1. My primary name server, /etc/named.conf, and here I am forcing transfer to
only a few trusted servers, as mentioned in the below clause.

 

 

transfers-out 2000;

 

allow-transfer {212.119.93.5;213.230.0.10; 212.119.93.10; 212.119.92.6;};

 

2. Secondary/slave name server

 

allow-transfer {"none";};

 

 

I can't run this dig command from both DNS servers, "dig soa kalam.com.sa
@ns1.cyberia.net.sa axfr", since the secondary is not allowed to transfer any data.

No, what I mean is that the servers are not test servers; these are live
authoritative servers. Only that particular zone, kalam.com.sa, is a test zone.

 

Just now, at 11:03 GMT+3, I again noticed the secondary server attempting to
fetch the data from the master, but no luck. Same error: denied.

 

Jan  6 08:38:43 ns2 named[24436]: zone kalam.com.sa/IN: notify from 212.119.92.5#37487: zone is up to date
Jan  6 08:41:58 ns2 named[24436]: zone kalam.com.sa/IN: notify from 212.119.92.5#52519: serial 2019434249
Jan  6 09:15:33 ns2 named[24436]: client @0x7f1228224460 212.119.92.5#42430 (kalam.com.sa): zone transfer 'kalam.com.sa/AXFR/IN' denied
Jan  6 09:15:43 ns2 named[24436]: client @0x7f1228272ed0 212.119.93.5#36083 (kalam.com.sa): zone transfer 'kalam.com.sa/AXFR/IN' denied
Jan  6 10:40:38 ns2 named[24436]: zone kalam.com.sa/IN: Transfer started.
Jan  6 10:40:38 ns2 named[24436]: zone kalam.com.sa/IN: transferred serial 2019434249
Jan  6 11:03:14 ns2 named[24436]: client @0x7f1228138510 212.119.92.5#33050 (kalam.com.sa): zone transfer 'kalam.com.sa/AXFR/IN' denied

 

Do you advise simulating the setup in a testing environment, without the firewall?

 

Thanks a lot. 

 

Ejaz 

 

-----Original Message-----
From: Fajar A. Nugraha [mailto:fa...@fajar.net] 
Sent: Monday, January 6, 2020 10:59 AM
To: MEjaz <me...@cyberia.net.sa>
Cc: bind-users@lists.isc.org
Subject: Re: Zones-unable-update

 

On Mon, Jan 6, 2020 at 2:03 PM MEjaz <me...@cyberia.net.sa> wrote:

> Thank you for your email.
>
> I am not cutting any logs, I am capturing only for that particular zone
> which I have chosen for the test, as I can't do the test on live zones.
>
> This time I have noticed "denied" in my slave server logs as below. This is
> something very strange; sometimes the zone transferred perfectly after two hours.
>
> However, this time I need to wait and see whether this zone would transfer
> after a few hours, as seen before.
>
> Jan  6 09:15:33 ns2 named[24436]: client @0x7f1228224460 212.119.92.5#42430 (kalam.com.sa): zone transfer 'kalam.com.sa/AXFR/IN' denied
> Jan  6 09:15:43 ns2 named[24436]: client @0x7f1228272ed0 212.119.93.5#36083 (kalam.com.sa): zone transfer 'kalam.com.sa/AXFR/IN' denied

 

Well, fix that.

 

Something is causing the transfer to fail. Are 212.119.92.5 and 212.119.93.5
both allowed to transfer data (e.g. allow-transfer configuration)?

 

> [root@ns2 ~]# dig soa kalam.com.sa @ns1.cyberia.net.sa axfr,  "with this I 
> can fetch all the correct update records"

 

Did you run this on both 212.119.92.5 and 212.119.93.5?

 

> Thanks in advance for your assistance. Do you think that I should take a look
> from our network side for the MTU size?

 

It's somewhat harder to check for temporary errors.

 

The easiest way, since you say that this is a "test", is to replicate (i.e. 
same OS/distro, software versions, configs) your setup on test VMs (or servers, 
if you have that), on the same network (e.g. VMs with private network 10.x.x.x 
is fine), and see if it always works there.

 

If yes, then most likely the problem is somewhere in your network (e.g. 
firewall).

If no, then the problem is somewhere in your bind configuration.

 

--

Fajar

_______________________________________________
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
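
An added example, not part of the original thread: it pulls the "zone transfer ... denied" entries out of the named log lines quoted in the message and reports, per client, whether the address is covered by a given allow-transfer clause. The function names are assumptions of this example, and the ACL parser handles only literal addresses, prefixes, "none" and "any".

```python
import ipaddress
import re
from collections import Counter

# Log lines and clauses copied from the message above (log lines rejoined).
SAMPLE_LOG = """\
Jan  6 09:15:33 ns2 named[24436]: client @0x7f1228224460 212.119.92.5#42430 (kalam.com.sa): zone transfer 'kalam.com.sa/AXFR/IN' denied
Jan  6 09:15:43 ns2 named[24436]: client @0x7f1228272ed0 212.119.93.5#36083 (kalam.com.sa): zone transfer 'kalam.com.sa/AXFR/IN' denied
Jan  6 10:40:38 ns2 named[24436]: zone kalam.com.sa/IN: Transfer started.
Jan  6 11:03:14 ns2 named[24436]: client @0x7f1228138510 212.119.92.5#33050 (kalam.com.sa): zone transfer 'kalam.com.sa/AXFR/IN' denied
"""
NS2_CLAUSE = 'allow-transfer {"none";};'
PRIMARY_CLAUSE = "allow-transfer {212.119.93.5;213.230.0.10; 212.119.93.10; 212.119.92.6;};"

DENIED = re.compile(
    r"client (?:@0x[0-9a-f]+ )?(?P<ip>[0-9A-Fa-f.:]+)#\d+ .*"
    r"zone transfer '(?P<zone>[^/']+)/(?:AXFR|IXFR)/IN' denied")

def parse_acl(clause):
    """Return (keyword, networks) for an allow-transfer clause.
    Named ACLs, TSIG keys and negation are not handled (assumption)."""
    body = clause[clause.index("{") + 1:clause.rindex("}")]
    items = [i.strip().strip('"') for i in body.split(";") if i.strip()]
    for keyword in ("none", "any"):
        if keyword in items:
            return keyword, []
    return None, [ipaddress.ip_network(i, strict=False) for i in items]

def permitted(ip, acl):
    """True if the client address matches the parsed ACL."""
    keyword, networks = acl
    if keyword:
        return keyword == "any"
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in networks)

def denied_transfers(log_text, clause):
    """Count denied transfers per (client, zone) and test each client against clause."""
    acl = parse_acl(clause)
    counts = Counter()
    for line in log_text.splitlines():
        m = DENIED.search(line)
        if m:
            counts[(m["ip"], m["zone"])] += 1
    return [{"client": ip, "zone": zone, "denials": n, "in_acl": permitted(ip, acl)}
            for (ip, zone), n in sorted(counts.items())]

if __name__ == "__main__":
    for name, clause in (("ns2", NS2_CLAUSE), ("primary", PRIMARY_CLAUSE)):
        for row in denied_transfers(SAMPLE_LOG, clause):
            print(name, row)
```

Checked against the ns2 clause, neither client is covered; checked against the primary's list, 212.119.93.5 is listed and 212.119.92.5 is not.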