the dentist?

    Michael> Anyone have suggestions on how to get around this?

Reconfigure your slave servers to only go to the new master server, i.e.
they don't slave off the to-be-replaced Raptor's name server. That is
left as a master with no slaves. With a bit of luck the zone files on
that server can be left alone until you switch off the box. If not,
you will have a period of double zone administration which could be a
nuisance. You'd have to make zone changes on the new "real" master as
well as the old one on the Raptor box. This could lead to inconsistent
zone contents which could be a problem. But provided the SOA MNAME
field and the zone's NS records don't point at the Raptor box, all
should be well. [The delegation in .com or wherever should be updated
to no longer point at this Raptor firewall.] The Raptor's name server
will send NOTIFYs when it is reloaded. But your other servers could
just ignore them during the migration, or better still, the Raptor
name server could be reconfigured not to send NOTIFYs.
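The slave and master configuration the reply describes, as an added example in BIND 9 named.conf syntax (not from the original post or from either poster). The addresses are constructed placeholders: 192.0.2.10 stands for the new BIND master and 198.51.100.5 for the old Raptor firewall name server.

```conf
// Constructed named.conf fragments (added example, not from the original post).
// 192.0.2.10  = new BIND master (assumed)
// 198.51.100.5 = old Raptor firewall name server (assumed)

// 1. On each slave ("barley" in the post) BEFORE the move: only the Raptor
//    is listed, so a NOTIFY arriving from 192.0.2.10 is logged as
//    "NOTIFY from non-master server" and ignored.
zone "mydomain.com" {
    type slave;
    file "slave/mydomain.com";
    masters { 198.51.100.5; };
};

// 2a. Quick fix during the overlap: add the new master to the masters{}
//     list so its NOTIFYs are honoured. List it first so transfers are
//     tried against the new box before the Raptor; two masters with
//     diverging zone contents is exactly the "double administration"
//     risk the reply warns about, so keep this stage short.
zone "mydomain.com" {
    type slave;
    file "slave/mydomain.com";
    masters { 192.0.2.10; 198.51.100.5; };
};

// 2b. Final state: the slaves only go to the new master. NOTIFYs from the
//     Raptor box are now ignored as non-master traffic, which is harmless.
zone "mydomain.com" {
    type slave;
    file "slave/mydomain.com";
    masters { 192.0.2.10; };
};

// 3. On the Raptor box while it is still running: leave it as a master
//    with no slaves and stop it from announcing reloads at all.
zone "mydomain.com" {
    type master;
    file "master/mydomain.com";
    notify no;
};
```

Check the result on a slave with `rndc reload` (or a restart on BIND 8) and then watch its log for a `zone transfer` line from 192.0.2.10 instead of another `NOTIFY from non-master server` entry.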


