Re: FW: BIND 9 errors

2010-07-01 Thread Peter Andreev
2010/7/1 Y z yan...@hotmail.com


 (bind version 9.7.0-P1)

 A DNS slave server has two IPs: an internal RFC1918 number to talk to
 the internal net, and an external one to talk to the rest of the world.

 If I *don't* put the external IP in a master:

 zone example.com {
 type slave;
 file example;
 masters port 1053 { 172.16.0.30; } ;
 };

 I get errors:

 Jun 30 14:03:54 hostname named[1865]: zone example.com/IN: refused notify
 from non-master: external.ip#59808

This error appears because your master sends notify from external.ip, which
isn't listed in the masters {}; statement.


 Whereas, if I *do* put the IP in as a master, I get:

 Jun 30 14:02:08 hostname named[1792]: transfer of 'example.com/IN' from
 external.ip#1053 failed to connect: connection refused

And this error appears because your master isn't configured to allow
connections to external.ip#1053.

It will be very helpful in resolving your problem if you provide the
options{}; part of your named.conf file.


 (the reason I'm using port 1053 is because the real master is running
 on two different instances, one on port 53, and one on port 1053).

 Despite the errors, the zones still seem to function. So, what do I do
 to make the errors go away?

 Thanks!


 ___
 bind-users mailing list
 bind-users@lists.isc.org
 https://lists.isc.org/mailman/listinfo/bind-users




-- 
--
AP

RE: BIND 9 errors

2010-07-01 Thread Y z

Thanks for your reply, comments inline:

 Peter Andreev wrote (on Thu, Jul 01, 2010 at 10:45:44AM +0400):
 2010/7/1 Y z 


 (bind version 9.7.0-P1)

 A DNS slave server has two IPs: an internal RFC1918 number to talk to
 the internal net, and an external one to talk to the rest of the world.

 If I *don't* put the external IP in a master:

 zone example.com {
 type slave;
 file example;
 masters port 1053 { 172.16.0.30; } ;

This is the internal IP of the (true) master.

 };

 I get errors:

 Jun 30 14:03:54 hostname named[1865]: zone example.com/IN: refused notify
 from non-master: external.ip#59808

 This error appears because your master sends notify from external.ip, which
 isn't listed in the masters {}; statement.

No. Sorry if I was confusing. external.ip belongs to the slave server;
i.e., the slave server appears to want to talk to itself.

 Whereas, if I *do* put the IP in as a master, I get:

 Jun 30 14:02:08 hostname named[1792]: transfer of 'example.com/IN' from
 external.ip#1053 failed to connect: connection refused

 And this error appears because your master isn't configured to allow
 connections to external.ip#1053.

The slave (external.ip) doesn't, it is true. But the true master does; I
just checked. Again, I'm theorizing that (somewhere) NAT is confusing
the box into wanting to talk to itself.

 It will be very helpful in resolving your problem if you provide the
 options{}; part of your named.conf file.

ok:

options {
    pid-file "/var/run/bind/run/named.pid";
    directory "/var/named";
    allow-recursion { 127.0.0.1; internal.net; external.ip.subnet; };
    allow-transfer { external.slave.ip; internal.ip; external.ip; };
    /* both internal.ip and external.ip are assigned to this host;
       external.slave.ip is a host on another network */

    /*
     * If there is a firewall between you and nameservers you want
     * to talk to, you might need to uncomment the query-source
     * directive below. Previous versions of BIND always asked
     * questions using port 53, but BIND 8.1 uses an unprivileged
     * port by default.
     */
    // query-source address * port 53;
};

 (the reason I'm using port 1053 is because the real master is running
 on two different instances, one on port 53, and one on port 1053).

 Despite the errors, the zones still seem to function. So, what do I do
 to make the errors go away?

 Thanks!


Re: BIND 9 errors

2010-07-01 Thread Mark Andrews

In message snt117-w75ea52bae5d8946f5b8c0db...@phx.gbl, Y z writes:
 
 Thanks for your reply, comments inline:
 
  Peter Andreev wrote (on Thu, Jul 01, 2010 at 10:45:44AM +0400):
  2010/7/1 Y z 
 
 
  (bind version 9.7.0-P1)
 
  A DNS slave server has two IPs: an internal RFC1918 number to talk to
  the internal net, and an external one to talk to the rest of the world.
 
  If I *don't* put the external IP in a master:
 
  zone example.com {
  type slave;
  file example;
  masters port 1053 { 172.16.0.30; } ;
 
 This is the internal IP of the (true) master.
 
  };
 
  I get errors:
 
  Jun 30 14:03:54 hostname named[1865]: zone example.com/IN: refused notify
  from non-master: external.ip#59808
 
  This error appears because your master sends notify from external.ip, which
  isn't listed in the masters {}; statement.
 
 No. Sorry if I was confusing. external.ip belongs to the slave server;
 i.e., the slave server appears to want to talk to itself.

You have a hairpin NAT.  The notify is sent to the external address
of the slave.  The NAT then turns this around making the source
address of the notify message be the external address of the NAT.

You can do any of the following:

* tell the master to send notify messages to an explicit list of addresses
  and use the internal address of the slave.  This has long term maintenance
  issues.

notify explicit;
also-notify { internal address; other slave addresses; };

  You may want to add the also-notify { internal address; }; regardless
  of whether you turn on notify explicit.

* tell the slave to accept notify messages from its external address.

allow-notify { acl; };

* add a forwarding entry for the NAT to send external/{TCP,UDP}/1053
  to master/1053 and use masters port 1053 { external; };.  i.e.
  go through the NAT.
 
Mark
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org
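The hairpin-NAT explanation and the first two remedies in Mark's message, as an added Python model (not code from the thread or from BIND): the master address 172.16.0.30 is the one posted; every other address, the /24 internal net and the NAT behaviour are constructed assumptions.

```python
# Model of the hairpin-NAT NOTIFY problem and two of the remedies from the
# thread.  Only 172.16.0.30 comes from the thread; the rest is constructed.
import ipaddress

INTERNAL_NET = ipaddress.ip_network("172.16.0.0/24")  # constructed RFC1918 net
MASTER_INTERNAL = "172.16.0.30"    # the true master, as in the thread
SLAVE_INTERNAL = "172.16.0.40"     # constructed: slave's RFC1918 address
SLAVE_EXTERNAL = "198.51.100.10"   # constructed: slave's public address,
NAT_EXTERNAL = SLAVE_EXTERNAL      # which is also the NAT's external address


def hairpin_nat(src, dst):
    """Model the NAT: an internal host sending to the NAT's external address
    is turned back inside and the source is rewritten to the NAT's external
    address (hairpin).  Other traffic passes unchanged.  Returns (src, dst)."""
    if ipaddress.ip_address(src) in INTERNAL_NET and dst == NAT_EXTERNAL:
        return NAT_EXTERNAL, dst
    return src, dst


def slave_accepts_notify(src, masters, allow_notify):
    """named accepts a NOTIFY only from a configured master or an address
    matched by allow-notify; anything else is 'refused notify from non-master'."""
    return src in masters or src in allow_notify


def notify_outcome(notify_targets, masters, allow_notify):
    """Return {target: accepted?} for a NOTIFY the master sends to each target."""
    out = {}
    for dst in notify_targets:
        seen_src, _ = hairpin_nat(MASTER_INTERNAL, dst)
        out[dst] = slave_accepts_notify(seen_src, masters, allow_notify)
    return out


def scenarios():
    """The situation as posted, then two of the remedies from the thread."""
    masters = {MASTER_INTERNAL}  # masters port 1053 { 172.16.0.30; };
    return {
        # default: NOTIFY goes to the public NS address and hairpins back
        "as posted": notify_outcome([SLAVE_EXTERNAL], masters, set()),
        # master: notify explicit; also-notify { internal address; };
        "also-notify internal": notify_outcome([SLAVE_INTERNAL], masters, set()),
        # slave: allow-notify { external address; };
        "allow-notify external": notify_outcome([SLAVE_EXTERNAL], masters, {NAT_EXTERNAL}),
    }


if __name__ == "__main__":
    for name, result in scenarios().items():
        print(f"{name}: {result}")
```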


Re: FW: BIND 9 errors

2010-07-01 Thread Barry Margolin
In article mailman.1945.1277966757.21153.bind-us...@lists.isc.org,
 Peter Andreev andreev.pe...@gmail.com wrote:

 2010/7/1 Y z yan...@hotmail.com
 
 
  (bind version 9.7.0-P1)
 
  A DNS slave server has two IPs: an internal RFC1918 number to talk to
  the internal net, and an external one to talk to the rest of the world.
 
  If I *don't* put the external IP in a master:
 
  zone example.com {
  type slave;
  file example;
  masters port 1053 { 172.16.0.30; } ;
  };
 
  I get errors:
 
  Jun 30 14:03:54 hostname named[1865]: zone example.com/IN: refused notify
  from non-master: external.ip#59808
 
 This error appears because your master sends notify from external.ip, which
 isn't listed in the masters {}; statement.

This can be resolved by putting a notify-source option in the master's 
named.conf.

-- 
Barry Margolin, bar...@alum.mit.edu
Arlington, MA
*** PLEASE don't copy me on replies, I'll read them in the group ***