DNS zones not transferred to slave server anymore

Discussion in 'Installation/Configuration' started by grungy, Mar 5, 2009.

  1. grungy

    grungy HowtoForge Supporter

    I have a slave DNS server (BIND) which transfers zones from my ISPConfig 3 server. Everything worked great until I updated to the latest SVN; now the transfer of zones is refused:

    53: failed while receiving responses: REFUSED


    I checked all settings and logs... nothing.
     
  2. till

    till Super Moderator

    Nothing has been changed in this part of ISPConfig 3, and I tested the zone transfers today, so something else must have been updated or changed too.
     
  3. grungy

    grungy HowtoForge Supporter

    Tnx for your quick reply, good to know that it is not an ispconfig issue.

    I have no idea what is causing this: no iptables rules, connectivity is fine, mydns.conf did not change, I googled and googled and found nothing, did a trace to mydns....

    Any ideas?
     
  4. till

    till Super Moderator

    Is the ip address for the xfer destination correct?
     
  5. grungy

    grungy HowtoForge Supporter

    I think I know where the problem is, such a stupid thing... somehow BIND got installed and was running on the same server where mydns is running.... dammit, this is a mystery.

    I stopped the BIND service, restarted mydns and still I have the same problem.
     
  6. grungy

    grungy HowtoForge Supporter

    I ran mydns with the verbose option:

    # mydns -d -v

    This is what I get:

    Code:
    mydns[9564]: 05-Mar-2009 20:23:19+626218 #0 60278 UDP MY_IP IN SOA domain.com. NOERROR - 1 1 2 0 LOG N QUERY ""
    mydns[9566]: 05-Mar-2009 20:23:19+630278 #1 15965 TCP MY_IP IN AXFR domain.com. REFUSED AXFR_disabled 0 0 0 0 LOG N QUERY ""
    
    mydns.conf



    from the mydns manual

     
    Last edited: Mar 5, 2009
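The two log lines above are the one-line query records that `mydns -v` writes, and they are the quickest place to spot a zone transfer being turned down (or, just as important, being handed out to an address that is not the slave). The program below is an added example, not mydns code and not from this thread: it parses those records, classifies the AXFR ones, and runs over a constructed batch of lines. The field layout is inferred from the lines posted here, the client addresses are constructed, and the single expected slave address (192.0.2.10) is an assumption for the example.

```c
/* Added example (not mydns code): parse the one-line query log written by
 * "mydns -v" and flag zone-transfer outcomes, so a refused or unexpected
 * AXFR shows up in monitoring instead of being noticed when a slave goes
 * stale.  Field layout inferred from the lines in this thread; the sample
 * lines and the expected slave address 192.0.2.10 are constructed. */
#include <stdio.h>
#include <string.h>

typedef struct {
    char proto[8];     /* UDP or TCP */
    char client[64];   /* requesting address as logged */
    char qtype[16];    /* SOA, AXFR, ... */
    char zone[256];    /* queried name */
    char rcode[16];    /* NOERROR, REFUSED, ... */
    char reason[32];   /* e.g. AXFR_disabled, or "-" when there is none */
} mydns_query;

/* parse_query_line(): split "mydns[pid]: date time #task id proto client class
 * qtype name rcode reason ...".  Returns 1 on success, 0 if the line is not a
 * query record (e.g. "child pid ... exited successfully"). */
int parse_query_line(const char *line, mydns_query *q)
{
    char tag[32], date[32], clock[32], task[32], qid[32], qclass[16];
    int n = sscanf(line, "%31s %31s %31s %31s %31s %7s %63s %15s %15s %255s %15s %31s",
                   tag, date, clock, task, qid, q->proto, q->client, qclass,
                   q->qtype, q->zone, q->rcode, q->reason);
    return n == 12 && strncmp(tag, "mydns[", 6) == 0 && task[0] == '#';
}

enum axfr_verdict { NOT_AXFR = 0, AXFR_REFUSED, AXFR_SERVED_TO_SLAVE, AXFR_SERVED_TO_STRANGER };

/* axfr_verdict(): classify one record against the one address that should be pulling zones. */
enum axfr_verdict axfr_verdict(const mydns_query *q, const char *expected_slave)
{
    if (strcmp(q->qtype, "AXFR") != 0)
        return NOT_AXFR;
    if (strcmp(q->rcode, "NOERROR") != 0)
        return AXFR_REFUSED;
    return strcmp(q->client, expected_slave) == 0 ? AXFR_SERVED_TO_SLAVE : AXFR_SERVED_TO_STRANGER;
}

/* scan_log(): count each verdict over a batch of lines into counts[4]; returns records parsed. */
int scan_log(const char *const *lines, int nlines, const char *expected_slave, int counts[4])
{
    int parsed = 0;
    memset(counts, 0, 4 * sizeof counts[0]);
    for (int i = 0; i < nlines; i++) {
        mydns_query q;
        if (!parse_query_line(lines[i], &q))
            continue;
        parsed++;
        counts[axfr_verdict(&q, expected_slave)]++;
    }
    return parsed;
}

/* Constructed sample: the shape of the two lines in the thread, plus a served
 * AXFR to the slave, a served AXFR to some other address, and a non-query line. */
static const char *const sample_lines[] = {
    "mydns[9564]: 05-Mar-2009 20:23:19+626218 #0 60278 UDP 192.0.2.10 IN SOA domain.com. NOERROR - 1 1 2 0 LOG N QUERY \"\"",
    "mydns[9566]: 05-Mar-2009 20:23:19+630278 #1 15965 TCP 192.0.2.10 IN AXFR domain.com. REFUSED AXFR_disabled 0 0 0 0 LOG N QUERY \"\"",
    "mydns[9570]: 06-Mar-2009 15:07:17+581455 #5 41391 TCP 192.0.2.10 IN AXFR domain.com. NOERROR - 1 12 0 0 LOG N QUERY \"\"",
    "mydns[9571]: 06-Mar-2009 15:08:02+001122 #6 41392 TCP 198.51.100.7 IN AXFR domain.com. NOERROR - 1 12 0 0 LOG N QUERY \"\"",
    "mydns[9572]: child pid 5568 exited successfully",
};
#define SAMPLE_COUNT (int)(sizeof sample_lines / sizeof sample_lines[0])

/* verdict_for_sample(): verdict of sample line i, or -1 if it is not a query record. */
int verdict_for_sample(int i)
{
    mydns_query q;
    if (i < 0 || i >= SAMPLE_COUNT || !parse_query_line(sample_lines[i], &q))
        return -1;
    return (int)axfr_verdict(&q, "192.0.2.10");
}

int main(void)
{
    int counts[4];
    int parsed = scan_log(sample_lines, SAMPLE_COUNT, "192.0.2.10", counts);
    printf("parsed %d records: %d refused AXFR, %d served to slave, %d served to unexpected client\n",
           parsed, counts[AXFR_REFUSED], counts[AXFR_SERVED_TO_SLAVE], counts[AXFR_SERVED_TO_STRANGER]);
    return counts[AXFR_SERVED_TO_STRANGER] ? 1 : 0;
}
```

The REFUSED record from the thread lands in the AXFR_REFUSED bucket; a transfer served to anything other than the configured slave is the case worth alerting on, which is why main() returns non-zero for it.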
  7. grungy

    grungy HowtoForge Supporter

    any ideas? I am struggling here....
     
  8. grungy

    grungy HowtoForge Supporter

    I recompiled the mydns Debian package with the debug option; this is what I get:


    Code:
    mydns[5372]: IP_SLAVE_DNS: 000 : task_init(0x80ada80) from tcp.c:62
    mydns[5372]: IP_SLAVE_DNS: 000 : enqueued (by task.c:293)
    mydns[5372]: IP_SLAVE_DNS: TCP connection accepted
    mydns[5372]: IP_SLAVE_DNS: 000 : starting task_process() with NEED_READ status
    mydns[5372]: last message repeated 2 times
    mydns[5372]: IP_SLAVE_DNS: 2+29 TCP octets in
    mydns[5372]: new_task(0x80ada80, 0x807de18, 29)
    mydns[5372]: IP_SLAVE_DNS: 000 : id=41391 qr=0 opcode=QUERY aa=0 tc=0 rd=0 ra=0 z=0 rcode=0
    mydns[5372]: IP_SLAVE_DNS: 000 : qd=1 an=0 ns=0 ar=0
    mydns[5372]: remembering name "domain.com." at offset 12
    mydns[5372]: remembering name "com." at offset 20
    mydns[5372]: AXFR: process started on pid 5568 for TCP fd 9, task ID 5
    mydns[5568]: IP_SLAVE_DNS: AXFR domain.com.: Starting AXFR for task ID 5
    mydns[5568]: AXFR: domain.com.: SOA record 10
    mydns[5568]: IP_SLAVE_DNS: AXFR domain.com.: Beginning zone transfer
    mydns[5568]: IP_SLAVE_DNS: AXFR domain.com.: dnserror(): REFUSED AXFR_disabled from axfr.c:204
    mydns[5568]: IP_SLAVE_DNS: AXFR domain.com.: reply:     id = 41391
    mydns[5568]: IP_SLAVE_DNS: AXFR domain.com.: reply:     qr = 1 (message is a response)
    mydns[5568]: IP_SLAVE_DNS: AXFR domain.com.: reply: opcode = 0 (QUERY)
    mydns[5568]: IP_SLAVE_DNS: AXFR domain.com.: reply:     aa = 0 (answer not authoritative)
    mydns[5568]: IP_SLAVE_DNS: AXFR domain.com.: reply:     tc = 0 (message not truncated)
    mydns[5568]: IP_SLAVE_DNS: AXFR domain.com.: reply:     rd = 0 (no recursion)
    mydns[5568]: IP_SLAVE_DNS: AXFR domain.com.: reply:     ra = 0 (recursion unavailable)
    mydns[5568]: IP_SLAVE_DNS: AXFR domain.com.: reply:  rcode = 5 (REFUSED)
    mydns[5568]: 06-Mar-2009 15:07:17+581455 #5 41391 TCP IP_SLAVE_DNS IN AXFR domain.com. REFUSED AXFR_disabled 0 0 0 0 LOG N QUERY ""
    mydns[5372]: child pid 5568 exited successfully
    mydns[5372]: IP_SLAVE_DNS: AXFR domain.com.: starting task_process() with NEED_READ status
    mydns[5372]: IP_SLAVE_DNS: AXFR domain.com.: dequeued (by task.c:474)
    mydns[5372]: IP_SLAVE_DNS: AXFR domain.com.: task_free(0x80ada80) from queue.c:119
    

    This is the function from axfr.c:


    Code:
    /**************************************************************************************************
    	CHECK_XFER
    	If the "xfer" column exists in the soa table, it should contain a list of wildcards separated
    	by commas.  In order for this zone transfer to continue, one of the wildcards must match
    	the client's IP address.
    **************************************************************************************************/
    static void
    check_xfer(TASK *t, MYDNS_SOA *soa)
    {
    	SQL_RES	*res = NULL;
    	SQL_ROW	row;
    	char		ip[256];
    	char		query[512];
    	size_t	querylen;
    	int		ok = 0;
    
    	if (!mydns_soa_use_xfer)
    		return;
    
    	strncpy(ip, clientaddr(t), sizeof(ip)-1);
    
    	querylen = snprintf(query, sizeof(query), "SELECT xfer FROM %s WHERE id=%u%s",
    		mydns_soa_table_name, soa->id, mydns_rr_use_active ? " AND active=1" : "");
    
    	if (!(res = sql_query(sql, query, querylen)))
    		ErrSQL(sql, "%s: %s", desctask(t), _("error loading zone transfer access rules"));
    
    	if ((row = sql_getrow(res)))
    	{
    		char *wild, *r;
    
    #if DEBUG_ENABLED && DEBUG_AXFR
    		Debug("%s: checking AXFR access rule '%s'", desctask(t), row[0]);
    #endif
    		for (r = row[0]; !ok && (wild = strsep(&r, ",")); )
    		{
    			if (strchr(wild, '/'))
    			{
    				if (t->family == AF_INET)
    					ok = in_cidr(wild, t->addr4.sin_addr);
    			}
    			else if (wildcard_match(wild, ip))
    				ok = 1;
    		}
    	}
    	sql_free(res);
    
    	if (!ok)
    	{
    		dnserror(t, DNS_RCODE_REFUSED, ERR_NO_AXFR);
    		axfr_reply(t);
    		axfr_error(t, _("access denied"));
    	}
    }
    /*--- check_xfer() ------------------------------------------------------------------------------*/
     
    Last edited: Mar 7, 2009
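The check_xfer() function posted above decides the transfer from the contents of the xfer column: a comma-separated list where an entry containing "/" is tested as a CIDR block and any other entry as a wildcard against the client's address text, and with no matching entry the request gets REFUSED. Below is an added example, not mydns source and not from this thread, that reproduces that decision as a stand-alone program without the SQL lookup, so the rule syntax can be tried against sample client addresses. parse_ipv4(), in_cidr() and wildcard_match() are simplified stand-ins written for this example, not the mydns helpers, and the rule list in main() is constructed.

```c
/* Added example (not mydns source): stand-alone re-implementation of the
 * access decision made by check_xfer() in axfr.c, minus the SQL lookup.
 * The "xfer" column holds comma-separated entries; an entry containing '/'
 * is an IPv4 CIDR block, anything else is a wildcard pattern matched against
 * the client's address text.  One matching entry allows the transfer; no
 * entry, an empty list or an unparsable client refuses it (deny by default).
 * parse_ipv4(), in_cidr() and wildcard_match() are simplified stand-ins for
 * the mydns helpers of the same purpose, written for this example. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* parse_ipv4(): dotted quad of length len -> host-order 32-bit value. */
static int parse_ipv4(const char *s, size_t len, uint32_t *out)
{
    unsigned a, b, c, d;
    char buf[32], tail;

    if (len == 0 || len >= sizeof buf)
        return 0;
    memcpy(buf, s, len);
    buf[len] = '\0';
    if (sscanf(buf, "%u.%u.%u.%u%c", &a, &b, &c, &d, &tail) != 4)
        return 0;                       /* wrong shape or trailing junk */
    if (a > 255 || b > 255 || c > 255 || d > 255)
        return 0;
    *out = (a << 24) | (b << 16) | (c << 8) | d;
    return 1;
}

/* in_cidr(): is client inside "a.b.c.d/bits"?  A malformed rule never grants. */
static int in_cidr(const char *rule, uint32_t client)
{
    const char *slash = strchr(rule, '/');
    uint32_t net, mask;
    int bits;

    if (!slash || !parse_ipv4(rule, (size_t)(slash - rule), &net))
        return 0;
    if (sscanf(slash + 1, "%d", &bits) != 1 || bits < 0 || bits > 32)
        return 0;
    mask = bits == 0 ? 0u : 0xFFFFFFFFu << (32 - bits);
    return (client & mask) == (net & mask);
}

/* wildcard_match(): '*' matches any run of characters, '?' exactly one;
 * a pattern with no metacharacters is a plain equality test. */
static int wildcard_match(const char *pat, const char *str)
{
    if (*pat == '\0')
        return *str == '\0';
    if (*pat == '*') {
        for (;; str++) {
            if (wildcard_match(pat + 1, str))
                return 1;
            if (*str == '\0')
                return 0;
        }
    }
    if (*str == '\0')
        return 0;
    return (*pat == '?' || *pat == *str) && wildcard_match(pat + 1, str + 1);
}

/* xfer_allowed(): the decision check_xfer() reaches: 1 = transfer may proceed, 0 = REFUSED. */
int xfer_allowed(const char *rules, const char *client_ip)
{
    uint32_t client;
    const char *p = rules;

    if (!rules || !client_ip || !parse_ipv4(client_ip, strlen(client_ip), &client))
        return 0;                       /* no rule row or odd client: refuse */
    while (*p) {
        const char *end = strchr(p, ',');
        size_t len = end ? (size_t)(end - p) : strlen(p);
        char entry[64];

        /* tolerate blanks around entries so "a, b" behaves like "a,b" */
        while (len && *p == ' ')
            p++, len--;
        while (len && p[len - 1] == ' ')
            len--;
        if (len && len < sizeof entry) {
            memcpy(entry, p, len);
            entry[len] = '\0';
            if (strchr(entry, '/') ? in_cidr(entry, client) : wildcard_match(entry, client_ip))
                return 1;
        }
        if (!end)
            break;
        p = end + 1;
    }
    return 0;
}

int main(void)
{
    /* constructed rule list, not taken from any real dns_soa row */
    const char *rules = "10.0.0.0/8, 192.168.1.*";
    const char *clients[] = { "10.20.30.40", "192.168.1.7", "192.168.2.7", "203.0.113.9" };

    for (size_t i = 0; i < sizeof clients / sizeof clients[0]; i++)
        printf("%-14s -> %s\n", clients[i], xfer_allowed(rules, clients[i]) ? "allowed" : "REFUSED");
    return 0;
}
```

Note that a plain address in the list ("10.1.1.1") is just a wildcard with no metacharacters, so it only ever matches itself, while a wildcard such as "192.168.1.*" matches on the address text and nothing stops it from matching "192.168.1.*" style prefixes only by accident of formatting; the CIDR form is the precise one. Either way the list is an allow-list: an empty xfer column refuses every transfer, which is exactly the REFUSED / access denied path in the posted function.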
  9. Antennipasi

    Antennipasi ISPConfig Developer

    Try to disable incremental transfers from the slave. Modify the slave BIND's configuration to always ask ISPConfig for the full zone:

    Code:
    server IP_MASTER_DNS {
            provide-ixfr no ;
            request-ixfr no ;
    };
    This is how I got my BINDs to act as slaves to ISPConfig during the transition to mydns replication.
     
  10. grungy

    grungy HowtoForge Supporter

    Antennipasi, tnx for your reply but this didn't help :(

    Do you have any other ideas?
     
  11. grungy

    grungy HowtoForge Supporter

    Last edited: Mar 7, 2009
  12. Antennipasi

    Antennipasi ISPConfig Developer

    Duh, let's try to narrow this down:

    In ISPConfig, test that mydns actually works:

    Code:
    dig @localhost domain.in.isconfig.tld
    You should get "status: NOERROR" in the header.

    On the slave:

    Code:
    dig @isconfig.master.tld domain.in.isconfig.tld
    You now probably see "status: REFUSED".

    Also check the ISPConfig mydns database: dns_soa/xfer should include the slave IP, and dns_soa/active = Y.

    I am running mydns-ng, and if you are not, I suggest you switch to it. It works fine with ISPConfig, no modifications needed.
     
  13. grungy

    grungy HowtoForge Supporter

    First of all I will build a mydns-ng .deb package for Debian etch, install it, and see if that will fix the problem.
     
  14. grungy

    grungy HowtoForge Supporter

    Antennipasi tnx for your help.

    I fixed this problem by installing mydns-ng and I wrote a short tutorial on how to build the mydns-ng package for Debian etch:



    http://www.hadzimahmutovic.com/node/2
     
    Last edited: Mar 7, 2009
  15. falcontx

    falcontx New Member

    I had this same problem and figured it out without switching to mydns-ng. I had considered switching to mydns-ng until I found out that it's still in development and there has yet to be a "stable" release. In its current state, mydns-ng is not suitable for use on our production servers.

    In post #8, you posted the check_xfer function from axfr.c. That function contains the following query:
    Code:
    	querylen = snprintf(query, sizeof(query), "SELECT xfer FROM %s WHERE id=%u%s",
    		mydns_soa_table_name, soa->id, mydns_rr_use_active ? " AND active=1" : "");
    
    The problem is that the query is looking for "active=1" in the dns_soa table. However, in ISPConfig 3.0.1.1 (and probably the SVN, as well), the "active" field in the dns_soa table is type "enum('N', 'Y')", so that query will always fail.

    If you wish to keep mydns, there are two solutions. Either:

    1) Change that query in axfr.c to check for "active='Y'" instead of "active=1" and recompile mydns.

    2) Alter the "active" field in the dns_soa table to type "int" or "tinyint" and change lines 178-179 of "/usr/local/ispconfig/interface/web/dns/form/dns_soa.tform.php" to the following:
    Code:
                            'default'       => '1',
                            'value'         => array(0, 1)
    and change lines 92-94 of "/usr/local/ispconfig/interface/lib/classes/listform_actions.inc.php" to the following:
    Code:
                                    if(strtolower($rec[$key]) == '1' or strtolower($rec[$key]) == '0') {
                                            // Set a additional image variable for boolean fields
                                            $rec['_'.$key.'_'] = (strtolower($rec[$key]) == '1')?'x16/tick_circle.png':'x16/cross_circle.png';                          
    
     
    Last edited: May 15, 2009
  16. till

    till Super Moderator

    Hi,

    this looks like a bug in mydns and not ispconfig. You can verify this with the command:

    mydns --create-tables

    then it outputs the database tables that mydns expects, and the column definition for active is:

    active ENUM('Y', 'N') NOT NULL DEFAULT 'Y',

    So the value can either be Y or N but not 1 or 0.
     
  17. falcontx

    falcontx New Member

    Good call. I didn't notice that. So I guess fixing mydns and recompiling or switching to mydns-ng are the two best options.
     
  18. rukus77

    rukus77 New Member

    thanks for the info on this mydns bug guys!

    And thank you for the fix falcontx! It worked like a charm!

    Mike
     
  19. sonicscott

    sonicscott New Member

    Secondary BIND9 DNS. . .

    I did all of the above, but my secondary is still being refused by MyDNS.

    Not sure where to start to figure this one out. Any assistance would be greatly welcome!
     
  20. till

    till Super Moderator

    @sonicscott: Which mydns version do you have installed?
     
