Secondary DNS is not updated quickly from Primary

Sten Carlsen ccc2716 at vip.cybercity.dk
Sun Dec 4 17:18:30 UTC 2005 

I  was just wondering: how do you use the RNDC-key for zonetransfers?
The only thing this key is meant for is securing the communication
between the rndc-program and a BIND-server. Zone-transfers do not
normally use a key at all; if they do it is the TSIG-key. At least to my
knowledge.

Borhade Ganesh (vMoksha) wrote:

>Dear All,
>1. Zone transfer problem :  still problem
>
>   a. Secondary DNS is configured in Primary DNS named.conf & zone file with
>PTR record
>   b. I have tried with notify yes option but notification send by Primary
>DNS but zone doesn't transfer without 
>      rndc reload <zone name>
>   c. Primary is able to resolve Secondary A & PTR records
>   d. SOA MNAME match 
>
>2. patch update:  OK now 
>   OK, I have install BIND 9.2.3 on Solaris thus not to worry
>
>3. TSIG ? Still pending but OK till now
>   OK, my rndc key is working for zone transfer between Primary & Secondary,
>but i will think TSIG afterward.
>
>
>    Mark, Thanks for valuable update.
>
>Regards
>Ganesh
>91-9880537357
>
>-----Original Message-----
>From: Mark_Andrews at isc.org [mailto:Mark_Andrews at isc.org] 
>Sent: Sunday, December 04, 2005 1:51 PM
>To: Borhade Ganesh (vMoksha)
>Cc: 'Barry Margolin'; comp-protocols-dns-bind at isc.org
>Subject: Re: Secondary DNS is not updated quickly from Primary 
>
>
>
>  
>
>>Dear All,
>>     
>>DNS Setup: 
>>1. Primary DNS on Solaris 9 with BIND 9.2.3 ( Solaris package )
>>2. Secondary DNS is on Solaris 10 with Bind 9.2.4 ( build in of Solaris 10
>>    
>>
>)
>  
>
>>Problem :
>>
>>1. When i changed "Zone" on "Primary DNS" with updated "Serial no" in Zone
>>file & then used  "rndc reload / rndc reload 
>>   <zone name>" on Primary DNS.
>>   "Secondary DNS" zone is not updated immediately even i kept "refresh
>>    
>>
>rate
>  
>
>>as 5 min".(i uses rndc reload on 
>>    Secondary DNS) but when i uses "rndc reload <zone name>" on "Secondary
>>DNS" then zone gets transfer immediately.
>>   Is this bug in BIND 9.2.3? because i had not faced problem with "BIND
>>    
>>
>8"
>  
>
>>for Zone Transfer.   
>>    
>>
>
>	Firstly is the secondary listed in the NS RRset?
>	Secondly can the primary resolve the addresses of the secondary?
>	Thirdly is the primary sending the notify messages from the same
>	address as that listed in the masters clause on the secondary?
>	Fourthly does the SOA MNAME match the name of the primary servers?
>	Fifthly is there a firewall/NAT blocking or otherwise changing the
>	notify message.
>
>	There are ways to address most/all of the potential issues but
>	without answers to the above questions people won't be able to
>	help you.
>
>	NOTIFY is simple.  The master loads the zone.  It looks up
>	the addresses for the nameservers.  It sends the NOTIFY
>	message to the slaves (the master is identified by the SOA
>	MNAME).  The slave looks at the NOTIFY and the address the
>	NOTIFY was from and decided to accept or reject it.  It
>	then looks at any SOA record to see if the serial is greater
>	than it currently has.  If it is or there was no SOA record
>	it starts the standard refresh processing.
> 
>  
>
>>2. Is any BIND patch available for BIND 9.2.3 on Solaris 9? 
>>    
>>
>
>	A patch for what?  BIND is distributed freely in source form.
>	You can just compile and install the latest release.
> 
>  
>
>>3. If instead of rndc key if i uses tsig key then will security will
>>increase?
>>    
>>
>
>	Yes but get everything else working first before you look at
>	TSIG.
> 
>  
>
>>Best Regards
>>Ganesh Borhade
>>91-9880537357
>>
>>
>>-----Original Message-----
>>From: bind-users-bounce at isc.org [mailto:bind-users-bounce at isc.org] On
>>    
>>
>Behalf
>  
>
>>Of Barry Margolin
>>Sent: Saturday, December 03, 2005 4:30 AM
>>To: comp-protocols-dns-bind at isc.org
>>Subject: Re: Secondary DNS is not updated quickly from Primary
>>
>>
>>In article <dmq2tg$cun$1 at sf1.isc.org>,
>> "Borhade Ganesh (vMoksha)" <Ganesh.Borhade at UCB-Group.com> wrote:
>>
>>    
>>
>>>Dear All,
>>>     I have configured Primary DNS Server --> Bind 9.2.3 on Solaris 9
>>>      
>>>
>with
>  
>
>>>private IP address  & Secondary DNS Server --> Bind 9 on Solaris 10 with
>>>private IP address.
>>>My zones are transfer from Primary DNS to Secondary DNS only when i
>>>      
>>>
>reload
>  
>
>>>zone from secondary  [ rndc reload <zone name > ].
>>>    I wants to make DNS Server's  live on Monday with Public IP address
>>>      
>>>
>>but
>>    
>>
>>>before that i wants to make sure that if i restart rndc service ( rndc
>>>stop/start ) on primary ( Zone updated with serial no ) then it should
>>>automatically transfer the zone  to Secondary DNS 
>>>    Can anyone help me how to resolve it?
>>>      
>>>
>>The slave should automatically refresh the zone every <refresh> seconds, 
>>where this is the Refresh parameter in the zone's SOA record.  So if you 
>>want to ensure that it updates within 15 minutes, set this to 900.
>>
>>You should also be able to use the DNS Notify mechanism.  Make sure that 
>>the slaves are listed in the NS records of the zone, and the master will 
>>send a Notify message to the slaves within a few seconds of your 
>>reloading the zone on the master.
>>
>>Of course, make sure you increment the serial number on the master after 
>>making chances.
>>
>>Are there any messages in the slave's log when it should be refreshing 
>>the zone?
>>
>>-- 
>>Barry Margolin, barmar at alum.mit.edu
>>Arlington, MA
>>*** PLEASE post questions in newsgroups, not directly to me ***
>>
>>
>>
>>--------------------------------------------------------- 
>>Legal Notice: This electronic mail and its attachments are intended solely
>>for the person(s) to whom they are addressed and contain information which
>>is confidential or otherwise protected from disclosure, except for the
>>purpose for which they are intended. Dissemination, distribution, or
>>reproduction by anyone other than the intended recipients is prohibited
>>    
>>
>and
>  
>
>>may be illegal. If you are not an intended recipient, please immediately
>>inform the sender and return the electronic mail and its attachments and
>>destroy any copies which may be in your possession. UCB screens electronic
>>mails for viruses but does not warrant that this electronic mail is free
>>    
>>
>of
>  
>
>>any viruses. UCB accepts no liability for any damage caused by any virus
>>transmitted by this electronic mail. 
>>---------------------------------------------------------
>>
>>
>>
>>    
>>
>--
>Mark Andrews, ISC
>1 Seymour St., Dundas Valley, NSW 2117, Australia
>PHONE: +61 2 9871 4742                 INTERNET: Mark_Andrews at isc.org
>
>
>--------------------------------------------------------- 
>Legal Notice: This electronic mail and its attachments are intended solely
>for the person(s) to whom they are addressed and contain information which
>is confidential or otherwise protected from disclosure, except for the
>purpose for which they are intended. Dissemination, distribution, or
>reproduction by anyone other than the intended recipients is prohibited and
>may be illegal. If you are not an intended recipient, please immediately
>inform the sender and return the electronic mail and its attachments and
>destroy any copies which may be in your possession. UCB screens electronic
>mails for viruses but does not warrant that this electronic mail is free of
>any viruses. UCB accepts no liability for any damage caused by any virus
>transmitted by this electronic mail. 
>---------------------------------------------------------
>
>
>
>  
>

-- 
Best regards

Sten Carlsen

Let HIM who has an empty INBOX send the first mail.

More information about the bind-users mailing list