zone transfers fail

Danny Mayer mayer at gis.net
Mon Feb 3 01:49:15 UTC 2003

At 08:15 PM 2/2/03, Christopher L. Everett wrote:

>I've set up a primary & secondary BIND9 server box using bind v9.2.1.
>
>named-confcheck and named-checkzone check out ok.
>
>but when i do a 'rndc reload' on the slave server, the zone transfers
>fail.  here is a log snippet from the slave:
>
>Feb  1 22:12:25 silicon named[158]: transfer of 'hospitalpage.com/IN' from 207.177.51.227#53: failed while receiving responses: REFUSED
>Feb  1 22:12:25 silicon named[158]: transfer of 'hospitalpage.com/IN' from 207.177.51.227#53: end of transfer
>
>a log snippet from the master:
>
>Feb  2 04:10:58 lists named[210]: client 207.177.51.228#1234: zone transfer 'hospitalpage.com/IN' denied
>
>the relevant parts of the master named.conf (i left out the acl definitions),
>
>options {
>         directory "/var/cache/bind";
>
>         listen-on       { my-dns-ip; };
>         listen-on-v6    { none; };
>         blackhole       { RFC1918; };
>         forwarders      { 207.177.74.118; 207.177.74.108; };
>         allow-query     { local-ips; natel-dns-ips; };
>         allow-recursion { local-ips; };
>         allow-transfer  { localhost; primary-dns-ip; secondary-dns-ips; };
>         auth-nxdomain yes;    # conform to RFC1035
>};

You haven't specified an ACL for secondary-dns-ips (or primary-dns-ip
for that matter). You need to put the IP address with which the secondary
will transfer the zone in the allow-transfer clause above.

Danny

>zone "hospitalpage.com" {
>         type master;
>         file "/etc/bind/zones/hospitalpage.com";
>         allow-query     { any; };
>         allow-update    { none; };
>};
>
>and relevant parts of the slave's named.conf (and again no acl definitions)
>
>options {
>         directory "/var/cache/bind";
>
>         listen-on       { my-dns-ip; };
>         forwarders      { 207.177.74.118; 207.177.74.108; };
>         allow-query     { local-ips; };
>         allow-recursion { local-ips; };
>         blackhole       { RFC1918; };
>         listen-on-v6    { none; };
>         auth-nxdomain yes;    # conform to RFC1035
>};
>
>zone "hospitalpage.com" {
>         type slave;
>         file "hospitalpage.com.db";
>         masters         { 207.177.51.227; };
>         allow-notify    { primary-dns-ip; };
>         allow-transfer  { none; };
>         allow-query     { any; };
>};
>
>AFAIK, the problem is with the master.  I've never gotten it to do zone
>transfers, i've had to set up my DNS as 2 masters, which is the usual
>PITA.  but now I'm wanting to exchange secondaries with someone else,
>and I think that setting them up as a master would be the proverbial
>BAD THING (TM).
>
>A related question: why does bind force me to put an explicit IP address
>for forwarders and masters?  i'd much rather use acls for everything ...
>
>
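Added example, not part of the original thread: a small Python check for the situation Danny describes. It expands the master's allow-transfer ACL names the way named would, reports any known secondary that the ACL does not actually cover, and sorts the master's "zone transfer ... denied" log lines into "a secondary we forgot to allow" versus "an address that was never meant to transfer". The acl bodies and the second client address are assumptions (the post left the acl definitions out); the log format matches the lines quoted above.

```python
import ipaddress
import re

# Constructed log lines in the format the master logged above (not from a live server).
SAMPLE_LOG = """\
Feb  2 04:10:58 lists named[210]: client 207.177.51.228#1234: zone transfer 'hospitalpage.com/IN' denied
Feb  2 04:11:03 lists named[210]: client 198.51.100.7#4455: zone transfer 'hospitalpage.com/IN' denied
"""

# Hypothetical acl definitions standing in for the ones omitted from the post. The
# secondary-dns-ips body is deliberately wrong (.229 instead of the real slave .228).
ACLS = {
    "localhost": ["127.0.0.1/32"],
    "primary-dns-ip": ["207.177.51.227/32"],
    "secondary-dns-ips": ["207.177.51.229/32"],
}
ALLOW_TRANSFER = ["localhost", "primary-dns-ip", "secondary-dns-ips"]
KNOWN_SECONDARIES = ["207.177.51.228"]   # the slave that should be allowed to AXFR

DENIED_RE = re.compile(
    r"client (?P<ip>[0-9a-fA-F.:]+)#(?P<port>\d+): zone transfer '(?P<zone>[^']+)' denied"
)

def expand_acl(names, acls):
    """Flatten acl names into networks; an undefined name is a config error, as in named."""
    nets = []
    for name in names:
        if name not in acls:
            raise KeyError(f"acl {name!r} used in allow-transfer but never defined")
        nets.extend(ipaddress.ip_network(n) for n in acls[name])
    return nets

def missing_secondaries(secondaries, allow_transfer, acls):
    """Secondaries whose address is not matched by the effective allow-transfer list."""
    nets = expand_acl(allow_transfer, acls)
    return [s for s in secondaries if not any(ipaddress.ip_address(s) in n for n in nets)]

def classify_denials(log_text, secondaries):
    """For each denied transfer: (zone, client ip, 'misconfigured-acl' | 'unauthorized-axfr').
    A known secondary being refused means the master's ACL is wrong; anything else is a
    request from an address that was never supposed to pull the zone and is worth a look."""
    known = {ipaddress.ip_address(s) for s in secondaries}
    results = []
    for line in log_text.splitlines():
        m = DENIED_RE.search(line)
        if m:
            ip = ipaddress.ip_address(m["ip"])
            verdict = "misconfigured-acl" if ip in known else "unauthorized-axfr"
            results.append((m["zone"], str(ip), verdict))
    return results
```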