zone transfer delay

project722 project722 at gmail.com
Fri Sep 21 14:05:04 UTC 2018


I've got two recursive dns servers running ISC 9.11 and 9.12. We are using
RPZ and I have a whitelist/blacklist exception zone file on both servers. I
need the ability to change it only on one server and have it propagate to
the other servers. My config is working, but I'm getting some delays that
I'd like to eliminate. First off, on the "master" server, when I update the
rpz-local file and run a rndc reload, it takes about 2 minutes before I see
the xfer-out in the logs. On the "slave", I also see the xfer-in at the
same time. There are no errors, just that kickoff delay.

Then, on the "slave", it takes about 15 minutes for the file to actually
update with the new info from the time of the xfer-in. I've tried adding NS
records for the slave in the zone file and doing some things with notify,
but nothing seems to help. I'd like the changes to be almost instantaneous
from the time I run the rndc reload. Here is the config from the "master".

/etc/named.conf
acl RPZ {
        192.168.1.100;
};

zone "rpz-local" {
        type master;
        file "db.rpz-local";
        allow-transfer { localhost; RPZ; };
        allow-query { localhost; RPZ; };
};

zone file:
$TTL 150

@        IN SOA  localhost. need.to.know.only. (
                       201707314 ; Serial number
                       10        ; Refresh every 10 seconds
                       10        ; Retry every 10 seconds
                       432000    ; Expire in 5 days
                       60 )      ; negative caching ttl 1 minute

        IN NS    ns1master.example.com
        IN NS    ns2slave.example.com

;# -------------------------------------------------------------------
;# Whitelist entries using rpz-passthru
;# -------------------------------------------------------------------

deteque.com            IN CNAME rpz-passthru.
*.deteque.com            IN CNAME rpz-passthru.


Here is the config from the slave:

/etc/named.conf
acl RPZ {
        192.168.1.101;
};

zone "rpz-local" {
        type slave;
        file "db.rpz-local";
        masters { 192.168.1.101; };
        allow-transfer { localhost; RPZ; };
        masterfile-format text;
        allow-query { localhost; RPZ; };
};
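A small zone-file checker, added here as an example and not part of the original post or of BIND itself, that pulls the values a secondary actually acts on out of a primary's zone text: the SOA timers (refresh and retry bound how long a secondary waits when no NOTIFY arrives), whether the serial moved forward under RFC 1982 arithmetic (a secondary ignores a transfer whose serial did not advance), and whether NS targets are written without a trailing dot, in which case BIND appends the zone origin to them. The sample zone below is constructed from the values in the post; the function names are my own.

```python
import re
from dataclasses import dataclass

# Constructed sample: the master's zone text from the post, comments
# simplified. The NS targets are left unqualified exactly as posted so
# the checker has something to report.
MASTER_ZONE = """\
$TTL 150
@        IN SOA  localhost. need.to.know.only. (
                       201707314 ; Serial number
                       10        ; Refresh
                       10        ; Retry
                       432000    ; Expire
                       60 )      ; negative caching ttl
        IN NS    ns1master.example.com
        IN NS    ns2slave.example.com
deteque.com            IN CNAME rpz-passthru.
*.deteque.com          IN CNAME rpz-passthru.
"""


@dataclass
class Soa:
    mname: str
    rname: str
    serial: int
    refresh: int
    retry: int
    expire: int
    minimum: int


def strip_comments(text):
    """Drop everything after ';' on each line (zone-file comment syntax)."""
    return "\n".join(line.split(";", 1)[0] for line in text.splitlines())


def parse_soa(zone_text):
    """Extract MNAME, RNAME and the five SOA timers from a zone file."""
    body = strip_comments(zone_text)
    m = re.search(r"\bSOA\s+(\S+)\s+(\S+)\s*\(([^)]*)\)", body, re.S)
    if not m:
        raise ValueError("no SOA record found")
    nums = [int(x) for x in m.group(3).split()]
    if len(nums) != 5:
        raise ValueError("SOA needs serial, refresh, retry, expire, minimum")
    return Soa(m.group(1), m.group(2), *nums)


def unqualified_ns(zone_text):
    """NS targets with no trailing dot; BIND treats these as relative
    to the zone origin (here: <name>.rpz-local), not as example.com hosts."""
    body = strip_comments(zone_text)
    return [t for t in re.findall(r"\bNS\s+(\S+)", body) if not t.endswith(".")]


def serial_advanced(old, new):
    """RFC 1982 comparison: True when a secondary will treat `new` as
    newer than `old` and therefore accept the transfer."""
    if old == new:
        return False
    return (new - old) % 2**32 < 2**31


def worst_case_poll_delay(soa):
    """Seconds a secondary may take to notice a change if no NOTIFY is
    delivered: one refresh interval, plus one retry if that poll fails."""
    return soa.refresh + soa.retry


if __name__ == "__main__":
    soa = parse_soa(MASTER_ZONE)
    print(f"serial={soa.serial} refresh={soa.refresh}s retry={soa.retry}s "
          f"expire={soa.expire}s minimum={soa.minimum}s")
    print("worst-case poll delay without NOTIFY:", worst_case_poll_delay(soa), "s")
    for target in unqualified_ns(MASTER_ZONE):
        print(f"NS target {target!r} has no trailing dot; it is relative to the origin")
    print("serial 201707314 -> 201707315 accepted:", serial_advanced(201707314, 201707315))
```

Run against the primary's current and previous zone text, `serial_advanced` tells you whether the secondary had any reason to pull the zone at all, and `worst_case_poll_delay` gives the upper bound you should expect from polling alone; a delay well beyond refresh plus retry points at something other than the SOA timers.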