
I've tried to resolve this myself and have looked through Google and Stack but haven't found the answer I'm looking for.

Currently on a VPS server I have BIND DNS installed as a MASTER DNS server. I use Zerigo's DNS service as SLAVE servers for public use: the Master doesn't receive queries; its job is simply to create and modify DNS entries locally, which the SLAVEs use to serve.

Here is an excerpt of the BIND log, I set it to INFO event logging:

14-Apr-2012 23:00:00.234 general: info: received control channel command 'reload'
14-Apr-2012 23:00:00.234 general: info: loading configuration from 'C:\DNS\BIND\etc\named.conf'
14-Apr-2012 23:00:00.234 general: info: using default UDP/IPv4 port range: [1024, 65535]
14-Apr-2012 23:00:00.234 general: info: using default UDP/IPv6 port range: [1024, 65535]
14-Apr-2012 23:00:00.250 general: info: reloading configuration succeeded
14-Apr-2012 23:00:00.250 general: info: reloading zones succeeded
14-Apr-2012 23:16:22.750 xfer-out: info: client 174.36.24.251#47135: transfer of 'ajmakeup.com/IN': AXFR started
14-Apr-2012 23:16:22.750 xfer-out: info: client 174.36.24.251#47135: transfer of 'ajmakeup.com/IN': AXFR ended
14-Apr-2012 23:16:23.015 xfer-out: info: client 68.71.141.22#36212: transfer of 'ajmakeup.com/IN': AXFR started
14-Apr-2012 23:16:23.031 xfer-out: info: client 68.71.141.22#36212: transfer of 'ajmakeup.com/IN': AXFR ended

As you can see, there is no problem with Zerigo's DNS servers requesting new DNS data (when I force a reload, that is); I don't believe, given the way they are set up as SLAVEs, that they poll for changes.

However, the problem is the other way round: the MASTER is not updating the SLAVE servers when reload is run (on the MASTER); it is a batch on a 15 minute timer.

Below is my NAMED.CONF:

key "rndc-key" {
    algorithm hmac-md5;
    secret "REMOVED FOR SECURITY";
};

acl "trusted" {
    174.36.24.251/32;
    68.71.141.22/32;
    localhost;
};

options {
    version "not currently available";
    directory "C:\DNS\BIND\etc";
    allow-query {
        trusted;
    };
};

controls {
    inet 127.0.0.1 port 953
    allow { 127.0.0.1; }
    keys { "rndc-key"; };
};

logging {
    channel simple_log {
        file "C:\DNS\BIND\logging\bind.log" versions 3 size 5m;
        severity info;
        print-time yes;
        print-severity yes;
        print-category yes;
    };
    category default {
        simple_log;
    };
};

zone "ajmakeup.com" in {
    type master;
    file "c:\dns\BIND\zones\db.ajmakeup.com.txt";
    allow-transfer { 174.36.24.251; 68.71.141.22; };
    allow-update { none; };
};

Does my problem have something to do with 'allow-query' under options? You will notice that 'allow-transfer' is set explicitly on each DNS zone.

In case you need it here is my RNDC.CONF:

key "rndc-key" {
    algorithm hmac-md5;
    secret "REMOVED FOR SECURITY";
};

options {
    default-key "rndc-key";
    default-server 127.0.0.1;
    default-port 953;
};

server localhost {
    key "rndc-key";
};

Note:

I am using WebsitePanel as my hosting panel, which is why it creates the zone entries the way it does. Although I know I can change this behaviour, I do not wish to do so, nor do I believe it is the root of the problem.

Thanks for your help.

Anthony

1 Answer

Things to check:

  1. Check notify messages are not turned off (notify must be left as default ("yes") or set to "yes" or "explicit")
  2. If you have a hidden master setup (which it sounds like you might have), named will not send a notify to the master server listed in the zone SOA unless you name it in an also-notify statement or set notify-to-soa.
  3. As suggested above, it might be best just to list the servers you want notified in an also-notify statement so there is no ambiguity.
  4. Make sure that you are updating the serial number in the SOA when you make zone changes. This is a very common mistake. Upon receiving a notify the slave will do an SOA query for the zone to determine whether it needs to AXFR. If it already has the same serial number it will consider retransferring the zone unnecessary. You must increment the serial number if you want slaves to AXFR without having to manually trigger it.
  5. From your log file excerpt it sounds like this does not apply to you because you appear to have things properly permitted to allow the AXFR, but for the benefit of others who may have similar problems, slave servers will usually need to be explicitly permitted to make AXFR requests (with the allow-transfer directive.)
Michael McNally
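Check 4 in the answer above is the one most often missed: after a NOTIFY the slave compares SOA serials and only transfers when the master's serial is newer in serial-number arithmetic (RFC 1982), so an unchanged serial means no AXFR no matter how often rndc reload runs. The following Python is an added example, not code from the question or the answer: it reads the serial out of a zone file laid out like the question's db.ajmakeup.com.txt (the zone text and the serial 2012041401 are constructed here), decides whether a slave holding a given serial would transfer, and computes the next YYYYMMDDnn serial to use.

```python
"""Decide whether a slave will AXFR after a reload, using the same SOA
serial comparison a slave makes (RFC 1982 serial-number arithmetic)."""
import re
from datetime import date

# Constructed sample in the layout of the question's db.ajmakeup.com.txt;
# the serial 2012041401 is an assumed placeholder, not taken from the page.
SAMPLE_ZONE = """\
$TTL 3600
@   IN  SOA ns1.ajmakeup.com. hostmaster.ajmakeup.com. (
            2012041401 ; serial
            3600       ; refresh
            900        ; retry
            604800     ; expire
            86400 )    ; minimum
    IN  NS  ns1.ajmakeup.com.
"""

SERIAL_MODULUS = 1 << 32          # serials are unsigned 32-bit
HALF_RANGE = 1 << 31

# SOA <mname> <rname> [(] <serial> ... ; parentheses are optional in zone files
SOA_RE = re.compile(r"\bSOA\s+\S+\s+\S+\s*\(?\s*(\d+)", re.S)


def soa_serial(zone_text: str) -> int:
    """Return the SOA serial from zone-file text (';' comments stripped first)."""
    stripped = "\n".join(line.split(";", 1)[0] for line in zone_text.splitlines())
    match = SOA_RE.search(stripped)
    if not match:
        raise ValueError("no SOA record found")
    return int(match.group(1))


def serial_gt(a: int, b: int) -> bool:
    """RFC 1982: a is newer than b when (a - b) mod 2^32 lies in (0, 2^31)."""
    diff = (a - b) % SERIAL_MODULUS
    return 0 < diff < HALF_RANGE


def slave_will_transfer(master_serial: int, slave_serial: int) -> bool:
    """True only if the slave sees the master's serial as newer; equal -> no AXFR."""
    return serial_gt(master_serial, slave_serial)


def next_serial(current: int, today: date) -> int:
    """Next YYYYMMDDnn serial: today's date with nn=00 if that is newer than
    the current serial, otherwise current + 1 (same day, or clock behind)."""
    candidate = int(today.strftime("%Y%m%d")) * 100
    return candidate if serial_gt(candidate, current) else current + 1
```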