Trouble with Slave-Updates
phn at icke-reklam.ipsec.nu
Sun Aug 15 17:48:44 UTC 2004
"André Höpner" <andre at hoepner.net> wrote:
> Have tried to set the slave logfiles to debug, but there were no errors
> reported other than "zone is expired...".
>>>> Aug 12 13:09:55.890 general: zone n9k.de/IN: expired
> if i set it back to info no entries were logged. some people think that
> this can be a firewall problem so that the slave could not update. but why
> does it work on a notify?
> will try to post the original data. maybe something is wrong with our zonefiles
> or nameserver config.
> 1st nameserver: ns.ibased-one.de (62.53.168.195)
> 2nd nameserver: ns.ibased.net (217.160.210.76)
> domain: n9k.de
> ### primary config ###
> --- named.conf ---
> # internals:
> acl internals { 127.0.0.1/32; 62.53.168.195/32; };
> # externals:
> acl externals { 217.160.210.76/32; };
> server 217.160.210.76 {
> bogus no;
> transfer-format many-answers;
> };
> options {
> directory "/var/named";
> forwarders { 193.189.224.2; 62.146.22.2; 194.25.2.129; 194.246.96.59; };
> listen-on port 53 { 127.0.0.1; 62.53.168.195; };
> listen-on-v6 { none; };
> query-source address * port 53;
> transfer-source * port 53;
> notify-source * port 53;
> allow-transfer { internals; externals; };
> notify yes;
> auth-nxdomain no;
> };
> logging {
> category "default" { "default_syslog"; "default_debug"; };
> category "xfer-out" { "default_syslog"; };
> category "notify" { "default_syslog"; };
> # category panic { default_syslog; };
> # category packet { default_syslog; };
> # category eventlib { default_syslog; };
> channel "default_syslog" {
> #syslog daemon;
> file "/var/log/named.log" versions 5 size 5m;
> print-time yes;
> print-category yes;
> severity info;
> };
> };
> zone "localhost" in {
> type master;
> file "localhost.zone";
> };
> zone "0.0.127.in-addr.arpa" in {
> type master;
> file "127.0.0.zone";
> };
> zone "." in {
> type hint;
> file "root.hint";
> };
> zone "n9k.de" {
> type master;
> allow-query { any; };
> file "zones/n9k.de";
> };
> --- n9k.de ---
> $TTL 1D
> ;
> ; Zonefile for n9k.de
> ;
> @       IN SOA  ns.ibased-one.de. hostmaster.ibased.de. (
>                 2002042207
>                 8H
>                 2H
>                 1W
>                 1D )
>         NS      ns.ibased-one.de. ; 1. nameserver
>         NS      ns.ibased.net. ; 2. nameserver
>         MX 10   mail.ibased-one.de. ; first mailserver
> n9k.de. A       62.53.168.195
> www     A       62.53.168.195
> ftp     A       62.53.168.195
> ### secondary config ###
> --- named.conf ---
> ... like above, but other ips...
> zone "n9k.de" in {
> type slave;
> masters { 62.53.168.195; };
> file "slave_cache/n9k.de";
> };
> ###### end ######
> "Barry Margolin" <barmar at alum.mit.edu> wrote in message
> news:cfgvep$2pbm$1 at sf1.isc.org...
>> In article <cfg9vp$17si$1 at sf1.isc.org>,
>> "André Höpner" <andre at hoepner.net> wrote:
>>
>>> Hello bind-users,
>>>
>>> we have two nameservers for about 120 domains. both are running
>>> bind 9.23. one is primary and one is secondary.
>>> after starting both servers all is running fine.
>>>
>>> after a few days, when most of the zones expire, the secondary
>>> does the log-entry about expiration, but it seems that he does not
>>> update the zones after that. some time later the secondary gives
>>> no answer about the expired zones.
>>
>> According to the SOA record you posted, your slave should be refreshing
>> every 8 hours. The zones should only expire if this fails consistently
>> every hour for a week.
>>
>>>
>>> i must stop and start the primary server. that sends notifies and
>>> only after receiving these notifies the secondary updates the zones.
>>
>> That's very strange. If there's something preventing the slaves from
>> refreshing, I would expect it to happen even after restarting the master.
>>
>> Are there any log messages on the slave when it tries to refresh the
>> zones?
>>
>> --
>> Barry Margolin, barmar at alum.mit.edu
>> Arlington, MA
>> *** PLEASE post questions in newsgroups, not directly to me ***
>>
First, the "comment" in the zonefiles " ; 1. nameserver" is invalid.
Secondly, using query-source for queries and zone-transfers might
interfere. That is, remove:
> query-source address * port 53;
> transfer-source * port 53;
> notify-source * port 53;
and fix your firewall instead.
--
Peter Håkanson
IPSec Sverige ( At Gothenburg Riverside )
Sorry about my e-mail address, but I'm trying to keep spam out,
remove "icke-reklam" if you feel for mailing me. Thanx.
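
A check for the three statements named in the reply above, as an added example that is not part of the original post or of BIND: it scans named.conf text for query-source, transfer-source and notify-source statements (and their -v6 forms) that pin a fixed source port. The function names and the sample text are assumptions; the sample is constructed from the options block quoted in the thread.

```python
import re

# Constructed sample: the options statements from the posted primary config,
# plus two lines (a commented-out one and "port *") that must not be flagged.
SAMPLE_CONF = """
options {
    directory "/var/named";
    listen-on port 53 { 127.0.0.1; 62.53.168.195; };
    query-source address * port 53;
    transfer-source * port 53;
    notify-source * port 53;
    # transfer-source-v6 * port 53;
    query-source-v6 address * port *;
};
"""

# "<x>-source[-v6] ... port <number>" inside one statement (no ';' in between).
PINNED = re.compile(
    r"(?<![\w-])((?:query|transfer|notify)-source(?:-v6)?)(?![\w-])"
    r"[^;]*?\bport\s+(\d+)")


def strip_comments(conf):
    """Drop /* */, // and # comments (simplified: ignores quoted strings)."""
    conf = re.sub(r"/\*.*?\*/", "", conf, flags=re.S)
    return re.sub(r"(?://|#)[^\n]*", "", conf)


def pinned_source_ports(conf):
    """Return [(statement, port)] for every source statement with a fixed port."""
    return [(name, int(port))
            for name, port in PINNED.findall(strip_comments(conf))]


if __name__ == "__main__":
    for name, port in pinned_source_ports(SAMPLE_CONF):
        print(f"{name}: outgoing traffic pinned to source port {port}")
```

Once the port clauses are removed, named chooses the source port itself, so the firewall rules between the two servers must not assume that queries, transfers and notifies leave from port 53.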