I've been trying to implement a BIND master->slave setup between two machines, but I have a problem regarding the IP address BIND uses on the master to notify my slave machine.

Here is my setup:

Master: master.site.com -
Slave: slave.site.com -

The master has an authoritative zone for site.com and it's configured to notify all slaves when the zone is changed. The zone is working properly. It replies fine to queries and dig @ -t SOA site.com

So, on the master I have this named.conf.options:

options {
    directory "/var/cache/bind";

    dnssec-validation auto;
    auth-nxdomain no;

    listen-on {; };
    listen-on-v6 { any; };
    allow-query     { any; };
    recursion yes;
    allow-recursion { localhost; };
    allow-notify { localhost; };
    allow-transfer { localhost;; };
    version none;

    notify yes;
    also-notify {; };
};

On the slave:

options {
    directory "/var/cache/bind";

    dnssec-validation auto;
    auth-nxdomain no;

    listen-on {; };
    listen-on-v6 { any; };
    allow-query     { any; };
    recursion yes;
    allow-recursion { localhost; };
    allow-notify { localhost;; };
    allow-transfer { localhost;; };
    version none;
};

To start, notifications don't seem to work; using tcpdump on the slave machine I got these messages:

02:32:50.269377 IP > 64103 notify [b2&3=0x2400] [1a] SOA? site.com. (85)
02:32:50.269662 IP > 64103 notify Refused- 0/0/0 (27)

As you can see, although the master is set to listen on when sending notifications it is sending them using its main IP address, and logically my slave refused the notification...

Why isn't the master sending the notifications over ? Is there any config where I can force that? The machine owns 3 IPs, one for its website, another for email and another for DNS... I need to make it ONLY use for DNS, but apparently listen-on doesn't seem to work with outgoing traffic...

How can I fix this?

You are looking for the notify-source option. From the BIND ARM:
notify-source determines which local source address, and optionally UDP port, will be used to send NOTIFY messages. This address must appear in the slave server's masters zone clause or in an allow-notify clause. This statement sets the notify-source for all zones, but can be overridden on a per-zone or per-view basis by including a notify-source statement within the zone or view block in the configuration file.

As for why BIND behaves this way, it is fairly typical of most applications. The source IP of locally initiated traffic defaults to the primary IP of the interface associated with the route. On a Linux system, you can view the source IP associated with each route by typing ip route show and looking at the values following the src keyword.

Andrew B
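As an added example (not part of Andrew B's answer or the asker's files), here is how the two named.conf files fit together once the source-address options are set: notify-source on the master, transfer-source on the slave (its AXFR/IXFR requests have the same default-source problem in the other direction), and ACLs on each side that name the address the traffic actually arrives from. The addresses 192.0.2.10 (master's primary IP), 192.0.2.53 (master's DNS IP) and 198.51.100.53 (slave's DNS IP) are constructed placeholders.

```conf
// ---- master.site.com: named.conf.options (constructed example) ----
// 192.0.2.10 = master's primary IP, 192.0.2.53 = master's DNS IP,
// 198.51.100.53 = slave's DNS IP. All three are placeholders.
options {
    directory "/var/cache/bind";

    listen-on { 192.0.2.53; };       // inbound only; no effect on source selection
    notify yes;
    also-notify { 198.51.100.53; };

    // Without this, NOTIFY leaves via the route's default src (192.0.2.10)
    // and the slave's allow-notify ACL answers "Refused".
    notify-source 192.0.2.53;
    // Recursive lookups the master performs itself, if recursion stays on:
    query-source address 192.0.2.53;

    // Must match the address the slave's transfer requests come FROM.
    allow-transfer { localhost; 198.51.100.53; };
};

zone "site.com" {
    type master;
    file "/etc/bind/db.site.com";
    // A per-zone notify-source overrides the global one, e.g. for a zone
    // that must be announced from a different address.
    notify-source 192.0.2.53;
};

// ---- slave.site.com: named.conf.options (constructed example) ----
options {
    directory "/var/cache/bind";
    listen-on { 198.51.100.53; };

    // Accept NOTIFY only from the master's notify-source address.
    allow-notify { localhost; 192.0.2.53; };
    // Source address for the slave's own AXFR/IXFR requests to the master.
    transfer-source 198.51.100.53;
};

zone "site.com" {
    type slave;
    file "/var/cache/bind/db.site.com";
    masters { 192.0.2.53; };
};
```

To confirm the diagnosis before changing anything, `ip route get 198.51.100.53` on the master prints the `src` address the kernel picks for that destination. After `rndc reload`, `rndc notify site.com` resends the NOTIFY so the same tcpdump on the slave should now show it arriving from 192.0.2.53 instead of being refused.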
