zone transfer stopped and Bind stopped responding

Kevin Darcy kcd at chrysler.com
Fri Oct 10 05:09:52 UTC 2008


Chris Henderson wrote:
> My slave is not updating my domain.com from my primary for the last
> one week and not responding to any DNS queries. And it's now giving me
> error:
>
> [ID 873575 daemon.warning] zone 'domain.com/ IN' expired
> [ID 866136 daemon.error] transfer of 'domain.com/IN' from <IP of
> Primary#53>  failed to connect: timed out
>
> This started happening around about a week ago when I made a silly
> change to the domain.com file on the primary - I have now commented
> out the change on the primary, updated the date and HUP'd the pid for
> named on both the primary and secondary but I am still getting this error.
> I am not sure whether this is coincidental.
>   
Which error? The "failed to connect" error? That's not going to have 
anything to do with the data in the zone file on the master. The most 
that'll happen with bad data is that the master will fail to load the 
zone, and you'll get SERVFAIL responses.

"failed to connect" is a connectivity problem of some sort.
> nmap shows my secondary's port 53 is open but if I use my secondary as
> my resolver I get SERVFAIL error from nslookup - it's not resolving
> host names although it looks like it's running. 
An expired zone will return SERVFAIL for queries of names in the zone. 
This is by design.
> Nmap also shows my
> primary's port 53 is filtered but when I do nslookup I get reply back
> and tcpdump shows it's querying port 53.
>   
What does nmap mean by "is filtered"? I'm not sure what it's trying to 
denote.

Note that the query you sent may not look like the queries that your 
nameserver is sending.

Notable potential differences:
1) different source address (if you have query-source set)
2) different source port (if you have a port specified in query-source)
3) use of EDNS (on by default for named, off by default for nslookup and 
dig)

I'd recommend doing a tcpdump of your *actual* refresh queries. You can 
force these via an "rndc refresh <zone>" (if rndc is set up), or, more 
drastically, by renaming or deleting the zone file and restarting the 
slave nameserver.
> Here's the named.conf snippet for domain.com from primary -
>
> view "external" {
>
> match-clients {203.75.23.0/24; !127.0.0.1;  any; };
> zone "domain.com" {
>         type master;
>         allow-update { none; };
>         allow-transfer { any; };
>         forwarders { };
>         file "external/domain.com";
>   };
>
> Here's the named.conf snippet from secondary for domain.com
>
> zone "domain.com" {
>         type slave;
>         file "bak/domain.com";
>         allow-transfer { any; };
>         forwarders { };
>         masters {
>                 <master's IP>;
>         };
> };
>
> The slave is doing zone transfers from other masters on other domains
> but not updating anything from this master server.
>
> Any way to force zone transfer or copy the zone file from somewhere else?
>   
See above for "force zone transfer".

As for copying the zone file from somewhere else, if you have another 
slave you can get the zone from, more power to you. Just point the 
"masters" clause at it.

                                                                         
                  - Kevin
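To make Kevin's point about the hand-typed lookup not matching the slave's real refresh query concrete, here is an added example (not code from the original thread or from BIND) that builds the SOA query a slave sends to its master both with and without an EDNS0 OPT record, wraps it in a UDP header with a chosen source port, and decodes the result so the fields a packet capture would differ on (source port, ARCOUNT, OPT record, advertised UDP payload size) are visible. Wire formats follow RFC 1035 and RFC 6891; the zone name `domain.com`, the source ports and the 4096-byte payload size are assumptions chosen for illustration.

```python
"""Wire-level view of a slave's SOA refresh query, with and without EDNS0.

Added example for the reply above; it is not code from the original post
or from BIND.  Formats follow RFC 1035 (header, question) and RFC 6891
(OPT pseudo-RR).  The zone name, source ports and EDNS payload size are
assumptions chosen for illustration.
"""
import random
import struct

TYPE_SOA = 6
TYPE_OPT = 41
CLASS_IN = 1
DNS_PORT = 53


def encode_name(name):
    """Encode a dotted name as length-prefixed labels ending in the root label."""
    wire = b""
    for label in name.rstrip(".").split("."):
        if not 0 < len(label) < 64:
            raise ValueError("bad label %r" % label)
        wire += bytes([len(label)]) + label.encode("ascii")
    return wire + b"\x00"


def build_soa_query(zone, edns=True, udp_payload=4096, qid=None):
    """Return a DNS message asking the master for the SOA of `zone`.

    With edns=True an OPT RR is appended in the additional section, which is
    what named does by default; nslookup and dig of that era did not.  A
    middlebox that drops packets carrying an OPT RR therefore passes the
    hand-typed lookup but swallows the real refresh query.
    """
    if qid is None:
        qid = random.randrange(0, 0x10000)
    flags = 0x0000            # QR=0 (query), opcode QUERY, RD=0: the master is authoritative
    arcount = 1 if edns else 0
    msg = struct.pack("!HHHHHH", qid, flags, 1, 0, 0, arcount)
    msg += encode_name(zone) + struct.pack("!HH", TYPE_SOA, CLASS_IN)
    if edns:
        # OPT RR: root name, TYPE=41, CLASS carries the UDP payload size,
        # TTL carries extended RCODE/version/flags (all zero), empty RDATA.
        msg += b"\x00" + struct.pack("!HHIH", TYPE_OPT, udp_payload, 0, 0)
    return msg


def udp_datagram(payload, sport, dport=DNS_PORT):
    """Prepend a UDP header (checksum left 0, which IPv4 permits).

    `sport` is what query-source controls: a fixed source port (often 53)
    for named versus an ephemeral port for nslookup, so a firewall rule
    keyed on source port treats the two queries differently.
    """
    return struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload


def decode_query(msg):
    """Parse a single-question query and report whether it carries EDNS0."""
    qid, flags, qdcount, _an, _ns, arcount = struct.unpack("!HHHHHH", msg[:12])
    if qdcount != 1:
        raise ValueError("expected exactly one question")
    off, labels = 12, []
    while msg[off] != 0:                       # walk the labels down to the root
        n = msg[off]
        labels.append(msg[off + 1:off + 1 + n].decode("ascii"))
        off += 1 + n
    off += 1
    qtype, qclass = struct.unpack("!HH", msg[off:off + 4])
    off += 4
    info = {"id": qid, "rd": bool(flags & 0x0100), "qname": ".".join(labels),
            "qtype": qtype, "qclass": qclass, "arcount": arcount,
            "edns": False, "udp_payload": 512}   # 512 is the RFC 1035 limit without EDNS
    for _ in range(arcount):
        if msg[off] != 0:
            raise ValueError("only root-named additional RRs are handled here")
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off + 1:off + 11])
        off += 11 + rdlen
        if rtype == TYPE_OPT:
            info["edns"], info["udp_payload"] = True, rclass
    return info


def compare_refresh_vs_manual(zone, named_sport=53, manual_sport=40123):
    """Build both queries and return the fields a tcpdump of each would differ on."""
    named_q = decode_query(build_soa_query(zone, edns=True))
    manual_q = decode_query(build_soa_query(zone, edns=False))
    return {
        "named": {"sport": named_sport, "edns": named_q["edns"],
                  "udp_payload": named_q["udp_payload"]},
        "manual": {"sport": manual_sport, "edns": manual_q["edns"],
                   "udp_payload": manual_q["udp_payload"]},
    }


if __name__ == "__main__":
    for who, fields in compare_refresh_vs_manual("domain.com").items():
        print(who, fields)
```

On a live system the same comparison is done with the tools Kevin names: trigger the real refresh with `rndc refresh domain.com` while running `tcpdump -ni any host <master IP> and port 53` on the slave, then send a hand-made SOA query with `dig @<master IP> domain.com SOA +noedns` and again with `+edns=0 +bufsize=4096` (current dig versions send EDNS by default, so pick it explicitly) and check whether only the EDNS variant, or only the query from port 53, goes unanswered. The host and zone in those commands are placeholders for your own values.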



More information about the bind-users mailing list