Transfers denied.

Danny Mayer mayer at gis.net
Sat Jan 28 23:27:58 UTC 2006


nocturnal wrote:
> Hi
> 
> I was working on the DNS setup yesterday and today at work I noticed one 
> of the slaves denying transfers from the master. I have no idea what 
> I've done. All the clocks are synced with ntpdate twice each week. The 
> following is part of my named.conf for the master with the ip-address 
> replaced for an internal one.

Please don't use ntpdate and certainly twice a week is insufficient.
Install ntpd and you can keep your clock reliable. We have deprecated
ntpdate. We recommend people use ntpd -g and iburst on the server lines.

> 
> options {
>          directory "/etc/namedb";
>          version "975.4.2";
>          allow-transfer { slave1; slave2; };
>          pid-file "/var/run/named.pid";
>          dump-file "s/named_dump.db";
>          listen-on { master; };
>          also-notify { slave1; slave2; };
> };
> 
> Here is also part of the named.conf for one of my slaves. I have 
> replaced the ip-addresses.
> options {
>          directory "/etc/namedb";
>          version "975.4.2";
>          allow-transfer { slave2; master; };
>          pid-file "/var/run/named.pid";
>          dump-file "s/named_dump.db";
>          listen-on { slave1; };
>          also-notify { master; slave2; };
>          allow-notify { master; };
> };
> 
> I did not have the also-notify in the slaves before, it was added today 
> out of desperation. I doubt I need it in slaves?
> 
> This is the error I get in the system messages of slave1. The name of 
> the zone and the ip-address of the master have been replaced.
> Jan 27 15:10:54 ns1 named[26532]: transfer of 'zone1/IN' from master#53: 
> failed to connect: connection refused

Connection refused does not mean what it sounds like. It means that it
got no response at all from the master. Did you close 53/TCP on your
firewall? Zone transfers require TCP port 53 to be available. You also
need it for normal DNS operation but that's another issue.

Danny
> 
> The nameservers have worked fine for a while, had some errors yesterday 
> but got those fixed thanks to Mark Andrews here on the list, so this is 
> not a new setup. My company has used BIND9 for quite a while but that 
> does not prevent us from making stupid mistakes. ;)
> 
> master = my master dns
> slave1 = the first slave dns and also the one that is generating errors
> slave2 = another slave which is supposed to be an almost exact mirror of 
> slave1 except for maybe allow-transfer
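
The check Danny suggests (is TCP/53 on the master reachable from the slave at all?) can be scripted. The following is an added example for this thread, not code from either poster or from BIND: it parses the named log line quoted above, maps the failure text to the likely cause, and probes TCP connectivity so that a transport-level refusal can be told apart from a silent firewall drop or from an application-level REFUSED answer (the latter is what an allow-transfer mismatch produces). The host names, extra log lines and the loopback listener are constructed for offline demonstration; "master" stands in for the master's real address exactly as in the original post.

```python
"""Diagnose a BIND slave's "transfer of ... failed to connect" message."""
import re
import socket

# Shape of BIND's transfer-failure log message, e.g.
#   transfer of 'zone1/IN' from master#53: failed to connect: connection refused
XFER_FAIL = re.compile(
    r"transfer of '(?P<zone>[^']+)' from (?P<master>[^#\s]+)#(?P<port>\d+): (?P<reason>.+)$"
)

# Reason text -> likely cause.  The first two are TCP-layer failures (the
# master never answered the AXFR at all); the third only occurs once TCP/53
# is open, because it is a DNS rcode sent by the master's named.
CAUSES = [
    ("failed to connect: connection refused",
     "TCP connection rejected: nothing listening on TCP/53 on the master, "
     "or a firewall is answering with RST"),
    ("failed to connect: timed out",
     "TCP connection dropped silently: a firewall is discarding packets to TCP/53"),
    ("REFUSED",
     "master answered but its allow-transfer policy does not include this slave"),
]


def parse_transfer_failure(line):
    """Return zone, master, port, reason and likely cause, or None if not a transfer failure."""
    m = XFER_FAIL.search(line)
    if not m:
        return None
    info = m.groupdict()
    info["port"] = int(info["port"])
    info["cause"] = next((cause for key, cause in CAUSES if key in info["reason"]),
                         "unrecognised reason")
    return info


def tcp_port_status(host, port, timeout=3.0):
    """Attempt a TCP connect: 'open', 'refused' (RST), 'filtered' (no answer) or 'error:<errno>'."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except ConnectionRefusedError:
        return "refused"
    except (socket.timeout, TimeoutError):
        return "filtered"
    except OSError as exc:
        return f"error:{exc.errno}"


def open_local_listener():
    """Bind a listening socket on an ephemeral loopback port (stands in for a reachable master)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    return srv, srv.getsockname()[1]


def closed_local_port():
    """Return a loopback port that was just released, so connecting to it yields RST."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind(("127.0.0.1", 0))
    port = s.getsockname()[1]
    s.close()
    return port


if __name__ == "__main__":
    # First line is the one from the original post; the other two are constructed.
    samples = [
        "Jan 27 15:10:54 ns1 named[26532]: transfer of 'zone1/IN' from master#53: "
        "failed to connect: connection refused",
        "Jan 27 15:11:54 ns1 named[26532]: transfer of 'zone1/IN' from master#53: "
        "failed to connect: timed out",
        "Jan 27 15:12:54 ns1 named[26532]: transfer of 'zone1/IN' from master#53: "
        "failed while receiving responses: REFUSED",
    ]
    for line in samples:
        info = parse_transfer_failure(line)
        print(f"{info['zone']} from {info['master']}#{info['port']}: {info['cause']}")

    # Offline demonstration of the connectivity probe on loopback only.
    srv, port = open_local_listener()
    print("listening port ->", tcp_port_status("127.0.0.1", port))
    srv.close()
    print("closed port    ->", tcp_port_status("127.0.0.1", closed_local_port()))
```

In real use you would call `tcp_port_status()` from the slave against the master's address and port 53; "refused" or "filtered" means the firewall or the master's listen-on configuration is the problem, while an "open" result combined with a REFUSED log line points at allow-transfer on the master instead.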


