BIND Named: Set a Zone Transfer IP Address For Master DNS Server

by on January 8, 2009 · 4 comments· LAST UPDATED January 8, 2009


I have three nameservers, each behind a load balancer (LB) in a different geographic location. Each LB has a front-end public IP address, and two backend IP addresses (one for BIND itself and another for zone transfers) are assigned to the actual BIND 9 server, which runs Red Hat Enterprise Linux 5.2, as follows:

LB1 - -> Master BIND 9.x
LB2 -  -> Slave BIND 9.x
LB3 - -> Slave BIND 9.x

So when a zone transfer is initiated from a slave server, all I get is the following errors on the master BIND 9 server (LB1):

Jan  1 14:11:20 ns1 named[5323]: client 75.54.xx.xx#50968: zone transfer '' denied
Jan  1 14:11:20 ns1 named[5323]: client 75.54.xx.xx#54359: zone transfer '' denied

A connection cannot be established, so the slave tries again with the server's main IP or the LB2 / LB3 IP. This is a problem because my servers are geo-located and load balanced. After some research I came across the documentation, which suggests that other IPs can be used when the transfer-source fails. You need to place the following two directives in the options section of named.conf on each slave server:
transfer-source IPv4-address;
transfer-source-v6 IPv6-address;

The transfer-source and transfer-source-v6 clauses specify the IPv4 and IPv6 source addresses, respectively, to be used for zone transfers with the remote server. You also need to set use-alt-transfer-source to yes so that alternate transfer sources can be used. In short, add the following two directives to the options or server section of your named.conf:

transfer-source 75.54.xx.xx;
use-alt-transfer-source yes;

Here is my sample named.conf file:

options {
        // Slave server
        listen-on-v6 { none; };
        listen-on { xx.yy.zz.yy; };
        directory "/var/named"; // the default
        dump-file               "data/cache_dump.db";
        statistics-file         "data/named_stats.txt";
        memstatistics-file      "data/named_mem_stats.txt";
        dnssec-enable yes;
        recursion no;
        allow-notify { xx.yy.zz.yy; };
        version "NS2 [BIND]";
        // Source address used for outgoing zone transfers
        transfer-source 75.54.xx.xx;
        use-alt-transfer-source yes;
};

logging {
        channel default_debug {
                file "data/";
                severity dynamic;
        };
};

/* KEYS for master server dnssec */
key "TRANSFER" {
        algorithm hmac-md5;
        secret "YOUR-KEY";
};

/* Sign transfer requests to the master with the key above
   (MASTER-IP-ADDRESS is a placeholder for the master's address) */
server MASTER-IP-ADDRESS {
        keys { TRANSFER; };
};

/* Get rndc key */
include "/etc/rndc.key";
/* Get localhost and other rfc stuff */
include "/etc/named.rfc1912.zones";
/* Get root server */
include "/etc/named.root.hints";
/* Get our zones */
include "/etc/named.conf.zones.local";

Finally, check the configuration and, if it is valid, reload named:
# named-checkconf -t /var/named/chroot/ && rndc reload
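As an added example (not from the original post), the shell script below reads the master's named log and tells the two reasons for a "zone transfer denied" apart: a denied address that is one of the slaves' configured transfer-source addresses points at the master's allow-transfer ACL, while any other address means that slave is still sending from its main interface, which is the situation described above. The log lines and IP addresses are constructed samples.

```shell
#!/bin/sh
# Added example (not from the original post): sort the "zone transfer ... denied"
# clients in the master's named log into two buckets. An address that IS a
# slave's configured transfer-source points at the master's allow-transfer ACL;
# any other address means the slave is still sending from its main interface
# (the case in the post). All addresses are constructed RFC 5737 / 3849 examples.

# Constructed extract of the master's /var/log/messages, in the
# "client <addr>#<port>: zone transfer '<zone>' denied" format the post shows.
sample_log() {
    cat <<'EOF'
Jan  1 14:11:20 ns1 named[5323]: client 192.0.2.10#50968: zone transfer 'example.com/IN' denied
Jan  1 14:11:20 ns1 named[5323]: client 192.0.2.10#54359: zone transfer 'example.com/IN' denied
Jan  1 14:12:05 ns1 named[5323]: client 198.51.100.20#41022: zone transfer 'example.net/IN' denied
Jan  1 14:12:06 ns1 named[5323]: client 2001:db8::1#5353: zone transfer 'example.net/IN' denied
Jan  1 14:12:07 ns1 named[5323]: client 192.0.2.10#50111: query (cache) 'www.example.com/A/IN' denied
EOF
}

# Reads syslog lines on stdin; prints "<count> <addr>" per distinct client
# whose zone transfer was denied. Ordinary "query ... denied" lines are ignored.
denied_transfer_clients() {
    sed -n 's/.*: client \([0-9A-Fa-f:.]*\)#[0-9]*: zone transfer .* denied.*/\1/p' |
        sort | uniq -c | awk '{ print $1, $2 }'
}

# $1 = space-separated transfer-source addresses the slaves are configured with.
# Reads syslog lines on stdin; prints "<addr> <count> acl|source" per client:
#   acl    -> a known transfer-source was denied: fix allow-transfer on the master
#   source -> unknown address: that slave is not sending from its transfer-source
classify_denied() {
    allowed=" $1 "
    denied_transfer_clients | while read -r count addr; do
        case "$allowed" in
            *" $addr "*) echo "$addr $count acl" ;;
            *)           echo "$addr $count source" ;;
        esac
    done
}

# Example run against the constructed log with two known transfer-sources.
sample_log | classify_denied "198.51.100.20 2001:db8::1"
```

On a real master, replace sample_log with something like grep 'zone transfer' /var/log/messages and pass the transfer-source addresses from each slave's named.conf.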

1 Daniel Silva January 19, 2009 at 2:17 pm

Thanks, dude… I was having the same error on my DNS Master Server. Your post helped me to solve that problem. :)

2 Marco Belmonte May 23, 2011 at 6:28 am

Nice find – despite having listen-on set explicitly – zone transfers were still being initiated from my non-aliased interface… Thanks for the help!

3 WebHost December 12, 2011 at 8:08 pm

Switching a few of my sites over to Ubuntu servers, and I am having a hell of a time trying to get bind9 working. Just want to set up slave zones on a secondary server, and use my Windows 2003 box as a master, and the transfer never seems to happen.

Even when I add a master zone, and an A record to it, doing a dig doesn't produce results.

What am I missing here?

4 WebHost December 12, 2011 at 8:17 pm

Ok, so not getting the master’s A records was my bad. It was due to the fact that I had restricted the allow query options with a list.
Still not able to transfer info over from the master node the slave node though.
