AXFR/IN' denied

2011-04-27 Thread jeffrey j donovan
Greetings

I have 2 systems, master and slave; the slave seems to not allow the zone 
transfer.

master 192.168.1.2

//
// mydomain.com

zone "mydomain.com" {
  type master;
  file "domain.db";
  allow-transfer { 192.168.96.3; };
  allow-update {none;};
};

zone "96.168.192.in-addr.arpa" {
  type master;
  file "in-arpa-192/REV-NOC.db";
};

zone "97.168.192.in-addr.arpa" {
  type master;
  file "in-arpa-192/REV-EDC.db";
};


slave; 192.168.1.3

//
// mydomain.com

zone "mydomain.com" {
  type slave;
  masters { 192.168.96.2; };
  file "domain.db";
  allow-transfer {none;};
};

zone "96.168.192.in-addr.arpa" {
  type slave;
  masters { 192.168.96.2; };
  file "in-arpa-209/REV-NOC.db";
};

zone "97.168.192.in-addr.arpa" {
  type slave;
  masters { 209.96.96.2; };
  file "in-arpa-209/REV-EDC.db";
};


here is the log output

from master
-Apr-2011 22:54:17.539 security: error: client 192.168.96.3#60712: view com.basd.DNS.public: zone transfer '96.168.192.in-addr.arpa/AXFR/IN' denied
-Apr-2011 22:54:17.539 security: error: client 192.168.96.3#60737: view com.basd.DNS.public: zone transfer '97.168.192.in-addr.arpa/AXFR/IN' denied

from slave


27-Apr-2011 22:57:23.039 general: info: zone 96.168.192.in-addr.arpa/IN/com.basd.DNS.public: Transfer started.
27-Apr-2011 22:57:23.041 xfer-in: info: transfer of '96.168.192.in-addr.arpa/IN/com.basd.DNS.public' from 192.168.96.2#53: connected using 192.168.96.3#60755
27-Apr-2011 22:57:23.042 xfer-in: error: transfer of '96.168.192.in-addr.arpa/IN/com.basd.DNS.public' from 192.168.96.2#53: failed while receiving responses: REFUSED
27-Apr-2011 22:57:23.042 xfer-in: info: transfer of '96.168.192.in-addr.arpa/IN/com.basd.DNS.public' from 192.168.96.2#53: Transfer completed: 0 messages, 0 records, 0 bytes, 0.001 secs (0 bytes/sec)


firewall on the slave is off and the master has an allow statement for dns
12310271101096192 allow tcp from any to any dst-port 53
12310  2124656  168384287 allow udp from any to any dst-port 53


not sure what I missed, any insight would be helpful

-j

___
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users


Re: AXFR/IN' denied

2011-04-27 Thread Torinthiel
On 04/28/11 05:10, jeffrey j donovan wrote:
> Greetings
> 
> I have 2 systems master and slave, the slave seems to not allow the zone 
> transfer.

It's the master that doesn't allow zone transfer. You have
allow-transfer and allow-update in mydomain.com (which I guess is
transferring correctly, at least nothing you've written says otherwise),
but you don't have these in reverse zones.
Torinthiel


Re: AXFR/IN' denied

2011-04-28 Thread Phil Mayers

On 04/28/2011 04:10 AM, jeffrey j donovan wrote:


> master 192.168.1.2
>
> zone "mydomain.com" {
>   type master;
>   file "domain.db";
>   allow-transfer { 192.168.96.3; };

Ok, you have an allow-transfer so this is working.

>   allow-update {none;};
> };
>
> zone "96.168.192.in-addr.arpa" {
>   type master;
>   file "in-arpa-192/REV-NOC.db";
> };
>
> zone "97.168.192.in-addr.arpa" {
>   type master;
>   file "in-arpa-192/REV-EDC.db";
> };

There is no allow-transfer on these two zones, so they are failing.


Re: AXFR/IN' denied ::solved::

2011-04-28 Thread jeffrey j donovan

On Apr 27, 2011, at 11:10 PM, jeffrey j donovan wrote:

> Greetings
> 
> I have 2 systems master and slave, the slave seems to not allow the zone 
> transfer.
> 

found the problem, I had multiple option entries in named.conf; there was an 
original option line that I overlooked that was from a previous master that 
had allow-transfer { none; };
sorry to waste bandwidth :)
-j
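
Added example, not part of the thread or of BIND: a small Python check that reports which allow-transfer list each zone ends up with, covering both causes named above (reverse zones with no allow-transfer of their own, and an options-level "none" they then inherit). The sample config is constructed from the thread's master config; views are not modelled, and the built-in default is assumed to be "any".

```python
import re

# Constructed sample modelled on the thread's master: a leftover options-level
# "none", one zone with its own allow-transfer, two reverse zones without one.
SAMPLE_CONF = '''
options {
    allow-transfer { none; };   // overlooked line from a previous master
};
zone "mydomain.com" {
    type master; file "domain.db";
    allow-transfer { 192.168.96.3; };
    allow-update { none; };
};
zone "96.168.192.in-addr.arpa" { type master; file "in-arpa-192/REV-NOC.db"; };
zone "97.168.192.in-addr.arpa" { type master; file "in-arpa-192/REV-EDC.db"; };
'''

def blocks(text, keyword):
    """Yield (name, body) for every `keyword ["name"] { ... }` statement."""
    pattern = r'(?m)^\s*%s\b\s*(?:"([^"]*)")?[^{;]*\{' % keyword
    for m in re.finditer(pattern, text):
        depth, i = 1, m.end()
        while depth and i < len(text):          # walk to the matching brace
            depth += {'{': 1, '}': -1}.get(text[i], 0)
            i += 1
        yield m.group(1), text[m.end():i - 1]

def acl(body):
    """Return the allow-transfer match list in body, or None when absent."""
    m = re.search(r'\ballow-transfer\s*\{([^}]*)\}', body)
    return m and [e.strip() for e in m.group(1).split(';') if e.strip()]

def effective_transfer_acls(conf, default=('any',)):
    """Map zone -> (acl, source). Zone beats options; `default` is an assumption
    (transfers open to any host when nothing is set, as in BIND 9 of that era)."""
    conf = re.sub(r'/\*[\s\S]*?\*/|//[^\n]*|#[^\n]*', '', conf)  # drop comments
    inherited = None
    for _, body in blocks(conf, 'options'):
        inherited = acl(body) or inherited      # options-level setting, if any
    result = {}
    for name, body in blocks(conf, 'zone'):
        candidates = [(acl(body), 'zone'), (inherited, 'options'),
                      (list(default), 'default')]
        result[name] = next(c for c in candidates if c[0] is not None)
    return result

if __name__ == '__main__':
    for zone, (hosts, source) in effective_transfer_acls(SAMPLE_CONF).items():
        print(f'{zone}: allow-transfer {hosts} (from {source})')
```

On the sample, both reverse zones resolve to "none" from options, which matches the REFUSED transfers in the logs, while mydomain.com keeps its own list.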
