Can't get zone to xfer to secondary server

Chris Buxton cbuxton at menandmice.com
Thu Aug 16 22:39:40 UTC 2007


What you're seeing shows that there is something higher up in the  
namespace tree that the Windows master thinks it should be  
authoritative for. (That is, unless there's something horribly wrong  
with MS DNS in Windows 2000 in how it handles having a CNAME record  
with the same name as a zone - always possible, I suppose.)

Try these commands:

dig @172.20.11.237 familiesla.com axfr
dig @172.20.11.237 com soa

What are the results?

Chris Buxton
Men & Mice

On Aug 16, 2007, at 3:20 PM, Ryan McCain wrote:

> Chris,
>
> Thanks for the response.
>
> Here is the output from the dig command:
>
> ; <<>> DiG 9.3.4 <<>> familiesla.com soa +norec @172.20.11.237
> ; (1 server found)
> ;; global options:  printcmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 20783
> ;; flags: qr aa ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
>
> ;; QUESTION SECTION:
> ;familiesla.com.                        IN      SOA
>
> ;; ANSWER SECTION:
> familiesla.com.         3600    IN      CNAME   www.dss.state.la.us.
>
> ;; Query time: 0 msec
> ;; SERVER: 172.20.11.237#53(172.20.11.237)
> ;; WHEN: Thu Aug 16 17:15:15 2007
> ;; MSG SIZE  rcvd: 65
>
> The DNS server is whatever Windows version is on Windows 2000.   
> Also, there is no domain called .com.  I will check with the  
> Windows side of the house on this.  Any other suggestions based on  
> the output above?
>
> Thx..
>
>>>> On Thu, Aug 16, 2007 at  3:42 PM, in message
> <CEA4C10F-BCE5-4E0C-8AC6-0B8151D3A9F6 at menandmice.com>, Chris Buxton
> <cbuxton at menandmice.com> wrote:
>> The problem is shown in the error messages at the end.
>>
>> When trying to get a zone transfer, the slave first requests an SOA
>> record from the master. It expects an SOA record in response to the
>> query, but in this case, it's getting a CNAME record. Which indicates
>> that either the master server is not running BIND (nor any other
>> server that enforces the CNAME and other data rule), or else the
>> master server actually has a zone named "com" on it (which it
>> probably shouldn't) and has a CNAME record named familiesla.com
>> inside that zone.
>>
>> Check the configuration of the master. We on the list can't, from the
>> outside, because the master is on a private address. However, if we
>> were able to, the shell command would look like this:
>>
>> dig familiesla.com soa +norec @172.20.11.237
>>
>> Chris Buxton
>> Men & Mice
>>
>> On Aug 16, 2007, at 1:34 PM, Ryan McCain wrote:
>>
>>> I'm attempting to install a secondary DNS server using BIND 9.3.2
>>> on SLES 10.  It should host multiple zones 2 of which are
>>> 'dss.state.la.us' and 'familiesla.com'.
>>>
>>> The primary DNS server is a Windows server and I have given the
>>> secondary server permission to do zone xfers for both of these
>>> domains, however, only 'dss.state.la.us' comes down. The zone file
>>> for 'familiesla.com' is never created.  I'm not sure why.
>>>
>>> Here is the log:
>>>
>>> Aug 16 15:09:47 dss-cs99la14 named[8126]: found 1 CPU, using 1
>>> worker thread
>>> Aug 16 15:09:47 dss-cs99la14 named[8126]: loading configuration
>>> from '/etc/named.conf'
>>> Aug 16 15:09:47 dss-cs99la14 named[8126]: listening on IPv6
>>> interfaces, port 53
>>> Aug 16 15:09:47 dss-cs99la14 named[8126]: listening on IPv4
>>> interface lo, 127.0.0.1#53
>>> Aug 16 15:09:47 dss-cs99la14 named[8126]: listening on IPv4
>>> interface eth0, 10.120.9.246#53
>>> Aug 16 15:09:47 dss-cs99la14 named[8126]: command channel listening
>>> on 127.0.0.1#953
>>> Aug 16 15:09:47 dss-cs99la14 named[8126]: command channel listening
>>> on ::1#953
>>> Aug 16 15:09:47 dss-cs99la14 named[8126]: zone 0.0.127.in-addr.arpa/
>>> IN: loaded serial 42
>>> Aug 16 15:09:47 dss-cs99la14 named[8126]: zone localhost/IN: loaded
>>> serial 42
>>> Aug 16 15:09:47 dss-cs99la14 named[8126]: slave/dss.state.la.us:42:
>>> gc._msdcs.dss.state.la.us: bad owner name (check-names)
>>> Aug 16 15:09:47 dss-cs99la14 named[8126]: slave/dss.state.la.us:43:
>>> gc._msdcs.dss.state.la.us: bad owner name (check-names)
>>> Aug 16 15:09:47 dss-cs99la14 named[8126]: slave/dss.state.la.us:
>>> 128: btr_cluster.dss.state.la.us: bad owner name (check-names)
>>> Aug 16 15:09:47 dss-cs99la14 named[8126]: slave/dss.state.la.us:
>>> 1003: ipat_ocs.dss.state.la.us: bad owner name (check-names)
>>> Aug 16 15:09:47 dss-cs99la14 named[8126]: slave/dss.state.la.us:
>>> 1076: ocs_nt_3.dss.state.la.us: bad owner name (check-names)
>>> Aug 16 15:09:47 dss-cs99la14 named[8126]: zone dss.state.la.us/IN:
>>> loaded serial 11146
>>> Aug 16 15:09:47 dss-cs99la14 named[8126]: running
>>> Aug 16 15:09:48 dss-cs99la14 named[8126]: zone familiesla.com/IN:
>>> refresh: CNAME at top of zone in master 172.20.11.237#53 (source
>>> 0.0.0.0#0)
>>> Aug 16 15:11:01 dss-cs99la14 named[8126]: zone familiesla.com/IN:
>>> refresh: CNAME at top of zone in master 172.20.11.237#53 (source
>>> 0.0.0.0#0)
>>> Aug 16 15:12:20 dss-cs99la14 named[8126]: zone familiesla.com/IN:
>>> refresh: CNAME at top of zone in master 172.20.11.237#53 (source
>>> 0.0.0.0#0)
>>> Aug 16 15:15:25 dss-cs99la14 named[8126]: zone familiesla.com/IN:
>>> refresh: CNAME at top of zone in master 172.20.11.237#53 (source
>>> 0.0.0.0#0)
>>>
>>>
>>> ... That didn't tell me too much as to why the familiesla.com zone
>>> isn't being added to the secondary DNS server.
>>>
>>> Any ideas?
>>>
>>> Thanks, Ryan
>>>
>>>
>>>
>>>
>
>
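
The pre-transfer check discussed in this thread (the secondary asks the master for the zone's SOA and here receives a CNAME at the zone name instead), as an added example that is not part of the original messages. The function and sample names are hypothetical, the first sample is the reply quoted above with the quote markers removed, and the second is a constructed healthy reply for `example.test`.

```shell
#!/bin/sh
# Added example: classify the reply to the SOA query a secondary sends
# before it attempts a zone transfer. Feed it the output of
#   dig <zone> soa +norec @<master>
# on stdin; the zone name may be given with or without the trailing dot.
classify_soa_reply() {
    awk -v zone="${1%.}." '
        BEGIN { zone = tolower(zone) }
        # "aa" in the flags line means the master answered authoritatively
        /^;; flags:/ { if ($0 ~ /[ :]aa[ ;]/) aa = 1 }
        /^;; ANSWER SECTION:/ { in_answer = 1; next }
        /^;;/ || /^$/ { in_answer = 0 }
        # only records owned by the zone apex matter for this check
        in_answer && tolower($1) == zone {
            if ($4 == "SOA") soa = 1
            if ($4 == "CNAME") { cname = 1; target = $5 }
        }
        END {
            if (cname) print "cname-at-apex " target    # named: "CNAME at top of zone"
            else if (soa && aa) print "ok"
            else if (soa) print "soa-not-authoritative"
            else print "no-soa"
        }'
}

# Reply from the thread, quote markers removed.
sample_cname_reply() {
cat <<'EOF'
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 20783
;; flags: qr aa ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;familiesla.com.                        IN      SOA

;; ANSWER SECTION:
familiesla.com.         3600    IN      CNAME   www.dss.state.la.us.
EOF
}

# Constructed healthy reply for comparison (not from the thread).
sample_ok_reply() {
cat <<'EOF'
;; flags: qr aa; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; ANSWER SECTION:
example.test. 3600 IN SOA ns1.example.test. hostmaster.example.test. 42 900 600 86400 3600
EOF
}

sample_cname_reply | classify_soa_reply familiesla.com
sample_ok_reply | classify_soa_reply example.test
```

Against a live master, pipe the `dig` command from the thread into the function: `dig familiesla.com soa +norec @172.20.11.237 | classify_soa_reply familiesla.com`.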


