Thanks for your reply, comments inline:

> Peter Andreev wrote (on Thu, Jul 01, 2010 at 10:45:44AM +0400):
> 2010/7/1 Y z
>
>> (bind version 9.7.0-P1)
>>
>> A DNS slave server has two IPs: an internal RFC1918 number to talk to
>> the internal net, and an external one to talk to the rest of the world.
>>
>> If I *don't* put the external IP in a master:
>>
>> zone "example.com" {
>>         type slave;
>>         file "example";
>>         masters port 1053 { 172.16.0.30; } ;

This is the internal IP of the (true) master.

>> };
>
>> I get errors:
>>
>> Jun 30 14:03:54 hostname named[1865]: zone example.com/IN: refused notify
>> from non-master: external.ip#59808
>>
> This error appears because your master sends notify from external.ip, which
> isn't listed in the "masters {};" statement.

No. Sorry if I was confusing. external.ip belongs to the slave server; i.e.,
the slave server appears to want to talk to itself.

>> Whereas, if I *do* put the IP in as a master, I get:
>>
>> Jun 30 14:02:08 hostname named[1792]: transfer of 'example.com/IN' from
>> external.ip#1053 failed to connect: connection refused
>>
> And this error appears because your master isn't configured to allow
> connections to external.ip#1053.

The slave (external.ip) doesn't, it is true. But the true master does; I
just checked. Again, I'm theorizing that (somewhere) NAT is confusing the
box into wanting to talk to itself.

> It will be very helpful in resolving your problem if you provide the
> "options{};" part of your named.conf file.

ok:

options {
        pid-file "/var/run/bind/run/named.pid";
        directory "/var/named";
        allow-recursion { 127.0.0.1; internal.net; external.ip.subnet; };
        allow-transfer { external.slave.ip; internal.ip; external.ip; };
        /* both internal.ip and external.ip are assigned to this host;
           external.slave.ip is a host on another network */

        /*
         * If there is a firewall between you and nameservers you want
         * to talk to, you might need to uncomment the query-source
         * directive below.  Previous versions of BIND always asked
         * questions using port 53, but BIND 8.1 uses an unprivileged
         * port by default.
         */
        // query-source address * port 53;
};

>> (the reason I'm using port 1053 is because the real master is running
>> on two different instances, one on port 53, and one on port 1053).
>>
>> Despite the errors, the zones still seem to function. So, what do I do
>> to make the errors go away?
>>
>> Thanks!
_______________________________________________
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
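For a multi-homed slave like the one described in this thread, BIND's `allow-notify` option accepts a NOTIFY from an address that is not in `masters` without making the slave try to transfer the zone from that address, and `transfer-source` / `notify-source` pin the slave's own outbound traffic to one interface. The following named.conf fragment is an added example; it is not the poster's configuration and not a reply from the list. The addresses 172.16.0.40 (slave, internal), 203.0.113.10 (slave, external) and 198.51.100.5 (a downstream secondary) are constructed placeholders, and the `allow-notify` line assumes the NAT theory from the message holds, i.e. that the master's NOTIFY really does arrive with the slave's external address as its source.

```conf
// Added example, not the poster's named.conf. Constructed addresses:
//   172.16.0.30   the true master (internal, port 1053, as in the thread)
//   172.16.0.40   this slave's internal address
//   203.0.113.10  this slave's external address
//   198.51.100.5  a downstream secondary on another network
options {
        directory "/var/named";

        // Send zone-transfer requests and outbound notifies from the internal
        // address only, so the master sees one consistent peer. The master's
        // own allow-transfer must list 172.16.0.40 for this to work.
        transfer-source 172.16.0.40;
        notify-source   172.16.0.40;

        // Only hosts that actually pull zones from this slave belong here.
        // Listing this host's own addresses (as in the thread) grants nothing
        // useful and widens who may request AXFR.
        allow-transfer { 198.51.100.5; };

        // Keep recursion to loopback and the internal net; do not open it to
        // the external subnet.
        allow-recursion { 127.0.0.1; 172.16.0.0/24; };
};

zone "example.com" {
        type slave;
        file "example";
        masters port 1053 { 172.16.0.30; };

        // If NAT rewrites the master's NOTIFY so that it appears to come from
        // this host's external address, accept it here rather than adding
        // that address to masters. A NOTIFY accepted via allow-notify still
        // triggers a refresh from the masters list, so the slave never
        // attempts a transfer from itself (the "failed to connect" case).
        allow-notify { 203.0.113.10; };
};
```

After reloading, `rndc retransfer example.com` forces a transfer through the configured `transfer-source`, and the log should show the SOA check and AXFR going to 172.16.0.30#1053 rather than to the slave's own external address; if the "refused notify from non-master" message persists, the NOTIFY source is not the address assumed above and the NAT rule itself is the thing to inspect.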