On 18.5.2009, at 17:17, Mark Andrews wrote:
I use the secure BIND template by Rob Thomas
(http://www.cymru.com/Documents/secure-bind-template.html). I have had a
peculiar problem with this template conf, which I have not been able to
resolve. My problem is that some slave zones return REFUSED when queried
from the external view for ANY records while others return the expected
values. For example:
dig @194.86.83.21 ruoka.fi ANY
returns nothing, but when queried from master zone:
dig @194.86.83.27 ruoka.fi ANY
returns expected values. Furthermore, a seemingly identical zone (see
complete zone configs below) for another domain returns expected
values from both servers:
What do you have in front of the nameserver? Firewall? NAT?
Note the reply is to the wrong port.
00:15:38.593884 211.30.172.21.57914 > 194.86.83.21.53: 60775 ANY? ruoka.fi. (26)
00:15:38.935222 194.86.83.21.53 > 211.30.172.21.48599: 60775*- 5/0/0 SOA, NS ns2.kirnauskis.com., NS ns.kirnauskis.com., MX smtp.kirnauskis.com. 0, TXT v=spf1 ~all (167)
There's a firewall in front of both nameservers. I don't think the
reply port should be the issue, because all traffic is allowed from
the server to WAN. Furthermore, if it were a firewall issue, why would
it work for one domain and not the other? And why would changing the
'additional-from-auth' and 'additional-from-cache' settings make a
difference?
I did try allowing all traffic in and out from the server just in
case, and it didn't help.
--
Hans Vallden
h...@vallden.com
skype: hans.vallden
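
The port mismatch pointed out in the capture above can be checked mechanically. The following is an added example, not part of the original thread: it pairs DNS queries and responses in legacy tcpdump text output by transaction ID and flags responses addressed to a port other than the one the query came from. The function name and the second (matching) query/response pair in the sample are constructed for illustration.

```python
import re

# Legacy tcpdump text format: "time src.port > dst.port: dnsid[flags] ..."
LINE = re.compile(
    r"^\S+\s+(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+)\s+>\s+"
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+):\s+(?P<id>\d+)"
)

def find_port_mismatches(lines, dns_port=53):
    """Return responses whose destination port differs from the query's source port."""
    pending = {}      # (client_ip, server_ip, dns_id) -> client source port
    mismatches = []
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue  # not a line in the expected format
        sport, dport, dns_id = int(m["sport"]), int(m["dport"]), int(m["id"])
        if dport == dns_port:
            # Query: remember which port the client sent it from.
            pending[(m["src"], m["dst"], dns_id)] = sport
        elif sport == dns_port:
            # Response: look up the matching query by client, server and ID.
            expected = pending.pop((m["dst"], m["src"], dns_id), None)
            if expected is not None and expected != dport:
                mismatches.append({
                    "server": m["src"], "client": m["dst"], "id": dns_id,
                    "query_port": expected, "reply_port": dport,
                })
    return mismatches

# First pair is the capture from the thread; second pair is constructed
# (documentation addresses) to show a normal exchange that is not flagged.
SAMPLE = [
    "00:15:38.593884 211.30.172.21.57914 > 194.86.83.21.53: 60775 ANY? ruoka.fi. (26)",
    "00:15:38.935222 194.86.83.21.53 > 211.30.172.21.48599: 60775*- 5/0/0 SOA (167)",
    "00:15:40.000001 192.0.2.10.40001 > 198.51.100.53.53: 1234 A? example.com. (29)",
    "00:15:40.020002 198.51.100.53.53 > 192.0.2.10.40001: 1234*- 1/0/0 A 192.0.2.80 (45)",
]

if __name__ == "__main__":
    for hit in find_port_mismatches(SAMPLE):
        print(f"id {hit['id']}: {hit['server']} replied to {hit['client']} "
              f"port {hit['reply_port']}, query came from port {hit['query_port']}")
```
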