I am experiencing a problem with my slave DNS server. I will try to be thorough in describing the problem. The primary DNS server is working properly, so the websites are accessible. But when I run a dig command against the primary server, this is what I get.

Code:
dig @ns1.xxx.com example.com

; <<>> DiG 9.3.4-P1 <<>> @ns1.xxx.com example.com
; (2 servers found)
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1561
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 0

;; QUESTION SECTION:
;example.com.                   IN      A

;; ANSWER SECTION:
example.com.            86400   IN      A       199.104.xxx.xxx

;; AUTHORITY SECTION:
example.com.            86400   IN      NS      ns1.xxx.net.
example.com.            86400   IN      NS      ns2.xxx.net.

;; Query time: 3 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Wed Jul 21 10:33:47 2010
;; MSG SIZE  rcvd: 95

That looks OK to me. However, when I run a dig command against the secondary DNS server, this is what I get...

Code:
dig @ns2.xxx.com example.com

; <<>> DiG 9.6.2-P2-RedHat-9.6.2-5.P2.fc12 <<>> @ns2.xxx.com example.com
; (2 servers found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 26575
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;example.com.                   IN      A

;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Wed Jul 21 10:36:47 2010
;; MSG SIZE  rcvd: 32

Now, I have checked the named.conf files for both servers and they are the same. The zone files look fine on the slave server, and the slave server is listening on UDP and TCP port 53 at 127.0.0.1 and the local IP of the server. Here is the part I don't understand. If I run a dig command for google.com against the slave server, it responds correctly. So I believe that BIND is working the way it should, just not for the domains that it is supposed to be authoritative for. Can anyone point me in the right direction on this?
The plot thickens. In /var/log/messages, beginning at about 8 AM today, I see a log of a request sent about once every second to the secondary name server. Here is a portion of the log.

Code:
Jul 21 15:49:36 k2 named[19260]: client 83.145.214.81#49626: query (cache) './NS/IN' denied
Jul 21 15:49:37 k2 named[19260]: client 83.145.214.81#2418: query (cache) './NS/IN' denied
Jul 21 15:49:37 k2 named[19260]: client 83.145.214.81#36781: query (cache) './NS/IN' denied
Jul 21 15:49:38 k2 named[19260]: client 83.145.214.81#18753: query (cache) './NS/IN' denied
Jul 21 15:49:39 k2 named[19260]: client 83.145.214.81#19434: query (cache) './NS/IN' denied
Jul 21 15:49:40 k2 named[19260]: client 83.145.214.81#64390: query (cache) './NS/IN' denied
Jul 21 15:49:41 k2 named[19260]: client 83.145.214.81#52190: query (cache) './NS/IN' denied
Jul 21 15:49:42 k2 named[19260]: client 83.145.214.81#30965: query (cache) './NS/IN' denied
Jul 21 15:49:42 k2 named[19260]: client 83.145.214.81#49321: query (cache) './NS/IN' denied
Jul 21 15:49:43 k2 named[19260]: client 83.145.214.81#35870: query (cache) './NS/IN' denied

Every request is from the same IP address, which geolocates to Finland. I will block this IP from getting to my server and that should make it stop, but it doesn't really get to the root of the problem.
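The "query (cache) ... denied" lines above are BIND refusing a recursive query (here for the root NS set) from a client that is not allowed to use the cache. Before blocking a single address it is worth seeing how many distinct sources are doing this and how fast. The script below is an added example, not code from the thread: it reads named log lines in the format shown above, summarises refused cache queries per client and query name, and lists clients that cross a count threshold. The sample lines are constructed (RFC 5737 documentation addresses, made-up ports); on a real server feed it `/var/log/messages` instead.

```shell
#!/bin/sh
# Added example, not code from the thread: summarise BIND "query (cache) ... denied"
# log lines by client and query name so that a flood like the one above stands out.
# The sample lines are constructed (RFC 5737 documentation addresses, made-up ports).

sample_log() {
cat <<'EOF'
Jul 21 15:49:36 k2 named[19260]: client 198.51.100.7#49626: query (cache) './NS/IN' denied
Jul 21 15:49:37 k2 named[19260]: client 198.51.100.7#2418: query (cache) './NS/IN' denied
Jul 21 15:49:37 k2 named[19260]: client 203.0.113.9#36781: query (cache) 'example.com/A/IN' denied
Jul 21 15:49:38 k2 named[19260]: client 198.51.100.7#18753: query (cache) './NS/IN' denied
Jul 21 15:49:39 k2 named[19260]: client 192.0.2.5#19434: query (cache) './NS/IN' denied
Jul 21 15:49:40 k2 named[19260]: client 198.51.100.7#64390: query (cache) './NS/IN' denied
Jul 21 15:49:41 k2 named[19260]: client 198.51.100.7#52190: query (cache) './NS/IN' denied
Jul 21 15:49:42 k2 named[19260]: example.com/IN: Transfer started.
EOF
}

# Read named log lines on stdin; print one line per (client, query) pair:
#   <count> <client-ip> <name/type/class> <first-seen> <last-seen>
# most frequent first. Only refused cache (recursive) queries are counted;
# other named messages, such as the transfer line in the sample, are ignored.
denied_summary() {
    awk '
        /query \(cache\) .* denied$/ {
            ip = $7; sub(/#.*/, "", ip)            # "IP#port:" -> "IP"
            q = substr($10, 2, length($10) - 2)    # strip the quotes around ./NS/IN
            key = ip " " q
            if (!(key in n)) first[key] = $3       # $3 is the syslog time of day
            n[key]++
            last[key] = $3
        }
        END { for (k in n) print n[k], k, first[k], last[k] }
    ' | sort -rn
}

# Print every client whose total refused-query count reaches the threshold
# (default 5), one IP per line: candidates for a firewall rule, as the poster did.
flag_sources() {
    threshold=${1:-5}
    denied_summary | awk -v t="$threshold" '
        { total[$2] += $1 }
        END { for (ip in total) if (total[ip] >= t) print ip }
    ' | sort
}

# Usage on a real box:  grep 'query (cache)' /var/log/messages | flag_sources 60
# Usage on the sample:  sample_log | denied_summary
```

The first-seen and last-seen columns let you judge the rate directly: five refused queries in five seconds from one address, as in the sample, matches the roughly once-per-second pattern in the log above, whereas a handful of refusals spread over a day from many addresses is just misconfigured resolvers and not worth a block.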
The first thing I would be checking is if the secondary actually has the zone, and that it can actually get it from the primary. A quick test. On the secondary, run 'dig @ns1.xxx.com example.com -t AXFR'. What you get back should be the entire zone. If so, that means you have allowed ns2 to get the zone, which is good. Try incrementing the zone's serial number on the primary, reload the zone, and then check the logs at each end to see if a] the secondary is notified, and b] the zone is transferred. If those things aren't happening, you need to do some looking at your configs. Specifically, on the primary check the options statement 'allow-transfer { 123.234.111.222; };' has your secondary's IP in it.
Thank you for your suggestions. Can you tell me where the 'allow-transfer { };' statement is? Here is what is in my log on the secondary after taking the steps you suggested....

Code:
Jul 22 08:42:10 k2 named[28174]: example.com/IN: Transfer started.
Jul 22 08:42:10 k2 named[28174]: transfer of 'example.com/IN' from 199.104.xxx.xxx#53: connected using 10.xx.x.xxx#54259
Jul 22 08:42:11 k2 named[28174]: dumping master file: tmp-BVjE94eft2: open: permission denied
Jul 22 08:42:11 k2 named[28174]: transfer of 'example.com/IN' from 199.104.xxx.xxx#53: failed while receiving responses: permission denied
Jul 22 08:42:11 k2 named[28174]: transfer of 'example.com/IN' from 199.104.xxx.xxx#53: Transfer completed: 0 messages, 8 records, 0 bytes, 0.048 secs
I added an allow-transfer statement to named.conf. I still get the error message in the messages log. Could I be missing something else?
Thanks for posting the error messages. From the looks of it, you have a permissions problem on the secondary. Check that the directory that receives the zone file is writable by named.
Perfect!!! Changed the permissions for the directory and then made some changes to the zone files to force an update. Everything transferred perfectly. thanks for the help.
Could you share the config lines for how you force an update? Also, do we need to set allow-transfer on both servers, ns1 and ns2?
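As an added example, not configuration from the thread, here is a minimal named.conf for each side that matches the checks suggested earlier (AXFR test, serial bump, allow-transfer) and the permission problem that turned out to be the cause. The addresses 203.0.113.1 (ns1) and 203.0.113.2 (ns2), the directory layout and the file names are assumptions. Two points answer the question above: allow-transfer is a restriction rather than a permission the secondary itself needs, so on the primary it lists who may pull the zone (the secondary), and on the secondary it is normally `none` so nobody can pull a full copy of the zone from it; and the secondary's zone file directory has to be writable by the user named runs as, which is what the `dumping master file ... permission denied` line in the log above was complaining about.

```conf
// ---- /etc/named.conf on ns1 (primary), 203.0.113.1 ----
options {
    directory "/var/named";
    allow-transfer { none; };            // default: no zone may be pulled unless a zone says so
    notify yes;                          // NOTIFY the zone's NS records when the serial changes
};

zone "example.com" {
    type master;
    file "example.com.zone";
    allow-transfer { 203.0.113.2; };     // only the secondary may AXFR/IXFR this zone
    also-notify { 203.0.113.2; };        // and it is told immediately, not just on refresh
};

// ---- /etc/named.conf on ns2 (secondary), 203.0.113.2 ----
options {
    directory "/var/named";
    allow-transfer { none; };            // nobody pulls zones from the secondary
};

zone "example.com" {
    type slave;
    file "slaves/example.com.zone";      // /var/named/slaves must be writable by the named user
    masters { 203.0.113.1; };
};
```

To force an update, raise the SOA serial in example.com.zone on the primary and run `rndc reload example.com` there; the NOTIFY makes the secondary fetch the zone, and `rndc retransfer example.com` on the secondary pulls it on demand if you do not want to wait. On the secondary, `ls -ld /var/named/slaves` should show the directory owned (or group-writable) by the user named runs as; if it is not, the transfer fails exactly as in the log above. An address-based allow-transfer list is the minimum; TSIG-signed transfers are the stronger option if the two servers' addresses are not under your control.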