<div dir="ltr"><div>Yes!!! This was the problem!!</div><div><br></div><div>Thank you :-)<br></div></div><br><div class="gmail_quote"><div dir="ltr">Στις Τετ, 17 Οκτ 2018 στις 5:16 μ.μ., ο/η Bob Harold <<a href="mailto:rharolde@umich.edu">rharolde@umich.edu</a>> έγραψε:<br></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr"><br><div class="gmail_quote"><div dir="ltr">On Wed, Oct 17, 2018 at 9:56 AM Andreas Brandino <<a href="mailto:ampranti@gmail.com" target="_blank">ampranti@gmail.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr"><div dir="ltr"><div dir="ltr"><div dir="ltr"><div>Both servers receive the NOTIFY message from NS1. What I see on the logs:</div><div><br></div><div><b>NS3:</b><br>17-Oct-2018 16:41:00.688 notify: info: client 1.1.1.1#19513/key ns1ns3_key: view external: received notify for zone '<a href="http://myzone.com" target="_blank">myzone.com</a>': TSIG 'ns1ns3_key'</div></div></div></div></div></blockquote><div><br></div><div>Notice the "view external" in the line above, compared to ns5, which got the notify on the internal view. That appears to be the issue.</div><div>Try adding the IP of NS1 to the "match" list for the internal view on NS3.</div><div><br></div><div>-- </div><div>Bob Harold</div><div> </div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr"><div dir="ltr"><div dir="ltr"><div dir="ltr"><div><b>NS5:</b><br>17-Oct-2018 16:40:56.131 notify: info: client 1.1.1.1#32586/key ns1ns5_key: received notify for zone '<a href="http://myzone.com" target="_blank">myzone.com</a>': TSIG 'ns1ns5_key'<br>17-Oct-2018 16:40:56.139 notify: info: zone <a href="http://myzone.com/IN" target="_blank">myzone.com/IN</a>: sending notifies (serial 2018101910)<br></div><div><br></div><div>The 2nd line is missing on NS3. <br></div><div>At this point NS5 starts the zone copy (<b>NS1 </b>logs):<br></div><div></div><div><br></div><div>17-Oct-2018 16:41:01.233 xfer-out: info: client 5.5.5.5#40909/key ns1ns5_key (<a href="http://myzone.com" target="_blank">myzone.com</a>): view internal: transfer of '<a href="http://myzone.com/IN" target="_blank">myzone.com/IN</a>': AXFR started: TSIG ns1ns5_key<br>17-Oct-2018 16:41:01.234 xfer-out: info: client 5.5.5.5#40909/key ns1ns5_key (<a href="http://myzone.com" target="_blank">myzone.com</a>): view internal: transfer of '<a href="http://myzone.com/IN" target="_blank">myzone.com/IN</a>': AXFR ended</div><div><br></div><div>At this point NS3 does nothing.<br></div><div></div><div></div><div><br></div>This is not a firewall or networking problem because I can start the transfer manually.<div><br></div><div>Best Regards<br></div></div></div><br><div class="gmail_quote"><div dir="ltr">Στις Τετ, 17 Οκτ 2018 στις 4:35 μ.μ., ο/η Bob Harold <<a href="mailto:rharolde@umich.edu" target="_blank">rharolde@umich.edu</a>> έγραψε:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div dir="ltr"><div dir="ltr"><div><div dir="ltr" class="m_8486511162358041491m_4766126701638608703gmail-m_-8169827261918427122gmail_signature"><br></div></div><div class="gmail_quote"><div dir="ltr">On Wed, Oct 17, 2018 at 7:23 AM Andreas Brandino <<a href="mailto:ampranti@gmail.com" target="_blank">ampranti@gmail.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div dir="ltr"><div dir="ltr">Hello all,<br><br>I wonder if anyone can help me to find the cause of the problem I am currently having.<br>All servers are running on Debian and BIND 9.10.3-P4-Debian.<br><br>I have a master server and 4 slaves.<br>The zone is transfered from the master [ns1] to all slaves [ns3,ns4,ns5 and ns6].<br>I am also using TSIG with a different key for each server. <br>Moreover, the zone file refers to the internal view.<br><br>When I change the <a href="http://myzone.com" target="_blank">myzone.com</a>, I always update the serial and I reload the zone.<br><br>The problem:<br>ns3 and ns4 never get the updated zone file automatically.<br>On the other hand, ns4 and ns5 always get the updated zone file immediately.<br><br>If I initialize the transfer manually from ns3 and ns4, I get no errors.<br><br>Here is the config:<br><br>NS1 config: (IP 1.1.1.1 - master DNS)<br><br> zone "<a href="http://myzone.com" target="_blank">myzone.com</a>" {<br> type master;<br> file "/etc/bind/master/myzone.com.INSIDE";<br> allow-transfer { key ns1ns3_key; key ns1ns4_key; key ns1ns5_key; key ns1ns6_key; };<br> also-notify {<br> 3.3.3.3 port 53 key ns1ns3_key;<br> 4.4.4.4 port 53 key ns1ns4_key;<br> 5.5.5.5 port 53 key ns1ns5_key;<br> 6.6.6.6 port 53 key ns1ns6_key;<br> };<br> notify explicit;<br> notify-source 1.1.1.1 ;<br> };<br><br><br>NS3 config: (IP 3.3.3.3 - transfer fails)<br><br> zone " myzone .com" {<br> file "/etc/bind/master/myzone.com.INSIDE";<br> type slave;<br> allow-update { key ns1ns3_key; };<br> masters { 1.1.1.1; };<br> allow-notify { 1.1.1.1; };<br> notify yes;<br> request-ixfr no;<br> };<br><br>NS5 config: (IP 5.5.5.5, successful transfer)<br><br>zone "<a href="http://myzone.com" target="_blank">myzone.com</a>" {<br> file "/etc/bind/master/myzone.com.INSIDE";<br> type slave;<br> allow-update { key ns1ns5_key; };<br> masters { 1.1.1.1; };<br> notify yes;<br> request-ixfr no;<br> };<br><br>Do you see any errors in the above configuration that could cause this problem?</div><div dir="ltr"><br></div><div>Best Regards</div></div></blockquote><div><br></div><div>What you don't show is the 'match' statement for your views. Perhaps 1 does not match the internal view on 3, so the notify packet hits the wrong view. Check the notify messages in the logs on 3, compared to 5. Here is a typical notify log message:<br></div><div><br></div><div><span id="m_8486511162358041491m_4766126701638608703gmail-m_-8169827261918427122gmail-docs-internal-guid-287cc882-7fff-5f76-e7b0-de20087f6fb9"><p dir="ltr" style="line-height:1.38;margin-top:0pt;margin-bottom:0pt">30-Sep-2018 23:12:37.135 general: info: zone <a href="http://psych.lsa.umich.edu/IN/oncampus" target="_blank">psych.lsa.umich.edu/IN/oncampus</a>: notify from 141.211.147.150#38695: zone is up to date</p><p dir="ltr" style="line-height:1.38;margin-top:0pt;margin-bottom:0pt"><br></p><p style="line-height:1.38;margin-top:0pt;margin-bottom:0pt">Note the zone/class/view contains ".../IN/oncampus" - check the view in your logs.</p><p style="line-height:1.38;margin-top:0pt;margin-bottom:0pt"><br></p><p style="line-height:1.38;margin-top:0pt;margin-bottom:0pt">If you cannot find the notify, you might need to turn on logging for category "general". Or check routing and firewall rules if the packet is not being received.</p><p style="line-height:1.38;margin-top:0pt;margin-bottom:0pt"><br></p><p style="line-height:1.38;margin-top:0pt;margin-bottom:0pt">-- </p><p style="line-height:1.38;margin-top:0pt;margin-bottom:0pt">Bob Harold</p><p style="line-height:1.38;margin-top:0pt;margin-bottom:0pt"><br></p></span></div></div></div></div>
</blockquote></div></div></div>
</blockquote></div></div>
</blockquote></div>