Bind master keeps saying it is not authoritative
Hello,

I cannot fix a master/slave problem on RHEL7 with bind 9.9.4. It is a server in building process, in a LAN, so I cannot use tools like Zonecheck.

Please note that my boss explicitly asked me to anonymize the zone name. I know this is useless.

I can provide named.conf files for both servers, but basically, I disabled (commented out) all security related options, and added "any" to all acls.

The zone declarations are double checked:

Master:

    zone "myzone.fr" {
        type master;
        file "/etc/named/internal/myzone.fr";
        allow-transfer { my-slaves; };
    };

Slave:

    zone "myzone.fr" {
        type slave;
        file "/etc/named/slave/myzone.fr.db";
        masters { 172.29.16.135; };
    };

When I initiate a zone transfer manually it works:

    [root@slave etc]# dig @master axfr myzone.fr

    ; <<>> DiG 9.9.4-RedHat-9.9.4-38.el7_3.2 <<>> @master axfr myzone.fr
    ; (1 server found)
    ;; global options: +cmd
    myzone.fr. 86400 IN SOA master.myzone.fr. dnsmaster.myzone.fr. 2017021602 28800 7200 604800 86400
    ...etc...

But, in normal operation (all zones loaded OK), when I look at the master I got this:

    xfer-out: info: client 172.29.16.133#57190 (myzone.fr): bad zone transfer request: 'myzone.fr/IN': non-authoritative zone (NOTAUTH)

And on the slave:

    general: info: zone myzone.fr/IN: refresh: unexpected rcode (REFUSED) from master 172.29.16.135#53 (source 0.0.0.0#0)
    general: info: zone myzone.fr/IN: Transfer started.
    xfer-in: info: transfer of 'myzone.fr/IN' from 172.29.16.135#53: connected using 172.29.16.133#53836
    xfer-in: error: transfer of 'myzone.fr/IN' from 172.29.16.135#53: failed while receiving responses: NOTAUTH
    xfer-in: info: transfer of 'myzone.fr/IN' from 172.29.16.135#53: Transfer completed: 0 messages, 0 records, 0 bytes, 0.001 secs (0 bytes/sec)

I'm really lost. I've configured dozens of DNSs with no such problems. Did I miss something obvious?

Thanks in advance,

Xavier

--
Xavier Humbert
CRT Supervision et Exploitation de Niveau 1
Rectorat de Nancy-Metz
03 83 86 27 39

___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
Re: Bind master keeps saying it is not authoritative
Xavier Humbert wrote:
>
> I'm really lost. I've configured dozens of DNSs with no such problems.
> Did I miss something obvious ?

I can't see anything obvious... Did you obfuscate the zone name so we can't see if there's a typo?

Tony.
--
f.anthony.n.finch http://dotat.at/ - I xn--zr8h punycode
Fitzroy, Sole: South or southwest, becoming cyclonic later, 5 to 7, perhaps gale 8 later. Rough or very rough. Rain or thundery showers. Moderate or good.
Re: Bind master keeps saying it is not authoritative
The whole configuration, comments removed:

-- Master --

    acl my-slaves {
        any; // DEBUG
    };

    acl my-clients {
        any; // DEBUG
    };

    options {
        // IP config
        listen-on port 53 { 172.29.16.135; 127.0.0.1; };
        listen-on-v6 port 53 { none; };

        // Paths
        directory "/var/named";
        dump-file "/var/named/data/cache_dump.db";
        statistics-file "/var/named/data/named_stats.txt";
        memstatistics-file "/var/named/data/named_mem_stats.txt";

        // Behaviour
        recursion no;
        allow-transfer { my-slaves; };
    };

    // rndc key
    include "/etc/rndc.key";

    controls {
        inet 127.0.0.1 port 953
        allow { 127.0.0.1; } keys { "rndc-key"; };
    };

    // Logging
    // omitted

    zone "in.acv.orion.education.fr" {
        type master;
        file "/etc/named/internal/in.acv.orion.education.fr.db";
        allow-transfer { my-slaves; };
    };

-- Slave --

    acl my-clients {
        localhost;
        any; // DEBUG
    };

    options {
        // IP config
        listen-on port 53 { 172.29.16.133; 127.0.0.1; };
        listen-on-v6 port 53 { none; };

        // Paths
        directory "/var/named";
        dump-file "/var/named/data/cache_dump.db";
        statistics-file "/var/named/data/named_stats.txt";
        memstatistics-file "/var/named/data/named_mem_stats.txt";

        // Behaviour
        recursion no;
        allow-update { 172.29.16.135; };
        allow-transfer { 172.29.16.135; };
    };

    // rndc key
    include "/etc/rndc.key";

    // Logging
    // Omitted

    zone "in.acv.orion.education.gouv.fr" {
        type slave;
        file "/etc/named/in.acv.orion.education.gouv.fr.db";
        masters { 172.29.16.135; };
    };

    zone "." IN {
        type hint;
        file "named.ca";
    };

    include "/etc/named.rfc1912.zones";
    include "/etc/named.root.key";

--

Really, really basic!

Thanks

--
Xavier Humbert
CRT Supervision et Exploitation de Niveau 1
Rectorat de Nancy-Metz
03 83 86 27 39
Re: Bind master keeps saying it is not authoritative
Is this the zone in question?

master:

    zone "in.acv.orion.education.fr" {

wrong on slave:

    zone "in.acv.orion.education.gouv.fr" {

Regards,
Edda

On 02.03.17 at 12:33, Xavier Humbert wrote:
> The whole configuration, comments removed :
> [...]
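
The mismatch pointed out in the reply above can be caught mechanically before a secondary is put into service. The following is an added example, not part of the original thread and not ISC code: it extracts the zone statements from two named.conf texts and reports every slave zone that the master does not serve under exactly the same name, with the closest master zone as a hint. The function names and the simplified parsing (no '//' or '#' inside quoted strings, no include handling) are assumptions of this sketch; the sample input is the two zone statements posted in the thread.

```python
import difflib
import re

# Constructed sample input: the zone statements posted in the thread, trimmed.
MASTER_CONF = '''
zone "in.acv.orion.education.fr" {
    type master;
    file "/etc/named/internal/in.acv.orion.education.fr.db";
    allow-transfer { my-slaves; };
};
'''
SLAVE_CONF = '''
zone "in.acv.orion.education.gouv.fr" {
    type slave;
    file "/etc/named/in.acv.orion.education.gouv.fr.db";
    masters { 172.29.16.135; };
};
zone "." IN { type hint; file "named.ca"; };
'''

def zones(conf):
    """Map each zone name (lowercased, trailing dot dropped) to its type."""
    # Simplified comment stripping: assumes no '//' or '#' inside quoted strings.
    conf = re.sub(r'/\*.*?\*/', '', conf, flags=re.S)
    conf = re.sub(r'(//|#).*', '', conf)
    found = {}
    for m in re.finditer(r'\bzone\s+"([^"]+)"[^{;]*\{', conf):
        depth, i = 1, m.end()
        while i < len(conf) and depth:      # walk to the matching close brace
            depth += {'{': 1, '}': -1}.get(conf[i], 0)
            i += 1
        t = re.search(r'\btype\s+([\w-]+)\s*;', conf[m.end():i - 1])
        name = m.group(1).lower().rstrip('.') or '.'
        found[name] = t.group(1).lower() if t else None
    return found

def unmatched_slave_zones(master_conf, slave_conf):
    """Return (slave zone, closest master zone or None) for every slave zone
    that the master does not serve under exactly the same name."""
    # Newer BIND releases also accept 'primary' and 'secondary' as type names.
    served = [n for n, t in zones(master_conf).items() if t in ('master', 'primary')]
    report = []
    for name, t in zones(slave_conf).items():
        if t in ('slave', 'secondary') and name not in served:
            guess = difflib.get_close_matches(name, served, n=1, cutoff=0.6)
            report.append((name, guess[0] if guess else None))
    return report

if __name__ == '__main__':
    for slave_zone, closest in unmatched_slave_zones(MASTER_CONF, SLAVE_CONF):
        print(f'slave zone {slave_zone!r} is not a master zone on the primary;'
              f' closest master zone: {closest!r}')
```
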
Re: Bind master keeps saying it is not authoritative
Ensure that the allow-query clause on the master includes the slave. If the slave can't query for the SOA on the zone it can't do an xfer.

On Mar 2, 2017 6:34 AM, "Xavier Humbert" wrote:
> The whole configuration, comments removed :
> [...]