Zones-unable-update

Fajar A. Nugraha fajar at fajar.net
Mon Jan 6 09:09:34 UTC 2020


On Mon, Jan 6, 2020 at 3:16 PM MEjaz <mejaz at cyberia.net.sa> wrote:
> 1. My primary name server's /etc/named.conf, where I am forcing transfers to only a few trusted servers, as mentioned in the clause below.
> transfers-out 2000;
> allow-transfer {212.119.93.5;213.230.0.10; 212.119.93.10; 212.119.92.6;};

> 2. secondary/slave  name server
> allow-transfer {"none";};
> I can't run this dig command from both DNS servers, "dig soa kalam.com.sa @ns1.cyberia.net.sa axfr", since the secondary is not allowed to transfer any data.

Ok. So you ran this on ns2, right?

> Just now I noticed again, at 11:03 GMT+3, that the secondary server attempted to fetch the data from the master, but with no luck; the same "denied" error.

No, that might not be it.

> Jan  6 08:38:43 ns2 named[24436]: zone kalam.com.sa/IN: notify from 212.119.92.5#37487: zone is up to date
> Jan  6 08:41:58 ns2 named[24436]: zone kalam.com.sa/IN: notify from 212.119.92.5#52519: serial 2019434249
> Jan  6 09:15:33 ns2 named[24436]: client @0x7f1228224460 212.119.92.5#42430 (kalam.com.sa): zone transfer 'kalam.com.sa/AXFR/IN' denied
> Jan  6 09:15:43 ns2 named[24436]: client @0x7f1228272ed0 212.119.93.5#36083 (kalam.com.sa): zone transfer 'kalam.com.sa/AXFR/IN' denied
> Jan  6 10:40:38 ns2 named[24436]: zone kalam.com.sa/IN: Transfer started.
> Jan  6 10:40:38 ns2 named[24436]: zone kalam.com.sa/IN: transferred serial 2019434249
> Jan  6 11:03:14 ns2 named[24436]: client @0x7f1228138510 212.119.92.5#33050 (kalam.com.sa): zone transfer 'kalam.com.sa/AXFR/IN' denied

You're pasting the logs on ns2. While that helps, we also need the
logs on ns1. What does it say?

"denied" on ns2 is expected, since you have 'allow-transfer
{"none";};' on ns2. The question is "why does your ns2 ask ns2
(itself), when it should've asked only ns1 (the master)".

Did you perhaps set named.conf (or named.conf.local, depending on the
distro) on the ns2 incorrectly? Something like

zone "kalam.com.sa" {
        type slave;
...
        masters {
                212.119.92.5;
        };
};

How many IPs, and what IPs, did you put on the masters there? It
should only be ns1 (the master). If you put two, change it.


... then there's also the question of "why does 212.119.92.5 (ns1) ask
ns2 for a zone transfer (which caused one of the denied lines), when the
master shouldn't even need to ask anyone?" Not sure about this one
though.

> Do you advise simulating the setup in a testing environment, without the firewall?

In this case, only if you've set up named.conf correctly.

-- 
Fajar
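The triage Fajar describes (which client asked ns2 for a transfer, whether any of them is the master or ns2 itself, and whether the zone actually got transferred despite the "denied" lines) can be done mechanically over the named log. The script below is an added example for this thread, not something posted by either participant. It parses the ns2 log lines quoted above and cross-checks a candidate masters {} list. The master address 212.119.92.5 comes from the log; the address set for ns2 itself (212.119.93.5) is an assumption for illustration, since the post never states ns2's own IP.

```python
import re
from collections import Counter

# Log lines copied from the ns2 excerpt quoted in the thread (not constructed).
NS2_LOG = """\
Jan  6 08:38:43 ns2 named[24436]: zone kalam.com.sa/IN: notify from 212.119.92.5#37487: zone is up to date
Jan  6 08:41:58 ns2 named[24436]: zone kalam.com.sa/IN: notify from 212.119.92.5#52519: serial 2019434249
Jan  6 09:15:33 ns2 named[24436]: client @0x7f1228224460 212.119.92.5#42430 (kalam.com.sa): zone transfer 'kalam.com.sa/AXFR/IN' denied
Jan  6 09:15:43 ns2 named[24436]: client @0x7f1228272ed0 212.119.93.5#36083 (kalam.com.sa): zone transfer 'kalam.com.sa/AXFR/IN' denied
Jan  6 10:40:38 ns2 named[24436]: zone kalam.com.sa/IN: Transfer started.
Jan  6 10:40:38 ns2 named[24436]: zone kalam.com.sa/IN: transferred serial 2019434249
Jan  6 11:03:14 ns2 named[24436]: client @0x7f1228138510 212.119.92.5#33050 (kalam.com.sa): zone transfer 'kalam.com.sa/AXFR/IN' denied
""".splitlines()

MASTER = "212.119.92.5"          # ns1, taken from the notify lines above
NS2_ADDRS = {"212.119.93.5"}     # ASSUMPTION: ns2's own address is not stated in the post

# BIND 9 log shapes as they appear in the excerpt.
DENIED_RE = re.compile(
    r"client (?:@0x[0-9a-f]+ )?(?P<ip>[0-9a-fA-F.:]+)#\d+ \((?P<zone>[^)]+)\): "
    r"zone transfer '(?P<zname>[^/]+)/(?P<kind>AXFR|IXFR)/IN' denied"
)
XFER_RE = re.compile(r"zone (?P<zone>\S+)/IN: transferred serial (?P<serial>\d+)")


def classify_axfr_requests(lines, master, own_addrs):
    """Map each client that was refused a transfer to (count, role).

    role is "master" if the requester is the zone's master (which should never
    need to pull from a secondary), "self" if it is one of this host's own
    addresses (a masters {} list pointing at itself), else "other".
    """
    counts = Counter()
    for line in lines:
        m = DENIED_RE.search(line)
        if m:
            counts[m["ip"]] += 1
    result = {}
    for ip, n in counts.items():
        if ip == master:
            role = "master"
        elif ip in own_addrs:
            role = "self"
        else:
            role = "other"
        result[ip] = (n, role)
    return result


def latest_serial(lines):
    """Return {zone: serial} for the last successful inbound transfer per zone."""
    serials = {}
    for line in lines:
        m = XFER_RE.search(line)
        if m:
            serials[m["zone"]] = int(m["serial"])
    return serials


def check_masters(masters, expected_master, own_addrs):
    """Validate a secondary zone's masters {} list and return a list of problems.

    The list should name only the real master; any extra entry, and in
    particular one of our own addresses, makes named ask the wrong server.
    """
    problems = []
    for ip in masters:
        if ip in own_addrs:
            problems.append(f"{ip} is this server itself; named would try to transfer from itself")
        elif ip != expected_master:
            problems.append(f"{ip} is not the master {expected_master}")
    if expected_master not in masters:
        problems.append(f"master {expected_master} is missing from masters {{}}")
    return problems


if __name__ == "__main__":
    for ip, (n, role) in classify_axfr_requests(NS2_LOG, MASTER, NS2_ADDRS).items():
        print(f"denied {n}x from {ip} ({role})")
    print("last transferred:", latest_serial(NS2_LOG))
    # Hypothetical misconfiguration of the kind Fajar suspects: both servers listed.
    print(check_masters([MASTER, "212.119.93.5"], MASTER, NS2_ADDRS))
    print(check_masters([MASTER], MASTER, NS2_ADDRS))
```

Run against the quoted log it reports two refused requests from the master and one from ns2's assumed own address, and shows that the zone nevertheless reached serial 2019434249 at 10:40, so the "denied" lines are noise from a misdirected requester rather than the reason the zone would be stale. Replace NS2_ADDRS with the real interface addresses of ns2 (or feed it `hostname -I` output) before drawing conclusions on a live system.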

