zone transfers fail

Christopher L. Everett ceverett at cobalt.physemp.com
Mon Feb 3 01:15:43 UTC 2003

I've set up a primary & secondary BIND9 server box using bind v9.2.1.

named-checkconf and named-checkzone check out ok.

But when I do a 'rndc reload' on the slave server, the zone transfers
fail.  Here is a log snippet from the slave:

Feb  1 22:12:25 silicon named[158]: transfer of 'hospitalpage.com/IN' from 207.177.51.227#53: failed while receiving responses: REFUSED
Feb  1 22:12:25 silicon named[158]: transfer of 'hospitalpage.com/IN' from 207.177.51.227#53: end of transfer

A log snippet from the master:

Feb  2 04:10:58 lists named[210]: client 207.177.51.228#1234: zone transfer 'hospitalpage.com/IN' denied

The relevant parts of the master's named.conf (I left out the ACL definitions):

options {
	directory "/var/cache/bind";
	
	listen-on       { my-dns-ip; };
	listen-on-v6    { none; };
	blackhole       { RFC1918; };
	forwarders      { 207.177.74.118; 207.177.74.108; };
	allow-query     { local-ips; natel-dns-ips; };
	allow-recursion { local-ips; };
	allow-transfer  { localhost; primary-dns-ip; secondary-dns-ips; };
	auth-nxdomain yes;    # conform to RFC1035
};

zone "hospitalpage.com" {
	type master;
	file "/etc/bind/zones/hospitalpage.com";
	allow-query     { any; };
	allow-update    { none; };
};

And the relevant parts of the slave's named.conf (again, no ACL definitions):

options {
	directory "/var/cache/bind";
	
	listen-on       { my-dns-ip; };
	forwarders      { 207.177.74.118; 207.177.74.108; };
	allow-query     { local-ips; };
	allow-recursion { local-ips; };
	blackhole       { RFC1918; };
	listen-on-v6    { none; };
	auth-nxdomain yes;    # conform to RFC1035
};

zone "hospitalpage.com" {
	type slave;
	file "hospitalpage.com.db";
	masters         { 207.177.51.227; };
	allow-notify    { primary-dns-ip; };
	allow-transfer  { none; };
	allow-query     { any; };
};

AFAIK, the problem is with the master.  I've never gotten it to do zone
transfers; I've had to set up my DNS as 2 masters, which is the usual
PITA.  But now I'm wanting to exchange secondaries with someone else,
and I think that setting them up as a master would be the proverbial
BAD THING (TM).

A related question: why does BIND force me to put an explicit IP address
for forwarders and masters?  I'd much rather use ACLs for everything ...
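The master's log line above says everything that matters: the transfer request arrived from 207.177.51.228 and none of the entries in the master's allow-transfer list matched that address. Since the post leaves the ACL bodies out, the quickest check is to evaluate the logged client address against the ACLs exactly as BIND would. The following Python script is an added example, not part of the original post and not BIND's own code. The ACL bodies in SAMPLE_ACLS are placeholders invented for the example (the post does not show them); the log line is the one quoted from the master; "localhost" is approximated as the loopback networks; key-based elements are skipped; and a negated match inside a nested ACL is modelled as a non-match of the outer element.

```python
"""Check a BIND 'zone transfer denied' log line against allow-transfer ACLs.

Added example, not from the bind-users post and not BIND's own code. It
parses a constructed named.conf-style ACL fragment, resolves nested ACL
names (first match wins, '!' negates), and reports whether the client
address logged by the master would have been permitted to transfer.
"""
import ipaddress
import re

# Constructed ACL fragment standing in for the definitions the post omits.
# All addresses except the master's are placeholders for this example.
SAMPLE_ACLS = """
acl "primary-dns-ip"    { 207.177.51.227; };
acl "secondary-dns-ips" { 192.0.2.10; 192.0.2.11; };
acl "transfer-peers"    { !192.0.2.66; 192.0.2.0/24; primary-dns-ip; };
"""

# The allow-transfer list from the master's options block in the post.
ALLOW_TRANSFER = ["localhost", "primary-dns-ip", "secondary-dns-ips"]

# The master-side log line quoted in the post.
SAMPLE_LOG = ("Feb  2 04:10:58 lists named[210]: client 207.177.51.228#1234: "
              "zone transfer 'hospitalpage.com/IN' denied")

# Built-in ACLs BIND always defines. 'localhost' is approximated here as
# the loopback networks; that approximation is an assumption of this example.
BUILTIN = {
    "any": ["0.0.0.0/0", "::/0"],
    "none": [],
    "localhost": ["127.0.0.0/8", "::1/128"],
}

ACL_RE = re.compile(r'acl\s+"?([\w.-]+)"?\s*\{([^}]*)\};')
DENIED_RE = re.compile(
    r"client\s+(\S+?)#\d+:\s+zone transfer\s+'([^']+)'\s+denied")


def parse_acls(text):
    """Return {acl_name: [element, ...]} from the acl blocks in named.conf text."""
    acls = {}
    for name, body in ACL_RE.findall(text):
        acls[name] = [e.strip() for e in body.split(";") if e.strip()]
    return acls


def acl_match(elements, addr, acls, depth=0):
    """Evaluate an address-match list, first match wins.

    Returns True (positive match), False (matched a negated element) or
    None (nothing matched). A nested ACL that yields False or None does not
    match the outer element, so evaluation simply continues.
    """
    if depth > 16:  # guard against self-referencing ACL definitions
        raise ValueError("ACL nesting too deep")
    for element in elements:
        negate = element.startswith("!")
        term = element[1:].strip() if negate else element
        if term.startswith("key "):
            continue  # TSIG key elements are not modelled in this example
        if term in acls or term in BUILTIN:
            nested = acls[term] if term in acls else BUILTIN[term]
            if not acl_match(nested, addr, acls, depth + 1):
                continue
            matched = True
        else:
            matched = addr in ipaddress.ip_network(term, strict=False)
        if matched:
            return not negate
    return None


def transfer_allowed(client_ip, allow_transfer, acls):
    """True only when the address matches allow-transfer positively."""
    return acl_match(allow_transfer, ipaddress.ip_address(client_ip), acls) is True


def check_denial(log_line, allow_transfer, acls):
    """Parse a 'zone transfer ... denied' line and evaluate the client address."""
    m = DENIED_RE.search(log_line)
    if not m:
        return None
    client, zone = m.groups()
    return {"client": client, "zone": zone,
            "allowed_by_acl": transfer_allowed(client, allow_transfer, acls)}


if __name__ == "__main__":
    acls = parse_acls(SAMPLE_ACLS)
    print(check_denial(SAMPLE_LOG, ALLOW_TRANSFER, acls))
```

With the placeholder ACLs the report shows allowed_by_acl False for 207.177.51.228, which is the situation the master logged: the fix is to make sure the slave's actual source address appears in an ACL referenced by allow-transfer, rather than to relax the option. Run against the real acl blocks from the master's named.conf, the script tells you which address BIND saw and whether the lists as written could ever have matched it.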