Problem with slave DNS


DarkBen
3rd January 2006, 19:37
I have an ISPConfig perfect setup on Debian 3.1 and I have a problem with slave DNS. When I create a slave zone on my ISPConfig, I have this error in my syslog file:

Jan 3 18:19:15 jedi named[15319]: transfer of 'domain.org/IN' from 195 ... ... ...#53: failed while receiving responses: REFUSED
Jan 3 18:19:15 jedi named[15319]: transfer of 'domain.org/IN' from 195 ... ... ...#53: end of transfer


My named.conf seems to be good but the zone file isn't created. It seems to be a problem with a chmod on a directory...?

/var/lib/named = 755 root:root

/var/lib/named/etc = 755 root:root

/var/lib/named/etc/bind = 755 bind:bind


On my primary DNS server I have this in my named.conf:

zone "domain.org" {
type master;
file "domain.zone";
allow-transfer {195 ... ... ...; };
};


My primary DNS server is not an ISPConfig server.

Could you help me please?

Thanks for your great work ;)

falko
3rd January 2006, 20:18
On my primary DNS server I have this in my named.conf:

zone "domain.org" {
type master;
file "domain.zone";
allow-transfer {195 ... ... ...; };
};



The IP address in allow-transfer must be the IP address of the secondary DNS server. Also make sure that the firewall doesn't block port 53 (TCP and UDP)!

DarkBen
4th January 2006, 11:13
Thanks for your help Falko, but my firewall is off and the IP address on my primary server is the IP of my ISPConfig server (slave)... If you have another idea I take it ;)

This is in my named.conf on my secondary DNS (ISPConfig):

zone "domain.org" {
type slave;
file "sec.domain.org";
masters { ip of my primary DNS };
};

In fact the file "sec.domain.org" isn't created...

till
4th January 2006, 11:55
Is the domain sec.domain.org created as a master record on the primary DNS server?
Does the firewall on the primary DNS allow zone transfers?
Maybe you have disabled zone transfers on the primary DNS server?

falko
4th January 2006, 12:46
I found this on http://www.isc.org/index.pl?/sw/bind/FAQ.php:

Q:

I get "transfer of 'example.net/IN' from 192.168.4.12#53: failed while receiving responses: permission denied" error messages.
A:

These indicate a filesystem permission error preventing named creating / renaming the temporary file. These will usually also have other associated error messages like

"dumping master file: sl/tmp-XXXX5il3sQ: open: permission denied"

Named needs write permission on the directory containing the file. Named writes the new cache file to a temporary file then renames it to the name specified in named.conf to ensure that the contents are always complete. This is to prevent named loading a partial zone in the event of power failure or similar interrupting the write of the master file.

Note file names are relative to the directory specified in options and any chroot directory ([<chroot dir>/][<options dir>]).

If named is invoked as "named -t /chroot/DNS" with the following named.conf then "/chroot/DNS/var/named/sl" needs to be writable by the user named is running as.

options {
directory "/var/named";
};

zone "example.net" {
type slave;
file "sl/example.net";
masters { 192.168.4.12; };
};

DarkBen
4th January 2006, 13:09
I think it is a permission problem because all my other secondary DNS are OK.
On my ISPConfig I have this when I do a

ps aux | grep named

bind 21799 0.0 0.2 29404 2656 ? Ss 11:42 0:00 /usr/sbin/named -u bind -t /var/lib/named


What are the correct permissions for my directory /var/lib/named?

Where should the sec... files be created?

When I restart my primary DNS I have this in my syslog:

Jan 4 12:06:30 xplora named[711]: client 195... ... ... #48283: zone transfer 'domain.org/IN' denied
Jan 4 12:06:30 xplora named[16155]: received notify for zone 'another_domain.net'
Jan 4 12:06:30 xplora named[16155]: received notify for zone 'another_domain.org'

It seems to be ok for others secondary DNS...

falko
4th January 2006, 17:13
What are the correct permissions for my directory /var/lib/named?
Please post the output of ls -la /var/lib/named


When I restart my primary DNS I have this in my syslog:

Jan 4 12:06:30 xplora named[711]: client 195... ... ... #48283: zone transfer 'domain.org/IN' denied
Jan 4 12:06:30 xplora named[16155]: received notify for zone 'another_domain.net'
Jan 4 12:06:30 xplora named[16155]: received notify for zone 'another_domain.org'

It seems to be ok for others secondary DNS...
Looks like your primary DNS is blocking the transfer which means it isn't a permissions problem on your secondary...
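The distinction Falko draws here (REFUSED and "zone transfer ... denied" point at the master's allow-transfer ACL, "permission denied" at the slave's filesystem) can be made mechanical. The following Python triage script is an added example; it is not code from this thread or from ISPConfig. The log lines it runs over are constructed from the ones posted in this thread and in the ISC FAQ quoted above, with RFC 5737 placeholder addresses in place of the masked ones, and its reading of SERVFAIL (the master is not serving the zone) is general BIND behaviour rather than something the thread states.

```python
import re

# Constructed sample log, modelled on the lines posted in this thread and in the
# ISC FAQ.  Addresses are documentation placeholders (RFC 5737); the originals
# in the thread were masked.
SAMPLE_LOG = """\
Jan 3 18:19:15 jedi named[15319]: transfer of 'domain.org/IN' from 192.0.2.10#53: failed while receiving responses: REFUSED
Jan 3 18:19:15 jedi named[15319]: transfer of 'domain.org/IN' from 192.0.2.10#53: end of transfer
Jan 4 12:06:30 xplora named[711]: client 192.0.2.20#48283: zone transfer 'domain.org/IN' denied
Jan 4 12:06:30 xplora named[16155]: received notify for zone 'another_domain.net'
Jan 5 10:58:25 jedi named[20909]: transfer of 'domain.org/IN' from 192.0.2.10#53: failed while receiving responses: SERVFAIL
Jan 5 11:00:00 jedi named[20909]: transfer of 'example.net/IN' from 192.168.4.12#53: failed while receiving responses: permission denied
Jan 5 11:00:00 jedi named[20909]: dumping master file: sl/tmp-XXXX5il3sQ: open: permission denied
"""

SYSLOG_RE = re.compile(
    r"^[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2} (?P<host>\S+) named\[\d+\]: (?P<msg>.*)$"
)
# Slave side: the transfer was attempted and the master (or the local filesystem) failed it.
SLAVE_FAIL_RE = re.compile(
    r"^transfer of '(?P<zone>[^']+)' from (?P<peer>\S+): failed while receiving responses: (?P<reason>.+)$"
)
# Master side: the master's allow-transfer ACL rejected the slave.
MASTER_DENY_RE = re.compile(r"^client (?P<peer>\S+): zone transfer '(?P<zone>[^']+)' denied$")
# Slave side: named could not create the temporary zone file.
FS_DENY_RE = re.compile(r"^dumping master file: (?P<path>\S+): open: permission denied$")

# What each reason the slave logs tells you, and on which host to look.
SLAVE_REASONS = {
    "REFUSED": ("master", "the master's allow-transfer for this zone does not include the slave's source address"),
    "SERVFAIL": ("master", "the master answered SERVFAIL, so it is not serving the zone (not loaded or not authoritative)"),
    "permission denied": ("slave", "named cannot write the zone file; the directory holding it, inside the chroot, must be writable by the named user"),
}


def triage(log_text):
    """Return one finding per transfer-related error line: which host is at fault and why."""
    findings = []
    for line in log_text.splitlines():
        m = SYSLOG_RE.match(line)
        if not m:
            continue
        host, msg = m.group("host"), m.group("msg")
        f = SLAVE_FAIL_RE.match(msg)
        if f:
            side, cause = SLAVE_REASONS.get(
                f.group("reason"), ("unknown", "unrecognised reason: " + f.group("reason"))
            )
            findings.append({"host": host, "zone": f.group("zone"), "peer": f.group("peer"),
                             "fault_on": side, "cause": cause})
            continue
        f = MASTER_DENY_RE.match(msg)
        if f:
            findings.append({"host": host, "zone": f.group("zone"), "peer": f.group("peer"),
                             "fault_on": "master",
                             "cause": "this host refused AXFR to the peer; add the slave to allow-transfer for the zone"})
            continue
        f = FS_DENY_RE.match(msg)
        if f:
            findings.append({"host": host, "zone": None, "peer": None, "fault_on": "slave",
                             "cause": "cannot create " + f.group("path") + "; fix owner/mode of its directory for the named user"})
    return findings


def zones_by_side(findings):
    """Group the zones with problems by the side (master/slave) that needs fixing."""
    out = {}
    for f in findings:
        if f["zone"] is not None:
            out.setdefault(f["fault_on"], set()).add(f["zone"])
    return out


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f['host']:7} {f['fault_on']:6} {f['zone'] or '-':15} {f['cause']}")
    print(zones_by_side(triage(SAMPLE_LOG)))
```

Run it against `grep named /var/log/syslog` output from both servers: the "fault_on" column tells you which box to log in to before touching any chown or ACL. Informational lines such as "end of transfer" and "received notify" are deliberately ignored.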

DarkBen
4th January 2006, 17:23
OK, thanks Falko

ls -la /var/lib/named

drwxrwxr-x 5 root root 4096 2005-11-25 00:00 .
drwxr-xr-x 23 root root 4096 2005-11-25 14:48 ..
drwxrwxr-x 2 root root 4096 2005-11-24 18:35 dev
drwxrwxr-x 3 root root 4096 2005-11-25 00:00 etc
drwxrwxr-x 4 root root 4096 2005-11-25 00:00 var


I'm searching on my primary DNS but I don't find where the problem is :(

falko
4th January 2006, 21:26
OK, thanks Falko

ls -la /var/lib/named

drwxrwxr-x 5 root root 4096 2005-11-25 00:00 .
drwxr-xr-x 23 root root 4096 2005-11-25 14:48 ..
drwxrwxr-x 2 root root 4096 2005-11-24 18:35 dev
drwxrwxr-x 3 root root 4096 2005-11-25 00:00 etc
drwxrwxr-x 4 root root 4096 2005-11-25 00:00 var



This does look like a permissions problem! Is your Bind running as user named and group named? Then you should do this:
chown -R named:named /var/lib/named otherwise Bind does not have the permission to write to that directory.
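The ISC FAQ quoted earlier says the zone `file` resolves to `[<chroot dir>/][<options dir>/]<file>` and that the directory holding it must be writable by the user named runs as, and Falko's advice above is to chown that tree. The following Python script is an added example, not code from the thread, ISPConfig or ISC: it resolves the path the FAQ describes and evaluates an `ls -l` listing the way the kernel's permission check would for a given user and group. The listing embedded in it is the `ls -la /var/lib/named` output posted in this thread, and the parser assumes GNU ls's two-token ISO date format as shown there.

```python
import posixpath

# Constructed sample: the `ls -la /var/lib/named` listing posted earlier in the
# thread (GNU ls with a two-token ISO date, as shown there).
LS_OUTPUT = """\
drwxrwxr-x 5 root root 4096 2005-11-25 00:00 .
drwxr-xr-x 23 root root 4096 2005-11-25 14:48 ..
drwxrwxr-x 2 root root 4096 2005-11-24 18:35 dev
drwxrwxr-x 3 root root 4096 2005-11-25 00:00 etc
drwxrwxr-x 4 root root 4096 2005-11-25 00:00 var
"""


def zone_file_path(chroot, options_dir, zone_file):
    """Resolve a zone `file` the way the ISC FAQ describes:
    [<chroot dir>/][<options dir>/]<file>, with an absolute `file` taken
    relative to the chroot only.  Returns the path as seen from outside the
    chroot, which is what you inspect with ls."""
    inside = zone_file if posixpath.isabs(zone_file) else posixpath.join(options_dir, zone_file)
    root = chroot or "/"
    return posixpath.normpath(posixpath.join(root, inside.lstrip("/")))


def dir_that_must_be_writable(chroot, options_dir, zone_file):
    """named writes a temp file next to the zone file and renames it, so the
    *directory* is what needs write (and search) permission."""
    return posixpath.dirname(zone_file_path(chroot, options_dir, zone_file))


def can_write_dir(mode, owner, group, user, user_groups):
    """Decide from an ls-style mode string whether `user` (member of
    `user_groups`) can create and rename entries in the directory.
    Creating/renaming needs both w and x on the directory; root bypasses
    the check, as the kernel does."""
    if user == "root":
        return True
    bits = mode[1:10]
    if user == owner:
        rwx = bits[0:3]
    elif group in user_groups:
        rwx = bits[3:6]
    else:
        rwx = bits[6:9]
    return rwx[1] == "w" and rwx[2] in ("x", "s", "t")


def parse_ls_line(line):
    """Split one `ls -l` line with a two-token date into (mode, owner, group, name)."""
    parts = line.split(None, 7)
    if len(parts) < 8 or not parts[0].startswith(("d", "-", "l")):
        return None
    mode, _links, owner, group, _size, _date, _time, name = parts
    return mode, owner, group, name


def audit_listing(ls_output, user, user_groups):
    """Map each directory in the listing to whether `user` could write into it."""
    result = {}
    for line in ls_output.splitlines():
        parsed = parse_ls_line(line)
        if parsed is None or not parsed[0].startswith("d"):
            continue
        mode, owner, group, name = parsed
        result[name] = can_write_dir(mode, owner, group, user, user_groups)
    return result


if __name__ == "__main__":
    # The FAQ's own example: named -t /chroot/DNS, directory "/var/named", file "sl/example.net"
    print(dir_that_must_be_writable("/chroot/DNS", "/var/named", "sl/example.net"))
    # This thread's setup: named -u bind -t /var/lib/named, listing owned by root
    for name, ok in audit_listing(LS_OUTPUT, "bind", {"bind"}).items():
        print(f"{name:>4}: {'writable' if ok else 'NOT writable'} by bind")
```

For the listing posted in the thread every directory comes out "NOT writable" for user `bind`, which is exactly why the temporary zone file could not be created. The check is deliberately narrow: it models only owner/group/other bits, not ACLs, capabilities or the `options { directory }` value of a particular install, so pass in the directory your named.conf actually sets.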

DarkBen
5th January 2006, 11:26
OK Falko, but I haven't any named user on my ISPConfig (perfect setup Sarge 3.1)!!!

When I do a ps aux:

ps aux | grep named

I have this answer:

bind 15714 0.0 0.2 29408 2664 ? Ss 09:45 0:00 /usr/sbin/named -u bind -t /var/lib/named


Perhaps the solution is:

chown -R bind:bind /var/lib/named

What do you think?

till
5th January 2006, 11:52
Yes, your named user is bind. Do the chown to the bind user.

DarkBen
5th January 2006, 12:00
I have this answer now :(

Jan 5 10:58:25 jedi named[20909]: transfer of 'domain.org/IN' from 195 ... ... ...#53: failed while receiving responses: SERVFAIL

DarkBen
5th January 2006, 12:13
A dig on my primary server:

dig @localhost domain.org


; <<>> DiG 9.2.4 <<>> @localhost domain.org
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 24453
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;domain.org. IN A

;; AUTHORITY SECTION:
domain.org. 38400 IN SOA serveur.domain.com. root.domain.org. 2006010402 28800 14400 3600000 86400

;; Query time: 7 msec
;; SERVER: 127.0.0.1#53(localhost)
;; WHEN: Thu Jan 5 11:01:04 2006
;; MSG SIZE rcvd: 93


On my secondary (ISPConfig):

dig @localhost domain.org


; <<>> DiG 9.2.4 <<>> @localhost domain.org
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 51956
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;domain.org. IN A

;; Query time: 1 msec
;; SERVER: 127.0.0.1#53(localhost)
;; WHEN: Thu Jan 5 11:07:51 2006
;; MSG SIZE rcvd: 33


I think there is a problem with permissions but I don't know where :(

falko
5th January 2006, 12:47
Is your primary DNS the authoritative DNS for domain.org?

DarkBen
5th January 2006, 13:05
Yes it is the SOA...

DarkBen
5th January 2006, 13:42
This is OK!

There was a problem with my primary DNS with the allow-transfer and notify options.

Thanks for your help!