replication issue

Barry Margolin barmar at alum.mit.edu
Tue Jul 11 00:32:02 UTC 2006


In article <e8tu7n$701$1 at sf1.isc.org>, hendedav at yahoo.com wrote:

> Gang,
> 
>      I have read several posts regarding this problem only to find
> that they are unanswered due to lack of information provided (which I
> hope will not be the case here) or they seem to be a firewall issue.  I
> will describe the situation below:
> 
> Site 1:
> master dns (master.domain.com - 192.168.0.10)
> slave dns (ns2.domain.com - 192.168.0.30)
> firewall with port 53 (both TCP and UDP) forwarded to 192.168.0.10
> 
> Site 2:
> slave dns (ns1.domain.com - 192.168.0.20)
> firewall with port 53 (both TCP and UDP) forwarded to 192.168.0.20
> 
> Site 1 has no issues with replication, but I get this in the log for
> the master server at site 1:
> 
> Jul  8 09:37:09 localhost named[6801]: zone liveoakfarm.com/IN: loaded
> serial 1
> 
> and this for site 2:
> 
> Jul  8 15:59:28 ns1 named[11598]: zone liveoakfarm.com/IN: refresh:
> failure trying master 70.119.167.222#53: timed out
> Jul  8 16:00:13 ns1 last message repeated 3 times
> Jul  8 16:00:13 ns1 named[11598]: zone liveoakfarm.com/IN: refresh:
> retry limit for master 70.119.167.222#53 exceeded

Either the Site 1 firewall isn't properly forwarding the port, or the 
Site 2 firewall isn't allowing the queries out.  Is the Site 2 server 
able to do other external DNS lookups?

What happens if you do a manual "dig liveoakfarm.com soa 
@70.119.167.222" from the Site 2 server?

> 
> I am also using the "query-source address * port 53;" directive on the
> master dns server at site 1 and on the slave dns at site 2.  I will

Why are you using port 53 in the query-source?  Do your firewalls block 
outbound DNS with random source ports?  Perhaps the firewalls are having 
some kind of problem with packets that have port 53 in the source and 
destination, so try taking that out and using the normal ephemeral ports.

> include the zone information below for both sites.  Any help that can
> be given will be greatly appreciated.
> 
> Site 1 (master dns):
> zone "liveoakfarm.com" {
>         type master;
>         file "forward.liveoakfarm.com";
>         allow-transfer { 192.168.0.30; 70.46.29.218; };
> };
> 
> 
> Site 2 (slave dns):
> zone "liveoakfarm.com" {
>         type slave;
>         file "forward.liveoakfarm.com";
>         masters { 70.119.167.222; };
> };

-- 
Barry Margolin, barmar at alum.mit.edu
Arlington, MA
*** PLEASE post questions in newsgroups, not directly to me ***
*** PLEASE don't copy me on replies, I'll read them in the group ***
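The two checks Barry suggests (a manual SOA query at the master from the Site 2 box, and looking at whether the fixed source port is what the firewalls choke on) plus a summary of the slave's refresh failures, as an added example script. This is not code from the thread or from BIND; it assumes `dig` and `awk` are installed on the slave, that the master IP, zone name and `/var/log/messages` path are the ones from the post (all overridable), and that the config check is run against your own named.conf.

```shell
#!/bin/sh
# Added example, not from the original thread: triage a slave's
# "refresh: failure trying master ...: timed out" messages.
# MASTER/ZONE default to the values in the post; override via environment.
MASTER="${MASTER:-70.119.167.222}"
ZONE="${ZONE:-liveoakfarm.com}"
NAMED_LOG="${NAMED_LOG:-/var/log/messages}"   # assumed syslog location

# Pull the serial out of one line of `dig +short <zone> soa` output, which is
# "mname rname serial refresh retry expire minimum".
soa_serial() {
    printf '%s\n' "$1" | awk '{ print $3 }'
}

# Ask one server for the zone's SOA serial. $3 is "" for UDP or "+tcp" for TCP;
# it is deliberately unquoted so an empty value adds no argument.
# Returns an empty string when the server does not answer (network call).
serial_from() {
    _out=$(dig +short +time=3 +tries=1 $3 "$2" soa "@$1" 2>/dev/null) || _out=""
    soa_serial "$_out"
}

# Summarise named's refresh failures from syslog lines on stdin, one line per
# master: "<ip> <failures> retrying|retry-limit-exceeded". Syslog's
# "last message repeated N times" is credited to the most recent master seen.
refresh_failures() {
    awk '
    /refresh: failure trying master/ {
        for (i = 1; i <= NF; i++) if ($i == "master") {
            split($(i + 1), a, "#"); last = a[1]; fail[last]++
        }
        next
    }
    /last message repeated [0-9]+ times/ { if (last != "") fail[last] += $(NF - 1); next }
    /refresh: retry limit for master/ {
        for (i = 1; i <= NF; i++) if ($i == "master") {
            split($(i + 1), a, "#"); exceeded[a[1]] = 1
        }
        next
    }
    END {
        for (m in fail)
            printf "%s %d %s\n", m, fail[m], (m in exceeded) ? "retry-limit-exceeded" : "retrying"
    }'
}

# Exit 0 if the named.conf text on stdin pins the query source port to 53,
# the setting Barry suggests removing so the resolver uses ephemeral ports.
query_source_port_53() {
    grep -Eq 'query-source[^;]*port[[:space:]]+53' 
}

# Run the live checks from the slave: UDP and TCP SOA lookups against the
# master, the serial of the local copy, and the log summary.
triage() {
    echo "zone $ZONE, master $MASTER"
    for proto in "" "+tcp"; do
        label=${proto:-udp}; label=${label#+}
        s=$(serial_from "$MASTER" "$ZONE" "$proto")
        if [ -n "$s" ]; then
            echo "  $label to master: serial $s"
        else
            echo "  $label to master: no answer (port forwarding or outbound filtering suspect)"
        fi
    done
    local_serial=$(serial_from 127.0.0.1 "$ZONE" "")
    echo "  local copy: serial ${local_serial:-none loaded}"
    [ -r "$NAMED_LOG" ] && refresh_failures < "$NAMED_LOG"
    if [ -r /etc/named.conf ] && query_source_port_53 < /etc/named.conf; then
        echo "  named.conf pins query-source to port 53; try the default ephemeral ports"
    fi
}

# Only the explicit "triage" argument performs network queries.
case "${1:-}" in triage) triage ;; esac
```

Run it on the Site 2 slave as `sh triage.sh triage`: a UDP answer with no TCP answer (or vice versa) points at whichever firewall is only passing one protocol, no answer on either points at the Site 1 port forward or Site 2 egress filtering, and a master serial that matches the local copy means the transfer itself is not the problem.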