Yes!!! This was the problem!! Thank you :-)

On Wed, 17 Oct 2018 at 5:16 PM, Bob Harold <rharo...@umich.edu> wrote:
>
> On Wed, Oct 17, 2018 at 9:56 AM Andreas Brandino <ampra...@gmail.com>
> wrote:
>
>> Both servers receive the NOTIFY message from NS1. What I see on the logs:
>>
>> *NS3:*
>> 17-Oct-2018 16:41:00.688 notify: info: client 1.1.1.1#19513/key
>> ns1ns3_key: view external: received notify for zone 'myzone.com': TSIG
>> 'ns1ns3_key'
>>
>
> Notice the "view external" in the line above, compared to ns5, which got
> the notify on the internal view. That appears to be the issue.
> Try adding the IP of NS1 to the "match" list for the internal view on NS3.
>
> --
> Bob Harold
>
>
>> *NS5:*
>> 17-Oct-2018 16:40:56.131 notify: info: client 1.1.1.1#32586/key
>> ns1ns5_key: received notify for zone 'myzone.com': TSIG 'ns1ns5_key'
>> 17-Oct-2018 16:40:56.139 notify: info: zone myzone.com/IN: sending
>> notifies (serial 2018101910)
>>
>> The 2nd line is missing on NS3.
>> At this point NS5 starts the zone copy (*NS1* logs):
>>
>> 17-Oct-2018 16:41:01.233 xfer-out: info: client 5.5.5.5#40909/key
>> ns1ns5_key (myzone.com): view internal: transfer of 'myzone.com/IN':
>> AXFR started: TSIG ns1ns5_key
>> 17-Oct-2018 16:41:01.234 xfer-out: info: client 5.5.5.5#40909/key
>> ns1ns5_key (myzone.com): view internal: transfer of 'myzone.com/IN':
>> AXFR ended
>>
>> At this point NS3 does nothing.
>>
>> This is not a firewall or networking problem because I can start the
>> transfer manually.
>>
>> Best Regards
>>
>> On Wed, 17 Oct 2018 at 4:35 PM, Bob Harold <rharo...@umich.edu>
>> wrote:
>>
>>>
>>> On Wed, Oct 17, 2018 at 7:23 AM Andreas Brandino <ampra...@gmail.com>
>>> wrote:
>>>
>>>> Hello all,
>>>>
>>>> I wonder if anyone can help me to find the cause of the problem I am
>>>> currently having.
>>>> All servers are running on Debian and BIND 9.10.3-P4-Debian.
>>>>
>>>> I have a master server and 4 slaves.
>>>> The zone is transferred from the master [ns1] to all slaves [ns3,ns4,ns5
>>>> and ns6].
>>>> I am also using TSIG with a different key for each server.
>>>> Moreover, the zone file refers to the internal view.
>>>>
>>>> When I change the myzone.com, I always update the serial and I reload
>>>> the zone.
>>>>
>>>> The problem:
>>>> ns3 and ns4 never get the updated zone file automatically.
>>>> On the other hand, ns4 and ns5 always get the updated zone file
>>>> immediately.
>>>>
>>>> If I initialize the transfer manually from ns3 and ns4, I get no errors.
>>>>
>>>> Here is the config:
>>>>
>>>> NS1 config: (IP 1.1.1.1 - master DNS)
>>>>
>>>> zone "myzone.com" {
>>>>         type master;
>>>>         file "/etc/bind/master/myzone.com.INSIDE";
>>>>         allow-transfer { key ns1ns3_key; key ns1ns4_key; key ns1ns5_key; key ns1ns6_key; };
>>>>         also-notify {
>>>>                 3.3.3.3 port 53 key ns1ns3_key;
>>>>                 4.4.4.4 port 53 key ns1ns4_key;
>>>>                 5.5.5.5 port 53 key ns1ns5_key;
>>>>                 6.6.6.6 port 53 key ns1ns6_key;
>>>>         };
>>>>         notify explicit;
>>>>         notify-source 1.1.1.1;
>>>> };
>>>>
>>>>
>>>> NS3 config: (IP 3.3.3.3 - transfer fails)
>>>>
>>>> zone "myzone.com" {
>>>>         file "/etc/bind/master/myzone.com.INSIDE";
>>>>         type slave;
>>>>         allow-update { key ns1ns3_key; };
>>>>         masters { 1.1.1.1; };
>>>>         allow-notify { 1.1.1.1; };
>>>>         notify yes;
>>>>         request-ixfr no;
>>>> };
>>>>
>>>> NS5 config: (IP 5.5.5.5, successful transfer)
>>>>
>>>> zone "myzone.com" {
>>>>         file "/etc/bind/master/myzone.com.INSIDE";
>>>>         type slave;
>>>>         allow-update { key ns1ns5_key; };
>>>>         masters { 1.1.1.1; };
>>>>         notify yes;
>>>>         request-ixfr no;
>>>> };
>>>>
>>>> Do you see any errors in the above configuration that could cause this
>>>> problem?
>>>>
>>>> Best Regards
>>>>
>>>
>>> What you don't show is the 'match' statement for your views. Perhaps 1
>>> does not match the internal view on 3, so the notify packet hits the wrong
>>> view. Check the notify messages in the logs on 3, compared to 5. Here is
>>> a typical notify log message:
>>>
>>> 30-Sep-2018 23:12:37.135 general: info: zone
>>> psych.lsa.umich.edu/IN/oncampus: notify from 141.211.147.150#38695:
>>> zone is up to date
>>>
>>>
>>> Note the zone/class/view contains ".../IN/oncampus" - check the view in
>>> your logs.
>>>
>>>
>>> If you cannot find the notify, you might need to turn on logging for
>>> category "general". Or check routing and firewall rules if the packet is
>>> not being received.
>>>
>>>
>>> --
>>>
>>> Bob Harold
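
The log comparison suggested in the thread, written out as an added example that is not part of the original messages: a Python parser that pulls the client, TSIG key and view out of each "received notify" line and flags notifies logged under a view other than the one holding the slave zone. The log lines are the ones quoted above, embedded as a constructed sample with wrapped lines rejoined; the function names are assumptions, and `internal` is the view name the original poster gives for the zone.

```python
import re

# Constructed sample: the log lines quoted in the thread, keyed by the
# server that wrote them (wrapped lines rejoined).
SAMPLE_LOGS = {
    "ns3": [
        "17-Oct-2018 16:41:00.688 notify: info: client 1.1.1.1#19513/key "
        "ns1ns3_key: view external: received notify for zone 'myzone.com': "
        "TSIG 'ns1ns3_key'",
    ],
    "ns5": [
        "17-Oct-2018 16:40:56.131 notify: info: client 1.1.1.1#32586/key "
        "ns1ns5_key: received notify for zone 'myzone.com': TSIG 'ns1ns5_key'",
        "17-Oct-2018 16:40:56.139 notify: info: zone myzone.com/IN: sending "
        "notifies (serial 2018101910)",
    ],
}

# client <ip>#<port>[/key <name>]: [view <name>:] received notify for zone '<zone>'
NOTIFY_RE = re.compile(
    r"client (?P<ip>[0-9A-Fa-f.:]+)#\d+(?:/key (?P<key>[^\s:]+))?:"
    r"(?: view (?P<view>[^:]+):)? received notify for zone '(?P<zone>[^']+)'"
)


def parse_notify(line):
    """Return ip/key/view/zone for a 'received notify' line, else None."""
    m = NOTIFY_RE.search(line)
    return m.groupdict() if m else None


def misrouted_notifies(logs, zone, expected_view):
    """List (server, ip, key, view) for notifies logged under another view."""
    findings = []
    for server, lines in logs.items():
        for line in lines:
            rec = parse_notify(line)
            if rec is None or rec["zone"] != zone:
                continue
            # Lines without a view field carry nothing to compare; skip them.
            if rec["view"] is not None and rec["view"] != expected_view:
                findings.append((server, rec["ip"], rec["key"], rec["view"]))
    return findings


if __name__ == "__main__":
    for server, ip, key, view in misrouted_notifies(SAMPLE_LOGS, "myzone.com", "internal"):
        print(f"{server}: notify from {ip} (key {key}) matched view "
              f"'{view}', not 'internal'; check that view's match-clients")
```
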