BIND Named: Set a Zone Transfer IP Address For Master DNS Server


I have three name servers behind load balancers (LB) in three geographic locations. Each LB has a front-end public IP address, and two back-end IP addresses (one for BIND itself and another dedicated to zone transfers) are assigned to the actual BIND 9 server, which runs Red Hat Enterprise Linux 5.2, as follows:


LB1 - -> Master BIND 9.x
LB2 -  -> Slave BIND 9.x
LB3 - -> Slave BIND 9.x

So when a zone transfer is initiated from a slave server, I get the following errors on the master BIND 9 server (LB1):

Jan  1 14:11:20 ns1 named[5323]: client 75.54.xx.xx#50968: zone transfer '' denied
Jan  1 14:11:20 ns1 named[5323]: client 75.54.xx.xx#54359: zone transfer '' denied

The connection is refused, and named then tries again from the server's main IP or the LB2/LB3 IP. This is a problem because my servers are geo-located and load balanced: a "zone transfer denied" entry on the master means the request arrived from an address that the master's allow-transfer ACL (or its TSIG key requirement) does not accept, and unless you pin the source address, named lets the OS routing table choose it, which is normally the main IP rather than the transfer IP. After some research I came across the BIND documentation, which explains how to pin the source address and how the alternate source is used when the transfer-source fails. You need to place the following two directives in the options section of named.conf on each slave server:
transfer-source IPv4-address;
transfer-source-v6 IPv6-address;

The transfer-source and transfer-source-v6 clauses specify the IPv4 and IPv6 source address to be used for zone transfers with the remote server, respectively; the same address is also used for the SOA refresh queries and for forwarded dynamic updates, so it is the one address the master has to permit. Also, set use-alt-transfer-source to yes so that the alternate transfer sources can be used. In short, add the following two directives to the options or server section of your named.conf:

transfer-source 75.54.xx.xx;
use-alt-transfer-source yes;

One caveat on the second line: use-alt-transfer-source yes allows named to retry a failed transfer from alt-transfer-source, which, if you have not set one, is an address chosen by the OS, i.e. usually the main IP again. If the master only permits the transfer address, that retry is denied as well, so in that case set it to no (it already defaults to no when views are configured) and fix the ACL or key on the master instead.
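Before touching the slave, it is worth reading the master's log to see which address the denied request actually came from. The script below is an added example, not from the original post: it extracts the client addresses from "zone transfer denied" lines and tells you whether each one is a secondary using the wrong source (fix transfer-source on that slave), an address the master already permits (then the denial is about the TSIG key or zone name on the master), or an outsider probing for AXFR. The log lines, the addresses (75.54.1.x for our servers, 203.0.113.7 for a stranger) and the two policy lists are all constructed for the example.

```shell
#!/bin/sh
# Added example (not part of the original post): classify the "zone transfer
# denied" entries on the master so you know whether the fix belongs on the
# slave (wrong source address), on the master (ACL or TSIG key), or nowhere
# (someone else probing for AXFR). Everything below is constructed: the log
# lines are modelled on the post's syslog output, and the addresses
# (75.54.1.x for "our" servers, 203.0.113.7 for an outsider) are invented.

# Constructed master-side syslog excerpt. The last line uses the newer
# "client @0x... addr#port (name):" layout that BIND 9.11+ writes.
LOG="Jan  1 14:11:20 ns1 named[5323]: client 75.54.1.2#50968: zone transfer 'example.com/IN' denied
Jan  1 14:11:20 ns1 named[5323]: client 75.54.1.2#54359: zone transfer 'example.com/IN' denied
Jan  1 14:11:25 ns1 named[5323]: client 75.54.1.10#49152: transfer of 'example.com/IN': AXFR started
Jan  1 14:11:25 ns1 named[5323]: client 75.54.1.10#49152: transfer of 'example.com/IN': AXFR ended
Jan  1 14:12:02 ns1 named[5323]: client @0x7f3c2c0f4a30 203.0.113.7#40001 (example.com): zone transfer 'example.com/IN' denied"

# Assumed master-side policy: the addresses listed in allow-transfer { ... },
# and every address our secondaries own (main IP plus transfer IP for each).
ALLOW_TRANSFER="75.54.1.10 75.54.1.20 75.54.1.30"
SECONDARY_ADDRS="75.54.1.2 75.54.1.10 75.54.1.3 75.54.1.20 75.54.1.4 75.54.1.30"

in_list() {  # $1 = item, $2 = space-separated list; 0 if present
    case " $2 " in *" $1 "*) return 0 ;; esac
    return 1
}

# Unique client addresses that were refused a zone transfer. The address is
# the token that carries "#port", which holds in both log layouts.
denied_sources() {
    printf '%s\n' "$LOG" | awk '
        /zone transfer .* denied/ {
            for (i = 1; i <= NF; i++)
                if ($i ~ /#[0-9]+:?$/) { sub(/#.*/, "", $i); print $i; break }
        }' | sort -u
}

# One line per denied address: "<addr> <verdict>: <what to do>".
classify_denials() {
    for ip in $(denied_sources); do
        if in_list "$ip" "$ALLOW_TRANSFER"; then
            printf '%s allowed-by-acl: check the TSIG key and zone name on the master\n' "$ip"
        elif in_list "$ip" "$SECONDARY_ADDRS"; then
            printf '%s wrong-source: pin transfer-source on that secondary\n' "$ip"
        else
            printf '%s foreign: AXFR probe, nothing to change on the secondaries\n' "$ip"
        fi
    done
}

classify_denials
```

Run against a real system, replace LOG with `grep 'zone transfer' /var/log/messages` on the master and fill the two lists from its allow-transfer ACL and your inventory; a steady stream of "foreign" entries is normal on an Internet-facing master and is the ACL doing its job.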

Here is my sample named.conf file:

 // Slave server
options {
        listen-on-v6 { none; };
        listen-on { xx.yy.zz.yy; };
        directory "/var/named"; // the default
        dump-file               "data/cache_dump.db";
        statistics-file         "data/named_stats.txt";
        memstatistics-file      "data/named_mem_stats.txt";
        dnssec-enable yes;
        recursion no;
        // Accept NOTIFY only from the master
        allow-notify { xx.yy.zz.yy; };
        version "NS2 [BIND]";
        // Source outbound AXFR/IXFR and SOA refresh queries from the transfer IP,
        // not from whatever address the routing table would pick
        transfer-source 75.54.xx.xx;
        use-alt-transfer-source yes;
};
logging {
        channel default_debug {
                file "data/";
                severity dynamic;
        };
};
/* TSIG key shared with the master for signed zone transfers (this is TSIG, not DNSSEC).
   hmac-md5 is deprecated; use hmac-sha256 on any current BIND. */
key "TRANSFER" {
        algorithm hmac-md5;
        secret "YOUR-KEY";
};
/* Sign all traffic to the master with the TRANSFER key; replace MASTER-IP-ADDRESS with its address */
server MASTER-IP-ADDRESS {
        keys { TRANSFER; };
};
/*  Get rndc key */
include "/etc/rndc.key";
/*      Get localhost and other rfc stuff */
include "/etc/named.rfc1912.zones";
/*      Get root server */
include "/etc/named.root.hints";
/*      Get our zones */
include "/etc/named.conf.zones.local";

Finally, check the configuration (named-checkconf -t takes the chroot directory) and reload named:
# named-checkconf -t /var/named/chroot && rndc reload

Then watch the slave's log for a line like transfer of 'example.com/IN' from MASTER-IP#53: Transfer completed. If the transfer is still denied, test the source address directly from the slave with dig -b 75.54.xx.xx @MASTER-IP example.com AXFR: if dig gets the same refusal from the pinned address, the problem is the master's allow-transfer ACL or TSIG key, not the slave's source address.
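named-checkconf only proves the file parses; it says nothing about whether transfer-source is set or whether it matches an address this host listens on, which is exactly what the comments below keep running into. The script here is an added example, not from the original post: a small policy check to run on a secondary's named.conf before the reload. The two configs are constructed (192.0.2.10 stands in for the transfer IP), and the checks assume the plain `listen-on { addr; ... };` form without a port clause. Because use-alt-transfer-source yes lets named retry from another interface, the check reports it as a finding, even though the post's own file sets it.

```shell
#!/bin/sh
# Added example (not part of the original post): lint a secondary's named.conf
# for the settings that decide which address outbound zone transfers use.
# BROKEN and FIXED are constructed configs; 192.0.2.10 is a documentation
# address standing in for the dedicated transfer IP.

BROKEN='options {
        listen-on { 192.0.2.10; };
        recursion no;
        use-alt-transfer-source yes;
};'

FIXED='options {
        listen-on { 192.0.2.10; };
        recursion no;
        transfer-source 192.0.2.10;
        use-alt-transfer-source no;
};'

# Value of a single-valued option, e.g. "transfer-source 192.0.2.10;".
# The required whitespace after the name keeps transfer-source from
# matching transfer-source-v6.
opt_value() {  # $1 = config text, $2 = option name
    printf '%s\n' "$1" \
      | sed -n "s/^[[:space:]]*$2[[:space:]]\{1,\}\([^;]*\);.*/\1/p" \
      | sed 's/[[:space:]]*$//' | head -n 1
}

# Addresses inside "listen-on { a; b; };", one per line (no port clause).
listen_addrs() {  # $1 = config text
    printf '%s\n' "$1" \
      | sed -n 's/^[[:space:]]*listen-on[[:space:]]*{\(.*\)}.*/\1/p' \
      | tr ';' '\n' | tr -d ' \t' | sed '/^$/d'
}

# Prints one line per finding and returns the number of findings, so 0 means
# transfer-source is pinned to a listening address and no fallback is allowed.
check_transfer_source() {  # $1 = config text
    cfg=$1; rc=0
    src=$(opt_value "$cfg" transfer-source)
    if [ -z "$src" ]; then
        echo "transfer-source not set: named will let the OS pick the source address (usually the main IP)"
        rc=$((rc + 1))
    elif ! listen_addrs "$cfg" | grep -qx "$src"; then
        echo "transfer-source $src is not in listen-on: check that this host owns it"
        rc=$((rc + 1))
    fi
    case $(opt_value "$cfg" use-alt-transfer-source) in
        yes)
            echo "use-alt-transfer-source yes: a failed transfer may be retried from another interface"
            rc=$((rc + 1)) ;;
    esac
    return $rc
}

check_transfer_source "$BROKEN" || echo "BROKEN: $? finding(s)"
check_transfer_source "$FIXED" && echo "FIXED: ok"
```

On a real server, feed it the file with `check_transfer_source "$(cat /etc/named.conf)"` and run it before `named-checkconf`; a clean result still does not prove the master permits that address, which is what the dig -b test above is for.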

Posted by: Vivek Gite

The author is the creator of nixCraft and a seasoned sysadmin, DevOps engineer, and a trainer for the Linux operating system/Unix shell scripting.


Comments

  1. Nice find – despite having listen-on set explicitly – zone transfers were still being initiated from my non-aliased interface… Thanks for the help!

  2. Switching a few of my sites over to ubuntu servers, and I am having a hell of a time trying to get bind9 working. Just want to setup slave zones on a secondary server, and use my windows 2003 box as a master, and the transfer never seems to happen.

    Even when I add a master zone, and an A record to it, doing a dig doesn’t produce results.

    What am I missing here?

  3. Ok, so not getting the master’s A records was my bad. It was due to the fact that I had restricted the allow-query option with a list.
    Still not able to transfer info over from the master node to the slave node though.

  4. Sadly, this doesn’t work for me. I also tried this:

    …which is actually the opposite of the advice given here!

    Every install that I’ve done has something different about it and has always taken me hours to even days to get working. Right now I’m trying to set up a simple slave using Debian wheezy and jessie/testing. Both are giving me problems. The wheezy install, NO MATTER WHAT I DO, will only initiate transfers on the main IP, not the alias IP, DESPITE having listen-on, et al. set to just one IP. And the logging is a total mystery which is near impossible to grasp. Sometimes you get loads of errors and the thing works, other times there are no errors and nothing seems to work.

    BIND is a royally convoluted POS IMO.
