Does "allow-transfer" work properly?

Kevin Darcy kcd at daimlerchrysler.com
Wed Oct 4 19:51:25 UTC 2006


AM wrote:
> Hi guys,
>
> I have a nameserver with the IP address = 15.113.159.60 and the following named.conf
>
> ## named.conf - configuration for bind
> #
> # Generated automatically by bindconf, alchemist et al.
> controls {
>          inet 127.0.0.1 allow { localhost; } keys { rndckey; };
> };
>
> include "/etc/rndc.key";
>
> options {
>          directory "/var/named/";
> };
>
> [CUT]
>
> zone "rcs.xt" {
>          type slave;
>          file "rcs.xt.zone";
>          masters { 112.124.16.162; };
>          allow-transfer { 15.113.159.60; };
> };
>
>
> I didn't write the named.conf but it seems to me that the master can allow transfers only from itself. Obviously it's 
> not required to ask the zone rcs.xt from itself but from the master. That rule applies just for that zone. The others 
> can be pulled by anyone (ok it's not securing and I'm about to put a full stop to this behavior). For me the rule 
> written above doesn't make sense.
>
> Then, there is another server that acts as total backup for all the zones of 15.113.159.60 (rcs.xt included).
> What is weird to me is that the second one always gets an updated list of the zone even if it shouldn't! (I check it 
> by looking at the timestamp of the file on the second server). I didn't check by adding or removing hosts in that zone on 
> 112.124.16.162.
> BTW I cannot access 112.124.16.162.
>
> Am I using the wrong method to see if "allow-transfer" does its job properly or is there anything I'm missing?
You can't go by just the timestamp alone. Check the serial number, check 
the logs on both boxes, check whether the "downstream" slave is actually 
answering without an error response and authoritatively (AA flag set to 
1) for the zone: if it's not, that may be an indication that the zone 
has expired on it.

Also, are you absolutely sure that the "downstream" slave is getting its 
data from 15.113.159.60? Is there a possibility that it's getting it 
directly from 112.124.16.162? Maybe it has *both* addresses in its 
"masters" clause and it's continually failing over.

- Kevin
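The checks Kevin recommends (compare SOA serials, look at the RCODE and the AA flag on the "downstream" slave) can be scripted instead of read off a file timestamp. The following is an added example, not code from the thread or from BIND: a stdlib-only SOA query builder and response parser, a comparison function that turns two answers into a verdict, and a constructed-response helper so the whole thing runs offline. The zone name and the 15.113.159.60 address are the ones in the thread; `query_soa` is an assumed helper for running the same check against live servers and is not exercised offline; the serial values and the `ns1.`/`hostmaster.` names in the constructed responses are made up.

```python
"""Verify a BIND slave's copy of a zone by SOA serial, RCODE and AA flag
(added example; response bytes below are constructed, not captured)."""
import socket
import struct

SOA = 6
IN = 1


def encode_name(name: str) -> bytes:
    """Encode a dotted name in uncompressed DNS wire format."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_soa_query(zone: str, txid: int = 0x1234) -> bytes:
    """Standard query, RD=1, one question: <zone> IN SOA."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(zone) + struct.pack("!HH", SOA, IN)


def read_name(msg: bytes, off: int):
    """Decode a possibly compressed name; return (name, offset after it)."""
    labels, end = [], None
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:               # compression pointer
            if end is None:
                end = off + 2
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels) + ".", (end if end is not None else off)


def parse_soa_response(msg: bytes) -> dict:
    """Extract what matters: AA flag, RCODE, and the SOA serial/expire."""
    _, flags, qd, an, _, _ = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):                         # skip the question section
        _, off = read_name(msg, off)
        off += 4
    info = {"aa": bool(flags & 0x0400), "rcode": flags & 0x000F,
            "serial": None, "expire": None}
    for _ in range(an):
        _, off = read_name(msg, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == SOA:
            _, p = read_name(msg, off)          # MNAME
            _, p = read_name(msg, p)            # RNAME
            serial, _, _, expire, _ = struct.unpack("!IIIII", msg[p:p + 20])
            info.update(serial=serial, expire=expire)
        off += rdlen
    return info


def compare_slave(upstream: dict, downstream: dict) -> str:
    """Verdict on the downstream slave relative to the server it should copy from."""
    if downstream["rcode"] != 0 or not downstream["aa"]:
        return "downstream not authoritative: zone probably expired or never loaded"
    if downstream["serial"] == upstream["serial"]:
        return "in sync (serial %d)" % downstream["serial"]
    if downstream["serial"] > upstream["serial"]:
        return "downstream serial is newer: it is not transferring from this server"
    return "downstream behind: serial %d vs %d" % (downstream["serial"], upstream["serial"])


def make_soa_response(zone: str, serial: int, aa: bool = True, rcode: int = 0) -> bytes:
    """Build a response the way a server would (constructed test data only)."""
    flags = 0x8180 | (0x0400 if aa else 0) | rcode   # QR, RD, RA (+AA) + RCODE
    hdr = struct.pack("!HHHHHH", 0x1234, flags, 1, 1 if rcode == 0 else 0, 0, 0)
    question = encode_name(zone) + struct.pack("!HH", SOA, IN)
    if rcode != 0:                                    # e.g. SERVFAIL: no answer RR
        return hdr + question
    rdata = (encode_name("ns1." + zone) + encode_name("hostmaster." + zone)
             + struct.pack("!IIIII", serial, 3600, 600, 604800, 86400))
    rr = b"\xc0\x0c" + struct.pack("!HHIH", SOA, IN, 3600, len(rdata)) + rdata
    return hdr + question + rr


def query_soa(server: str, zone: str, timeout: float = 3.0) -> dict:
    """Assumed live helper (not run offline): query one server over UDP/53."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_soa_query(zone), (server, 53))
        return parse_soa_response(s.recv(4096))


if __name__ == "__main__":
    # Offline demo with constructed answers: 15.113.159.60 at one serial, backup one behind.
    up = parse_soa_response(make_soa_response("rcs.xt", 2006100401))
    down = parse_soa_response(make_soa_response("rcs.xt", 2006100399))
    print(compare_slave(up, down))
```

Against live servers the same comparison is `compare_slave(query_soa("15.113.159.60", "rcs.xt"), query_soa("<backup address>", "rcs.xt"))`. A SERVFAIL or a non-AA answer from the backup points at an expired or never-loaded zone, which a stale file on disk will not reveal; a serial that is newer on the backup than on 15.113.159.60 is a strong sign it is pulling from somewhere else, as Kevin suggests with the "both addresses in masters" scenario.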


