<html>
  <head>

    <meta http-equiv="content-type" content="text/html; charset=utf-8">
  </head>
  <body bgcolor="#FFFFFF" text="#000000">
    Resending because the message was over 40K... I removed most of the
    internal\external zones and logs to shorten the message.<br>
    <div class="moz-forward-container"><font face="Calibri"> We have a
        split DNS chrooted master\slave setup running on CentOS 5.11. I
        have 3 named.conf files below: working master, working slave and
        a new CentOS 7 non-working slave that I'm trying to spin up. The
        internal zones do get transferred\updated; however, the</font><font
        face="Calibri"><font face="Calibri"> external zones aren't
          transferring at all, and the master doesn't even have any
          mention of external transfers for this specific slave. I
          have a hunch that this is happening either because I don't
          have multiple network adapters configured, i.e. split DNS for
          the slave, or possibly because of a hostname issue. I tried to
          basically mirror the setup of my new slave, all except the IP
          address. My
          new slave is </font></font>192.168.1.224. The instructions I
      followed to set this up were from: <a moz-do-not-send="true"
        class="moz-txt-link-freetext"
href="http://www.ehowstuff.com/how-to-setup-bind-chroot-dns-server-on-centos-7-0-vps/">http://www.ehowstuff.com/how-to-setup-bind-chroot-dns-server-on-centos-7-0-vps/</a><br>
      <div class="moz-forward-container"><font face="Calibri"><font
            face="Calibri"> <br>
            Any assistance would be greatly appreciated, please let me
            know if\what other info you might need from me.<br>
          </font><br>
          Working Master (CentOS 5.11 Bind 9.3.6-25-P1) named.conf</font>:<br>
        <br>
        /* This comment tests the subversion commit */<br>
        options {<br>
                directory "/var/named";<br>
                dump-file "/var/named/data/cache_dump.db";<br>
                statistics-file "/var/named/data/named.stats";<br>
                recursive-clients 10000;<br>
                /*<br>
                 * If there is a firewall between you and nameservers
        you want<br>
                 * to talk to, you might need to uncomment the
        query-source<br>
                 * directive below.  Previous versions of BIND always
        asked<br>
                 * questions using port 53, but BIND 8.1 uses an
        unprivileged<br>
                 * port by default.<br>
                 */<br>
                 // query-source address * port 53;<br>
        #       forward only;<br>
                forwarders {<br>
        #               64.212.106.84; //dns2.jfk.gblx.net<br>
        #               209.130.136.2; //dns1.roc.gblx.net<br>
                        8.8.8.8; //google-public-dns-a.google.com<br>
                        8.8.4.4; //google-public-dns-b.google.com<br>
                };<br>
                allow-recursion { 10.0.0.0/8; 192.168.0.0/16;
        172.16.0.0/12;};<br>
        };<br>
        logging {<br>
                channel update_debug {<br>
                         file "/var/log/update-debug.log";<br>
                         severity  debug 3;<br>
                         print-category yes;<br>
                         print-severity yes;<br>
                         print-time     yes;<br>
                };<br>
                channel security_info    {<br>
                         file "/var/log/named-auth.info";<br>
                         severity  debug 3;<br>
                         print-category yes;<br>
                         print-severity yes;<br>
                         print-time     yes;<br>
                };<br>
                category update { update_debug; };<br>
                category security { security_info; };<br>
        };<br>
        controls {<br>
                inet 127.0.0.1 allow { localhost; } keys { rndckey; };<br>
        };<br>
        view "internal" {<br>
                match-clients {<br>
                         !192.168.1.4; 10.0.0.0/8; 192.168.0.0/16;
        127.0.0.0/8;<br>
                };<br>
                allow-transfer { key slave-internal; };<br>
                notify yes ;<br>
                also-notify { 192.168.1.222; 192.168.1.224;
        192.168.1.227; };<br>
                notify-source 192.168.1.221 ;<br>
                zone "simons-rock.edu." IN {<br>
                   type master;<br>
                   file "internal/simons-rock.edu.internal.db";<br>
                };<br>
                zone "southberkshireconcerts.org." IN {<br>
                   type master;<br>
                   file "internal/southberkshireconcerts.org.int.db";<br>
                };<br>
        };<br>
        view "external" {<br>
                match-clients { any; };<br>
                allow-transfer { key slave-external; };<br>
                also-notify { 192.168.1.4; 192.168.1.224; 192.168.1.227;
        };<br>
                notify yes ;<br>
                notify-source 192.168.1.3 ;<br>
                zone "simons-rock.edu." IN {<br>
                   type master;<br>
                   file "external/simons-rock.edu.ext.db";<br>
                };<br>
                zone "southberkshireconcerts.org." IN {<br>
                   type master;<br>
                   file "external/southberkshireconcerts.org.ext.db";<br>
                };<br>
        };<br>
        <br>
        #zone "." IN {<br>
        #       type hint;<br>
        #       file "named.ca";<br>
        #}<br>
        include "/etc/rndc.key";<br>
        include "/etc/transfer-internal.key";<br>
        include "/etc/transfer-external.key";<br>
        include "/etc/netreg-update.key";<br>
-------------------------------------------------------------------------------------<br>
        <br>
        Working slave <font face="Calibri">(CentOS 5.11 Bind
          9.3.6-25-P1)</font> named.conf<br>
        <br>
        /* This comment tests the subversion commit */<br>
        options {<br>
                directory "/var/named";<br>
                dump-file "/var/named/data/cache_dump.db";<br>
                statistics-file "/var/named/data/named.stats";<br>
                recursive-clients 10000;<br>
                /*<br>
                 * If there is a firewall between you and nameservers
        you want<br>
                 * to talk to, you might need to uncomment the
        query-source<br>
                 * directive below.  Previous versions of BIND always
        asked<br>
                 * questions using port 53, but BIND 8.1 uses an
        unprivileged<br>
                 * port by default.<br>
                 */<br>
        #        // query-source address * port 53;<br>
        #       forward only;<br>
                forwarders {<br>
        #               64.212.106.84; //dns2.jfk.gblx.net<br>
        #               209.130.136.2; //dns1.roc.gblx.net<br>
                        8.8.8.8; //google-public-dns-a.google.com<br>
                        8.8.4.4; //google-public-dns-b.google.com<br>
                };<br>
                allow-recursion { 10.0.0.0/8; 192.168.0.0/16;
        172.16.0.0/12;};<br>
        };<br>
        controls {<br>
                inet 127.0.0.1 allow { localhost; } keys { rndckey; };<br>
        };<br>
        view "internal" {<br>
                match-clients { 10.0.0.0/8; 192.168.0.0/16; 127.0.0.0/8;
        };<br>
                query-source address 192.168.1.222 ;<br>
                transfer-source 192.168.1.222 ;<br>
                allow-notify { 192.168.1.221; };<br>
                zone "simons-rock.edu." IN {<br>
                   type slave;<br>
                   masterfile-format text;<br>
                   masters { 192.168.1.221; };<br>
                   file "internal/simons-rock.edu.internal.db";<br>
                };<br>
                zone "southberkshireconcerts.org." IN {<br>
                   type slave;<br>
                   masterfile-format text;<br>
                   masters { 192.168.1.221; };<br>
                   file "internal/southberkshireconcerts.org.int.db";<br>
                };<br>
        };<br>
        view "external" {<br>
                match-clients { any; };<br>
                query-source address 192.168.1.4 ;<br>
                transfer-source 192.168.1.4 ;<br>
                allow-notify { 192.168.1.3; };<br>
                zone "simons-rock.edu." IN {<br>
                   type slave;<br>
                   masters { 192.168.1.3; };<br>
                   file "external/simons-rock.edu.ext.db";<br>
                };<br>
                zone "southberkshireconcerts.org." IN {<br>
                   type slave;<br>
                   masters { 192.168.1.3; };<br>
                   file "external/southberkshireconcerts.org.ext.db";<br>
                };<br>
        };<br>
        include "/etc/rndc.key";<br>
        include "/etc/transfer-internal.key";<br>
        include "/etc/transfer-external.key";<br>
        <br>
        server 192.168.1.221 {<br>
                keys {<br>
                        slave-internal;<br>
                };<br>
        };<br>
        <br>
        server 192.168.1.3 {<br>
                keys {<br>
                        slave-external;<br>
                };<br>
        };<br>
        <br>
------------------------------------------------------------------------------------------------------------<br>
        <br>
        <font face="Calibri">Non-working slave (CentOS 7.0 BIND
          9.9.4-RedHat-9.9.4-18.el7_1.1) named.conf</font>:<br>
        <br>
        /* This comment tests the subversion commit */<br>
        options {<br>
                directory "/var/named";<br>
                dump-file "/var/named/data/cache_dump.db";<br>
                statistics-file "/var/named/data/named_stats.txt";<br>
                memstatistics-file
        "/var/named/data/named_mem_stats.txt";<br>
                recursive-clients 10000;<br>
                /*<br>
                 * If there is a firewall between you and nameservers
        you want<br>
                 * to talk to, you might need to uncomment the
        query-source<br>
                 * directive below.  Previous versions of BIND always
        asked<br>
                 * questions using port 53, but BIND 8.1 uses an
        unprivileged<br>
                 * port by default.<br>
                 */<br>
        #        // query-source address * port 53;<br>
        #       forward only;<br>
                forwarders {<br>
        #               64.212.106.84; //dns2.jfk.gblx.net<br>
        #               209.130.136.2; //dns1.roc.gblx.net<br>
                        8.8.8.8; //google-public-dns-a.google.com<br>
                        8.8.4.4; //google-public-dns-b.google.com<br>
                };<br>
                allow-recursion { 10.0.0.0/8; 192.168.0.0/16;
        172.16.0.0/12;};<br>
        };<br>
        controls {<br>
                inet 127.0.0.1 allow { localhost; } keys { rndckey; };<br>
        };<br>
        view "internal" {<br>
                match-clients { 10.0.0.0/8; 192.168.0.0/16; 127.0.0.0/8;
        };<br>
                query-source address 192.168.1.224 ;<br>
                transfer-source 192.168.1.224 ;<br>
                allow-notify { 192.168.1.221; };<br>
                 zone "simons-rock.edu." IN {<br>
                   type slave;<br>
                   masterfile-format text;<br>
                   masters { 192.168.1.221; };<br>
                   file "internal/simons-rock.edu.internal.db";<br>
                };<br>
                zone "southberkshireconcerts.org." IN {<br>
                   type slave;<br>
                   masterfile-format text;<br>
                   masters { 192.168.1.221; };<br>
                   file "internal/southberkshireconcerts.org.int.db";<br>
                };<br>
        };<br>
        view "external" {<br>
                match-clients { any; };<br>
                query-source address 192.168.1.224 ;<br>
                transfer-source 192.168.1.224 ;<br>
                allow-notify { 192.168.1.3; };<br>
                zone "simons-rock.edu." IN {<br>
                   type slave;<br>
                   masters { 192.168.1.3; };<br>
                   file "external/simons-rock.edu.ext.db";<br>
                };<br>
                zone "southberkshireconcerts.org." IN {<br>
                   type slave;<br>
                   masters { 192.168.1.3; };<br>
                   file "external/southberkshireconcerts.org.ext.db";<br>
                };<br>
        };<br>
        include "/etc/rndc.key";<br>
        include "/etc/transfer-internal.key";<br>
        include "/etc/transfer-external.key";<br>
        <br>
        server 192.168.1.221 {<br>
                keys {<br>
                        slave-internal;<br>
                };<br>
        };<br>
        server 192.168.1.3 {<br>
                keys {<br>
                        slave-external;<br>
                };<br>
        };<br>
--------------------------------------------------------------------------<br>
        Some error logs from non-working slave:<br>
--------------------------------------------------------------------------<br>
        Apr  2 13:40:29 localhost named[9800]: zone
        93.81.208.in-addr.arpa/IN/external: refresh: non-authoritative
        answer from master 192.168.1.3#53 (source 192.168.1.224#0)<br>
        Apr  2 13:40:31 localhost named[9800]: zone
        southberkshireconcerts.org/IN/external: Transfer started.<br>
        Apr  2 13:40:31 localhost named[9800]: transfer of
        'southberkshireconcerts.org/IN/external' from 192.168.1.3#53:
        connected using 192.168.1.224#42883<br>
        Apr  2 13:40:31 localhost named[9800]: transfer of
        'southberkshireconcerts.org/IN/external' from 192.168.1.3#53:
        failed while receiving responses: REFUSED<br>
        Apr  2 13:40:31 localhost named[9800]: transfer of
        'southberkshireconcerts.org/IN/external' from 192.168.1.3#53:
        Transfer completed: 0 messages, 0 records, 0 bytes, 0.001 secs
        (0 bytes/sec)<br>
        Apr 02 13:53:16 letitroost.simons-rock.edu named[9800]: zone
        southberkshireconcerts.org/IN/external: Transfer started.<br>
        Apr 02 13:53:16 letitroost.simons-rock.edu named[9800]: transfer
        of 'southberkshireconcerts.org/IN/external' from 192.168.1.3#53:
        connected using 192.168.1.224#42188<br>
        Apr 02 13:53:16 letitroost.simons-rock.edu named[9800]: transfer
        of 'southberkshireconcerts.org/IN/external' from 192.168.1.3#53:
        failed while receiving responses: REFUSED<br>
        Apr 02 13:53:16 letitroost.simons-rock.edu named[9800]: transfer
        of 'southberkshireconcerts.org/IN/external' from 192.168.1.3#53:
        Transfer completed: 0 messages, 0 records, 0 bytes, 0.001 secs
        (0 bytes/sec)<br>
        Apr 02 13:54:10 letitroost.simons-rock.edu named[9800]: zone
        89111.cn/IN/internal: refresh: non-authoritative answer from
        master 192.168.1.221#53 (source 192.168.1.224#0)<br>
        Apr 02 13:54:11 letitroost.simons-rock.edu named[9800]: zone
        89.81.208.in-addr.arpa/IN/external: refresh: non-authoritative
        answer from master 192.168.1.3#53 (source 192.168.1.224#0)<br>
        Apr 02 13:54:21 letitroost.simons-rock.edu named[9800]: zone
        93.81.208.in-addr.arpa/IN/external: refresh: non-authoritative
        answer from master 192.168.1.3#53 (source 192.168.1.224#0)<br>
        Apr 02 13:54:42 letitroost.simons-rock.edu named[9800]: zone
        evilman.cn/IN/internal: refresh: non-authoritative answer from
        master 192.168.1.221#53 (source 192.168.1.224#0)<br>
        Apr 02 13:54:53 letitroost.simons-rock.edu named[9800]: zone
        95.81.208.in-addr.arpa/IN/external: refresh: non-authoritative
        answer from master 192.168.1.3#53 (source 192.168.1.224#0)<br>
        Apr 02 13:55:18 letitroost.simons-rock.edu named[9800]: zone
        92.81.208.in-addr.arpa/IN/external: refresh: non-authoritative
        answer from master 192.168.1.3#53 (source 192.168.1.224#0)<br>
        <br>
        <br>
        <pre class="moz-signature" cols="72">-- 

William Clarke
ITS System Administrator
Bard College at Simon's Rock
84 Alford Road
Great Barrington, MA  01230
(413) 528-7428 (voice)
(413) 528-7405 (fax)
<a moz-do-not-send="true" class="moz-txt-link-abbreviated" href="mailto:wclarke@simons-rock.edu">wclarke@simons-rock.edu</a></pre>
        <br>
      </div>
      <br>
      <br>
    </div>
    <br>
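Added example, not part of the original message: a simplified Python model of how the master's two views, as posted above, classify an incoming transfer request by source address and then check the TSIG key against that view's allow-transfer. It assumes the master selects views only by match-clients in file order (no match-destinations appears in the posted config); the function names are hypothetical, and the addresses and key names are taken from the configs above.

```python
import ipaddress

# Master's views in file order, copied from the posted named.conf.
# Each match-clients element is (negated, network); the first element
# that contains the client address decides the ACL result.
VIEWS = [
    ("internal",
     [(True, "192.168.1.4/32"), (False, "10.0.0.0/8"),
      (False, "192.168.0.0/16"), (False, "127.0.0.0/8")],
     "slave-internal"),                      # allow-transfer { key ...; }
    ("external", [(False, "0.0.0.0/0")],     # match-clients { any; }
     "slave-external"),
]

def acl_matches(acl, addr):
    """Return True if addr is accepted by an ordered, first-match ACL."""
    ip = ipaddress.ip_address(addr)
    for negated, net in acl:
        if ip in ipaddress.ip_network(net):
            return not negated
    return False

def select_view(addr):
    """Return (view name, key required for transfer) for a client address."""
    for name, acl, key in VIEWS:
        if acl_matches(acl, addr):
            return name, key
    return None, None

def transfer_result(source, tsig_key):
    """Model an AXFR request from `source` signed with `tsig_key`."""
    view, required = select_view(source)
    if view is None or tsig_key != required:
        return view, "REFUSED"
    return view, "OK"

if __name__ == "__main__":
    # Constructed requests: (slave, transfer-source, key from its server {} block)
    requests = [
        ("working slave, internal view", "192.168.1.222", "slave-internal"),
        ("working slave, external view", "192.168.1.4", "slave-external"),
        ("new slave, internal view", "192.168.1.224", "slave-internal"),
        ("new slave, external view", "192.168.1.224", "slave-external"),
    ]
    for label, src, key in requests:
        print(label, src, key, transfer_result(src, key))
```

In this model the new slave's external-view request from 192.168.1.224 is classified into the master's internal view, where only slave-internal is allowed to transfer, which is consistent with the REFUSED entries in the log above.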
  </body>
</html>