Barry and others: Thanks for the help! It's my bad that the slave zone's subnet range was missing from allow-query. I also added the slave IP explicitly to the allow-transfer option. Now it's seems to be working.
Another issue that I haven't quite figured out is the errors in the syslog. I have no idea where these are coming from: Feb 22 15:27:33 dli-centos7 named[2170]: error (network unreachable) resolving 'node2/A/IN': 2001:503:c27::2:30#53 Feb 22 15:27:33 dli-centos7 named[2170]: error (network unreachable) resolving 'node2/A/IN': 2001:7fd::1#53 Feb 22 15:27:33 dli-centos7 named[2170]: error (network unreachable) resolving './NS/IN': 2001:500:1::803f:235#53 Feb 22 15:27:33 dli-centos7 named[2170]: error (network unreachable) resolving './NS/IN': 2001:503:c27::2:30#53 Feb 22 15:27:33 dli-centos7 named[2170]: error (network unreachable) resolving './NS/IN': 2001:7fd::1#53 Feb 22 15:27:38 dli-centos7 named[2170]: error (network unreachable) resolving 'node2/A/IN': 2001:dc3::35#53 Feb 22 15:27:38 dli-centos7 named[2170]: error (network unreachable) resolving 'node2/A/IN': 2001:7fe::53#53 Feb 22 15:27:38 dli-centos7 named[2170]: error (network unreachable) resolving './NS/IN': 2001:dc3::35#53 Feb 22 15:27:38 dli-centos7 named[2170]: error (network unreachable) resolving './NS/ I don't have a zone file that have these records defined. Any idea? David > ------------------------------ > > Message: 3 > Date: Fri, 19 Feb 2016 21:25:43 -0500 > From: Barry Margolin <[email protected]> > To: [email protected] > Subject: Re: A Zone Transfer Question > Message-ID: <[email protected]> > > In article <[email protected]>, > David Li <[email protected]> wrote: > >> Hi John, >> >> Well, I was wrong about the log. I did find some info about why zone >> transfer failed. On one server running zone rack1.com, I see: >> >> Feb 19 16:04:27 dli-centos7 named[13882]: client 10.4.3.101#20745 >> (rack1.com): query 'rack1.com/SOA/IN' denied >> Feb 19 16:04:27 dli-centos7 named[13882]: client 10.4.3.101#52612 >> (rack1.com): transfer of 'rack1.com/IN': IXFR ended >> >> Any idea why it's denied? > > VM1 has the option: > > allow-query { > 10.4.1/24; > 127.0.0.1; > }; > > 10.4.3.101 isn't in 10.4.1/24. The slave has to be allowed to query the > master. > > -- > Barry Margolin > Arlington, MA > > > ------------------------------ > _______________________________________________ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list bind-users mailing list [email protected] https://lists.isc.org/mailman/listinfo/bind-users
