Bind 9.7 does not notify slaves

s91066
Posts: 12
Joined: 2011/12/01 09:41:40

Bind 9.7 does not notify slaves

Post by s91066 » 2012/04/20 12:03:17

Hello,
I want to set up a lab. This lab is about DNS and I will use a "Split Horizon" architecture, as is now in my production but with older servers.

Now, I have set up a CentOS 6.2 with bind 9.7.3, IP 192.168.0.28, with the latest packages. This is the hidden master DNS server.
The slave DNS server is RHEL 5.x with the latest packages from Red Hat and IP 192.168.0.22.

The problem: Zone updates performed on the master server are not propagated to the slave server.
The only way to receive the updates on the slave is to explicitly request them. rndc reload on either the master or the slave server does not initiate a zone transfer, although the zone IS modified AND the serial IS changed.

I have checked the configuration as thoroughly as I could but I cannot find where the problem is.
The configuration and zone definition follow:

Master Server:
[code]
//
// named.conf
//
// Provided by Red Hat bind package to configure the ISC BIND named(8) DNS
// server as a caching only nameserver (as a localhost DNS resolver only).
//
// See /usr/share/doc/bind*/sample/ for example named configuration files.
//
acl secondary { 192.168.0.22; };
options {
listen-on port 53 { any; };
transfer-format many-answers;
notify-source 192.168.0.28;
directory "/var/named";
dump-file "/var/named/data/cache_dump.db";
statistics-file "/var/named/data/named_stats.txt";
memstatistics-file "/var/named/data/named_mem_stats.txt";
allow-query { localnets; };
allow-query-cache { localnets; };
allow-update { none; };
recursion no;
dnssec-enable yes;
dnssec-validation yes;
dnssec-lookaside auto;
//Prevent asking for BIND related data.
version "Not available";
hostname none;
server-id none;

/* Path to ISC DLV key */
bindkeys-file "/etc/named.iscdlv.key";
};
controls {
inet 127.0.0.1 allow { localhost; } keys { rndc-key; };
};
include "/etc/rndc.key";
key mydomain.com {
algorithm hmac-md5;
secret "The Secret";
};
server 192.168.0.22 {
keys { mydomain.com.; };
};
logging {
channel default_debug {
file "data/named.run";
severity dynamic;
};
channel audit_log {
// Send the security related messages to a separate file.
file "/var/log/named-audit.log" versions 50 size 10m;
severity dynamic;
print-category yes;
print-time yes;
};
channel default_log {
// Send the security related messages to a separate file.
file "/var/log/named-messages.log" versions 50 size 10m;
severity dynamic;
print-category yes;
print-time yes;
};
category default { default_log; };
category config { default_log; };
category xfer-in { audit_log; };
category xfer-out { audit_log; };
category notify { audit_log; };
category update { audit_log; };
};
zone "." IN {
type hint;
file "named.ca";
};
include "/etc/named.rfc1912.zones";
include "/etc/named/forward/internal.conf";
include "/etc/named/reverse/internal.conf";


----------------------------------------------
$TTL 3D
@ IN SOA dns1.mydomain.com. hostmaster.mydomain.com. (
2012042004 ; serial
1D ; refresh
1H ; retry
1W ; expire
9H ) ; minimum
NS dns1.mydomain.com.
A 192.168.0.125
AAAA ::1
IN A 192.168.0.28
felsaasrv IN A 192.168.0.4
tlsnfssrv IN A 192.168.0.20


dnsp IN A 192.168.0.28
wwww IN A 192.168.0.30
dns1 IN A 192.168.0.22
dns2 IN A 192.168.0.52
srv IN A 192.168.0.125
dnsp4 IN CNAME dns1.
s91066 IN CNAME dns1.

[/code]

Now, notice the log file:
[code]
20-Apr-2012 14:29:40.728 general: received control channel command 'reload mydomain.com'
20-Apr-2012 14:29:40.729 general: zone mydomain.com/IN: loaded serial 2012042004
20-Apr-2012 14:30:59.579 general: received control channel command 'reload'
20-Apr-2012 14:30:59.579 general: loading configuration from '/etc/named.conf'
20-Apr-2012 14:30:59.580 general: reading built-in trusted keys from file '/etc/named.iscdlv.key'
20-Apr-2012 14:30:59.581 general: using default UDP/IPv4 port range: [1024, 65535]
20-Apr-2012 14:30:59.581 general: using default UDP/IPv6 port range: [1024, 65535]
20-Apr-2012 14:30:59.588 security: using built-in trusted-keys for view _default
20-Apr-2012 14:30:59.594 general: reloading configuration succeeded
20-Apr-2012 14:30:59.595 general: reloading zones succeeded
[/code]

As you can see, there are NO notify commands towards the slave DNS.

On the slave server, the configuration is:
[code]
masters "primary" {192.168.0.28;};
acl my_master {192.168.0.28;};
options
{
allow-transfer { none; };
allow-notify { my_master; };

// Put files that named is allowed to write in the data/ directory:
directory "/var/named"; // the default
dump-file "data/cache_dump.db";
statistics-file "data/named_stats.txt";
memstatistics-file "data/named_mem_stats.txt";
//Prevent asking for BIND related data.
version "Not available";
hostname none;
server-id none;
};
logging
{
channel default_debug {
file "data/named.run";
severity dynamic;
};
channel default_log {
// Send the security related messages to a separate file.
file "/var/log/named-messages.log" versions 50 size 10m;
severity dynamic;
print-category yes;
print-time yes;
};
channel audit_log {
// Send the security related messages to a separate file.
file "/var/log/named-audit.log" versions 50 size 10m;
severity dynamic;
print-category yes;
print-time yes;
};
category default { default_log; };
category config { default_log; };
category xfer-in { audit_log; };
category xfer-out { audit_log; };
category notify { audit_log; };
category update { audit_log; };
};

view "internal"
{
match-clients { localnets; };
match-destinations { localnets; };
recursion yes;
include "/etc/named.root.hints";

include "/etc/forward/internal.conf";
include "/etc/reverse/internal.conf";
};

key mydomain.com {
algorithm hmac-md5;
secret "BbS65fFm+CdZJnFwHfHf61MIDXHvUT+zSOdgGpsGZXHgzotti5el/mLDqjNcnCpIhuFeJTybFIpVbAm0HKk65A==";
};

server 192.168.0.28 {
keys { mydomain.com.;};
};

view "external"
{
match-clients { any; };
match-destinations { any; };
recursion no;
allow-query-cache { none; };
include "/etc/named.root.hints";
};
[/code]

What am I missing? :-? :-? :-? :-?

s91066
Posts: 12
Joined: 2011/12/01 09:41:40

Re: Bind 9.7 does not notify slaves

Post by s91066 » 2012/04/23 06:08:33

Almost 200 reads and no answer...
Anyway, I wanted to be sure that the problem is only on the notify mechanism, so I used the notify-also mechanism.
It worked great. So, either a bug, or the NOTIFY mechanism cannot work with hidden master.

We will see.

pschaff
Retired Moderator
Posts: 18276
Joined: 2006/12/13 20:15:34
Location: Tidewater, Virginia, North America

Bind 9.7 does not notify slaves

Post by pschaff » 2012/04/23 14:51:51

[quote]
s91066 wrote:
Almost 200 reads and no answer...
...[/quote]
Would not want you to go without an answer. Wish I had a useful one. :-)

Apparently your issue is too esoteric for most people here. It certainly is for me. Good luck and let us know how it goes.

northerngit
Posts: 2
Joined: 2013/12/03 11:17:30

Re: Bind 9.7 does not notify slaves

Post by northerngit » 2014/04/17 17:03:24

[quote]
s91066 wrote:
Almost 200 reads and no answer...
Anyway, I wanted to be sure that the problem is only on the notify mechanism, so I used the notify-also mechanism.
It worked great. So, either a bug, or the NOTIFY mechanism cannot work with hidden master.

We will see.
[/quote]
I understand this is an old thread, but having recently experienced the same issue, I thought I'd respond.

To resolve my particular problem, I had to include the following in named.conf, in the options block. You can obviously restrict this per zone.

[code]
allow-transfer { 172.19.0.4; };
also-notify { 172.19.0.4; };
[/code]

NOTIFY explicitly updates the authoritative NS for the zone (excluding the SOA for the zone); my secondary's external address was routed behind a NAT firewall, but available on the local subnet. Adding the above saw slave zones updating without issue.

http://www.zytrax.com/books/dns/ch7/xfer.html#notify

James
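As an added illustration (not part of this thread), the following Python script applies the rule James describes, that BIND's default NOTIFY list is the zone's NS records minus the name in the SOA MNAME field, plus anything in also-notify, to a constructed zone modelled on the one posted in the first message. The function and variable names are hypothetical, and the parser handles only the record shapes that zone uses.

```python
import re
ORIGIN = "mydomain.com."
# Constructed sample modelled on the zone posted in the first message: the only
# NS record is dns1, dns1 is also the SOA MNAME, and dns1 resolves to the slave.
SAMPLE_ZONE = """\
$TTL 3D
@    IN SOA dns1.mydomain.com. hostmaster.mydomain.com. (
         2012042004 ; serial
         1D 1H 1W 9H )
     NS   dns1.mydomain.com.
     A    192.168.0.28
dnsp IN A 192.168.0.28
dns1 IN A 192.168.0.22
"""
# Same zone with the MNAME naming the hidden master (dnsp) instead of the slave.
FIXED_ZONE = SAMPLE_ZONE.replace("SOA dns1.", "SOA dnsp.")

def fqdn(name, origin):
    # Expand '@' and relative owner names to fully qualified form.
    if name == "@":
        return origin
    return name if name.endswith(".") else f"{name}.{origin}"

def parse_zone(text, origin=ORIGIN):
    """Return (soa_mname, [ns names], {owner: [A addresses]}) for a minimal zone."""
    text = re.sub(r";[^\n]*", "", text)                         # drop comments
    text = re.sub(r"\([^)]*\)", lambda m: m.group(0).replace("\n", " "), text)
    mname, ns, addrs, owner = None, [], {}, origin
    for line in text.splitlines():
        if not line.strip() or line.startswith("$"):
            continue
        toks = line.split()
        if not line[0].isspace():                                # explicit owner
            owner = fqdn(toks.pop(0), origin)
        while toks and (toks[0].upper() == "IN" or re.fullmatch(r"\d+[smhdwSMHDW]?", toks[0])):
            toks.pop(0)                                          # skip class / TTL
        rtype, rdata = toks[0].upper(), toks[1:]
        if rtype == "SOA":
            mname = fqdn(rdata[0], origin)
        elif rtype == "NS":
            ns.append(fqdn(rdata[0], origin))
        elif rtype == "A":
            addrs.setdefault(owner, []).append(rdata[0])
    return mname, ns, addrs

def notify_targets(zone_text, also_notify=(), origin=ORIGIN):
    """Default NOTIFY recipients: every NS except the SOA MNAME, plus also-notify."""
    mname, ns, addrs = parse_zone(zone_text, origin)
    targets = {ip for name in ns if name != mname for ip in addrs.get(name, [])}
    return targets | set(also_notify)
```

For the posted zone the sole NS (dns1) is also the SOA MNAME and resolves to 192.168.0.22, the slave, so the computed default NOTIFY list is empty; listing the slave in also-notify, as James did, or naming the hidden master in the MNAME field, both yield 192.168.0.22 as a target.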
