BIND Named: Set a Zone Transfer IP Address For Master DNS Server

by Vivek Gite · 1 comment

I have three load-balanced (LB) nameservers in three geographic locations. Each LB has a front-end public IP address, and two backend IP addresses (one for BIND and another for zone transfers) are assigned to the actual BIND 9 server running Red Hat Enterprise Linux 5.2, as follows:

LB1 - 202.54.1.2 -> Master BIND 9.x
LB2 - 75.54.1.2  -> Slave BIND 9.x
LB3 - 41.54.1.2 -> Slave BIND 9.x

So when a zone transfer is initiated from a slave server, all I get is the following errors on the master BIND 9 server (LB1):

Jan  1 14:11:20 ns1 named[5323]: client 75.54.xx.xx#50968: zone transfer 'example.com/AXFR/IN' denied
Jan  1 14:11:20 ns1 named[5323]: client 75.54.xx.xx#54359: zone transfer 'example.org/AXFR/IN' denied

When a connection cannot be established, named tries again using the server's main IP or the LB2 / LB3 IP. This is a problem because my servers are geo-located and load-balanced. After some research I came across the documentation, which suggests that other IPs can be used when the transfer-source fails. You need to place the following two directives in the options section of named.conf on each slave server:
transfer-source IPv4-address;
transfer-source-v6 IPv6-address;

The transfer-source and transfer-source-v6 clauses specify the IPv4 and IPv6 source address to be used for zone transfers with the remote server, respectively. Also, you need to set use-alt-transfer-source to yes so that the alternate transfer sources can be used. In short, add the following two directives to the options or server section of your named.conf:

transfer-source 75.54.xx.xx;
use-alt-transfer-source yes;

Here is my sample named.conf file:

// Slave server ns2.example.com
options
{
        listen-on-v6 { none; };
        listen-on { xx.yy.zz.yy; };
        directory "/var/named"; // the default
        dump-file               "data/cache_dump.db";
        statistics-file         "data/named_stats.txt";
        memstatistics-file      "data/named_mem_stats.txt";
        dnssec-enable yes;
        recursion no;
        allow-notify { xx.yy.zz.yy; aa.bb.cc.dd; };
        version "NS2 [BIND]";
        // Dedicated backend address to send zone transfer requests from
        transfer-source 75.54.xx.xx;
        // Fall back to another local address if transfer-source fails
        use-alt-transfer-source yes;
};
logging
{
        channel default_debug {
                file "data/named.run";
                severity dynamic;
        };
};
/* TSIG key shared with the master for signed zone transfers
   (hmac-md5 is deprecated; use hmac-sha256 where the BIND version supports it) */
key "TRANSFER" {
        algorithm hmac-md5;
        secret "YOUR-KEY";
};

/* Sign requests sent to the master (aa.bb.cc.dd) with that key */
server aa.bb.cc.dd {
        keys { TRANSFER; };
};

/* Get rndc key */
include "/etc/rndc.key";

/* Get localhost and other rfc stuff */
include "/etc/named.rfc1912.zones";

/* Get root server */
include "/etc/named.root.hints";

/* Get our zones */
include "/etc/named.conf.zones.local";
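The post shows only the slave side. The "zone transfer ... denied" lines come from the master (ns1 on LB1): named logs that message when the requesting client does not match the zone's allow-transfer ACL. The fragment below is an added example of the master-side counterpart, not part of the original post or of the BIND distribution. It assumes 75.54.xx.xx and 41.54.xx.xx are the two slaves' backend transfer addresses (41.54.xx.xx is a placeholder, since the post only lists LB3's front-end IP), aa.bb.cc.dd is the master's address from the slave config above, and "YOUR-KEY" is the same secret on both ends. The address-only ACL is kept as a comment to show why use-alt-transfer-source yes can still produce denials, and the active ACL matches on the TSIG key instead, which holds whichever source address the slave ends up using.

```conf
// Master server ns1.example.com (LB1) - added example, not from the original post.
// 75.54.xx.xx / 41.54.xx.xx: the slaves' backend transfer addresses
// (41.54.xx.xx is a placeholder; the post only lists LB3's front-end IP).

// Same TSIG key as in the slave's named.conf. Keep the file that holds the
// secret readable only by the named user.
key "TRANSFER" {
        algorithm hmac-md5;      // matches the slave above; prefer hmac-sha256 where supported
        secret "YOUR-KEY";
};

options {
        directory "/var/named";
        recursion no;

        // Address-only ACL. This is what produces "zone transfer ... denied":
        // if the slave retries from its main or LB address (use-alt-transfer-source yes),
        // the request no longer matches.
        // allow-transfer { 75.54.xx.xx; 41.54.xx.xx; };

        // Key-based ACL: the request must be signed with TRANSFER, whatever
        // source address the slave used.
        allow-transfer { key TRANSFER; };

        // Send NOTIFY only to the slaves' transfer addresses
        notify explicit;
        also-notify { 75.54.xx.xx; 41.54.xx.xx; };
};

// Sign NOTIFY messages sent to each slave with the same key
server 75.54.xx.xx { keys { TRANSFER; }; };
server 41.54.xx.xx { keys { TRANSFER; }; };
```

After editing, run named-checkconf on the master and then rndc reload. If a denial still appears, the client address in the log line tells you which source the slave actually used, which is the quickest way to confirm whether its transfer-source setting took effect.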

Finally, check the configuration and reload named:
# named-checkconf -t /var/named/chroot/ && rndc reload
OR
# rndc reload


Daniel Silva 01.19.09 at 2:17 pm

Thanks, dude… I was having the same error on my DNS Master Server. Your post helped me to solve that problem. :)
