DNS Master Slave setup


Postby bbecken » 2006/06/27 16:05:59

I have two servers running bind 9.2.x and I cannot get the primary to do a zone transfer to the secondary. I have posted the errors below.

I think the issue is related to the fact that both servers have multiple IP addresses bound, which I address using a "transfer-source" statement on the slave server.

Both servers are on the same network, no firewalls currently running.

Actual IPs and domain names changed.

Note:
.1 is the master server
.97 is the slave server

Here's the error I get on the master.
Jun 27 10:28:51.606 security: error: client ::ffff:xxx.xxx.xxx.97#40136: zone transfer 'domain.org/IN' denied

Here's the error I get on the slave.
Jun 27 10:28:51.579 xfer-in: error: transfer of 'domain.org/IN' from xxx.xxx.xxx.1#53: failed while receiving responses: REFUSED
Jun 27 10:28:51.579 xfer-in: info: transfer of 'domain.org/IN' from xxx.xxx.xxx.1#53: end of transfer


What do I need to change to get rid of this error?


(IP address xxx.xxx.xxx.1)
Here is the master nameserver's named.conf:
options {
directory "/var/lib/named";
dump-file "/var/log/named_dump.db";
zone-statistics yes;
statistics-file "/var/log/named.stats";
allow-transfer { xxx.xxx.xxx.1; xxx.xxx.xxx.97; };
listen-on port 53 { 127.0.0.1; xxx.xxx.xxx.1; };
listen-on-v6 { any; };
notify yes;
allow-recursion { 127.0.0.1; xxx.xxx.xxx.0/24; };
recursion yes;
};

key "zonetransfer" {
algorithm hmac-md5;
secret "XXXXXXXXXXXX";
};

# allow zone xfers from authorized Secondary DNS servers
server xxx.xxx.xxx.97 {
transfers 100;
};

zone "domain.org" in {
type master;
file "master/domain.org.zone";
};


================================
(IP address xxx.xxx.xxx.97)
Slave server named.conf:
options {
directory "/var/named";
dump-file "/var/named/data/cache_dump.db";
statistics-file "/var/named/data/named_stats.txt";
version "not currently available";
allow-notify { xxx.xxx.xxx.1; };
allow-transfer { xxx.xxx.xxx.1; xxx.xxx.xxx.97; };
transfer-source xxx.xxx.xxx.97;
allow-recursion { xxx.xxx.xxx.0/24; };
};

////////////////////////////
zone "domain.org" in {
type slave;
file "slave/domain.org.zone";
masters { xxx.xxx.xxx.1; };
};
bbecken
 
Posts: 7
Joined: 2006/06/27 15:31:26
Location: Missouri, USA
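Added here as an example (not code from the thread): a small triage helper that parses the "zone transfer ... denied" line quoted above, converts an IPv4-mapped client address (the ::ffff: prefix marks an IPv4 client seen through the IPv6 socket) to its plain IPv4 form, and evaluates it against an allow-transfer list the way named.conf address-match lists work (first match wins, "!" negates, "any"/"none"). The sample log lines and the 192.0.2.0/24 addresses are constructed stand-ins for the thread's masked ones.

```python
import ipaddress
import re

# Constructed sample lines in the format BIND 9.2 writes: the master's "security"
# channel, then the slave's "xfer-in" channel (192.0.2.1 = master, .97 = slave).
SAMPLE_LOG = """\
Jun 27 10:28:51.606 security: error: client ::ffff:192.0.2.97#40136: zone transfer 'domain.org/IN' denied
Jun 27 10:28:51.579 xfer-in: error: transfer of 'domain.org/IN' from 192.0.2.1#53: failed while receiving responses: REFUSED
"""

# The "zone transfer ... denied" line: client address, source port, zone name.
DENIED_RE = re.compile(r"client (?P<addr>[0-9A-Fa-f:.]+)#\d+: zone transfer '(?P<zone>[^'/]+)/IN' denied")

def normalize_client(addr: str) -> str:
    """::ffff:a.b.c.d is an IPv4-mapped IPv6 address, which is how an IPv4 client
    is logged when it arrives on the IPv6 listener; compare it as plain a.b.c.d."""
    ip = ipaddress.ip_address(addr)
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        return str(ip.ipv4_mapped)
    return str(ip)

def acl_allows(acl: list[str], addr: str) -> bool:
    """Evaluate a named.conf address-match list: first match wins, '!' negates,
    'any' matches everything, 'none' matches nothing, no match means deny."""
    ip = ipaddress.ip_address(normalize_client(addr))
    for entry in acl:
        negate = entry.startswith("!")
        pattern = entry.lstrip("!").strip()
        if pattern == "any":
            hit = True
        elif pattern == "none":
            hit = False
        else:
            hit = ip in ipaddress.ip_network(pattern, strict=False)
        if hit:
            return not negate
    return False

def triage(log_text: str, allow_transfer: list[str]) -> list[dict]:
    """For each denied transfer, report whether allow-transfer as written covers the client."""
    findings = []
    for line in log_text.splitlines():
        m = DENIED_RE.search(line)
        if m:
            client = normalize_client(m["addr"])
            findings.append({"zone": m["zone"], "client": client,
                             "ipv4_mapped": client != m["addr"],
                             "acl_covers_client": acl_allows(allow_transfer, client)})
    return findings
```

When the list as written already covers the client, the refusal is not a typo in that ACL, so compare the file you edited with the configuration the running named actually loaded before looking further.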

Re: DNS Master Slave setup

Postby rapo1 » 2006/06/28 16:31:45

Dear bbecken,

do you have the key "zonetransfer" in your named.conf of your slave dns?
rapo1
 
Posts: 27
Joined: 2006/06/20 11:43:02
Location: Munich

Re: DNS Master Slave setup

Postby bbecken » 2006/06/28 21:38:53

No, I did not have the zonetransfer key in the secondary's named.conf. I copied it over and restarted named on both servers.

I got the same error.

master:
Jun 28 16:29:31.129 security: error: client ::ffff:xxx.xxx.xxx.97#56729: zone transfer 'domain.org/IN' denied


slave:
Jun 28 16:29:31.150 xfer-in: error: transfer of 'domain.org/IN' from xxx.xxx.xxx.1#53: failed while receiving responses: REFUSED
bbecken

Re: DNS Master Slave setup

Postby rapo1 » 2006/06/29 07:47:01

Dear bbecken,

sorry, it was my fault. The key has nothing to do with it (I was a bit tired yesterday). I tried the settings you posted and it works well. Could it be that you forgot to change the owner on the directory /var/named to root:named with the permissions 775 and the owner of the zone files to named:named? With these settings it works fine on my system.

If it still doesn't work I'll post you my test files of the named.conf and of my zones.

with best regards

rapo1

Edit:
Of course the permissions can be set lower to read and write only, 660 (others do not need to do anything with these files).
And maybe think about running your DNS in a chroot environment.
rapo1

Re: DNS Master Slave setup

Postby bbecken » 2006/06/29 12:25:42

I don't think it's the permissions, but I may be wrong.

Here are the current permissions:

[root@mx1 named]# ls -la /var/named
total 56
drwxrwxr-x 6 root named 4096 Jun 27 08:37 .
drwxr-xr-x 22 root root 4096 Jun 22 11:15 ..
drwxrwx--- 2 named named 4096 Jun 26 17:18 data
-rw-r--r-- 1 named named 198 Feb 21 2005 localdomain.zone
-rw-r--r-- 1 named named 195 Feb 21 2005 localhost.zone
drwxr-xr-x 2 named named 4096 Jun 29 07:18 log
drwxr-xr-x 2 named named 4096 Jun 26 15:02 master
-rw-r--r-- 1 named named 415 Feb 21 2005 named.broadcast
-rw-r--r-- 1 named named 2518 Feb 21 2005 named.ca
-rw-r--r-- 1 named named 432 Feb 21 2005 named.ip6.local
-rw-r--r-- 1 named named 433 Feb 21 2005 named.local
-rw-r--r-- 1 named named 416 Feb 21 2005 named.zero
drwxr-xr-x 2 named named 4096 Jun 28 21:21 slave
bbecken

Re: DNS Master Slave setup

Postby rapo1 » 2006/06/29 12:53:32

OK, the permissions look right (if these are the ones of the slave DNS).
The only thing that is different from my setup is:

drwxr-xr-x 22 root root 4096 ...
I have:
drwxr-xr-x root named

Here are my settings (I only made the zone 192.168.0.0/24 to have a slave DNS server):

// Slave nameserver for testnetz.test ; IP 192.168.0.100
// and zone 0.168.192

options {
directory "/var/named";
allow-notify { 192.168.0.1; };
allow-transfer { 192.168.0.1; 192.168.0.100; };
transfer-source 192.168.0.100;
allow-recursion { 192.168.0.0/24; };
};

zone "testnetz.test" IN {
type slave;
file "testnetz.test.slave";
masters { 192.168.0.1; };
};

zone "0.168.192.in-addr.arpa" IN {
type slave;
file "0.168.192.slave";
masters {192.168.0.1; };
};

----------------------------------------------------------------------

# named configuration file /etc/named.conf
# DNS server IP: 192.168.0.1; name: server.testnetz.test

include "/etc/rndc.key";

acl "lan" { 192.168.0.0/21; 127.0.0.1;};

options {
directory "/var/named";
allow-query { "lan";};
allow-transfer { 192.168.0.1; 192.168.0.100; };
};

controls {
inet 127.0.0.1 port 953 allow { 127.0.0.1; 192.168.0.1; 192.168.1.1; 192.168.2.1; 192.168.3.1; } keys { "rndckey"; };
};

// new for slave-dns
server 192.168.0.100 {
transfers 100;
};
// end

zone "testnetz.test" {
type master;
file "testnetz.test";
allow-update { "lan";};
notify yes; // new
};

zone "0.168.192.in-addr.arpa" {
type master;
file "0.168.192";
allow-update { "lan";};
notify yes; // new
};

----------------------------------------------------
rapo1

Re: DNS Master Slave setup

Postby rapo1 » 2006/06/29 16:10:58

Dear bbecken,

call me blind and stupid - but now (after rereading and rereading your posts) I know your problem!

You try to update the master from the slave and, of course, that can't work. If you do it the way I posted before, you'll have a real master and a real slave DNS server.

If you want to have two DNS servers for your net you have to change /etc/dhcpd.conf (put in the second DNS server).


with best regards

rapo1

Re: DNS Master Slave setup

Postby bbecken » 2006/06/30 16:15:08

Ugh... I still cannot see what needs to be done. Here's the whole ball of wax with configs.

Error on Master server:
Jun 30 11:10:38.681 security: error: client ::ffff:208.35.133.97#59987: zone transfer 'wonca2004.org/IN' denied

Error on Slave server:
Jun 30 11:10:38.701 xfer-in: info: transfer of 'wonca2004.org/IN' from 208.35.133.1#53: end of transfer

---------------
### Begin Master cfg
#
# /etc/named.conf
# Primary 208.35.133.1
#
include "/etc/named.conf.include";

acl "master" { 208.35.133.1; };
acl "slave" { 208.35.133.97; };

options {
directory "/var/lib/named";
dump-file "/var/log/named_dump.db";
version "not currently available";
allow-query { any; };
allow-transfer { "master"; "slave"; };
listen-on port 53 { 127.0.0.1; 208.35.133.1; };
listen-on-v6 { any; };
notify yes;
allow-recursion { 127.0.0.1; 208.35.133.0/24; };
recursion yes;
};

controls {
inet 127.0.0.1 port 953 allow {127.0.0.1; 208.35.133.1; } keys {"rndc-key";};
};

include "/etc/rndc.key";

# definition of the root nameservers
zone "." IN {
type hint;
file "root.hint";
};

# define the localhost
zone "localhost" IN {
type master;
file "localhost.zone";
};

# Define reverse lookup for localhost
zone "0.0.127.in-addr.arpa" IN {
type master;
file "127.0.0.zone";
};
# allow zone xfers from authorized Slave DNS servers
server 208.35.133.97 {
transfers 100;
};

zone "133.35.208.in-addr.arpa" IN {
type master;
file "master/208.35.133.zone";
};
zone "38.168.65.in-addr.arpa" IN {
type master;
file "master/65.168.38.zone";
};
zone "234.173.65.in-addr.arpa" IN {
type master;
file "master/65.173.234.zone";
};
zone "wonca2004.org" IN {
type master;
file "master/wonca2004.org.zone";
allow-update { 208.35.133.0/24; 127.0.0.1; };
notify yes;
};


### End Master cfg
# rndc status <- on Master server
number of zones: 53
debug level: 0
xfers running: 0
xfers deferred: 0
soa queries in progress: 0
query logging is OFF
server is up and running

# ls -la /var/lib/named
total 48
drwxr-xr-x 9 root root 4096 Jun 27 09:01 .
drwxr-xr-x 32 root root 4096 May 23 09:02 ..
-rw-r--r-- 1 root root 192 Nov 29 2005 127.0.0.zone
drwxr-xr-x 2 root root 4096 Jun 26 14:06 dev
drwxr-xr-x 2 named named 4096 Nov 29 2005 dyn
drwxr-xr-x 3 root root 4096 Nov 29 2005 etc
-rw-r--r-- 1 root root 158 Nov 29 2005 localhost.zone
drwxr-xr-x 2 named named 4096 Jun 30 11:08 log
drwxr-xr-x 2 named named 4096 Jun 30 10:34 master
-rw-r--r-- 1 root root 2517 Nov 29 2005 root.hint
drwxr-xr-x 3 named named 4096 Jun 15 14:34 slave
drwxr-xr-x 4 root root 4096 May 10 17:23 var

# ls -la /var/lib/named/master
drwxr-xr-x 2 named named 4096 Jun 30 10:34 .
drwxr-xr-x 9 root root 4096 Jun 27 09:01 ..
-rw------- 1 named named 2400 Jun 27 11:36 208.35.133.zone

-rw------- 1 named named 453 Jun 15 11:06 wonca2004.org.zone



### Begin Slave cfg

#
# /etc/named.conf
# Slave nameserver configuration 208.35.133.97
#

acl "master" { 208.35.133.1; };
acl "slave" { 208.35.133.97; };

options {
directory "/var/named";
allow-notify { 208.35.133.1; };
transfer-source 208.35.133.97;
allow-recursion { 208.35.133.0/24; };
version "not currently available";
statistics-file "/var/named/data/named_stats.txt";
dump-file "/var/named/data/cache_dump.db";
};

controls {
inet 127.0.0.1 allow { localhost; } keys { rndckey; };
};

include "/etc/rndc.key";

zone "." IN {
type hint;
file "named.ca";
};

zone "localdomain" IN {
type master;
file "localdomain.zone";
allow-update { none; };
};

zone "localhost" IN {
type master;
file "localhost.zone";
allow-update { none; };
};


zone "0.0.127.in-addr.arpa" IN {
type master;
file "named.local";
allow-update { none; };
};

zone "0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa" IN {
type master;
file "named.ip6.local";
allow-update { none; };
};

zone "255.in-addr.arpa" IN {
type master;
file "named.broadcast";
allow-update { none; };
};

zone "0.in-addr.arpa" IN {
type master;
file "named.zero";
allow-update { none; };
};

zone "133.35.208.in-addr.arpa" IN {
type slave;
file "slave/208.35.133.zone";
masters { 208.35.133.1; };
};

zone "wonca2004.org" IN {
type slave;
file "slave/wonca2004.org.zone";
masters { 208.35.133.1; };

};

### End Slave cfg

rndc status of slave server.
rndc status
number of zones: 57
debug level: 0
xfers running: 0
xfers deferred: 0
soa queries in progress: 0
query logging is OFF
server is up and running


# ls -la /var/named
total 56
drwxr-xr-x 6 root named 4096 Jun 27 08:37 .
drwxr-xr-x 22 root named 4096 Jun 22 11:15 ..
drwxrwx--- 2 named named 4096 Jun 26 17:18 data
-rw-r--r-- 1 named named 198 Feb 21 2005 localdomain.zone
-rw-r--r-- 1 named named 195 Feb 21 2005 localhost.zone
drwxr-xr-x 2 named named 4096 Jun 30 11:09 log
drwxr-xr-x 2 named named 4096 Jun 26 15:02 master
-rw-r--r-- 1 named named 415 Feb 21 2005 named.broadcast
-rw-r--r-- 1 named named 2518 Feb 21 2005 named.ca
-rw-r--r-- 1 named named 432 Feb 21 2005 named.ip6.local
-rw-r--r-- 1 named named 433 Feb 21 2005 named.local
-rw-r--r-- 1 named named 416 Feb 21 2005 named.zero
drwxr-xr-x 2 named named 4096 Jun 29 12:08 slave


# ls -la /var/named/slave
total 212
drwxr-xr-x 2 named named 4096 Jun 29 12:08 .
drwxr-xr-x 6 root named 4096 Jun 27 08:37 ..
-rw------- 1 named named 2400 Jun 30 10:27 208.35.133.zone
bbecken

Re: DNS Master Slave setup

Postby rapo1 » 2006/07/03 13:13:10

OK, let's make another try :-)

In your master cfg of named.conf you have (include "/etc/named.conf.include";). Is there anything in this file?

Is the file /var/named/slave/208.35.133.zone on your slave DNS created automatically?

Can you post the messages created during a restart of the two DNS servers? Stop both servers, then start the master first; when it is running, start the slave.
rapo1

Re: DNS Master Slave setup

Postby bbecken » 2006/07/03 16:41:15

Master: /etc/named.conf.include is empty
-rw-r--r-- 1 root named 0 Jun 30 16:01 named.conf.include


If I delete the slave server's /var/named/slave/208.35.133.zone and restart named, the zone file is NOT re-created.

Master (slave is currently shut down)
/etc/init.d/named restart
Jul 03 11:34:35.237 general: info: shutting down: flushing changes
Jul 03 11:34:35.238 general: notice: stopping command channel on 127.0.0.1#953
Jul 03 11:34:35.238 network: info: no longer listening on ::#53
Jul 03 11:34:35.238 network: info: no longer listening on 127.0.0.1#53
Jul 03 11:34:35.238 network: info: no longer listening on 208.35.133.1#53
Jul 03 11:34:35.275 general: notice: exiting
Jul 03 11:34:36.041 general: info: zone 0.0.127.in-addr.arpa/IN: loaded serial 42
Jul 03 11:34:36.045 general: info: zone 133.35.208.in-addr.arpa/IN: loaded serial 2006062601
Jul 03 11:34:36.125 general: info: zone wonca2004.org/IN: loaded serial 2006042501
Jul 03 11:34:36.127 general: info: running

Slave (Master is started)
/etc/init.d/named start
Jul 03 11:34:39.376 notify: info: zone 133.35.208.in-addr.arpa/IN: sending notifies (serial 2006062601)
Jul 03 11:34:39.879 notify: info: received notify for zone '133.35.208.in-addr.arpa'
Jul 03 11:34:41.892 xfer-in: error: transfer of 'wonca2004.org/IN' from 208.35.133.1#53: failed while receiving responses: REFUSED
Jul 03 11:34:41.892 xfer-in: info: transfer of 'wonca2004.org/IN' from 208.35.133.1#53: end of transfer

Two questions:
1) what about rndc... does the key have to be the same on each server?
2) Are we still looking at a permissions issue?
bbecken