zone transfers fail

Mark_Andrews at isc.org
Mon Feb 3 01:34:59 UTC 2003


> I've set up a primary & secondary BIND9 server box using bind v9.2.1.
> 
> named-confcheck and named-checkzone check out ok.
> 
> but when i do a 'rndc reload' on the slave server, the zone transfers
> fail.  here is a log snippet from the slave:
> 
> Feb  1 22:12:25 silicon named[158]: transfer of 'hospitalpage.com/IN' from 207.177.51.227#53: failed while receiving responses: REFUSED
> Feb  1 22:12:25 silicon named[158]: transfer of 'hospitalpage.com/IN' from 207.177.51.227#53: end of transfer
> 
> a log snippet from the master:
> 
> Feb  2 04:10:58 lists named[210]: client 207.177.51.228#1234: zone transfer 'hospitalpage.com/IN' denied
> 
> the relevant parts of the master named.conf (i left out the acl definitions),

	You left out the part that needs to be checked.  You are not allowing
	207.177.51.228 to transfer zones.
 
> options {
> 	directory "/var/cache/bind";
> 	
> 	listen-on       { my-dns-ip; };
> 	listen-on-v6    { none; };
> 	blackhole       { RFC1918; };
> 	forwarders      { 207.177.74.118; 207.177.74.108; };
> 	allow-query     { local-ips; natel-dns-ips; };
> 	allow-recursion { local-ips; };
> 	allow-transfer  { localhost; primary-dns-ip; secondary-dns-ips; };
> 	auth-nxdomain yes;    # conform to RFC1035
> };
> 
> zone "hospitalpage.com" {
> 	type master;
> 	file "/etc/bind/zones/hospitalpage.com";
> 	allow-query     { any; };
> 	allow-update    { none; };
> };
> 
> and relevant parts of the slave's named.conf (and again no acl definitions)
> 
> options {
> 	directory "/var/cache/bind";
> 	
> 	listen-on       { my-dns-ip; };
> 	forwarders      { 207.177.74.118; 207.177.74.108; };
> 	allow-query     { local-ips; };
> 	allow-recursion { local-ips; };
> 	blackhole       { RFC1918; };
> 	listen-on-v6    { none; };
> 	auth-nxdomain yes;    # conform to RFC1035
> };
> 
> zone "hospitalpage.com" {
> 	type slave;
> 	file "hospitalpage.com.db";
> 	masters         { 207.177.51.227; };
> 	allow-notify    { primary-dns-ip; };
> 	allow-transfer  { none; };
> 	allow-query     { any; };
> };
> 
> AFAIK, the problem is with the master.  I've never gotten it to do zone
> transfers, i've had to set up my DNS as 2 masters, which is the usual
> PITA.  but now I'm wanting to exchange secondaries with someone else,
> and I think that setting them up as a master would be the proverbial
> BAD THING (TM).
> 
> A related question: why does bind force me to put an explicit IP address
> for forwarders and masters?  i'd much rather use acls for everything ...

	Because they are not Access Control Lists.

	Mark
--
Mark Andrews, Internet Software Consortium
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: Mark.Andrews at isc.org
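A way to verify the point Mark makes before reloading, as an added example that is neither part of this thread nor code from ISC's BIND: a small Python checker that reads `acl` definitions and `allow-transfer` clauses out of a named.conf fragment and asks whether a given secondary's address is admitted. The ACL bodies for `local-ips`, `primary-dns-ip` and `secondary-dns-ips` are constructed here, since the post omitted them; the hypothetical `secondary-dns-ips` list lacks 207.177.51.228, which reproduces the "zone transfer denied" outcome. The parser is deliberately minimal (no `include`, views, TSIG keys, negated `!` entries or IPv6) and treats `localhost` as loopback only, which is narrower than BIND's meaning.

```python
"""Check whether a BIND allow-transfer list admits a secondary's address.

Added example, not from the bind-users post or from BIND itself. Simplified
named.conf reader: collects `acl NAME { ... };` and `allow-transfer { ... };`
and tests one address against the effective list for a zone.
"""
import ipaddress
import re

# Constructed master config: the poster's shape, plus ACL definitions the post
# left out. Every address inside the acl blocks is an assumption.
MASTER_CONF = """
acl local-ips         { 127.0.0.1; 207.177.51.0/24; };
acl primary-dns-ip    { 207.177.51.227; };
acl secondary-dns-ips { 207.177.51.229; };   # 207.177.51.228 is not listed
options {
        directory "/var/cache/bind";
        allow-query     { local-ips; };
        allow-transfer  { localhost; primary-dns-ip; secondary-dns-ips; };
};
zone "hospitalpage.com" {
        type master;
        file "/etc/bind/zones/hospitalpage.com";
        allow-query     { any; };
};
"""

# Same config with the slave's address added to the secondary ACL.
FIXED_CONF = MASTER_CONF.replace("{ 207.177.51.229; }",
                                 "{ 207.177.51.228; 207.177.51.229; }")

_ACL_RE = re.compile(r'acl\s+([\w-]+)\s*\{([^}]*)\}')
_BLOCK_RE = re.compile(r'(options|zone\s+"([^"]+)")\s*\{(.*?)\n\};', re.S)
_ALLOW_TRANSFER_RE = re.compile(r'allow-transfer\s*\{([^}]*)\}')


def _strip_comments(text):
    # Handles '#' and '//' line comments only; '/* */' is not supported.
    return re.sub(r'(#|//).*', '', text)


def _entries(body):
    return [e.strip() for e in body.split(';') if e.strip()]


def parse_acls(conf):
    """Map each acl name to its list of raw entries (addresses or acl names)."""
    return {name: _entries(body)
            for name, body in _ACL_RE.findall(_strip_comments(conf))}


def allow_transfer_for(conf, zone):
    """Effective allow-transfer entries for `zone`: the zone clause wins over
    options; with neither present, BIND's default is 'any' (worth knowing)."""
    options_entries, zone_entries = None, None
    for head, zname, body in _BLOCK_RE.findall(_strip_comments(conf)):
        m = _ALLOW_TRANSFER_RE.search(body)
        if not m:
            continue
        if head == 'options':
            options_entries = _entries(m.group(1))
        elif zname == zone:
            zone_entries = _entries(m.group(1))
    return zone_entries or options_entries or ['any']


def address_matches(addr, entries, acls, _depth=0):
    """First-match evaluation of an address-match list (no negation)."""
    if _depth > 10:
        raise ValueError("acl nesting too deep (cycle?)")
    ip = ipaddress.ip_address(addr)
    for entry in entries:
        if entry == 'any':
            return True
        if entry == 'none':
            continue                      # matches nothing
        if entry == 'localhost':          # simplification: loopback only
            if ip.is_loopback:
                return True
            continue
        if entry in acls:                 # named acl, evaluated recursively
            if address_matches(addr, acls[entry], acls, _depth + 1):
                return True
            continue
        try:
            if ip in ipaddress.ip_network(entry, strict=False):
                return True
        except ValueError:
            raise ValueError(f"undefined acl or bad address: {entry!r}")
    return False


def transfer_permitted(conf, zone, secondary_addr):
    """True if `secondary_addr` may AXFR `zone` under this master config."""
    return address_matches(secondary_addr, allow_transfer_for(conf, zone),
                           parse_acls(conf))


if __name__ == "__main__":
    for label, conf in (("as posted", MASTER_CONF), ("fixed", FIXED_CONF)):
        ok = transfer_permitted(conf, "hospitalpage.com", "207.177.51.228")
        print(f"{label}: 207.177.51.228 transfer allowed = {ok}")
```

Run it against a real named.conf by replacing the constructed string; if an `allow-transfer` entry names an ACL that is not defined, the checker raises, which is exactly the case to look for when the acl definitions live in another file.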