Bind master keeps saying it is not authoritative

2017-03-02 Thread Xavier Humbert
Hello, I cannot fix a master/slave problem on RHEL7 with bind 9.9.4. It
is a server in building process, in a LAN, so I cannot use tools like
Zonecheck. Please note that my boss explicitly asked me to anonymize
the zone name. I know this is useless.

I can provide named.conf files for both servers, but basically, I
disabled (commented out) all security related options, and added "any"
to all acls. The zone declarations are double-checked:

Master :
zone "myzone.fr" {
    type master;
    file "/etc/named/internal/myzone.fr";
    allow-transfer { my-slaves; };
};

Slave :
zone "myzone.fr" {
    type slave;
    file "/etc/named/slave/myzone.fr.db";
    masters { 172.29.16.135; };
};


When I initiate a zone transfer manually it works :

[root@slave etc]# dig @master axfr myzone.fr

; <<>> DiG 9.9.4-RedHat-9.9.4-38.el7_3.2 <<>> @master axfr myzone.fr
; (1 server found)
;; global options: +cmd
myzone.fr. 86400 IN SOA master.myzone.fr. dnsmaster.myzone.fr. 2017021602 28800 7200 604800 86400
...etc...


But, in normal operation (all zones loaded OK), when I look at the
master I got this :

xfer-out: info: client 172.29.16.133#57190 (myzone.fr): bad zone transfer request: 'myzone.fr/IN': non-authoritative zone (NOTAUTH)


And on the slave :

general: info: zone myzone.fr/IN: refresh: unexpected rcode (REFUSED) from master 172.29.16.135#53 (source 0.0.0.0#0)
general: info: zone myzone.fr/IN: Transfer started.
xfer-in: info: transfer of 'myzone.fr/IN' from 172.29.16.135#53: connected using 172.29.16.133#53836
xfer-in: error: transfer of 'myzone.fr/IN' from 172.29.16.135#53: failed while receiving responses: NOTAUTH
xfer-in: info: transfer of 'myzone.fr/IN' from 172.29.16.135#53: Transfer completed: 0 messages, 0 records, 0 bytes, 0.001 secs (0 bytes/sec)


I'm really lost. I've configured dozens of DNSs with no such problems.
Did I miss something obvious ?

Thanks in advance,

Xavier

-- 
Xavier Humbert
CRT Supervision et Exploitation de Niveau 1
Rectorat de Nancy-Metz
03 83 86 27 39

___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Re: Bind master keeps saying it is not authoritative

2017-03-02 Thread Tony Finch
Xavier Humbert wrote:
>
> I'm really lost. I've configured dozens of DNSs with no such problems.
> Did I miss something obvious ?

I can't see anything obvious... Did you obfuscate the zone name so we
can't see if there's a typo?

Tony.
-- 
f.anthony.n.finch    http://dotat.at/  -  I xn--zr8h punycode
Fitzroy, Sole: South or southwest, becoming cyclonic later, 5 to 7, perhaps
gale 8 later. Rough or very rough. Rain or thundery showers. Moderate or good.

Re: Bind master keeps saying it is not authoritative

2017-03-02 Thread Xavier Humbert
The whole configuration, comments removed :

-- Master --
acl my-slaves {
    any; // DEBUG
};

acl my-clients {
    any; // DEBUG
};

options {
    // IP config
    listen-on port 53 { 172.29.16.135; 127.0.0.1; };
    listen-on-v6 port 53 { none; };

    // Paths
    directory "/var/named";
    dump-file "/var/named/data/cache_dump.db";
    statistics-file "/var/named/data/named_stats.txt";
    memstatistics-file "/var/named/data/named_mem_stats.txt";

    // Behaviour
    recursion no;
    allow-transfer { my-slaves; };
};

// rndc key
include "/etc/rndc.key";

controls {
    inet 127.0.0.1 port 953
        allow { 127.0.0.1; } keys { "rndc-key"; };
};

// Logging
// omitted

zone "in.acv.orion.education.fr" {
    type master;
    file "/etc/named/internal/in.acv.orion.education.fr.db";
    allow-transfer { my-slaves; };
};

-- Slave --
acl my-clients {
    localhost;
    any; // DEBUG
};

options {
    // IP config
    listen-on port 53 { 172.29.16.133; 127.0.0.1; };
    listen-on-v6 port 53 { none; };

    // Paths
    directory "/var/named";
    dump-file "/var/named/data/cache_dump.db";
    statistics-file "/var/named/data/named_stats.txt";
    memstatistics-file "/var/named/data/named_mem_stats.txt";

    // Behaviour
    recursion no;
    allow-update { 172.29.16.135; };
    allow-transfer { 172.29.16.135; };

};

// rndc key
include "/etc/rndc.key";

// Logging
// Omitted

zone "in.acv.orion.education.gouv.fr" {
    type slave;
    file "/etc/named/in.acv.orion.education.gouv.fr.db";
    masters { 172.29.16.135; };
};
zone "." IN {
    type hint;
    file "named.ca";
};

include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";

--

Really, really basic!
Thanks

-- 
Xavier Humbert
CRT Supervision et Exploitation de Niveau 1
Rectorat de Nancy-Metz
03 83 86 27 39


Re: Bind master keeps saying it is not authoritative

2017-03-02 Thread Edda

Is this the zone in question?

master:
zone "in.acv.orion.education.fr" {

wrong on slave:
zone "in.acv.orion.education.gouv.fr" {

Regards, Edda
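
The comparison made by eye in the reply above can be automated. The following is an added example, not part of the original thread: it lists every slave zone whose name has no matching master zone on the master and suggests the closest master zone name. The function names `zones` and `orphan_slave_zones` are illustrative, and the sample input is the zone statements from the posted configuration.

```python
import difflib
import re

# Zone statements copied from the configuration posted in the thread.
MASTER_CONF = '''
zone "in.acv.orion.education.fr" {
    type master;
    file "/etc/named/internal/in.acv.orion.education.fr.db";
    allow-transfer { my-slaves; };
};
'''
SLAVE_CONF = '''
zone "in.acv.orion.education.gouv.fr" {
    type slave;
    file "/etc/named/in.acv.orion.education.gouv.fr.db";
    masters { 172.29.16.135; };
};
zone "." IN { type hint; file "named.ca"; };
'''

def zones(conf):
    """Return {zone_name: zone_type} for each zone statement in conf."""
    # Drop /* */, // and # comments (naive: ignores comment markers in strings).
    conf = re.sub(r'/\*.*?\*/|//[^\n]*|#[^\n]*', '', conf, flags=re.S)
    found = {}
    for m in re.finditer(r'\bzone\s+"([^"]+)"(?:\s+\w+)?\s*\{', conf):
        depth, i = 1, m.end()
        while i < len(conf) and depth:      # walk to the matching brace
            depth += {'{': 1, '}': -1}.get(conf[i], 0)
            i += 1
        ztype = re.search(r'\btype\s+([\w-]+)\s*;', conf[m.end():i])
        name = m.group(1).lower().rstrip('.') or '.'
        found[name] = ztype.group(1) if ztype else None
    return found

def orphan_slave_zones(master_conf, slave_conf):
    """List (slave_zone, nearest_master_zone) for slave zones the master lacks."""
    masters = [z for z, t in zones(master_conf).items()
               if t in ('master', 'primary')]
    report = []
    for zone, ztype in zones(slave_conf).items():
        if ztype in ('slave', 'secondary') and zone not in masters:
            near = difflib.get_close_matches(zone, masters, n=1)
            report.append((zone, near[0] if near else None))
    return report

if __name__ == '__main__':
    for zone, near in orphan_slave_zones(MASTER_CONF, SLAVE_CONF):
        print(f'slave zone {zone!r} is not a master zone on the master; '
              f'closest master zone: {near!r}')
```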





Re: Bind master keeps saying it is not authoritative

2017-03-02 Thread Ben Croswell
Ensure that the allow-query clause on the master includes the slave. If the
slave can't query for the SOA on the zone it can't do an xfer.
