Win2K3-AD Master - Bind Slave transfers fail

Barry Finkel b19141 at achilles.ctd.anl.gov
Wed Jul 5 15:24:36 UTC 2006


 "William B. Cattell" <wbcattell1.nospam at yahoo.com> wrote:

>I've been reading this newsgroup, reading DNS/BIND from O'Reilly and MS
>Technet but I'm missing something...  and it's driving me nuts.  Help.
>
>I have a Win2K3 server running AD as a zone master.  I'm trying to set up
>a slave on a Mandriva 2006 box running bind 9.3.1.
>
>Here's a snippet from the /etc/named.conf;
>
>zone "texasflood.us" {
>        type slave;
>        masters {
>                192.168.0.46;
>                };
>        file "/etc/texasflood.us.hosts";
>        check-names ignore;
>        allow-update {
>                192.168.0.46;
>                };
>        allow-transfer {
>                192.168.0.46;
>                };
>        };
>zone "0.168.192.in-addr.arpa" {
>        type slave;
>        masters {
>                192.168.0.46;
>                };
>        file "/etc/192.168.0.rev";
>        check-names ignore;
>        };
>server 192.168.0.46 {
>        };
>server 192.168.0.48 {
>        };
>
>---------------------------
>
>...and entries from syslog;
>
>Jul  3 09:19:40 sam named[3229]: client 192.168.0.46#4877: received notify for zone 'texasflood.us'
>Jul  3 09:19:40 sam named[3229]: zone texasflood.us/IN: Transfer started.
>Jul  3 09:19:40 sam named[3229]: transfer of 'texasflood.us/IN' from 192.168.0.46#53: connected using 192.168.0.15#32799
>Jul  3 09:19:41 sam named[3229]: dumping master file: /etc/tmp-jHyQa1q7Z1: open: permission denied
>Jul  3 09:19:41 sam named[3229]: transfer of 'texasflood.us/IN' from 192.168.0.46#53: failed while receiving responses: permission denied
>Jul  3 09:19:41 sam named[3229]: transfer of 'texasflood.us/IN' from 192.168.0.46#53: end of transfer
>Jul  3 09:20:13 sam named[3229]: client 192.168.0.46#4877: received notify for zone 'texasflood.us'
>Jul  3 09:20:13 sam named[3229]: zone texasflood.us/IN: Transfer started.
>Jul  3 09:20:13 sam named[3229]: transfer of 'texasflood.us/IN' from 192.168.0.46#53: connected using 192.168.0.15#32800
>Jul  3 09:20:13 sam named[3229]: dumping master file: /etc/tmp-g5gixf2xhM: open: permission denied
>Jul  3 09:20:13 sam named[3229]: transfer of 'texasflood.us/IN' from 192.168.0.46#53: failed while receiving responses: permission denied
>Jul  3 09:20:13 sam named[3229]: transfer of 'texasflood.us/IN' from 192.168.0.46#53: end of transfer
>Jul  3 09:21:10 sam named[3229]: client 192.168.0.46#4877: received notify for zone '0.168.192.in-addr.arpa'
>Jul  3 09:21:10 sam named[3229]: zone 0.168.192.in-addr.arpa/IN: Transfer started.
>Jul  3 09:21:10 sam named[3229]: transfer of '0.168.192.in-addr.arpa/IN' from 192.168.0.46#53: connected using 192.168.0.15#32801
>Jul  3 09:21:11 sam named[3229]: dumping master file: /etc/tmp-37BqztnzJS: open: permission denied
>Jul  3 09:21:11 sam named[3229]: transfer of '0.168.192.in-addr.arpa/IN' from 192.168.0.46#53: failed while receiving responses: permission denied
>Jul  3 09:21:11 sam named[3229]: transfer of '0.168.192.in-addr.arpa/IN' from 192.168.0.46#53: end of transfer
>
>----------------------------------
>
>zone transfers are working from the master to another Win2K3 server set as
>a slave, just not the bind slave.  Any help / suggestions would be
>appreciated.
>
>TIA,
>
>Bill

I do not have access to the list archives right now to see if there
have been any replies.  There appear to be two problems:

a) Jul  3 09:19:41 sam named[3229]: dumping master file:
     /etc/tmp-jHyQa1q7Z1: open: permission denied

b) Jul  3 09:19:41 sam named[3229]: transfer of 'texasflood.us/IN'
     from 192.168.0.46#53: failed while receiving responses:
     permission denied

a) It appears that the userid under which BIND is running does not
   have permissions to create the temporary file

        /etc/tmp-jHyQa1q7Z1

   in which BIND wants to store the transferred zone.  What are the
   permissions on the 

        /etc

   directory?

b) There are a number of reasons why W2k DNS could deny a zone transfer.
   The denied transfers are not logged in the EventLog, if I remember
   correctly.  One of the MS DNS support staff told me that MS did not
   want to fill up the EventLog with these denied transfer messages.
   I have formally asked MS to produce these EventLog records and to
   include information as to why the transfer was denied.

   What do you have for the zone properties in the Zone Transfer tab?
   In my case, I have six BIND slave servers, with a total of ten IP
   addresses (two of the slaves have three NICs).  As I did not want to
   enter all ten IP addresses for each of my W2k zones, I chose to
   use

        Allow zone transfers to servers in the NS Tab.
        Notify servers in the NS Tab.

   This works except in the case where the 

        IP-address  IN  PTR  DNSSlaveServer

   record is not in the W2k DNS cache.  When a zone transfer request
   arrives from an IP address, the MS W2k DNS code checks its cache to
   see if that IP address equates to a DNS server name in the NS Tab.
   If that IP address is not in the cache, then the zone transfer
   request is denied.  One of the DNS developers told me that the code
   does not do the normal DNS query to locate the PTR record because
   there is a chance that the record that is returned could be from a
   rogue server and contain fake information.  What we do on the MS W2k
   DNS Server is run a script periodically (three times a day?):

        nslookup BIND-slave-name W2k-master-name

   for each of the six slaves.  This ensures that the IP addresses of
   all of the BIND slaves are always in the W2k DNS cache.
----------------------------------------------------------------------
Barry S. Finkel
Computing and Information Systems Division
Argonne National Laboratory          Phone:    +1 (630) 252-7277
9700 South Cass Avenue               Facsimile:+1 (630) 252-4601
Building 222, Room D209              Internet: BSFinkel at anl.gov
Argonne, IL   60439-4828             IBMMAIL:  I1004994
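An added example for problem (a), not code from either poster: BIND writes a transferred zone to a temporary file in the directory holding the zone's `file` path (the `/etc/tmp-...` names in the syslog above), so the directory, not just the file, must be writable by the named uid. The script below parses the `type slave` zones out of a named.conf text and reports those whose directory an unprivileged uid/gid set cannot write to; the condensed config and the uid 12345 are constructed sample values.

```python
import os
import re

# Constructed sample input: the thread's two slave zones (condensed) plus a non-zone statement.
SAMPLE_NAMED_CONF = '''
zone "texasflood.us" { type slave; masters { 192.168.0.46; };
        file "/etc/texasflood.us.hosts"; check-names ignore; };
zone "0.168.192.in-addr.arpa" { type slave; masters { 192.168.0.46; };
        file "/etc/192.168.0.rev"; };
server 192.168.0.46 { };
'''
ZONE_HDR = re.compile(r'^zone\s+"([^"]+)"')
TYPE_RE = re.compile(r'\btype\s+(\w+)\s*;')
FILE_RE = re.compile(r'\bfile\s+"([^"]+)"\s*;')

def top_level_blocks(text):
    """Yield (header, body) per top-level statement; nested braces stay inside body."""
    depth, body_start, hdr_start = 0, 0, 0
    for i, ch in enumerate(text):
        if ch == "{":
            if depth == 0: body_start = i
            depth += 1
        elif ch == "}":
            depth -= 1
            if depth == 0:
                yield text[hdr_start:body_start].strip(" \t\n;"), text[body_start + 1:i]
                hdr_start = i + 1

def slave_zone_files(named_conf):
    """Map each 'type slave' zone name to the path in its 'file' directive."""
    out = {}
    for header, body in top_level_blocks(named_conf):
        m, t, f = ZONE_HDR.match(header), TYPE_RE.search(body), FILE_RE.search(body)
        if m and t and f and t.group(1) == "slave":
            out[m.group(1)] = f.group(1)
    return out

def dir_writable_by(path, uid, gids):
    """Can an unprivileged uid/gids create files in the directory holding `path`?
    named writes the transferred zone to a temp file there; w+x bits only, no ACLs."""
    st = os.stat(os.path.dirname(os.path.abspath(path)))
    if st.st_uid == uid:
        return (st.st_mode & 0o300) == 0o300
    if st.st_gid in gids:
        return (st.st_mode & 0o030) == 0o030
    return (st.st_mode & 0o003) == 0o003

def unwritable_slave_zones(named_conf, uid, gids):
    return sorted(z for z, f in slave_zone_files(named_conf).items()
                  if not dir_writable_by(f, uid, gids))
```

With both zone files under the root-owned, mode 755 `/etc`, the check flags both zones for any non-root named uid, which is exactly the failure the syslog shows; moving the `file` paths into a directory owned by the named user clears it.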
