<html>
<head>
<meta http-equiv="content-type" content="text/html; charset=utf-8">
</head>
<body bgcolor="#FFFFFF" text="#000000">
Resending because the message was over 40K... I removed most of the
internal\external zones and logs to shorten the message.<br>
<div class="moz-forward-container"><font face="Calibri"> We have a
split DNS chrooted master\slave setup running on CentOS 5.11. I
have 3 named.conf files below, Working master, working slave and
a new CentOS 7 non-working slave that I'm trying to spin up. The
internal zones do get transferred\updated however the</font><font
face="Calibri"><font face="Calibri"> external zones aren't
transferring at all, the master doesn't even have any
mentioning of external transfers for this specific slave. I
have a hunch that this is either happening because I don't
have multiple network adapters configured, i.e. split DNS for the
slave, or possibly a hostname issue. I tried to basically
mirror the setup of my new slave all except the IP address. My
new slave is </font></font>192.168.1.224. The instructions I
followed to set this up were from: <a moz-do-not-send="true"
class="moz-txt-link-freetext"
href="http://www.ehowstuff.com/how-to-setup-bind-chroot-dns-server-on-centos-7-0-vps/">http://www.ehowstuff.com/how-to-setup-bind-chroot-dns-server-on-centos-7-0-vps/</a><br>
<div class="moz-forward-container"><font face="Calibri"><font
face="Calibri"> <br>
Any assistance would be greatly appreciated, please let me
know if\what other info you might need from me.<br>
</font><br>
Working Master (CentOS 5.11 Bind 9.3.6-25-P1) named.conf</font>:<br>
<br>
/* This comment tests the subversion commit */<br>
options {<br>
directory "/var/named";<br>
dump-file "/var/named/data/cache_dump.db";<br>
statistics-file "/var/named/data/named.stats";<br>
recursive-clients 10000;<br>
/*<br>
* If there is a firewall between you and nameservers
you want<br>
* to talk to, you might need to uncomment the
query-source<br>
* directive below. Previous versions of BIND always
asked<br>
* questions using port 53, but BIND 8.1 uses an
unprivileged<br>
* port by default.<br>
*/<br>
// query-source address * port 53;<br>
# forward only;<br>
forwarders {<br>
# 64.212.106.84; //dns2.jfk.gblx.net<br>
# 209.130.136.2; //dns1.roc.gblx.net<br>
8.8.8.8; //google-public-dns-a.google.com<br>
8.8.4.4; //google-public-dns-b.google.com<br>
};<br>
allow-recursion { 10.0.0.0/8; 192.168.0.0/16;
172.16.0.0/12;};<br>
};<br>
logging {<br>
channel update_debug {<br>
file "/var/log/update-debug.log";<br>
severity debug 3;<br>
print-category yes;<br>
print-severity yes;<br>
print-time yes;<br>
};<br>
channel security_info {<br>
file "/var/log/named-auth.info";<br>
severity debug 3;<br>
print-category yes;<br>
print-severity yes;<br>
print-time yes;<br>
};<br>
category update { update_debug; };<br>
category security { security_info; };<br>
};<br>
controls {<br>
inet 127.0.0.1 allow { localhost; } keys { rndckey; };<br>
};<br>
view "internal" {<br>
match-clients {<br>
!192.168.1.4; 10.0.0.0/8; 192.168.0.0/16;
127.0.0.0/8;<br>
};<br>
allow-transfer { key slave-internal; };<br>
notify yes ;<br>
also-notify { 192.168.1.222; 192.168.1.224;
192.168.1.227; };<br>
notify-source 192.168.1.221 ;<br>
zone "simons-rock.edu." IN {<br>
type master;<br>
file "internal/simons-rock.edu.internal.db";<br>
};<br>
zone "southberkshireconcerts.org." IN {<br>
type master;<br>
file "internal/southberkshireconcerts.org.int.db";<br>
};<br>
};<br>
view "external" {<br>
match-clients { any; };<br>
allow-transfer { key slave-external; };<br>
also-notify { 192.168.1.4; 192.168.1.224; 192.168.1.227;
};<br>
notify yes ;<br>
notify-source 192.168.1.3 ;<br>
zone "simons-rock.edu." IN {<br>
type master;<br>
file "external/simons-rock.edu.ext.db";<br>
};<br>
zone "southberkshireconcerts.org." IN {<br>
type master;<br>
file "external/southberkshireconcerts.org.ext.db";<br>
};<br>
};<br>
<br>
#zone "." IN {<br>
# type hint;<br>
# file "named.ca";<br>
#}<br>
include "/etc/rndc.key";<br>
include "/etc/transfer-internal.key";<br>
include "/etc/transfer-external.key";<br>
include "/etc/netreg-update.key";<br>
-------------------------------------------------------------------------------------<br>
<br>
Working slave <font face="Calibri">(CentOS 5.11 Bind
9.3.6-25-P1)</font> named.conf<br>
<br>
/* This comment tests the subversion commit */<br>
options {<br>
directory "/var/named";<br>
dump-file "/var/named/data/cache_dump.db";<br>
statistics-file "/var/named/data/named.stats";<br>
recursive-clients 10000;<br>
/*<br>
* If there is a firewall between you and nameservers
you want<br>
* to talk to, you might need to uncomment the
query-source<br>
* directive below. Previous versions of BIND always
asked<br>
* questions using port 53, but BIND 8.1 uses an
unprivileged<br>
* port by default.<br>
*/<br>
# // query-source address * port 53;<br>
# forward only;<br>
forwarders {<br>
# 64.212.106.84; //dns2.jfk.gblx.net<br>
# 209.130.136.2; //dns1.roc.gblx.net<br>
8.8.8.8; //google-public-dns-a.google.com<br>
8.8.4.4; //google-public-dns-b.google.com<br>
};<br>
allow-recursion { 10.0.0.0/8; 192.168.0.0/16;
172.16.0.0/12;};<br>
};<br>
controls {<br>
inet 127.0.0.1 allow { localhost; } keys { rndckey; };<br>
};<br>
view "internal" {<br>
match-clients { 10.0.0.0/8; 192.168.0.0/16; 127.0.0.0/8;
};<br>
query-source address 192.168.1.222 ;<br>
transfer-source 192.168.1.222 ;<br>
allow-notify { 192.168.1.221; };<br>
zone "simons-rock.edu." IN {<br>
type slave;<br>
masterfile-format text;<br>
masters { 192.168.1.221; };<br>
file "internal/simons-rock.edu.internal.db";<br>
};<br>
zone "southberkshireconcerts.org." IN {<br>
type slave;<br>
masterfile-format text;<br>
masters { 192.168.1.221; };<br>
file "internal/southberkshireconcerts.org.int.db";<br>
};<br>
};<br>
view "external" {<br>
match-clients { any; };<br>
query-source address 192.168.1.4 ;<br>
transfer-source 192.168.1.4 ;<br>
allow-notify { 192.168.1.3; };<br>
zone "simons-rock.edu." IN {<br>
type slave;<br>
masters { 192.168.1.3; };<br>
file "external/simons-rock.edu.ext.db";<br>
};<br>
zone "southberkshireconcerts.org." IN {<br>
type slave;<br>
masters { 192.168.1.3; };<br>
file "external/southberkshireconcerts.org.ext.db";<br>
};<br>
};<br>
include "/etc/rndc.key";<br>
include "/etc/transfer-internal.key";<br>
include "/etc/transfer-external.key";<br>
<br>
server 192.168.1.221 {<br>
keys {<br>
slave-internal;<br>
};<br>
};<br>
<br>
server 192.168.1.3 {<br>
keys {<br>
slave-external;<br>
};<br>
};<br>
<br>
------------------------------------------------------------------------------------------------------------<br>
<br>
<font face="Calibri">Non-working slave (CentOS 7.0 BIND
9.9.4-RedHat-9.9.4-18.el7_1.1) named.conf</font>:<br>
<br>
/* This comment tests the subversion commit */<br>
options {<br>
directory "/var/named";<br>
dump-file "/var/named/data/cache_dump.db";<br>
statistics-file "/var/named/data/named_stats.txt";<br>
memstatistics-file
"/var/named/data/named_mem_stats.txt";<br>
recursive-clients 10000;<br>
/*<br>
* If there is a firewall between you and nameservers
you want<br>
* to talk to, you might need to uncomment the
query-source<br>
* directive below. Previous versions of BIND always
asked<br>
* questions using port 53, but BIND 8.1 uses an
unprivileged<br>
* port by default.<br>
*/<br>
# // query-source address * port 53;<br>
# forward only;<br>
forwarders {<br>
# 64.212.106.84; //dns2.jfk.gblx.net<br>
# 209.130.136.2; //dns1.roc.gblx.net<br>
8.8.8.8; //google-public-dns-a.google.com<br>
8.8.4.4; //google-public-dns-b.google.com<br>
};<br>
allow-recursion { 10.0.0.0/8; 192.168.0.0/16;
172.16.0.0/12;};<br>
};<br>
controls {<br>
inet 127.0.0.1 allow { localhost; } keys { rndckey; };<br>
};<br>
view "internal" {<br>
match-clients { 10.0.0.0/8; 192.168.0.0/16; 127.0.0.0/8;
};<br>
query-source address 192.168.1.224 ;<br>
transfer-source 192.168.1.224 ;<br>
allow-notify { 192.168.1.221; };<br>
zone "simons-rock.edu." IN {<br>
type slave;<br>
masterfile-format text;<br>
masters { 192.168.1.221; };<br>
file "internal/simons-rock.edu.internal.db";<br>
};<br>
zone "southberkshireconcerts.org." IN {<br>
type slave;<br>
masterfile-format text;<br>
masters { 192.168.1.221; };<br>
file "internal/southberkshireconcerts.org.int.db";<br>
};<br>
};<br>
view "external" {<br>
match-clients { any; };<br>
query-source address 192.168.1.224 ;<br>
transfer-source 192.168.1.224 ;<br>
allow-notify { 192.168.1.3; };<br>
zone "simons-rock.edu." IN {<br>
type slave;<br>
masters { 192.168.1.3; };<br>
file "external/simons-rock.edu.ext.db";<br>
};<br>
zone "southberkshireconcerts.org." IN {<br>
type slave;<br>
masters { 192.168.1.3; };<br>
file "external/southberkshireconcerts.org.ext.db";<br>
};<br>
};<br>
include "/etc/rndc.key";<br>
include "/etc/transfer-internal.key";<br>
include "/etc/transfer-external.key";<br>
<br>
server 192.168.1.221 {<br>
keys {<br>
slave-internal;<br>
};<br>
};<br>
server 192.168.1.3 {<br>
keys {<br>
slave-external;<br>
};<br>
};<br>
--------------------------------------------------------------------------<br>
Some error logs from non-working slave:<br>
--------------------------------------------------------------------------<br>
Apr 2 13:40:29 localhost named[9800]: zone
93.81.208.in-addr.arpa/IN/external: refresh: non-authoritative
answer from master 192.168.1.3#53 (source 192.168.1.224#0)<br>
Apr 2 13:40:31 localhost named[9800]: zone
southberkshireconcerts.org/IN/external: Transfer started.<br>
Apr 2 13:40:31 localhost named[9800]: transfer of
'southberkshireconcerts.org/IN/external' from 192.168.1.3#53:
connected using 192.168.1.224#42883<br>
Apr 2 13:40:31 localhost named[9800]: transfer of
'southberkshireconcerts.org/IN/external' from 192.168.1.3#53:
failed while receiving responses: REFUSED<br>
Apr 2 13:40:31 localhost named[9800]: transfer of
'southberkshireconcerts.org/IN/external' from 192.168.1.3#53:
Transfer completed: 0 messages, 0 records, 0 bytes, 0.001 secs
(0 bytes/sec)<br>
Apr 02 13:53:16 letitroost.simons-rock.edu named[9800]: zone
southberkshireconcerts.org/IN/external: Transfer started.<br>
Apr 02 13:53:16 letitroost.simons-rock.edu named[9800]: transfer
of 'southberkshireconcerts.org/IN/external' from 192.168.1.3#53:
connected using 192.168.1.224#42188<br>
Apr 02 13:53:16 letitroost.simons-rock.edu named[9800]: transfer
of 'southberkshireconcerts.org/IN/external' from 192.168.1.3#53:
failed while receiving responses: REFUSED<br>
Apr 02 13:53:16 letitroost.simons-rock.edu named[9800]: transfer
of 'southberkshireconcerts.org/IN/external' from 192.168.1.3#53:
Transfer completed: 0 messages, 0 records, 0 bytes, 0.001 secs
(0 bytes/sec)<br>
Apr 02 13:54:10 letitroost.simons-rock.edu named[9800]: zone
89111.cn/IN/internal: refresh: non-authoritative answer from
master 192.168.1.221#53 (source 192.168.1.224#0)<br>
Apr 02 13:54:11 letitroost.simons-rock.edu named[9800]: zone
89.81.208.in-addr.arpa/IN/external: refresh: non-authoritative
answer from master 192.168.1.3#53 (source 192.168.1.224#0)<br>
Apr 02 13:54:21 letitroost.simons-rock.edu named[9800]: zone
93.81.208.in-addr.arpa/IN/external: refresh: non-authoritative
answer from master 192.168.1.3#53 (source 192.168.1.224#0)<br>
Apr 02 13:54:42 letitroost.simons-rock.edu named[9800]: zone
evilman.cn/IN/internal: refresh: non-authoritative answer from
master 192.168.1.221#53 (source 192.168.1.224#0)<br>
Apr 02 13:54:53 letitroost.simons-rock.edu named[9800]: zone
95.81.208.in-addr.arpa/IN/external: refresh: non-authoritative
answer from master 192.168.1.3#53 (source 192.168.1.224#0)<br>
Apr 02 13:55:18 letitroost.simons-rock.edu named[9800]: zone
92.81.208.in-addr.arpa/IN/external: refresh: non-authoritative
answer from master 192.168.1.3#53 (source 192.168.1.224#0)<br>
<br>
<br>
<pre class="moz-signature" cols="72">--
William Clarke
ITS System Administrator
Bard College at Simon's Rock
84 Alford Road
Great Barrington, MA 01230
(413) 528-7428 (voice)
(413) 528-7405 (fax)
<a moz-do-not-send="true" class="moz-txt-link-abbreviated" href="mailto:wclarke@simons-rock.edu">wclarke@simons-rock.edu</a></pre>
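<br>
Added example (not part of the original message, and not BIND's own code): a small Python model of how a BIND master picks a view for an incoming zone-transfer request and only then evaluates that view's allow-transfer list. The view list below is a constructed transcription of the master's named.conf quoted above (match-clients and allow-transfer only; TSIG is modelled as a key name rather than a real signature). It lets you check, offline, which view a given slave source address and key would land in: the working slave's external transfer-source 192.168.1.4 is excluded from the internal view by the "!192.168.1.4" element, while a source of 192.168.1.224 is matched by 192.168.0.0/16 in the first view regardless of which key signs the request.<br>

```python
"""Model of BIND view selection followed by allow-transfer evaluation.

Added example; it is not code from the original post or from BIND.
ACL semantics follow BIND's address match lists: elements are tested
in order, the first element that matches decides the result, and a
negated element ("!addr") that matches makes the whole list fail.
"""
import ipaddress
from typing import List, Optional, Tuple


def acl_matches(acl: List[str], src_ip: str, key: Optional[str]) -> bool:
    """Evaluate one address match list against a request."""
    addr = ipaddress.ip_address(src_ip)
    for element in acl:
        negate = element.startswith("!")
        elem = element[1:].strip() if negate else element.strip()
        if elem == "any":
            hit = True
        elif elem == "none":
            hit = False
        elif elem.startswith("key "):
            # "key NAME" matches only a request signed with that TSIG key
            hit = key is not None and key == elem.split(None, 1)[1]
        else:
            hit = addr in ipaddress.ip_network(elem, strict=False)
        if hit:
            return not negate  # first matching element decides
    return False  # nothing matched: the list denies


def select_view(views, src_ip: str, key: Optional[str] = None) -> Optional[str]:
    """Return the first view (in named.conf order) whose match-clients accepts the request."""
    for name, view in views:
        if acl_matches(view["match-clients"], src_ip, key):
            return name
    return None


def axfr_outcome(views, src_ip: str, key: Optional[str]) -> Tuple[Optional[str], str]:
    """Simulate the master's answer to a signed AXFR/IXFR request from src_ip."""
    view_name = select_view(views, src_ip, key)
    if view_name is None:
        return (None, "REFUSED")
    view = dict(views)[view_name]
    allowed = acl_matches(view["allow-transfer"], src_ip, key)
    return (view_name, "OK" if allowed else "REFUSED")


# Constructed model of the master's two views, in the order they appear
# in the master named.conf quoted in the message above.
MASTER_VIEWS = [
    ("internal", {
        "match-clients": ["!192.168.1.4", "10.0.0.0/8", "192.168.0.0/16", "127.0.0.0/8"],
        "allow-transfer": ["key slave-internal"],
    }),
    ("external", {
        "match-clients": ["any"],
        "allow-transfer": ["key slave-external"],
    }),
]


def main() -> None:
    # (description, transfer-source on the slave, key from its server {} stanza)
    cases = [
        ("working slave, internal view", "192.168.1.222", "slave-internal"),
        ("working slave, external view", "192.168.1.4", "slave-external"),
        ("new slave, internal view", "192.168.1.224", "slave-internal"),
        ("new slave, external view", "192.168.1.224", "slave-external"),
    ]
    for label, src, key in cases:
        view, result = axfr_outcome(MASTER_VIEWS, src, key)
        print(f"{label:32s} source={src:14s} key={key:15s} -> view={view} {result}")


if __name__ == "__main__":
    main()
```

Running it prints one line per case; the last case shows the external-key request from 192.168.1.224 being handled by the master's "internal" view, whose allow-transfer list does not accept that key, which is the same REFUSED result the slave logs quoted above report for southberkshireconcerts.org/IN/external. Assumption in the model: the real master also applies match-destinations and TSIG verification, which are left out here because the quoted configuration does not use them.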
<br>
</div>
<br>
<br>
</div>
<br>
</body>
</html>