Zone Transfer problem between two Bind 9.2.2 servers

Thuc Bui bui at calcreek.com
Tue Sep 28 18:27:03 UTC 2004


Thank you Ladislav for your input. I have gotten the problem solved by
first setting up rndc to work between the master and slave. Now "dig
@master axfr", zone transfer via restarting named on the slave and
"rndc -s slave reload" all work with the global "allow-transfer
{none;}" and "allow-transfer {IP-address;}" per zone. I still don't know
why the zone transfer without setting up rndc does not work with the
above configuration. Perhaps SuSE by default runs named that way.
I have not had time to dig any deeper.

Cheers,
Thuc

Ladislav Vobr <lvobr at ies.etisalat.ae> wrote in message news:<cjbhja$1j2i$1 at sf1.isc.org>...
> Did you try to put allow-transfer { any; } per zone? Maybe you don't 
> allow the correct IP addresses. You can enable logging for zone transfer 
> requests and see from the log file which IP addresses are 
> trying to do AXFR requests.
> 
> Ladislav
> 
> Thuc Bui wrote:
> > Dear All,
> > 
> > I am having a problem setting up the zone transfer from a master to a
> > slave name server properly. They are both running SuSE 8.2 and BIND
> > 9.2.2. In the master named.conf, if I set in the global options
> > allow-transfer { any; }, zone transfer works fine. However, if I set
> > allow-transfer { none; } in the global options, and in each zone use
> > allow-transfer { slave-IP; }, zone transfer stops working. Below is
> > the conf. file on the master. This is the non-working version because
> > it is currently set to zone transfer to the slaves only. If I change
> > "none" to "any" in the allow-transfer statement in the options block
> > and comment out all other allow-transfer statements, zone transfer
> > works fine.
> > 
> > As you can see from the conf. file, both my master and slave are in
> > the same DMZ network (192.168.15.0); each has a private IP and is NAT'ed
> > to a public IP. The forwarders are my ISP's name servers. If any of you
> > wants to test my setup from the internet with dig for zone transfer,
> > please email me. I will then turn on allow-transfer by changing none
> > to any. I'd very much appreciate any help any of you can provide
> > me.
> > 
> > Best regards,
> > Thuc
> > 
> > options {
> > 	directory "/var/lib/named";
> > 	pid-file "/var/lib/named/named.pid";
> > 	forwarders { 206.13.28.12; 206.13.29.12; };
> > 	forward first;
> > 	listen-on-v6 { none; };
> > 
> > 	query-source address * port 53;
> > 	transfer-source * port 53;
> > 	notify-source * port 53;
> > 
> > 	allow-query { any; };
> > #	allow-transfer { any; };
> > 	allow-transfer { none; };
> > 	allow-recursion { any; };
> > 
> > 	notify no;
> > };
> > 
> > zone "." in {
> > 	type hint;
> > 	file "db.cache";
> > };
> > 
> > zone "0.0.127.in-addr.arpa" in {
> > 	type master;
> > 	file "db.127.0.0";
> > };
> > 
> > zone "chezbui.com" in {
> > 	type master;
> > 	file "db.chezbui";
> > 	allow-transfer {192.168.15.10;206.13.28.11;206.13.29.11;};
> > 	allow-query { any; };
> > };
> > 
> > zone "48.128.115.67.IN-ADDR.ARPA" in {
> > 	type master;
> > 	file "db.67.115.128.48";
> > 	allow-transfer {192.168.15.10;206.13.28.11;206.13.29.11;};
> > 	allow-query { any; };
> > };
> > 
> > zone "4b.pri" in {
> > 	type master;
> > 	file "db.4b";
> > 	allow-transfer {192.168.15.10;};
> > 	allow-query {127.0.0.1;192.168.10/24;192.168.15/24;};
> > };
> > 
> > zone "10.168.192.IN-ADDR.ARPA" in {
> > 	type master;
> > 	file "db.192.168.10";
> > 	allow-transfer {192.168.15.10;};
> > 	allow-query {127.0.0.1;192.168.10/24;192.168.15/24;};
> > };
> > 
> > zone "15.168.192.IN-ADDR.ARPA" in {
> > 	type master;
> > 	file "db.192.168.15";
> > 	allow-transfer {192.168.15.10;};
> > 	allow-query {127.0.0.1;192.168.10/24;192.168.15/24;};
> > };
> > 
> > zone "20.23.172.IN-ADDR.ARPA" in {
> > 	type master;
> > 	file "db.172.23.20";
> > 	allow-transfer {192.168.15.10;};
> > 	allow-query {127.0.0.1;192.168.10/24;192.168.15/24;};
> > };
> >
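Ladislav's suggestion above (log the AXFR requests and see which source addresses actually arrive at the master) can be checked mechanically against the per-zone allow-transfer lists in the quoted named.conf. The script below is an added example, not code from this thread or from ISC. It parses BIND 9 style "xfer-out" and "security" log lines (the sample lines, client addresses and ports are constructed for the example; the zone names and ACL entries are the ones from the quoted configuration), expands BIND's abbreviated prefixes such as 192.168.10/24, and reports transfers granted to addresses outside the ACL, transfers that were denied, and ACL entries (expected slaves) that never completed a transfer. A slave whose requests leave the DMZ through NAT shows up as "denied" from its public address while its private address never appears as granted.

```python
import re
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Per-zone allow-transfer ACLs, copied from the named.conf quoted in the thread.
ZONE_ACLS = {
    "chezbui.com": ["192.168.15.10", "206.13.28.11", "206.13.29.11"],
    "4b.pri": ["192.168.15.10"],
}

# Constructed log lines in the shape BIND 9 writes for the "xfer-out" and
# "security" categories. 203.0.113.20 stands in for a NAT'ed slave address and
# 198.51.100.7 for an unrelated client; both are documentation addresses.
SAMPLE_LOG = """\
28-Sep-2004 10:01:02.123 client 192.168.15.10#32771: transfer of 'chezbui.com/IN': AXFR started
28-Sep-2004 10:01:02.456 client 192.168.15.10#32771: transfer of 'chezbui.com/IN': AXFR ended
28-Sep-2004 10:03:15.001 client 203.0.113.20#1034: zone transfer 'chezbui.com/IN' denied
28-Sep-2004 10:05:40.777 client 203.0.113.20#1035: zone transfer '4b.pri/IN' denied
28-Sep-2004 10:07:00.000 client 198.51.100.7#4444: zone transfer 'chezbui.com/IN' denied
"""

LINE_RE = re.compile(
    r"client (?P<ip>[0-9a-fA-F.:]+)#(?P<port>\d+): "
    r"(?:transfer of '(?P<z1>[^/']+)/IN': AXFR (?P<state>started|ended)"
    r"|zone transfer '(?P<z2>[^/']+)/IN' (?P<denied>denied))"
)


def parse_log(text):
    """Return one event per matching line: {"ip", "zone", "outcome"}.
    outcome is "started", "ended" or "denied"; unrelated lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        events.append({
            "ip": m.group("ip"),
            "zone": m.group("z1") or m.group("z2"),
            "outcome": m.group("state") or "denied",
        })
    return events


def parse_acl_entry(entry):
    """Turn one BIND address-match entry into an ip_network.
    BIND accepts abbreviated IPv4 prefixes such as 192.168.10/24; pad the
    address to four octets so the ipaddress module accepts it."""
    addr, _, prefix = entry.partition("/")
    if ":" not in addr:
        octets = addr.split(".")
        addr = ".".join(octets + ["0"] * (4 - len(octets)))
    return ip_network(f"{addr}/{prefix}" if prefix else addr, strict=False)


def allowed(ip, acl):
    """True if ip matches the ACL. Handles the keywords any/none and plain
    addresses or prefixes; negated ("!") entries are not modelled here."""
    if "any" in acl:
        return True
    if "none" in acl:
        return False
    return any(ip_address(ip) in parse_acl_entry(e) for e in acl)


def audit(events, zone_acls):
    """Compare observed transfer clients with the configured per-zone ACLs."""
    granted = defaultdict(set)
    denied = defaultdict(set)
    for ev in events:
        if ev["outcome"] == "started":
            granted[ev["zone"]].add(ev["ip"])
        elif ev["outcome"] == "denied":
            denied[ev["zone"]].add(ev["ip"])
    # A granted transfer to an address outside the ACL means the effective
    # policy is looser than the one in the config (e.g. a global "any").
    outside = [(z, ip) for z, ips in granted.items()
               for ip in sorted(ips) if not allowed(ip, zone_acls.get(z, ["none"]))]
    # ACL entries that never completed a transfer: the slave may be reaching
    # the master from a different (NAT'ed) address than the one listed.
    never = {}
    for z, acl in zone_acls.items():
        missing = [e for e in acl if e not in ("any", "none") and e not in granted.get(z, set())]
        if missing:
            never[z] = missing
    return {"granted_outside_acl": outside, "denied": dict(denied), "never_transferred": never}


if __name__ == "__main__":
    for key, value in audit(parse_log(SAMPLE_LOG), ZONE_ACLS).items():
        print(f"{key}: {value}")
```

To get lines of this shape out of named, route the "xfer-out" and "security" categories to a file channel in the logging block of named.conf; the "security" category is where BIND records the "zone transfer ... denied" messages, so it is the one that reveals the source address a rejected slave is really using.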

