Directslave / secondary DNS setup issues - please help

baggs1981

Verified User
Joined
Sep 18, 2006
Messages
64
Really hope someone can help.
Ok so I am stuck and confused, I know I have had this working before but now cannot get this latest version to work.

I must be doing something wrong as have tried for 3 different servers.

Each server has the IP of the others whitelisted in csf.

The secondary dns config file never gets populated and all I see in /var/log/messages related to the domains are query (cache) 'DOMAIN' denied entries for each one.

Here is my primary named.conf:

Code:
options {

        //listen-on port 53 { 127.0.0.1; };
        //listen-on-v6 port 53 { ::1; };

        directory       "/var/named";
        dump-file       "/var/named/data/cache_dump.db";
        statistics-file "/var/named/data/named_stats.txt";
        memstatistics-file "/var/named/data/named_mem_stats.txt";
        recursing-file  "/var/named/data/named.recursing";
        secroots-file   "/var/named/data/named.secroots";

        //recursion yes;
        allow-recursion { localnets; };

        dnssec-enable yes;
        dnssec-validation yes;

        /* Path to ISC DLV key */
        bindkeys-file "/etc/named.iscdlv.key";

        managed-keys-directory "/var/named/dynamic";

        pid-file "/run/named/named.pid";
        session-keyfile "/run/named/session.key";

        allow-transfer {
        123.123.123.123; # IP Of Secondary DNS Server
        };

        allow-query     { any; };

        also-notify {
        123.123.123.123; # IP Of Secondary DNS Server
        };

};

logging {
        channel default_debug {
                file "data/named.run";
                severity dynamic;
        };
};

zone "." IN {
        type hint;
        file "named.ca";
};

include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";
include "/etc/named/secondary/named.conf";

zone "server01.domainonprimary.net" { type master; file "/var/named/server01.domainonprimary.net.db"; };

Here is my secondary named.comf:

Code:
options {
        //allow-transfer { none; };
        allow-transfer {
        321.321.321.321; # IP Of Primary Server
        };

        //listen-on port 53 { 127.0.0.1; };
        //listen-on-v6 port 53 { ::1; };
        directory       "/var/named";
        dump-file       "/var/named/data/cache_dump.db";
        statistics-file "/var/named/data/named_stats.txt";
        memstatistics-file "/var/named/data/named_mem_stats.txt";
        secroots-file   "/var/named/data/named.secroots";
        recursing-file  "/var/named/data/named.recursing";

        //allow-query     { localhost; };
        allow-query     { any; };

        recursion no;

        dnssec-enable yes;
        dnssec-validation yes;

        managed-keys-directory "/var/named/dynamic";

        pid-file "/run/named/named.pid";
        session-keyfile "/run/named/session.key";

        /* https://fedoraproject.org/wiki/Changes/CryptoPolicy */
        include "/etc/crypto-policies/back-ends/bind.config";

};

logging {
        channel default_debug {
                file "data/named.run";
                severity dynamic;
        };
};

zone "." IN {
        type hint;
        file "named.ca";
};

include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";
include "/etc/named/secondary/named.conf";

zone "server01.domainonsecondary.net" { type master; file "/var/named/server01.domainonsecondary.net.db"; };

Both servers have multi-server setup via ssl, the test via DA button say both work fine. on both servers I have:

1587825426392.png

Restart named on both server, but neither server ever get the others zone files, nor does anything ever appear in /etc/named/secondary/named.conf on either server.

As a side note, in case it is a clue, I can never get the webadmin of directslave to work (for a start why on earth it's default is 2222 which is the long established port for DA admin) but aside from that, I change direct slaves ports (http and https) then restart directslave and nothing works.

Also, /usr/local/directslave/bin/directslave --check says:

Code:
Here we do some test to check if your config ...
/usr/local/directslave/etc/directslave.conf is good.

Reading /usr/local/directslave/etc/directslave.conf ... OK

Trying to drop privileges to 25 25 ... OK

Running tests as UID:25, GID:25

Opening/creating file 'access_log' -> /usr/local/directslave/log/access.log ... OK

Opening/creating file 'error_log' -> /usr/local/directslave/log/error.log ... OK

Opening/creating file 'action_log' -> /usr/local/directslave/log/action.log ... OK

Opening/creating file 'named_conf' -> /etc/named/secondary/named.conf ... OK

Opening/creating file 'pid' -> /usr/local/directslave/run/directslave.pid ... OK

Testing named_workdir acesssibility /etc/named/secondary ... OK

Testing RNDC util accessibility at path /usr/sbin/rndc ... OK

*** All OK! You can safely run with --run flag.
 
What Zhenyapan says.

Next to that, you don't need any "allow-transfers" like this:
Code:
        allow-transfer {
        123.123.123.123; # IP Of Secondary DNS Server
        };

        allow-query     { any; };

        also-notify {
        123.123.123.123; # IP Of Secondary DNS Server
        };

};
because Directslave and Directadmin multiserver setup both use the DA transfer system, not the master/slave setup of named itself. So the internal system is taking care of things.
 
🤦‍♂️ Ok so a fresh edit is needed on every domain dns, thanks for this, I don't think I would ever have thought of that, Is there an easy way just to update the serial on all domain zone files in one go so I don't have to do one by one?
 
Looks like echo "action=rewrite&value=named" >> /usr/local/directadmin/data/task.queue did the trick.

Thanks very much both.
 
Yes. that command is also mentioned in the help file for multiserver setup, so I presumed you used that.
Good to read you figured it out.
 
Back
Top