RE: zone transfer problem (newbie issue) - SOLVED!

Bind Users forum (DNS and Related Forums), posted 05-17-2005 by Dave Stewart

Hi again all! I found the issue (see below)! Many thanks to all who
helped illuminate the path!
Begin forwarded message:

> From: Dave Stewart
> Date: May 17, 2005 12:15:45 PM PDT
> To: bind-users@isc.org
> Subject: RE: zone transfer problem (newbie issue)
>
> First off, thanks for the quick responses. My apologies for the delay
> in my response to them, it's kinda busy around here lately. That said
> ...
>
> Begin forwarded message:
>
>> From: Brad Knowles
>> Date: May 13, 2005 6:25:17 PM PDT
>> To: Dave Stewart
>> Cc: bind-users@isc.org
>> Subject: Re: zone transfer problem (newbie issue)
>>
>> At 4:51 PM -0700 2005-05-13, Dave Stewart wrote:
>>
>>> So at this point, "rusty" can only resolve the zones it's a master
>>> for, yet "diagnostics" can resolve all zones. It appears to me after a
>>> week of splitting my head open on this issue (searching archives,
>>> documentation, O'Reilly's online "DNS and BIND", and any and all
>>> tutorials and help files I can grab:) that "diagnostics" is approving
>>> the request for a zone transfer, but then not sending a response back
>>> to "rusty". To check this suspicion I ran the following on "rusty" to
>>> force a transfer:

>>
>> One thing to check is the firewall settings on both machines, as
>> well as on all the network equipment between them. Most DNS queries
>> happen over UDP, but zone transfers are done over TCP.

>
> Good thought here, I didn't realize that the transfers would happen
> over TCP. But unfortunately for me, this isn't the issue. Everything
> I'm playing with here is behind the firewall.


Oops, my bad. I spoke too quickly; it turns out there was an active
firewall on diagnostics that *WAS* blocking port 53 on me. Once I turned on
access to that port, my slave zones started transferring right away!

Many thanks again to Brad for being the first to point this possibility
out to me and to all others that gave input on my issue.

Since I'm so wet behind the ears on this, if someone notices something
very bad in my configuration files that somehow seems to be working
anyway, please feel free to let me know!

>
> This zone is working fine, mastered on rusty and slaved properly on
> diagnostics:
>
>
>> **********start goleta.aquaflo.com zone file**********
>> ;
>> ; zone file for the goleta.aquaflo.com zone
>> ; (deploy on primary master DNS - rusty)
>> ;
>> ; created on 4/2005 by Dave Stewart
>> ;
>> $TTL 3D                 ; Time To Live = 3 days
>> @   IN  SOA rusty.aquaflo.com. dstewart.aquaflo.com. (
>>         1               ; Serial number
>>         12H             ; Refresh after 12 hours (43200 seconds)
>>         1H              ; Retry after 1 hour (3600 seconds)
>>         2W              ; Expire after 14 days (1209600 seconds)
>>         1D              ; Minimum TTL of 1 day (86400 seconds)
>>         )
>>
>>     IN  NS  rusty.aquaflo.com.
>>
>> localhost   IN  A   127.0.0.1
>>
>> ;
>> ; other dns servers
>> ;
>> diags       IN  A   192.168.12.25
>>
>> ;
>> ; equipment section
>> ;
>> digi        IN  A   192.168.12.100
>> switch      IN  A   192.168.12.221
>>
>> **********end goleta.aquaflo.com zone**********

>
>
> (Note I do have a blank line at the end of these files, that's not a
> problem is it?)
>
> The pertinent parts of rusty's named.conf file:
>
>
>> **********start rusty's named.conf**********
>> # named.conf
>> #
>> # configuration file for primary master DNS server
>> # should be deployed on "rusty"
>> #
>> # responsibilities of this server:
>> # - primary (master) server of "central" (goleta) zone
>> # - secondary (slave) server of all other zones
>> #
>> # created 4/2005 by Dave Stewart
>>
>> # "internal" defines all IP addresses within
>> # Aqua~Flo's internal LAN
>> acl internal { localhost; //obviously ;-)
>> 192.168.11.0/24; //ojai domain
>> 192.168.12.0/24; //goleta domain (central)
>> 192.168.13.0/24; //sc domain
>> 192.168.14.0/24; //sb domain
>> 192.168.15.0/24; //wla domain
>> 192.168.16.0/24; //vta domain
>> 192.168.17.0/24; //tor domain
>> };
>>
>> # "spoof" defines all IP addresses that are simply
>> # blacklisted (untrusted addresses from RFC1918 space)
>> acl spoof { 0.0.0.0/8;
>> 1.0.0.0/8;
>> 2.0.0.0/8;
>> 10.0.0.0/8;
>> 172.16.0.0/12;
>> 192.0.2.0/24;
>> 224.0.0.0/3;
>> };
>>
>> # this is where the options for the BIND server
>> # are configured. Some notes:
>> # 1. only "internal" addresses are allowed to
>> # query this server and
>> # 2. all addresses from RFC1918 space are blacklisted
>> # (they are often used to spoof DNS servers)
>> options {
>> directory "/etc/named";
>> allow-query { internal; };
>> allow-transfer { 192.168.12.25; };
>> # query-source { 192.168.12.25; };
>> # notify-source { 192.168.12.25; };
>> # transfer-source { 192.168.12.25; };
>> blackhole { spoof; };
>> };
>>
>> # mapping to goleta devices
>> zone "goleta.aquaflo.com" {
>> type master;
>> file "named.goleta.hosts";
>> };
>>
>> # reverse mapping for corporate machines (central)
>> zone "12.168.192.in-addr.arpa" {
>> type master;
>> file "named.rev";
>> };
>>
>> # slave mapping for ojai zone
>> zone "ojai.aquaflo.com" {
>> type slave;
>> file "named.ojai.slave.hosts";
>> masters { 192.168.12.25; };
>> };
>>
>> # slave reverse mapping for ojai zone
>> zone "11.168.192.in-addr.arpa" {
>> type slave;
>> file "named.ojai.slave.rev";
>> masters { 192.168.12.25; };
>> };
>>
>> **********end rusty's named.conf**********

>
>
> Diagnostics has no problem slaving goleta.aquaflo.com, but rusty won't
> slave ojai.aquaflo.com. That zone file looks a lot like goleta's
> though, here's what I have for ojai.aquaflo.com on diagnostics:
>
>
>> **********start ojai.aquaflo.com zone**********
>> ;
>> ; zone file for the ojai.aquaflo.com zone
>> ; (deploy on secondary master DNS - diags)
>> ;
>> ; created on 4/2005 by Dave Stewart
>> ;
>> $TTL 3D                 ; Time To Live = 3 days
>> @   IN  SOA diags.aquaflo.com. dstewart.aquaflo.com. (
>>         2               ; Serial number
>>         12H             ; Refresh after 12 hours (43200 seconds)
>>         1H              ; Retry after 1 hour (3600 seconds)
>>         2W              ; Expire after 14 days (1209600 seconds)
>>         1D              ; Minimum TTL of 1 day (86400 seconds)
>>         )
>>     IN  NS  diags.aquaflo.com.
>>
>> localhost   IN  A   127.0.0.1
>> rusty       IN  A   192.168.12.200
>> diags       IN  A   192.168.12.25
>>
>> ;
>> ; equipment section
>> ;
>> digi        IN  A   192.168.11.100
>> switch      IN  A   192.168.11.221
>>
>> **********end ojai.aquaflo.com zone**********

>
>
> And, of course the named.conf file from diagnostics:
>
>
>> **********start diagnostics named.conf**********
>> # named.conf
>> #
>> # configuration file for secondary master DNS server
>> # should be deployed on "diags"
>> #
>> # responsibilities of this server:
>> # - secondary (slave) server of "central" (goleta) zone
>> # - primary (master) server of all other zones
>> #
>> # created 4/2005 by Dave Stewart
>>
>> # "internal" defines all IP addresses within
>> # Aqua~Flo's internal LAN
>> acl internal { localhost; //obviously ;-)
>> 192.168.11.0/24; //ojai domain
>> 192.168.12.0/24; //goleta domain (central)
>> 192.168.13.0/24; //sc domain
>> 192.168.14.0/24; //sb domain
>> 192.168.15.0/24; //wla domain
>> 192.168.16.0/24; //vta domain
>> 192.168.17.0/24; //tor domain
>> };
>>
>> # "aquaflodns" defines all IP addresses that are
>> # allowed to do zone-transfers (all other DNS servers)
>> acl aquaflodns { localhost;
>> 192.168.12.200;
>> 192.168.12.210;
>> };
>>
>> # "spoof" defines all IP addresses that are simply
>> # blacklisted (untrusted addresses from RFC1918 space)
>> acl spoof { 0.0.0.0/8;
>> 1.0.0.0/8;
>> 2.0.0.0/8;
>> 10.0.0.0/8;
>> 172.16.0.0/12;
>> 192.0.2.0/24;
>> 224.0.0.0/3;
>> };
>>
>> # this is where the options for the BIND server
>> # are configured. Some notes:
>> # 1. only "internal" addresses are allowed to
>> # query this server and
>> # 2. all addresses from RFC1918 space are blacklisted
>> # (they are often used to spoof DNS servers)
>> options {
>> directory "/etc/named";
>> allow-query { internal; };
>> allow-transfer { aquaflodns; };
>> transfer-format one-answer;
>> blackhole { spoof; };
>> };
>>
>> zone "goleta.aquaflo.com" {
>> type slave;
>> file "named.slave.goleta.hosts";
>> masters { 192.168.12.200; };
>> };
>>
>> # slave reverse mapping for corporate machines (central)
>> zone "12.168.192.in-addr.arpa" {
>> type slave;
>> file "named.slave.goleta.rev";
>> masters { 192.168.12.200; };
>> };
>>
>> # mapping for ojai zone
>> zone "ojai.aquaflo.com" {
>> type master;
>> file "named.ojai.hosts";
>> };
>>
>> # reverse mapping for ojai zone
>> zone "11.168.192.in-addr.arpa" {
>> type master;
>> file "named.ojai.rev";
>> };
>>
>> **********end diagnostics named.conf**********

>
>
> So, with my guts hanging out for all to see (no worries, it's all
> internal stuff anyway), does anyone see why I'm sick?
>
> Many thanks in advance for any and all suggestions. Keep in mind I'm
> just learning this stuff, if there is an unrelated obvious glaring
> issue with the above configurations please feel free to point it out
> to me!
>
>
> Dave Stewart
> Aqua~Flo Supply (Goleta CA)
> dstewart at aquaflo dot com
>
> Duct tape is like the force;
> it has a light side and a dark side
> and it holds the universe together.
>



Dave Stewart
Aqua~Flo Supply (Goleta CA)
dstewart at aquaflo dot com

There are 10 kinds of people in the world:
Those who understand binary and those who don't.
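
The point Brad raised above (lookups go over UDP, zone transfers over TCP) in working code, as an added example that is not part of the original thread and not BIND's code: it builds an AXFR query, shows the 2-byte length prefix that TCP DNS adds, reads a stream of framed responses until the closing SOA, and includes a live check, axfr_over_tcp(), that could be run from rusty against diagnostics. The bytes returned by constructed_rusty_stream() are made up here to imitate an answer for goleta.aquaflo.com; the hostnames and addresses in it are the ones from the posted zone file. Python 3, standard library only.

```python
"""AXFR over TCP (RFC 1035 s4.2.2, RFC 5936): the same message format as a UDP lookup,
but carried on TCP/53 with a 2-byte length prefix and answered as a stream of messages."""
import io
import socket
import struct

A, NS, SOA, AXFR, IN = 1, 2, 6, 252, 1

def encode_name(name):
    """'goleta.aquaflo.com.' -> b'\\x06goleta\\x07aquaflo\\x03com\\x00'"""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError("bad label %r" % label)
        out += bytes([len(raw)]) + raw
    return out + b"\x00"

def decode_name(buf, off):
    """Decode a possibly compressed name at buf[off]; return (name, offset after the field)."""
    labels, end = [], None
    for _ in range(128):                              # bounds the pointer chase
        length = buf[off]
        if length & 0xC0 == 0xC0:                     # 2-byte compression pointer
            end = off + 2 if end is None else end
            off = ((length & 0x3F) << 8) | buf[off + 1]
            continue
        off += 1
        if length == 0:
            break
        labels.append(buf[off:off + length].decode("ascii"))
        off += length
    else:
        raise ValueError("name too long or pointer loop")
    return ".".join(labels) + ".", (off if end is None else end)

def build_query(zone, qtype=AXFR, msg_id=0x1234):   # header + one question; same bytes on UDP and TCP
    return struct.pack(">HHHHHH", msg_id, 0, 1, 0, 0, 0) + encode_name(zone) + struct.pack(">HH", qtype, IN)

def build_rr(name, rtype, ttl, rdata):
    return encode_name(name) + struct.pack(">HHIH", rtype, IN, ttl, len(rdata)) + rdata

def build_response(msg_id, zone, rrs, rcode=0):
    header = struct.pack(">HHHHHH", msg_id, 0x8400 | rcode, 1, len(rrs), 0, 0)  # QR=1 AA=1
    return header + encode_name(zone) + struct.pack(">HH", AXFR, IN) + b"".join(rrs)

def tcp_frame(msg):
    """On TCP each DNS message is preceded by its length as a big-endian 16-bit word."""
    return struct.pack(">H", len(msg)) + msg

def parse_message(msg):
    """Return (id, rcode, answers); each answer is (owner, type, class, ttl, rdata)."""
    msg_id, flags, qd, an = struct.unpack(">HHHH", msg[:8])
    off = 12
    for _ in range(qd):                               # skip the echoed question
        off = decode_name(msg, off)[1] + 4
    answers = []
    for _ in range(an):
        name, off = decode_name(msg, off)
        rtype, rclass, ttl, rdlen = struct.unpack(">HHIH", msg[off:off + 10])
        answers.append((name, rtype, rclass, ttl, msg[off + 10:off + 10 + rdlen]))
        off += 10 + rdlen
    return msg_id, flags & 0xF, answers

def read_frames(recv):
    """Yield whole DNS messages from a TCP byte stream; recv(n) returns up to n bytes."""
    def read_exact(n):
        buf = b""
        while len(buf) < n:
            chunk = recv(n - len(buf))
            if not chunk:
                raise ConnectionError("peer closed the stream mid-transfer")
            buf += chunk
        return buf
    while True:
        yield read_exact(struct.unpack(">H", read_exact(2))[0])

def collect_axfr(recv, msg_id=0x1234):
    """Gather the transfer: every RR from the opening SOA through the closing SOA."""
    records, soa_seen = [], 0
    for msg in read_frames(recv):
        rid, rcode, answers = parse_message(msg)
        if rid != msg_id or rcode != 0:               # rcode 5 = REFUSED: denied by allow-transfer
            raise ValueError("bad reply: id %#x rcode %d" % (rid, rcode))
        for rr in answers:
            records.append(rr)
            soa_seen += rr[1] == SOA
            if soa_seen == 2:
                return records

def axfr_over_tcp(server, zone, port=53, timeout=5.0):
    """The live check; a filter that drops TCP/53 surfaces here as a connect timeout."""
    with socket.create_connection((server, port), timeout=timeout) as s:
        s.sendall(tcp_frame(build_query(zone)))
        return collect_axfr(s.recv)

def constructed_rusty_stream():
    """Made-up bytes imitating rusty's answer for goleta.aquaflo.com, split over two frames."""
    zone = "goleta.aquaflo.com."
    soa = build_rr(zone, SOA, 259200, encode_name("rusty.aquaflo.com.") + encode_name("dstewart.aquaflo.com.")
                   + struct.pack(">IIIII", 1, 43200, 3600, 1209600, 86400))
    first = [soa, build_rr(zone, NS, 259200, encode_name("rusty.aquaflo.com."))]
    second = [build_rr("diags." + zone, A, 259200, bytes([192, 168, 12, 25])), soa]
    return tcp_frame(build_response(0x1234, zone, first)) + tcp_frame(build_response(0x1234, zone, second))

def demo():                                           # parse the constructed stream offline
    return [(n, t) for n, t, _c, _ttl, _rd in collect_axfr(io.BytesIO(constructed_rusty_stream()).read)]
```

From rusty, axfr_over_tcp("192.168.12.25", "ojai.aquaflo.com.") either returns the records or fails in one of three recognisable ways: a connect timeout when TCP/53 is filtered (the case in this thread), a ValueError for rcode 5 (REFUSED) when allow-transfer on the master does not list the caller, or a ConnectionError when the stream ends before the second SOA. dig @192.168.12.25 ojai.aquaflo.com axfr performs the same check from the command line.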


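How named decides whether a transfer is even permitted, as an added example (my own reimplementation of the BIND 9 address-match-list rules, not BIND's code): entries are tried in order, the first match wins, a leading ! negates, blackhole is consulted before any allow-* list, and a negated match inside a nested acl counts as no match. The acl and option contents are transcribed from the two named.conf files above; the client addresses in transfer_matrix() are the servers' own addresses from those files plus two made-up outsiders. BIND's localhost element is approximated here as the loopback range.

```python
"""BIND 9 address-match-list evaluation, reimplemented: first match wins, '!' negates,
a negated match inside a nested acl is treated as no match, and blackhole is checked
before any allow-* list. Lists below are transcribed from the posted named.conf files."""
import ipaddress

def match(client, entries, acls):
    """True = positive match, False = negated match, None = nothing matched."""
    ip = ipaddress.ip_address(client)
    for entry in entries:
        negated = entry.startswith("!")
        item = entry.lstrip("!").strip()
        if item == "any":
            hit = True
        elif item == "none":
            hit = False
        elif item == "localhost":                          # approximation: loopback only
            hit = ip.is_loopback
        elif item in acls:                                 # nested acl by name
            hit = match(client, acls[item], acls) is True  # negated inner match -> no match
        else:
            hit = ip in ipaddress.ip_network(item, strict=False)
        if hit:
            return not negated
    return None

ACLS = {  # from rusty's and diagnostics' named.conf
    "internal": ["localhost", "192.168.11.0/24", "192.168.12.0/24", "192.168.13.0/24",
                 "192.168.14.0/24", "192.168.15.0/24", "192.168.16.0/24", "192.168.17.0/24"],
    "spoof": ["0.0.0.0/8", "1.0.0.0/8", "2.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12",
              "192.0.2.0/24", "224.0.0.0/3"],
    "aquaflodns": ["localhost", "192.168.12.200", "192.168.12.210"],
}
SERVERS = {
    "rusty":       {"blackhole": ["spoof"], "allow-query": ["internal"], "allow-transfer": ["192.168.12.25"]},
    "diagnostics": {"blackhole": ["spoof"], "allow-query": ["internal"], "allow-transfer": ["aquaflodns"]},
}

def decide(server, client, what):
    """Outcome for `client` hitting `what` (allow-query or allow-transfer) on `server`:
    'dropped' - blackhole matched: named never answers (same symptom as a packet filter)
    'allowed' - the allow-* list matched positively
    'refused' - negated match or no match: named answers with rcode REFUSED"""
    cfg = SERVERS[server]
    if match(client, cfg["blackhole"], ACLS) is True:
        return "dropped"
    return "allowed" if match(client, cfg[what], ACLS) is True else "refused"

def transfer_matrix():
    """Who may pull what, config-wise; the host firewall on TCP/53 is a separate gate."""
    return {
        "rusty (192.168.12.200) pulls ojai from diagnostics": decide("diagnostics", "192.168.12.200", "allow-transfer"),
        "diagnostics (192.168.12.25) pulls goleta from rusty": decide("rusty", "192.168.12.25", "allow-transfer"),
        "192.168.12.210 pulls goleta from rusty": decide("rusty", "192.168.12.210", "allow-transfer"),
        "10.1.2.3 queries rusty": decide("rusty", "10.1.2.3", "allow-query"),
        "192.168.99.5 queries rusty": decide("rusty", "192.168.99.5", "allow-query"),
    }
```

The matrix shows that both configs already permitted the two transfers in this thread, so the missing answer had to come from somewhere other than named, which is where the host firewall on diagnostics turned up. It also separates the two deny paths: a client in the spoof list gets no answer at all (indistinguishable from a dropped packet), while 192.168.99.5, which the posted spoof list does not cover because 192.168.0.0/16 is the LAN, gets an explicit REFUSED.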
