DNSSEC Secondary Nameserver

Found if I restart named on master, the transfer of update works.

 

I do have the IP in the "Allow zone transfers..." on the Zone settings tab.

 

Hang on. Looks like restarting bind on both machines has cleared up the issue. Continuing to test, but the changes are being replicated. I'll post procedures after a couple more zone migrations.

 

Made progress and got the first slave server configured with all zones transferred. Now running into an issue on the 2nd slave server. I can get the zone config file to transfer to named.config.local, but the zone file does not transfer from the master. The config file does indicate it's a slave and has the correct IP for the master.

I've set both the master and the slave in debug mode but there no errors.

Any suggestions?

 

I just stumbled on why the zones aren't transferring. The zone config files on the 2nd slave are not the same as on the 1st slave.
On slave 1, the config files show the path and name of the master's file as "file "/etc/bind/sec.domain.name"
On slave 2, the config files show the path and name of the master's file as "file "/etc/bind/domain.name"

If I manually modify the filename to include "sec.domain.name", the zone file transfers.

I've verified the settings for ns3 and ns4 are identical. ns4 is the first server I reconfigured, and it pulls the data and any changes from the master without issue. ns3, the second slave, does not. Here's what I'm seeing on the 2nd slave:

zone "domain.name" {
type slave;
masters {ip of master;};
allow-transfer {none;};
file "/etc/bind/domain.name";
};
notice the file does not include the "sec." prefix.

 

Thanks, Till. I can see where those settings are, but the master is blank for both the master and slave prefixes, yet the prefix on all zones is "pri." On the first slave, the master prefix is ".pri" and "slave/sec" for the slave, as you mentioned. The 2nd slave is blank, and the 3rd slave is also blank.

I don't know why the master prefixes with pri and don't know why some servers are blank. But I'll make them all match and I'm sure that'll resolve the issue.

Thanks for your patience.

 

Thanks, Till. I neglected to add the "." in the post but had it in the CP DNS Config.
I was able to complete the migration from ISPConfig mirror to BIND replication. Because the slave servers were mirrors, there were a couple extra steps involved. I had 3 servers to migrate. I found it easier to change to root with sudo su -. These are the steps taken, one server at a time:
1. Changed "Is mirror of Server" (System | Server Services | Server) to None.
2. Verify the master and slave prefixes are set correctly (System | Server | Services, select the server and check the settings on the DNS tab). As Till mentioned, for master it's pri. and for slaves, it's slave/sec. (see attached file)
3. Logged in to the server and sopped the BIND service (systemctl stop named).
4. Changed to /etc/bind and deleted all the zones identified with pri.domain.name. Leave all other files and the slave dir.
5. Create a Secondary DNS-Zone (DNS | Secondary DNS | Zones) by clicking on Add new Secondary DNS-Zones.

a. Specify the name of the slave server for Server: (it'll now be available after removing it from ISPConfig mirroring per step 1).
b. Select Client
c. Enter the IP of the master under NS (IP-address).
d. Leave Allow zone transfers.. blank.​

6. On the slave server, restart BIND (systemctl start named, or rndc refresh).
7. Change to /etc/bind/slave and verify the zones have populated.
8. Repeat on next slave if you have more than one.

That's what worked for me. Hope it helps.

 

Addendum:
For each DNS Zone, be sure to add the slave IP(s) to the master to allow transfers from the master to the slave. Go to DNS | Zones and open the DNS Zone name. Click on the Zone settings tab and add the slave IP to the Allow zone transfers to these IPs. This, and the creation of the secondary zone will need to be done for each zone. If there are multiple slaves, the secondary zones need to be created on each slave server.
\