zone transfer problem (newbie issue)

Dave Stewart dstewart at aquaflo.com
Fri May 13 23:51:51 UTC 2005


Hi all!

I'm learning BIND by configuring a pair of servers for internal 
corporate use. So far I've enjoyed some success along with some 
frustration.

Here's what I have so far:

One DNS server ("diagnostics", a Mac-mini running OSX 10.3.9 and BIND 
9.2.2) is a master for 6 zones and a slave for 2 more. So far, this 
seems to be working like a charm on its own; all zones resolve without 
issue. In fact, I have been using this as my sole DNS server for a week 
or two on my development machine without any issues whatsoever.

One DNS server ("rusty", an IBM E-20 running AIX 5.1 and BIND 8.2.2-P5) 
is the master for the 2 slave zones in "diagnostics" and is *supposed* 
to be a slave for the 6 zones mastered on "diagnostics". Here's the rub 
- the zones aren't transferring to this machine (note that 
"diagnostics" has no problem transferring its slave zones from 
"rusty"; only "rusty" is having zone transfer issues from 
"diagnostics")!

So at this point, "rusty" can only resolve the zones it's a master 
for, yet "diagnostics" can resolve all zones. It appears to me after a 
week of splitting my head open on this issue (searching archives, 
documentation, O'Reilly's online "DNS and BIND", and any and all 
tutorials and help files I can grab:) that "diagnostics" is approving 
the request for a zone transfer, but then not sending a response back 
to "rusty". To check this suspicion I ran the following on "rusty" to 
force a transfer:

# named-xfer -z ojai.aquaflo.com -f /etc/named/tmp.named.ojai.slave -s 0 -d 10 -l /etc/named/tmp.xfer.ojai.log 192.168.12.25
<30>May 13 15:08:56 named-xfer[25662]: connect(192.168.12.25) for zone ojai.aquaflo.com failed: A remote host did not respond within the timeout period.

Here's what I found in the log file on "diagnostics":

...
May 13 15:06:40.179 client: debug 3: client 192.168.12.200#60865: UDP request
May 13 15:06:40.179 client: debug 5: client 192.168.12.200#60865: using view '_default'
May 13 15:06:40.179 security: debug 3: client 192.168.12.200#60865: request is not signed
May 13 15:06:40.179 security: debug 3: client 192.168.12.200#60865: recursion available: approved
May 13 15:06:40.180 client: debug 3: client 192.168.12.200#60865: query
May 13 15:06:40.180 queries: info: client 192.168.12.200#60865: query: ojai.aquaflo.com IN SOA
May 13 15:06:40.180 client: debug 10: client 192.168.12.200#60865: ns_client_attach: ref = 1
May 13 15:06:40.180 security: debug 3: client 192.168.12.200#60865: query 'ojai.aquaflo.com/IN' approved
May 13 15:06:40.180 client: debug 3: client 192.168.12.200#60865: send
May 13 15:06:40.180 client: debug 3: client 192.168.12.200#60865: sendto
May 13 15:06:40.180 client: debug 3: client 192.168.12.200#60865: senddone
May 13 15:06:40.180 client: debug 3: client 192.168.12.200#60865: next
May 13 15:06:40.180 client: debug 10: client 192.168.12.200#60865: ns_client_detach: ref = 0
May 13 15:06:40.180 client: debug 3: client 192.168.12.200#60865: endrequest
...

I don't *think* the issue is with my zone files, at least if it is I 
can't see it. Besides, if I had zone file issues, wouldn't 
"diagnostics" show them up front (I'm under the impression that BIND 9 
is pickier than BIND 8, besides when I mess up a zone file named won't 
even start on "diagnostics")? Is there anything else that can cause 
issues transferring zones between a BIND 9.2 and a BIND 8.2 server? 
I've cranked up the logging for both servers, but I just don't see 
anything that jumps out as saying "here's a problem". On the other 
hand, I probably don't know what I'm looking for yet either ...

Note that both servers have the "allow-transfer" option set in 
named.conf to only allow the other machine to transfer zones; 
"diagnostics" only allows transfers from "rusty" and vice-versa.

Any thoughts as to what to try next? Funny thing is I would swear that 
I had one zone (ojai.aquaflo.com) transferring from "diagnostics" to 
"rusty" before I tried all 6, but now none of them will transfer. I 
just now tried only the one slave zone on "rusty", but it doesn't seem 
to transfer anymore either.

Feeling perpetually confused at this point and hoping for salvation 
come Monday ...


Dave Stewart
Aqua~Flo Supply (Goleta CA)
dstewart at aquaflo dot com

Duct tape is like the force;
	it has a light side and a dark side
	and it holds the universe together.
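
Added example, not part of the original post: a zone transfer is carried over TCP, while the log excerpt in the post records a UDP SOA query, so one check on the master's debug log is whether any TCP request from the slave's address was logged at all. The sketch below rejoins wrapped log entries and summarises transports and queries per client; the function names are hypothetical, and the "TCP request" line is constructed on the pattern of the "UDP request" entry.

```python
import re
from collections import defaultdict

# Entries from the excerpt in the post, wrapped mid-entry the way a mail client wraps long lines.
POSTED = """\
May 13 15:06:40.179 client: debug 3: client 192.168.12.200#60865: UDP
request
May 13 15:06:40.180 queries: info: client 192.168.12.200#60865: query:
ojai.aquaflo.com IN SOA
May 13 15:06:40.180 client: debug 3: client 192.168.12.200#60865:
senddone
"""
# Constructed line (not from the post), modelled on the "UDP request" entry.
CONSTRUCTED_TCP = "May 13 15:06:41.002 client: debug 3: client 192.168.12.200#60866: TCP request\n"

STAMP = re.compile(r"^[A-Z][a-z]{2} +\d+ \d\d:\d\d:\d\d\.\d+ ")
ENTRY = re.compile(r"client (?P<addr>[\d.]+)#\d+: (?P<msg>.*)$")

def unwrap(text):
    """Rejoin wrapped entries: a line without a leading timestamp continues the previous one."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line == "...":
            continue
        if STAMP.match(line) or not entries:
            entries.append(line)
        else:
            entries[-1] += " " + line
    return entries

def summarize(text):
    """Per client address: transports seen and (name, type) of each logged query."""
    seen = defaultdict(lambda: {"transports": set(), "queries": set()})
    for entry in unwrap(text):
        m = ENTRY.search(entry)
        if not m:
            continue
        parts = m["msg"].split()
        if parts[1:] == ["request"] and parts[0] in ("UDP", "TCP"):
            seen[m["addr"]]["transports"].add(parts[0])
        elif parts[:1] == ["query:"] and len(parts) >= 4:
            seen[m["addr"]]["queries"].add((parts[1], parts[3]))
    return dict(seen)

def tcp_seen(text, addr):
    """True if the server logged any TCP request from addr."""
    return "TCP" in summarize(text).get(addr, {}).get("transports", set())
```

If `tcp_seen` is false for the slave's address while the slave reports a connect timeout, the TCP connection never reached named, which points at the path between the two hosts rather than at `allow-transfer` or the zone files.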



More information about the bind-users mailing list