Zone transfer failure

Bob Harold rharolde at umich.edu
Wed Oct 17 13:34:56 UTC 2018


On Wed, Oct 17, 2018 at 7:23 AM Andreas Brandino <ampranti at gmail.com> wrote:

> Hello all,
>
> I wonder if anyone can help me to find the cause of the problem I am
> currently having.
> All servers are running on Debian and BIND 9.10.3-P4-Debian.
>
> I have a master server and 4 slaves.
> The zone is transferred from the master [ns1] to all slaves [ns3,ns4,ns5
> and ns6].
> I am also using TSIG with a different key for each server.
> Moreover, the zone file refers to the internal view.
>
> When I change the myzone.com, I always update the serial and I reload the
> zone.
>
> The problem:
> ns3 and ns4 never get the updated zone file automatically.
> On the other hand, ns4 and ns5 always get the updated zone file
> immediately.
>
> If I initialize the transfer manually from ns3 and ns4, I get no errors.
>
> Here is the config:
>
> NS1 config: (IP 1.1.1.1 - master DNS)
>
>         zone "myzone.com" {
>                 type master;
>                 file    "/etc/bind/master/myzone.com.INSIDE";
>                 allow-transfer { key ns1ns3_key; key ns1ns4_key; key
> ns1ns5_key; key ns1ns6_key; };
>                 also-notify {
>                         3.3.3.3 port 53 key ns1ns3_key;
>                         4.4.4.4 port 53 key ns1ns4_key;
>                         5.5.5.5 port 53 key ns1ns5_key;
>                         6.6.6.6 port 53 key ns1ns6_key;
>                 };
>                 notify explicit;
>                 notify-source 1.1.1.1 ;
>                 };
>
>
> NS3 config: (IP 3.3.3.3 - transfer fails)
>
>        zone "myzone.com" {
>                 file    "/etc/bind/master/myzone.com.INSIDE";
>                 type slave;
>                 allow-update { key ns1ns3_key; };
>                 masters { 1.1.1.1; };
>                 allow-notify { 1.1.1.1; };
>                 notify yes;
>                 request-ixfr no;
>                 };
>
> NS5 config: (IP 5.5.5.5, successful transfer)
>
> zone "myzone.com" {
>                 file    "/etc/bind/master/myzone.com.INSIDE";
>                 type slave;
>                 allow-update { key ns1ns5_key; };
>                 masters { 1.1.1.1; };
>                 notify yes;
>                 request-ixfr no;
>                 };
>
> Do you see any errors in the above configuration that could cause this
> problem?
>
> Best Regards
>

What you don't show is the 'match' statement for your views.  Perhaps 1
does not match the internal view on 3, so the notify packet hits the wrong
view.  Check the notify messages in the logs on 3, compared to 5.  Here is
a typical notify log message:

30-Sep-2018 23:12:37.135 general: info: zone psych.lsa.umich.edu/IN/oncampus:
notify from 141.211.147.150#38695: zone is up to date


Note the zone/class/view contains ".../IN/oncampus" - check the view in
your logs.


If you cannot find the notify, you might need to turn on logging for
category "general".  Or check routing and firewall rules if the packet is
not being received.


-- 

Bob Harold
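The advice above is to compare the notify log lines on ns3 and ns5 and look at the view component of "zone/IN/view". As an added example (not from this thread and not BIND's own code), the Python below parses that log format and reports which view each notify from the master was matched into; the log lines are constructed samples, not from the original post.

```python
import re
from collections import defaultdict

# Notify line format as shown in the reply:
#   <date> <time> general: info: zone <name>/<class>[/<view>]: notify from <ip>#<port>: <result>
# The "/<view>" part is absent when named runs without views (BIND calls that view "_default").
NOTIFY_RE = re.compile(
    r"^(?P<ts>\S+ \S+) general: info: zone (?P<zone>[^/:]+)/(?P<cls>[^/:]+)(?:/(?P<view>[^:]+))?: "
    r"notify from (?P<src>[0-9A-Fa-f.:]+)#(?P<port>\d+): (?P<result>.*)$"
)

# Constructed sample log (assumption: master 1.1.1.1 notifying a slave that has views
# "internal" and "external"); one notify is matched into the wrong view.
SAMPLE_LOG = """\
17-Oct-2018 07:20:01.001 general: info: zone myzone.com/IN/internal: notify from 1.1.1.1#53: serial 2018101701
17-Oct-2018 07:20:01.002 general: info: zone myzone.com/IN/internal: notify from 1.1.1.1#53: zone is up to date
17-Oct-2018 07:21:05.310 general: info: zone myzone.com/IN/external: notify from 1.1.1.1#53: zone is up to date
17-Oct-2018 07:22:00.000 general: info: zone other.example/IN: notify from 9.9.9.9#4000: zone is up to date
"""

def parse_notifies(text):
    """Return one dict per notify line; lines that are not notify messages are skipped."""
    records = []
    for line in text.splitlines():
        m = NOTIFY_RE.match(line)
        if m:
            rec = m.groupdict()
            rec["port"] = int(rec["port"])
            rec["view"] = rec["view"] or "_default"  # no views configured
            records.append(rec)
    return records

def notifies_by_view(records, zone, master_ip):
    """Count notifies for `zone` sent by `master_ip`, keyed by the view they were matched into."""
    counts = defaultdict(int)
    for r in records:
        if r["zone"] == zone and r["src"] == master_ip:
            counts[r["view"]] += 1
    return dict(counts)

def misrouted_notifies(records, zone, master_ip, expected_view):
    """Notifies for `zone` from `master_ip` that landed in a view other than `expected_view`."""
    return [r for r in records
            if r["zone"] == zone and r["src"] == master_ip and r["view"] != expected_view]

if __name__ == "__main__":
    recs = parse_notifies(SAMPLE_LOG)
    print(notifies_by_view(recs, "myzone.com", "1.1.1.1"))
    for r in misrouted_notifies(recs, "myzone.com", "1.1.1.1", "internal"):
        print("notify matched wrong view:", r["ts"], r["view"], r["result"])
```

Run it against `grep 'notify from' /var/log/...` output on each slave; a count under the wrong view on ns3 but not on ns5 points at the view match statements rather than at the zone stanza.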