Re: Zones-unable-update
On 1/6/2020 4:09 AM, Fajar A. Nugraha wrote:
> zone "kalam.com.sa" {
>     type slave;
>     ...
>     masters { 212.119.92.5; };
> };
>
> How many IPs, and what IPs, did you put on the masters there? It should only be ns1 (the master). If you put two, change it.

I would disagree. YMMV.

AlanC
___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
Re: Zones-unable-update
> On 6 Jan 2020, at 09.16, MEjaz wrote:
>
> 1. My primary name server, /etc/named.conf, and here I am forcing transfers to only a few trusted servers, as mentioned in the below clause.
>
> transfers-out 2000;
> allow-transfer {212.119.93.5;213.230.0.10; 212.119.93.10; 212.119.92.6;};
>
> Jan 6 11:03:14 ns2 named[24436]: client @0x7f1228138510 212.119.92.5#33050 (kalam.com.sa): zone transfer 'kalam.com.sa/AXFR/IN' denied

Please note that this client is NOT in the list above.
Re: Zones-unable-update
On Mon, Jan 6, 2020 at 3:16 PM MEjaz wrote:
> 1. My primary name server, /etc/named.conf, and here I am forcing transfers to only a few trusted servers, as mentioned in the below clause.
>
> transfers-out 2000;
> allow-transfer {212.119.93.5;213.230.0.10; 212.119.93.10; 212.119.92.6;};
>
> 2. secondary/slave name server
>
> allow-transfer {"none";};
>
> I can't run this dig command from both dns servers "dig soa kalam.com.sa @ns1.cyberia.net.sa axfr" since the secondary is not allowed to transfer any data,

Ok. So you ran this on ns2, right?

> Just now again I noticed at 11:03 GMT+3 the secondary server attempted to fetch the data from the master but no luck, same error as denied.

No, that might not be it.

> Jan 6 08:38:43 ns2 named[24436]: zone kalam.com.sa/IN: notify from 212.119.92.5#37487: zone is up to date
> Jan 6 08:41:58 ns2 named[24436]: zone kalam.com.sa/IN: notify from 212.119.92.5#52519: serial 2019434249
> Jan 6 09:15:33 ns2 named[24436]: client @0x7f1228224460 212.119.92.5#42430 (kalam.com.sa): zone transfer 'kalam.com.sa/AXFR/IN' denied
> Jan 6 09:15:43 ns2 named[24436]: client @0x7f1228272ed0 212.119.93.5#36083 (kalam.com.sa): zone transfer 'kalam.com.sa/AXFR/IN' denied
> Jan 6 10:40:38 ns2 named[24436]: zone kalam.com.sa/IN: Transfer started.
> Jan 6 10:40:38 ns2 named[24436]: zone kalam.com.sa/IN: transferred serial 2019434249
> Jan 6 11:03:14 ns2 named[24436]: client @0x7f1228138510 212.119.92.5#33050 (kalam.com.sa): zone transfer 'kalam.com.sa/AXFR/IN' denied

You're pasting the logs on ns2. While that helps, we also need the logs on ns1. What does it say?

"denied" on ns2 is expected, since you have 'allow-transfer {"none";};' on ns2. The question is "why does your ns2 ask ns2 (itself), when it should've asked only ns1 (the master)". Did you perhaps set named.conf (or named.conf.local, depending on the distro) on the ns2 incorrectly? Something like

zone "kalam.com.sa" {
    type slave;
    ...
    masters { 212.119.92.5; };
};

How many IPs, and what IPs, did you put on the masters there? It should only be ns1 (the master). If you put two, change it.

... then there's also the question of "why does 212.119.92.5 (ns1) ask ns2 for zone transfer (which caused one of the denied lines), when the master shouldn't even need to ask anyone". Not sure about this one though.

> Do you advise to simulate the setup on a testing environment, without the firewall?

In this case, only if you've set up named.conf correctly.

--
Fajar
RE: Zones-unable-update
1. My primary name server, /etc/named.conf, and here I am forcing transfers to only a few trusted servers, as mentioned in the below clause.

transfers-out 2000;
allow-transfer {212.119.93.5;213.230.0.10; 212.119.93.10; 212.119.92.6;};

2. secondary/slave name server

allow-transfer {"none";};

I can't run this dig command from both dns servers "dig soa kalam.com.sa @ns1.cyberia.net.sa axfr" since the secondary is not allowed to transfer any data.

No. I mean that the servers are not testing servers; these are live authoritative servers, only that particular zone kalam.com.sa is a test zone.

Just now again I noticed at 11:03 GMT+3 the secondary server attempted to fetch the data from the master but no luck, same error as denied.

Jan 6 08:38:43 ns2 named[24436]: zone kalam.com.sa/IN: notify from 212.119.92.5#37487: zone is up to date
Jan 6 08:41:58 ns2 named[24436]: zone kalam.com.sa/IN: notify from 212.119.92.5#52519: serial 2019434249
Jan 6 09:15:33 ns2 named[24436]: client @0x7f1228224460 212.119.92.5#42430 (kalam.com.sa): zone transfer 'kalam.com.sa/AXFR/IN' denied
Jan 6 09:15:43 ns2 named[24436]: client @0x7f1228272ed0 212.119.93.5#36083 (kalam.com.sa): zone transfer 'kalam.com.sa/AXFR/IN' denied
Jan 6 10:40:38 ns2 named[24436]: zone kalam.com.sa/IN: Transfer started.
Jan 6 10:40:38 ns2 named[24436]: zone kalam.com.sa/IN: transferred serial 2019434249
Jan 6 11:03:14 ns2 named[24436]: client @0x7f1228138510 212.119.92.5#33050 (kalam.com.sa): zone transfer 'kalam.com.sa/AXFR/IN' denied

Do you advise to simulate the setup on a testing environment, without the firewall?

Thanks a lot.

Ejaz
Re: Zones-unable-update
On Mon, Jan 6, 2020 at 2:03 PM MEjaz wrote:
>
> Thank you for your email.
>
> I am not cutting any logs, I am capturing only for that particular zone which I have chosen for the test, as I can't do the test on live zones.
>
> This time I have noticed "denied" in my slave server logs as below. This is something very strange; sometimes the zone transferred perfectly after two hours.
>
> However this time I need to wait and see whether this zone would transfer after a few hours as seen before.
>
> Jan 6 09:15:33 ns2 named[24436]: client @0x7f1228224460 212.119.92.5#42430 (kalam.com.sa): zone transfer 'kalam.com.sa/AXFR/IN' denied
> Jan 6 09:15:43 ns2 named[24436]: client @0x7f1228272ed0 212.119.93.5#36083 (kalam.com.sa): zone transfer 'kalam.com.sa/AXFR/IN' denied

Well, fix that. Something is causing the transfer to fail. Are 212.119.92.5 and 212.119.93.5 both allowed to transfer data (e.g. allow-transfer configuration)?

> [root@ns2 ~]# dig soa kalam.com.sa @ns1.cyberia.net.sa axfr, "with this I can fetch all the correct update records"

Did you run this on both 212.119.92.5 and 212.119.93.5?

> Thanks in advance for your assistance. Do you think I should take a look from our network side at the MTU size??

It's somewhat harder to check for temporary errors. The easiest way, since you say that this is a "test", is to replicate (i.e. same OS/distro, software versions, configs) your setup on test VMs (or servers, if you have that), on the same network (e.g. VMs with a private network 10.x.x.x is fine), and see if it always works there. If yes, then most likely the problem is somewhere in your network (e.g. firewall). If no, then the problem is somewhere in your bind configuration.

--
Fajar
RE: Zones-unable-update
Thank you for your email.

I am not cutting any logs, I am capturing only for that particular zone which I have chosen for the test, as I can't do the test on live zones.

This time I have noticed "denied" in my slave server logs as below. This is something very strange; sometimes the zone transferred perfectly after two hours.

However this time I need to wait and see whether this zone would transfer after a few hours as seen before.

Jan 6 09:15:33 ns2 named[24436]: client @0x7f1228224460 212.119.92.5#42430 (kalam.com.sa): zone transfer 'kalam.com.sa/AXFR/IN' denied
Jan 6 09:15:43 ns2 named[24436]: client @0x7f1228272ed0 212.119.93.5#36083 (kalam.com.sa): zone transfer 'kalam.com.sa/AXFR/IN' denied

>> test whether you can manually request all records. Something like running
>> this on the slave: "dig kalam.com.sa @ns1.cyberia.net.sa axfr"

[root@ns2 ~]# dig soa kalam.com.sa @ns1.cyberia.net.sa axfr, "with this I can fetch all the correct update records"

;; Warning, extra type option

; <<>> DiG 9.14.9 <<>> soa kalam.com.sa @ns1.cyberia.net.sa axfr
;; global options: +cmd
kalam.com.sa.           600 IN SOA  ns1.kalam.com.sa. root.kalam.net.sa. 2019434249 43200 4320 1209600 21600
kalam.com.sa.           600 IN NS   ns1.cyberia.net.sa.
kalam.com.sa.           600 IN NS   ns2.cyberia.net.sa.
kalam.com.sa.           600 IN MX   10 mailborder.cyberia.net.sa.
kalam.com.sa.           600 IN MX   20 ingate.cyberia.net.sa.
kalam.com.sa.           600 IN TXT  "v=spf1 mx ip4:212.119.65.150 ~all"
cargo.kalam.com.sa.     600 IN A    212.71.42.152
ejaz4.kalam.com.sa.     600 IN A    1.2.3.5
localhost.kalam.com.sa. 600 IN A    127.0.0.1
mail.kalam.com.sa.      600 IN A    212.119.64.134
ser12.kalam.com.sa.     600 IN A    212.119.64.141
shivin.kalam.com.sa.    600 IN A    1.1.1.1
test55.kalam.com.sa.    600 IN A    212.119.65.20
kalam.com.sa.           600 IN SOA  ns1.kalam.com.sa. root.kalam.net.sa. 2019434249 43200 4320 1209600 21600
;; Query time: 1 msec
;; SERVER: 212.119.92.5#53(212.119.92.5)
;; WHEN: Mon Jan 06 10:00:26 AST 2020
;; XFR size: 14 records (messages 1, bytes 459)

Thanks in advance for your assistance. Do you think I should take a look from our network side at the MTU size??

Ejaz
Re: Zones-unable-update
On Thu, Jan 2, 2020 at 7:58 PM MEjaz wrote:
>
> Hello all.
>
> My setup which has one primary and one slave server was working fine for years.
>
> All of a sudden I started getting the problem of zone updates on slaves, which are not happening on time. It takes two hours to take the updates.
>
> Below logs for the reference: when I do the required changes on the master, the slave gets notified but without transferring the updated zone.
>
> Jan 2 09:17:50 ns2 named[25563]: zone kalam.com.sa/IN: notify from 212.119.92.5#34424: serial 2019434243
> Jan 2 09:24:45 ns2 named[25563]: zone kalam.com.sa/IN: notify from 212.119.92.5#54651: serial 2019434245: refresh in progress, refresh check queued
> Jan 2 11:12:53 ns2 named[25563]: zone kalam.com.sa/IN: Transfer started.
> Jan 2 11:12:53 ns2 named[25563]: zone kalam.com.sa/IN: transferred serial 2019434245

Are you cutting out some logs? If yes, please include all logs for the zone (kalam.com.sa) and the master (212.119.92.5)

> Therefore, I wanted to know: how to force the secondary/slave name server to update/refresh dns zones from the primary DNS server? I just want a slave name server to initiate a zone transfer immediately

From https://kb.isc.org/docs/aa-00726:

notify from 192.0.2.1#62160: refresh in progress, refresh check queued

A notify was received, but the zone being notified was already in the process of being refreshed or is waiting to be refreshed, so the check is queued and will be processed later.

You can try:
- check your logs for what previously triggered the refresh process (another notify?), and when it happened
- check your logs on WHY the previous transfer took a long time (and check what the log means on the KB). e.g. does it show "connection reset"? something else?
- are there lots of other slaves or zones currently transferring data from the master at the same time?
- test whether you can manually request all records. Something like running this on the slave: "dig kalam.com.sa @ns1.cyberia.net.sa axfr"

Some possible problems which come to mind:
- there's something in the middle (e.g. IPS) that's sending TCP resets, that might cause your transfers to fail
- TCP MTU or similar problems

--
Fajar
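As an added example (not code from the thread, from ISC or from BIND), this Python script makes two of the checks discussed on this page mechanical over the ns2 log lines quoted here: it measures the NOTIFY-to-transfer delay Fajar asks about in the reply above, and it classifies the "zone transfer ... denied" lines that he analyses in his later reply (which peer asked, and whether it is the configured master). The master address and ns1's allow-transfer list are taken from Ejaz's posts; the log text is a constructed copy of the quoted lines, and the year 2020 is assumed because syslog stamps omit it.

```python
import re
from datetime import datetime

# Constructed sample: ns2 log lines re-typed from Ejaz's Jan 2 and Jan 6 posts (day field single-spaced as pasted).
NS2_LOG = """\
Jan 2 09:17:50 ns2 named[25563]: zone kalam.com.sa/IN: notify from 212.119.92.5#34424: serial 2019434243
Jan 2 09:24:45 ns2 named[25563]: zone kalam.com.sa/IN: notify from 212.119.92.5#54651: serial 2019434245: refresh in progress, refresh check queued
Jan 2 11:12:53 ns2 named[25563]: zone kalam.com.sa/IN: transferred serial 2019434245
Jan 6 08:41:58 ns2 named[24436]: zone kalam.com.sa/IN: notify from 212.119.92.5#52519: serial 2019434249
Jan 6 09:15:33 ns2 named[24436]: client @0x7f1228224460 212.119.92.5#42430 (kalam.com.sa): zone transfer 'kalam.com.sa/AXFR/IN' denied
Jan 6 09:15:43 ns2 named[24436]: client @0x7f1228272ed0 212.119.93.5#36083 (kalam.com.sa): zone transfer 'kalam.com.sa/AXFR/IN' denied
Jan 6 10:40:38 ns2 named[24436]: zone kalam.com.sa/IN: transferred serial 2019434249
Jan 6 11:03:14 ns2 named[24436]: client @0x7f1228138510 212.119.92.5#33050 (kalam.com.sa): zone transfer 'kalam.com.sa/AXFR/IN' denied
"""

# From Ejaz's posts: ns1 is the master; this is the allow-transfer list configured on ns1.
MASTER = "212.119.92.5"
NS1_ALLOW_TRANSFER = {"212.119.93.5", "213.230.0.10", "212.119.93.10", "212.119.92.6"}

TS = r"(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ named\[\d+\]: "
NOTIFY_RE = re.compile(TS + r"zone (?P<zone>\S+)/IN: notify from (?P<ip>[\d.]+)#\d+: serial (?P<serial>\d+)")
XFER_RE = re.compile(TS + r"zone (?P<zone>\S+)/IN: transferred serial (?P<serial>\d+)")
DENIED_RE = re.compile(TS + r"client @0x[0-9a-f]+ (?P<ip>[\d.]+)#\d+ \((?P<zone>[^)]+)\): "
                      r"zone transfer '[^']*/AXFR/IN' denied")


def _when(ts, year=2020):
    """Syslog stamps carry no year; the thread is from January 2020 (assumed here)."""
    return datetime.strptime(f"{year} {' '.join(ts.split())}", "%Y %b %d %H:%M:%S")


def denied_axfr(log_text, master, allow_transfer):
    """Every AXFR this slave refused, tagged with the explanation the thread arrived at:
    the master asking a slave is the anomaly; anyone else is refused by allow-transfer none."""
    report = []
    for line in log_text.splitlines():
        m = DENIED_RE.search(line)
        if not m:
            continue
        if m["ip"] == master:
            why = "master requested AXFR from this slave: check 'masters' on the slave"
        elif m["ip"] in allow_transfer:
            why = "in ns1 allow-transfer, but this host has allow-transfer none"
        else:
            why = "not authorised on either server"
        report.append((m["ip"], m["zone"], why))
    return report


def notify_to_transfer_delay(log_text, zone):
    """Seconds from the first NOTIFY carrying a serial to the transfer of that serial;
    a serial that was notified but never transferred maps to None."""
    first_notify, delays = {}, {}
    for line in log_text.splitlines():
        m = NOTIFY_RE.search(line)
        if m and m["zone"] == zone:
            first_notify.setdefault(m["serial"], _when(m["ts"]))
            delays.setdefault(m["serial"], None)
            continue
        m = XFER_RE.search(line)
        if m and m["zone"] == zone and m["serial"] in first_notify:
            delays[m["serial"]] = (_when(m["ts"]) - first_notify[m["serial"]]).total_seconds()
    return delays
```

On the quoted lines this reports roughly 108 and 119 minutes from NOTIFY to transfer for serials 2019434245 and 2019434249, and a serial (2019434243) that was notified but never transferred, which is the two-hour lag the thread is about.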
RE: Zones-unable-update
Thank you for your reply.

On both servers:

* Bind version
[root@ns1 ~]# named -v
BIND 9.14.9 (Stable Release)

* O/S version
[root@ns1 named]# more /etc/redhat-release
Red Hat Enterprise Linux Server release 7.2 (Maipo)

* Total number of zones = 2500
[root@ns1 named]# grep zone /etc/named.conf | wc -l
1903
[root@ns1 named]# grep zone /etc/nesmabind.conf | wc -l
451

CPU always less than 20%, which is very normal.

I have corrected the name server field for kalam.com.sa, where I removed the additional NS which was ns3.kalam.com.sa; hope it should be ok, it was a testing zone/domain only. But all other live zones are having the same behavior: when I do the changes in primary it takes two hours to update on the secondary servers.

Thanks in advance.

Ejaz
Re: Zones-unable-update
On 2020-01-03 18:12, Ejaz Ahmed wrote:

Note: Please include the email list in your responses.

> All of a sudden I started getting the problem of zone updates on slaves, which are not happening on time. It takes two hours to take the updates.

You have not given that much information so it is hard to help. Operating system, bind version? Number of zones?

> CPU is ok.

On both primary and secondaries?

> Do you think it would be a problem if I try to transfer all zones at once with rndc reload?

rndc reload can only retransfer one zone at a time. How many zones do you have?

Some other issues:

The domain kalam.com.sa is not 100% correct; your nameservers include one additional NS record, ns3.kalam.com.sa, compared to the delegation.

Check warnings and errors here https://zonemaster.net/result/367781fc8cc487bf

--
MVH/Regards
Anders Löwinger, Abundo AB, 072-206 0322
Re: Zones-unable-update
On 2020-01-02 13:57, MEjaz wrote:
> All of a sudden I started getting the problem of zone updates on slaves, which are not happening on time. It takes two hours to take the updates.
>
> Therefore, I wanted to know: how to force the secondary/slave name server to update/refresh dns zones from the primary DNS server
>
> Just I want a slave name server to initiate a zone transfer immediately

On the secondary server, run

rndc retransfer kalam.com.sa

> transfers-out 2000;

How many domains do you have? 2000 concurrent zone transfers are a lot. How is the CPU load on the primary/secondary server?

--
Regards
Anders Löwinger