HowtoForge Forums | HowtoForge - Linux Howtos and Tutorials

DNS zones not transferred to slave server anymore (http://www.howtoforge.com/forums/showthread.php?t=32145)

grungy 5th March 2009 17:44

DNS zones not transferred to slave server anymore
 
I have a slave DNS server (BIND) which transfers zones from my ISPConfig 3 server. Everything worked great until I updated to the latest SVN; now the transfer of zones is refused:

53: failed while receiving responses: REFUSED


I checked all settings and logs... nothing.

till 5th March 2009 20:48

Nothing has been changed in this part of ISPConfig 3, and I tested the zone transfers today, so something else must have been updated or changed too.

grungy 5th March 2009 21:14

Quote:

Originally Posted by till (Post 173569)
Nothing has been changed in this part of ISPConfig 3, and I tested the zone transfers today, so something else must have been updated or changed too.

Thanks for your quick reply, good to know that it is not an ISPConfig issue.

I have no idea what is causing this: no iptables rules, connectivity is fine, mydns.conf did not change, I googled and googled and found nothing, did a trace to mydns...

Any ideas?

till 5th March 2009 21:23

Is the IP address for the xfer destination correct?

grungy 5th March 2009 21:47

I think I know where the problem is, such a stupid thing... somehow BIND got installed and was running on the same server where MyDNS is running... dammit, this is a mystery.

I stopped the BIND service, restarted mydns and still I have the same problem.

grungy 5th March 2009 22:25

I ran mydns with the verbose option

# mydns -d -v

this is what I get:

Code:

mydns[9564]: 05-Mar-2009 20:23:19+626218 #0 60278 UDP MY_IP IN SOA domain.com. NOERROR - 1 1 2 0 LOG N QUERY ""
mydns[9566]: 05-Mar-2009 20:23:19+630278 #1 15965 TCP MY_IP IN AXFR domain.com. REFUSED AXFR_disabled 0 0 0 0 LOG N QUERY ""

mydns.conf


Quote:

## AUTOMATICALLY GENERATED BY DEBCONF. DO NOT MODIFY DATABASE
## INFORMATION (database, db-*)...
## PLEASE RUN 'dpkg-reconfigure mydns-mysql' INSTEAD.
## CHANGES TO THE FOLLOWING DIRECTIVES ARE NOT PRESERVED, BUT REPLACED,
## ON UPGRADE:
## user, group, pidfile, db-*, database

##
## /etc/mydns.conf
## Thu Aug 2 16:36:26 2007
## For more information, see mydns.conf(5).
##


# DATABASE INFORMATION

db-host = localhost # SQL server hostname
db-user = ispconfig # SQL server username
db-password = 1111111111 # SQL server password
database = dbispconfig # MyDNS database name


# GENERAL OPTIONS

user = nobody # Run with the permissions of this user
group = nogroup # Run with the permissions of this group
listen = * # Listen on these addresses ('*' for all)
no-listen = # Do not listen on these addresses


# CACHE OPTIONS

zone-cache-size = 2048 # Maximum number of elements stored in the zone cache
zone-cache-expire = 60 # Number of seconds after which cached zones expires
reply-cache-size = 2048 # Maximum number of elements stored in the reply cache
reply-cache-expire = 30 # Number of seconds after which cached replies expire


# ESOTERICA

log = LOG_DAEMON # Facility to use for program output (LOG_*/stdout/stderr)
pidfile = /var/run/mydns.pid # Path to PID file
timeout = 120 # Number of seconds after which queries time out
multicpu = 1 # Number of CPUs installed on your system
recursive = # Location of recursive resolver
allow-axfr = yes # Should AXFR be enabled?
allow-tcp = yes # Should TCP be enabled?
allow-update = no # Should DNS UPDATE be enabled?
ignore-minimum = no # Ignore minimum TTL for zone?
soa-table = dns_soa # Name of table containing SOA records
rr-table = dns_rr # Name of table containing RR data
soa-where = server_id = 1 # Extra WHERE clause for SOA queries
rr-where = server_id = 1 # Extra WHERE clause for RR queries
use-soa-active = yes # To fix bug 295 where active or inactive status is ignored.
use-rr-active = yes # To fix bug 295 where active or inactive status is ignored.

From the MyDNS manual:

Quote:

REFUSED
The query was refused due to server policy. This usually happens because
the client attempted to AXFR a zone that they were not allowed to transfer,
or because the client requested a name within a zone for which the server
is not authoritative.
11. If the previous field was anything but NOERROR, this is a human-readable reason why
the query failed, with any space characters in the string converted into underscore (‘_’)
characters. If the previous field was NOERROR, this field contains a dash (‘-’).
12. The number of resource records included in the question section of the reply.
13. The number of resource records included in the answer section of the reply.
14. The number of resource records included in the authority section of the reply.
15. The number of resource records included in the additional section of the reply.
16. The word LOG.
17. The character ‘Y’ if this was a cached reply, ‘N’ if it was not.
18. The opcode for this query – ‘QUERY’ or ‘UPDATE’.
19. If the previous field was ‘UPDATE’, this is a description of the update performed, enclosed
in quotation marks. For example, this field might contain ‘"test-a.example.com.
3600 IN A 0 1.2.3.4"’, indicating that for the zone specified, an A record was created
for test-a.example.com. with the value 1.2.3.4.

grungy 6th March 2009 16:12

Any ideas? I am struggling here...

grungy 6th March 2009 17:12

I recompiled the mydns Debian package with the debug option; this is what I get:


Code:

mydns[5372]: IP_SLAVE_DNS: 000 : task_init(0x80ada80) from tcp.c:62
mydns[5372]: IP_SLAVE_DNS: 000 : enqueued (by task.c:293)
mydns[5372]: IP_SLAVE_DNS: TCP connection accepted
mydns[5372]: IP_SLAVE_DNS: 000 : starting task_process() with NEED_READ status
mydns[5372]: last message repeated 2 times
mydns[5372]: IP_SLAVE_DNS: 2+29 TCP octets in
mydns[5372]: new_task(0x80ada80, 0x807de18, 29)
mydns[5372]: IP_SLAVE_DNS: 000 : id=41391 qr=0 opcode=QUERY aa=0 tc=0 rd=0 ra=0 z=0 rcode=0
mydns[5372]: IP_SLAVE_DNS: 000 : qd=1 an=0 ns=0 ar=0
mydns[5372]: remembering name "domain.com." at offset 12
mydns[5372]: remembering name "com." at offset 20
mydns[5372]: AXFR: process started on pid 5568 for TCP fd 9, task ID 5
mydns[5568]: IP_SLAVE_DNS: AXFR domain.com.: Starting AXFR for task ID 5
mydns[5568]: AXFR: domain.com.: SOA record 10
mydns[5568]: IP_SLAVE_DNS: AXFR domain.com.: Beginning zone transfer
mydns[5568]: IP_SLAVE_DNS: AXFR domain.com.: dnserror(): REFUSED AXFR_disabled from axfr.c:204
mydns[5568]: IP_SLAVE_DNS: AXFR domain.com.: reply:    id = 41391
mydns[5568]: IP_SLAVE_DNS: AXFR domain.com.: reply:    qr = 1 (message is a response)
mydns[5568]: IP_SLAVE_DNS: AXFR domain.com.: reply: opcode = 0 (QUERY)
mydns[5568]: IP_SLAVE_DNS: AXFR domain.com.: reply:    aa = 0 (answer not authoritative)
mydns[5568]: IP_SLAVE_DNS: AXFR domain.com.: reply:    tc = 0 (message not truncated)
mydns[5568]: IP_SLAVE_DNS: AXFR domain.com.: reply:    rd = 0 (no recursion)
mydns[5568]: IP_SLAVE_DNS: AXFR domain.com.: reply:    ra = 0 (recursion unavailable)
mydns[5568]: IP_SLAVE_DNS: AXFR domain.com.: reply:  rcode = 5 (REFUSED)
mydns[5568]: 06-Mar-2009 15:07:17+581455 #5 41391 TCP IP_SLAVE_DNS IN AXFR domain.com. REFUSED AXFR_disabled 0 0 0 0 LOG N QUERY ""
mydns[5372]: child pid 5568 exited successfully
mydns[5372]: IP_SLAVE_DNS: AXFR domain.com.: starting task_process() with NEED_READ status
mydns[5372]: IP_SLAVE_DNS: AXFR domain.com.: dequeued (by task.c:474)
mydns[5372]: IP_SLAVE_DNS: AXFR domain.com.: task_free(0x80ada80) from queue.c:119


This is the function from axfr.c:


Code:

/**************************************************************************************************
        CHECK_XFER
        If the "xfer" column exists in the soa table, it should contain a list of wildcards separated
        by commas.  In order for this zone transfer to continue, one of the wildcards must match
        the client's IP address.
**************************************************************************************************/
static void
check_xfer(TASK *t, MYDNS_SOA *soa)
{
        SQL_RES        *res = NULL;
        SQL_ROW        row;
        char                ip[256];
        char                query[512];
        size_t        querylen;
        int                ok = 0;

        if (!mydns_soa_use_xfer)
                return;

        strncpy(ip, clientaddr(t), sizeof(ip)-1);

        querylen = snprintf(query, sizeof(query), "SELECT xfer FROM %s WHERE id=%u%s",
                mydns_soa_table_name, soa->id, mydns_rr_use_active ? " AND active=1" : "");

        if (!(res = sql_query(sql, query, querylen)))
                ErrSQL(sql, "%s: %s", desctask(t), _("error loading zone transfer access rules"));

        if ((row = sql_getrow(res)))
        {
                char *wild, *r;

#if DEBUG_ENABLED && DEBUG_AXFR
                Debug("%s: checking AXFR access rule '%s'", desctask(t), row[0]);
#endif
                for (r = row[0]; !ok && (wild = strsep(&r, ",")); )
                {
                        if (strchr(wild, '/'))
                        {
                                if (t->family == AF_INET)
                                        ok = in_cidr(wild, t->addr4.sin_addr);
                        }
                        else if (wildcard_match(wild, ip))
                                ok = 1;
                }
        }
        sql_free(res);

        if (!ok)
        {
                dnserror(t, DNS_RCODE_REFUSED, ERR_NO_AXFR);
                axfr_reply(t);
                axfr_error(t, _("access denied"));
        }
}
/*--- check_xfer() ------------------------------------------------------------------------------*/
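As an added example (not MyDNS's own code and not from the thread), the following Python re-implements the rule matching of check_xfer() from the axfr.c excerpt above and parses the 19-field MyDNS query-log format quoted from the manual in the 5th March post, so the two can be checked against each other on a given slave address. Assumptions: the glob semantics of wildcard_match() are approximated with fnmatch, and the names for log fields 1 to 10 are inferred from the sample lines (the manual excerpt on the page only names fields 11 to 19).

```python
import fnmatch
import ipaddress
import re

def xfer_allowed(xfer_rule, client_ip):
    """Mirror check_xfer(): soa.xfer is a comma list of CIDR blocks or globs; one must match."""
    if not xfer_rule:                  # NULL/empty column: ok stays 0 -> REFUSED
        return False
    addr = ipaddress.ip_address(client_ip)
    for wild in xfer_rule.split(","):  # same split as strsep(&r, ",")
        if "/" in wild:                # in_cidr(): only consulted for AF_INET clients
            if addr.version == 4 and addr in ipaddress.ip_network(wild, strict=False):
                return True
        elif fnmatch.fnmatchcase(client_ip, wild):  # assumption: glob ~= wildcard_match()
            return True
    return False

# Query-log layout: fields 11-19 as documented in the manual excerpt; the names
# for fields 1-10 are inferred from the sample log lines (assumption).
FIELDS = ("date", "time", "task", "id", "proto", "client", "class", "qtype",
          "name", "rcode", "reason", "qd", "an", "ns", "ar", "log", "cached",
          "opcode", "update")
PREFIX = re.compile(r"^mydns\[\d+\]:\s+(.*)$")

def parse_query_log(line):
    """Split one 'mydns[pid]: ...' query-log line into a dict, or None if it is not one."""
    m = PREFIX.match(line.strip())
    if not m:
        return None
    parts = m.group(1).split(None, len(FIELDS) - 1)  # keeps the quoted field 19 whole
    if len(parts) != len(FIELDS):
        return None
    rec = dict(zip(FIELDS, parts))
    rec["cached"] = rec["cached"] == "Y"
    return rec

def refused_axfrs(lines):
    """(client, zone, reason) for every AXFR the server turned away: the lines to alert on."""
    hits = []
    for rec in map(parse_query_log, lines):
        if rec and rec["qtype"] == "AXFR" and rec["rcode"] == "REFUSED":
            hits.append((rec["client"], rec["name"], rec["reason"]))
    return hits

# Constructed sample in the format of the thread's log excerpt; 192.0.2.10 stands in for MY_IP.
SAMPLE_LOG = [
    'mydns[9564]: 05-Mar-2009 20:23:19+626218 #0 60278 UDP 192.0.2.10 IN SOA domain.com. NOERROR - 1 1 2 0 LOG N QUERY ""',
    'mydns[9566]: 05-Mar-2009 20:23:19+630278 #1 15965 TCP 192.0.2.10 IN AXFR domain.com. REFUSED AXFR_disabled 0 0 0 0 LOG N QUERY ""',
]
```

Feeding the slave's address and the zone's actual xfer column into xfer_allowed() tells you whether the refusal in refused_axfrs() is the access rule doing its job or a rule that no longer lists the slave.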


Antennipasi 7th March 2009 10:43

Quote:

Originally Posted by grungy (Post 173471)
I have a slave DNS server (BIND) which transfers zones from my ISPCONFIG3 server.

Try to disable incremental transfers from the slave. Modify the slave BIND's configuration to always ask ISPConfig for the full zone:

Code:

server IP_MASTER_DNS {
        provide-ixfr no ;
        request-ixfr no ;
};

This is how I got my BINDs to act as slaves to ISPConfig during the transition to MyDNS replication.

grungy 7th March 2009 11:53

Antennipasi, thanks for your reply, but this didn't help :(

Do you have any other ideas?

