
BIND upgrade and subsequent zone transfer issues


Robert Gahl

Nov 14, 2001, 2:25:49 PM

I'm in the process of adding a secondary DNS within our private network. I
dl'd and installed Bind 9.2.0 rc9 on the "new" internal secondary.

I have bind 9.1.x running successfully externally, so I'm pretty sure I
have the zone files and named.conf configured correctly, but of course, I'm
not 100% confident. Our master DNS server inside our private network is
running 8.2 from our Redhat distribution (soon to be upgraded once I get
the secondary up).

When I start the slave, the reverse zone files transfer just fine. But, the
forward files generate the following errors in my log files:

Nov 14 11:24:50 dhcp-231 named[15781]: zone zone.fireclick.com/IN: refresh:
unexpected rcode (NXDOMAIN) from master 192.168.254.1#53
Nov 14 11:24:50 dhcp-231 named[15781]: zone zone.eng.fireclick.com/IN:
refresh:unexpected rcode (NXDOMAIN) from master 192.168.11.33#53
Nov 14 11:24:50 dhcp-231 named[15781]: zone zone.qa.fireclick.com/IN:
refresh: unexpected rcode (SERVFAIL) from master 192.168.0.2#53

(granted, there are other "masters" in our network, but solving one will
probably solve the problem with the others, who are running who-knows what
version of bind at this point).

Here is my named.conf file on the slave:

>// DNS clients at fireclick.com
>acl "trusted" {
> localhost;
> 208.45.103.16/29; // Hosts at Fireclick Corporate (external)
> 63.146.119.64/26; // Hosts at Qwest Cabinet
> 64.210.184.128/28; // Hosts at Exodus
> 65.200.204.0/26; // Hosts at UUNet
> 192.168.0.0/24; // All 0 net (QA)
> 192.168.6.0/24; // All 6 net (ENG)
> 192.168.11.0/24; // All 24 net (ENG)
> 192.168.17.0/24; // All 17 net (VPN)
>};
>
>// Official zone transfer hosts
>acl "fireclick-xfer" {
> 192.168.254.0/24; // Hosts at Fireclick Corporate
> 192.168.0.0/24; // All 0 net (QA)
> 192.168.11.0/24; // All 11 net (ENG)
> 192.168.17.0/24; // All 17 net (VPN)
> 63.145.119.64/26; // Hosts at Qwest
> 64.210.184.128/28; // Hosts at Exodus
> 65.200.204.0/26; // Hosts at UUNet
>};
>
>// Known fake source addresses shouldn't be replied to.
>// For external queries, these should be blocked by Fireclick's
>// border router.
>
>acl "bogon" {
> 0.0.0.0/8; // Null address
> 1.0.0.0/8; // IANA reserved, popular fake
> 2.0.0.0/8;
> 192.0.2.0/24; // Test address
> 224.0.0.0/3; // Multicast address
> // Enterprise networks may or may not be bogus
> 10.0.0.0/8;
> 172.16.0.0/12;
>// 192.168.0.0/16; // Potential conflict with QA IPs - commented out
>};
>
>options {
> directory "/etc/dns";
> pid-file "/var/log/named.pid";
> listen-on { 127.0.0.1; 192.168.254.231; };
> /*
> * If there is a firewall between you and nameservers you want
> * to talk to, you might need to uncomment the query-source
> * directive below. Previous versions of BIND always asked
> * questions using port 53, but BIND 8.1 uses an unprivileged
> * port by default.
> */
> query-source address * port 53;
> allow-query {
> trusted;
> };
> allow-transfer {
> none;
> };
>};
>
>//
>// View settings are mandatory for each class
>//
>view "internal" in {
> match-clients { any; };
>
> // Bootstrap the root.
>
> zone "." in {
> type hint;
> file "root.cache";
> };
>
> // 127.0.0.0/24 - The loopback network
>
> zone "0.0.127.in-addr.arpa" {
> type master;
> file "zone.127.0.0";
> allow-query {
> trusted;
> };
> // Every DNS server should be a master
> // for 127.0.0.0/24
> allow-transfer {
> none;
> };
> };
>
> zone "168.192.in-addr.arpa" {
> type slave;
> file "slave/zone.192.168";
> masters {
> 192.168.254.1;
> };
> allow-query {
> trusted;
> };
> allow-transfer {
> localhost;
> fireclick-xfer;
> };
> };
>
> zone "254.168.192.in-addr.arpa" {
> type slave;
> file "slave/zone.192.168.254";
> masters {
> 192.168.254.1;
> };
> allow-query {
> trusted;
> };
> allow-transfer {
> localhost;
> fireclick-xfer;
> };
> };
>
> zone "17.168.192.in-addr.arpa" {
> type slave;
> file "slave/zone.192.168.17";
> masters {
> 192.168.254.1;
> };
> allow-query {
> trusted;
> };
> allow-transfer {
> localhost;
> fireclick-xfer;
> };
> };
>
> zone "11.168.192.in-addr.arpa" {
> type slave;
> file "slave/zone.192.168.11";
> masters {
> 192.168.11.33;
> };
> allow-query {
> trusted;
> };
> allow-transfer {
> localhost;
> fireclick-xfer;
> };
> };
>
> zone "6.168.192.in-addr.arpa" {
> type slave;
> file "slave/zone.192.168.6";
> masters {
> 192.168.11.33;
> };
> allow-query {
> trusted;
> };
> allow-transfer {
> localhost;
> fireclick-xfer;
> };
> };
>
> zone "0.168.192.in-addr.arpa" {
> type slave;
> file "slave/zone.192.168.0";
> masters {
> 192.168.0.2;
> };
> allow-query {
> trusted;
> };
> allow-transfer {
> localhost;
> fireclick-xfer;
> };
> };
>
> zone "zone.fireclick.com" {
> type slave;
> file "slave/zone.fireclick.com";
> masters {
> 192.168.254.1;
> };
> allow-query {
> trusted;
> };
> allow-transfer {
> localhost;
> fireclick-xfer;
> };
> };
>
> zone "zone.eng.fireclick.com" {
> type slave;
> file "slave/zone.eng.fireclick.com";
> masters {
> 192.168.11.33;
> };
> allow-query {
> trusted;
> };
> allow-transfer {
> localhost;
> fireclick-xfer;
> };
> };
>
> zone "zone.qa.fireclick.com" {
> type slave;
> file "slave/zone.qa.fireclick.com";
> masters {
> 192.168.0.2;
> };
> allow-query {
> trusted;
> };
> allow-transfer {
> localhost;
> fireclick-xfer;
> };
> };
>};
>
>view "chaos" chaos {
>
> match-clients { !127.0.0.1; !trusted; any; };
> allow-query { none; };
>
> // Bootstrap the root.
>
> zone "." chaos {
> type hint;
> file "/dev/null";
> };
>
> // Control access to BIND version number to
> // users at fireclick.com only.
> // Ref: BUGTRAQ posting from LaMont Jones
> // <lam...@CRANSTON.FC.HP.COM> on 1998-06-12.
> zone "bind" chaos {
> type master;
> file "master/bind";
> allow-query {
> trusted;
> };
> allow-transfer {
> none;
> };
> };
>};

Any ideas what I'm doing wrong or what the problem might be?

===
Bob Gahl Bicycle (Ryan Vanguard) Mobile || @
ARPA/Internet: bg...@bawcsa.org || !_ \
URL: http://www.bawcsa.org/bgahl/ || (*)-~--+--(*)
"Sahn joong moe low ful how jee yah ching wong" - "When the
mountain has no tigers, the monkey will also declare himself
king." Chinese Proverb


Barry Margolin

Nov 14, 2001, 2:44:09 PM
In article <9sugft$a...@pub3.rc.vix.com>, Robert Gahl <bg...@bawcsa.org> wrote:
>Nov 14 11:24:50 dhcp-231 named[15781]: zone zone.fireclick.com/IN: refresh:
>unexpected rcode (NXDOMAIN) from master 192.168.254.1#53
>Nov 14 11:24:50 dhcp-231 named[15781]: zone zone.eng.fireclick.com/IN:
>refresh:unexpected rcode (NXDOMAIN) from master 192.168.11.33#53
>Nov 14 11:24:50 dhcp-231 named[15781]: zone zone.qa.fireclick.com/IN:
>refresh: unexpected rcode (SERVFAIL) from master 192.168.0.2#53

>> zone "zone.fireclick.com" {
....
>> zone "zone.eng.fireclick.com" {
....
>> zone "zone.qa.fireclick.com" {

The message means that there's no zones with those names on the master
server. Are you sure those shouldn't be:

zone "fireclick.com" {
....
zone "eng.fireclick.com" {
....
zone "qa.fireclick.com" {

--
Barry Margolin, bar...@genuity.net
Genuity, Woburn, MA
*** DON'T SEND TECHNICAL QUESTIONS DIRECTLY TO ME, post them to newsgroups.
Please DON'T copy followups to me -- I'll assume it wasn't posted to the group.
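The diagnosis above (NXDOMAIN on the SOA refresh means the master has no zone by that name) can be checked mechanically before staring at a long named.conf. The script below is an added example, not code from either poster: it parses the "unexpected rcode" refresh lines, extracts every type slave stanza from the slave's named.conf, joins the two, and flags the give-away that bit here, a zone name that is identical to the basename of its zone file. The log lines and the trimmed configuration are constructed from the posted material; the rcode hints are the general meaning of those codes on a SOA query, and the heuristic is mine, not BIND's.

```python
"""Added example: cross-check BIND slave refresh errors against named.conf.
Not from the thread; sample data below is constructed from the posted text."""
import re

# Constructed sample: the three refresh errors from the post, including the
# line that was pasted with no space after "refresh:".
SAMPLE_LOG = """\
Nov 14 11:24:50 dhcp-231 named[15781]: zone zone.fireclick.com/IN: refresh: unexpected rcode (NXDOMAIN) from master 192.168.254.1#53
Nov 14 11:24:50 dhcp-231 named[15781]: zone zone.eng.fireclick.com/IN: refresh:unexpected rcode (NXDOMAIN) from master 192.168.11.33#53
Nov 14 11:24:50 dhcp-231 named[15781]: zone zone.qa.fireclick.com/IN: refresh: unexpected rcode (SERVFAIL) from master 192.168.0.2#53
"""

# Constructed sample: a trimmed named.conf with the same slave stanzas
# (the eng zone is deliberately left out to exercise the "no stanza" path).
SAMPLE_CONF = """\
view "internal" in {
    zone "254.168.192.in-addr.arpa" {
        type slave;
        file "slave/zone.192.168.254";   // file prefix "zone." is only a naming habit
        masters { 192.168.254.1; };
    };
    zone "zone.fireclick.com" {
        type slave;
        file "slave/zone.fireclick.com";
        masters { 192.168.254.1; };
    };
    zone "zone.qa.fireclick.com" {
        type slave;
        file "slave/zone.qa.fireclick.com";
        masters { 192.168.0.2; };
    };
};
"""

# Tolerates the missing space after "refresh:" seen in the posted log.
LOG_RE = re.compile(
    r"zone (?P<zone>\S+)/(?P<klass>\w+): refresh:\s*unexpected rcode "
    r"\((?P<rcode>\w+)\) from master (?P<master>[\d.]+)#(?P<port>\d+)"
)

# General meaning of each rcode on the slave's SOA refresh query.
RCODE_HINTS = {
    "NXDOMAIN": "master is authoritative that this name does not exist: "
                "it serves no zone by this name; compare the zone name with the master's config",
    "SERVFAIL": "master could not answer the SOA query: the zone may not have loaded there, "
                "or the query was rejected for this source address/view",
    "REFUSED": "master refused the query: check allow-query/allow-transfer on the master",
}


def parse_refresh_errors(log_text):
    """Return one dict per 'unexpected rcode' refresh line; other lines are ignored."""
    found = []
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if m:
            d = m.groupdict()
            d["port"] = int(d["port"])
            found.append(d)
    return found


def parse_slave_zones(conf_text):
    """Map zone name -> {'file', 'masters'} for every 'type slave' stanza.
    Strips // and /* */ comments, then matches braces by counting, which is
    sufficient for named.conf once comments are gone."""
    text = re.sub(r"//[^\n]*|/\*.*?\*/", "", conf_text, flags=re.S)
    zones = {}
    for m in re.finditer(r'zone\s+"([^"]+)"[^{]*\{', text):
        name, depth, i = m.group(1), 1, m.end()
        while depth and i < len(text):
            depth += {"{": 1, "}": -1}.get(text[i], 0)
            i += 1
        body = text[m.end():i - 1]
        if not re.search(r"type\s+slave\s*;", body):
            continue
        f = re.search(r'file\s+"([^"]+)"', body)
        ms = re.search(r"masters\s*\{([^}]*)\}", body)
        masters = re.findall(r"[\d.]+", ms.group(1)) if ms else []
        zones[name] = {"file": f.group(1) if f else None, "masters": masters}
    return zones


def diagnose(log_text, conf_text):
    """Join each refresh error with the slave's own stanza and attach hints."""
    zones = parse_slave_zones(conf_text)
    report = []
    for e in parse_refresh_errors(log_text):
        z = zones.get(e["zone"])
        notes = [RCODE_HINTS.get(e["rcode"], "unexpected rcode; check the master's logs")]
        if z is None:
            notes.append("no slave stanza for this zone in named.conf")
        else:
            if e["master"] not in z["masters"]:
                notes.append("master in log is not listed in the stanza's masters")
            # Heuristic (mine): a zone name equal to its file's basename usually
            # means a file-naming prefix such as "zone." leaked into the zone name.
            if z["file"] and z["file"].rsplit("/", 1)[-1] == e["zone"]:
                notes.append("zone name equals the zone file's basename; "
                             "likely a file-name prefix in the zone name")
        report.append({"zone": e["zone"], "master": e["master"],
                       "rcode": e["rcode"], "notes": notes})
    return report


if __name__ == "__main__":
    for r in diagnose(SAMPLE_LOG, SAMPLE_CONF):
        print(f'{r["zone"]} <- {r["master"]} [{r["rcode"]}]')
        for n in r["notes"]:
            print("   -", n)
```

Run it against the real log and the real named.conf in place of the constructed samples; the basename check is only a heuristic, but on the posted configuration it singles out exactly the three forward zones that failed while leaving the in-addr.arpa slaves alone.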

Robert Gahl

Nov 14, 2001, 2:58:00 PM

At 07:39 PM 11/14/2001 +0000, Barry Margolin wrote:
>In article <9sugft$a...@pub3.rc.vix.com>, Robert Gahl <bg...@bawcsa.org>
>wrote:
> >Nov 14 11:24:50 dhcp-231 named[15781]: zone zone.fireclick.com/IN: refresh:
> >unexpected rcode (NXDOMAIN) from master 192.168.254.1#53
> >Nov 14 11:24:50 dhcp-231 named[15781]: zone zone.eng.fireclick.com/IN:
> >refresh:unexpected rcode (NXDOMAIN) from master 192.168.11.33#53
> >Nov 14 11:24:50 dhcp-231 named[15781]: zone zone.qa.fireclick.com/IN:
> >refresh: unexpected rcode (SERVFAIL) from master 192.168.0.2#53
>
> >> zone "zone.fireclick.com" {
>....
> >> zone "zone.eng.fireclick.com" {
>....
> >> zone "zone.qa.fireclick.com" {
>
>The message means that there's no zones with those names on the master
>server. Are you sure those shouldn't be:
>
> zone "fireclick.com" {
>....
> zone "eng.fireclick.com" {
>....
> zone "qa.fireclick.com" {

Yes, sigh :( There it was staring me in the face the entire time. Gads, do
I feel dumb. Thanks, Barry! It's corrected.
