I have three load-balanced (LB) name servers in three geographic locations. Each LB has a front-end public IP address, and two backend IP addresses (one for BIND and another for zone transfers) are assigned to the actual BIND 9 server running Red Hat Enterprise Linux 5.2, as follows:
- LB1 - 202.54.1.2 -> Master BIND 9.x
- LB2 - 75.54.1.2 -> Slave BIND 9.x
- LB3 - 41.54.1.2 -> Slave BIND 9.x
So when a zone transfer is initiated from a slave server, all I get are the following errors on the master BIND 9 server (LB1):
Jan 1 14:11:20 ns1 named[5323]: client 75.54.xx.xx#50968: zone transfer 'example.com/AXFR/IN' denied
Jan 1 14:11:20 ns1 named[5323]: client 75.54.xx.xx#54359: zone transfer 'example.org/AXFR/IN' denied
When a connection cannot be established, the slave tries again using the server's main IP or the LB2 / LB3 IP, and the master denies the transfer because the request does not arrive from the expected address. This is a problem because my servers are geographically distributed and load balanced. After some research I came across the documentation, which explains that other IPs can be used when the transfer-source fails. You need to place the following two directives in the options section of named.conf on each slave server:
transfer-source IPv4-address;
transfer-source-v6 IPv6-address;
The transfer-source and transfer-source-v6 clauses specify the IPv4 and IPv6 source address, respectively, to be used for zone transfers with the remote server. Also, you need to set use-alt-transfer-source to yes so that the alternate transfer sources can be used. In short, add the following two directives to the options or server section of your named.conf:
transfer-source 75.54.xx.xx;
use-alt-transfer-source yes;
Here is my sample named.conf file:
// Slave server ns2.example.com
options {
    listen-on-v6 { none; };
    listen-on { xx.yy.zz.yy; };
    directory "/var/named"; // the default
    dump-file "data/cache_dump.db";
    statistics-file "data/named_stats.txt";
    memstatistics-file "data/named_mem_stats.txt";
    dnssec-enable yes;
    recursion no;
    allow-notify { xx.yy.zz.yy; aa.bb.cc.dd; };
    version "NS2 [BIND]";
    // Send zone transfer requests from the backend transfer IP, not the LB front end
    transfer-source 75.54.xx.xx;
    use-alt-transfer-source yes;
};
logging {
    channel default_debug {
        file "data/named.run";
        severity dynamic;
    };
};
/* KEYS for master server dnssec */
key "TRANSFER" {
    algorithm hmac-md5;
    secret "YOUR-KEY";
};
/* Sign transfer requests to the master (aa.bb.cc.dd) with the TRANSFER key */
server aa.bb.cc.dd {
    keys { TRANSFER; };
};
/* Get rndc key */
include "/etc/rndc.key";
/* Get localhost and other rfc stuff */
include "/etc/named.rfc1912.zones";
/* Get root server */
include "/etc/named.root.hints";
/* Get our zones */
include "/etc/named.conf.zones.local";
Finally, check the configuration and reload named:
# named-checkconf -t /var/named/chroot/ && rndc reload
OR
# rndc reload
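As an added check (example code, not from the original post), the "zone transfer ... denied" lines shown above can be triaged on the master to tell a known slave that is still sending from its LB front-end address (fix: set transfer-source on that slave) from an unrelated client whose denial is the intended behaviour. The sample log lines are constructed; the front-end addresses are the LB2/LB3 ones from the post, while 75.54.1.20, 41.54.1.20 (assumed backend transfer IPs) and 203.0.113.9 (an unknown client) are made up.

```python
import re
from collections import Counter

# Constructed sample lines in the format named writes to syslog, as quoted in the post.
# 75.54.1.2 / 41.54.1.2 are the LB front ends from the post; 75.54.1.20 and
# 203.0.113.9 are made-up addresses for a backend transfer IP and an unknown client.
SAMPLE_LOG = """\
Jan  1 14:11:20 ns1 named[5323]: client 75.54.1.2#50968: zone transfer 'example.com/AXFR/IN' denied
Jan  1 14:11:20 ns1 named[5323]: client 75.54.1.2#54359: zone transfer 'example.org/AXFR/IN' denied
Jan  1 14:11:21 ns1 named[5323]: client 41.54.1.2#40001: zone transfer 'example.com/AXFR/IN' denied
Jan  1 14:12:05 ns1 named[5323]: client 75.54.1.20#43210: transfer of 'example.com/IN': AXFR started
Jan  1 14:12:06 ns1 named[5323]: client 203.0.113.9#33333: zone transfer 'example.com/AXFR/IN' denied
"""

DENIED_RE = re.compile(
    r"client (?P<ip>[0-9A-Fa-f.:]+)#(?P<port>\d+): "
    r"zone transfer '(?P<zone>[^/']+)/(?P<xfr>AXFR|IXFR)/(?P<cls>\w+)' denied"
)

def parse_denied(log_text):
    """Return one dict (ip, port, zone, xfr, cls) per denied-transfer line; other lines are ignored."""
    return [m.groupdict() for m in (DENIED_RE.search(l) for l in log_text.splitlines()) if m]

def triage(events, allowed_sources, lb_front_ends):
    """Group denied client IPs by the most likely cause of the denial.

    allowed_sources: IPs in the master's allow-transfer list, i.e. the slaves'
                     backend transfer IPs (what each slave's transfer-source should be).
    lb_front_ends:   the known slaves' LB front-end IPs.
    """
    result = {"wrong_source": Counter(), "allowed_but_denied": Counter(), "unknown": Counter()}
    for ev in events:
        ip = ev["ip"]
        if ip in allowed_sources:
            result["allowed_but_denied"][ip] += 1   # master-side allow-transfer / TSIG problem
        elif ip in lb_front_ends:
            result["wrong_source"][ip] += 1         # slave is not using transfer-source yet
        else:
            result["unknown"][ip] += 1              # not one of our slaves; denial is correct
    return result

if __name__ == "__main__":
    report = triage(parse_denied(SAMPLE_LOG), {"75.54.1.20", "41.54.1.20"}, {"75.54.1.2", "41.54.1.2"})
    for kind, ips in report.items():
        for ip, n in ips.items():
            print(f"{kind:20s} {ip:15s} {n} denied transfer(s)")
```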
- Last Updated: Jan/8/2009
Thanks, dude… I was having the same error on my DNS master server. Your post helped me to solve that problem. :)