Slave DNS server issues - not found or not authoritative

Richard G

I'm almost there but some things are not quite correct.

When I do a test on the nameserver with DNSstuff.com everything looked OK. Not anymore; I probably changed something in the config that was not correct.

However, when I test with the sidn.nl nameserver check, it says either "no nameservers found at child" or that the 2nd nameserver is not authoritative.
Glue records are in place. And now suddenly it can't find it anymore (no nameserver found at child).

When I look in the slave server's log I see this a lot for several domains:
Jan 11 03:10:47 server2 named[3797]: client 46.4xx.xxx.xxx#58952: received notify for zone 'mydomain.nl': not authoritative
The 46.4xx.xxx.xxx is the master server.

I don't get it anymore.

This is from the DA server named.conf:
options {
    //listen-on port 53 { 127.0.0.1; };
    //listen-on-v6 port 53 { ::1; };
    directory "/var/named";
    dump-file "/var/named/data/cache_dump.db";
    statistics-file "/var/named/data/named_stats.txt";
    memstatistics-file "/var/named/data/named_mem_stats.txt";
    allow-transfer { 141.xxx.xxx.xxx; };
    notify yes;
    //also-notify { 141.xxx.xxx.xxx; };
    allow-recursion { localnets; };
    allow-query { 141.xxx.xxx.xxx; localhost; };
    //recursion yes;
    version "just Bind";

    dnssec-enable yes;
    dnssec-validation yes;
    dnssec-lookaside auto;

    /* Path to ISC DLV key */
    bindkeys-file "/etc/named.iscdlv.key";

    managed-keys-directory "/var/named/dynamic";
};

logging {
    channel default_debug {
        file "data/named.run";
        severity dynamic;
    };
};

zone "." IN {
    type hint;
    file "named.ca";
};

include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";

Below this, the zone statements of the domains are present.

And this is my slave server named.conf:
options {
    directory "/var/named";
    /*
     * If there is a firewall between you and nameservers you want
     * to talk to, you might need to uncomment the query-source
     * directive below. Previous versions of BIND always asked
     * questions using port 53, but BIND 8.1 uses an unprivileged
     * port by default.
     */
    // query-source address * port 53;
    allow-query { 46.xxx.xxx.xxx; 127.0.0/8; };
    allow-transfer { 46.xxx.xxx.xxx; };
    allow-notify { 46.xxx.xxx.xxx; };
    allow-recursion { localnets; };
    //listen-on-v6 { any; };
    notify no;
};

zone "serverxxxxx.nl" {
    type slave;
    file "slaves/server04.nl.db";

    masters {
        46.xxx.xxx.xxx;
    };
};

That's all, the 46.xxx ip is the master (DA) server.

What am I doing wrong? Because I can't get this to work so that the checks recognize them.
For a short time DNSstuff gave a good report, but now it can't find the server either.
TCP and UDP ports 53 are open.
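Added example, not code from this thread, from BIND or from DirectAdmin: the two configs above both restrict allow-query to a single address, which is exactly why an outside checker reports "no nameservers found at child" or "not authoritative" (the checker's resolver is refused, so it never sees an authoritative answer). The script below is a minimal audit of the global options block that flags that, plus the transfer/recursion/allow-notify settings a defender would look at on an authoritative pair. The three configs are constructed from the ones posted, with RFC 5737 documentation addresses in place of the real ones (192.0.2.10 = master, 198.51.100.20 = slave); the "hardened" variant is what the thread later settles on, written out explicitly. The parser is deliberately small and is not a full named.conf grammar.

```python
import re

# Constructed named.conf fragments modelled on the two servers in this thread.
# Addresses are documentation placeholders (RFC 5737), not real hosts:
#   192.0.2.10    = master (the DirectAdmin box)
#   198.51.100.20 = slave
MASTER_CONF = """
options {
    //listen-on port 53 { 127.0.0.1; };
    directory "/var/named";
    allow-transfer { 198.51.100.20; };
    notify yes;
    //also-notify { 198.51.100.20; };
    allow-recursion { localnets; };
    allow-query { 198.51.100.20; localhost; };
    //recursion yes;
};
"""

SLAVE_CONF = """
options {
    directory "/var/named";
    /* block comment, like the query-source note in the stock file */
    // query-source address * port 53;
    allow-query { 192.0.2.10; 127.0.0/8; };
    allow-transfer { 192.0.2.10; };
    allow-notify { 192.0.2.10; };
    allow-recursion { localnets; };
    notify no;
};
"""

# An authoritative-only slave: answer everyone, give the zone data to nobody,
# never recurse. (Constructed; this is the shape the thread ends up with.)
HARDENED_SLAVE_CONF = """
options {
    directory "/var/named";
    allow-query { any; };
    allow-transfer { none; };
    recursion no;
    notify no;
};
"""

# One statement: either a match list  name { a; b; };  or a scalar  name value;
STMT = re.compile(r"([\w-]+)\s*(?:\{([^}]*)\}|([^;{}]*));")

ADVICE = {
    "query-restricted": "allow-query does not include 'any': remote resolvers and checkers are "
                        "refused, so the server shows up as 'not found' / 'not authoritative'",
    "transfer-open": "allow-transfer is missing or 'any': anyone can AXFR the whole zone",
    "recursion-open": "allow-recursion includes 'any': this authoritative server is an open resolver",
    "recursion-enabled": "recursion is not 'no' (BIND defaults to yes): disable it on an "
                         "authoritative-only server",
    "allow-notify-on-slave": "allow-notify on a slave is redundant: the masters are already "
                             "allowed, so this only widens who may trigger a refresh",
}


def strip_comments(text):
    """Drop /* ... */ and // ... comments so commented-out statements are ignored."""
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)
    return re.sub(r"//.*", "", text)


def block_body(text, keyword):
    """Return the text between the braces of the first `keyword { ... }` block."""
    start = re.search(rf"\b{keyword}\s*\{{", text)
    if not start:
        return None
    open_at, depth = start.end() - 1, 0
    for j in range(open_at, len(text)):
        if text[j] == "{":
            depth += 1
        elif text[j] == "}":
            depth -= 1
            if depth == 0:
                return text[open_at + 1:j]
    return None


def parse_options(conf):
    """Map statement name -> list (match list) or string (scalar) from the options block."""
    body = block_body(strip_comments(conf), "options")
    if body is None:
        raise ValueError("no options block found")
    opts = {}
    for name, match_list, scalar in STMT.findall(body):
        if match_list:
            opts[name] = [x.strip() for x in match_list.split(";") if x.strip()]
        else:
            opts[name] = scalar.strip().strip('"')
    return opts


def audit(conf, role):
    """Return [(code, advice)] findings for one server's global options; role is 'master' or 'slave'."""
    opts = parse_options(conf)
    findings = []
    query = opts.get("allow-query")
    if query is not None and "any" not in query:
        findings.append("query-restricted")
    transfer = opts.get("allow-transfer")
    if transfer is None or "any" in transfer:
        findings.append("transfer-open")
    if "any" in opts.get("allow-recursion", []):
        findings.append("recursion-open")
    if opts.get("recursion") != "no":
        findings.append("recursion-enabled")
    if role == "slave" and "allow-notify" in opts:
        findings.append("allow-notify-on-slave")
    return [(code, ADVICE[code]) for code in findings]


if __name__ == "__main__":
    for label, conf, role in (("master", MASTER_CONF, "master"),
                              ("slave", SLAVE_CONF, "slave"),
                              ("hardened slave", HARDENED_SLAVE_CONF, "slave")):
        print(f"== {label} ==")
        for code, advice in audit(conf, role) or [("ok", "no findings")]:
            print(f"  [{code}] {advice}")
```

Run it against the real files with `python3 audit.py` after pasting the options block in place of a constant; the point of the output is that the first two configs each get "query-restricted", which is the single setting that made the external checks fail, while the hardened slave gets nothing.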
Biggest problem is fixed now by removing the "allow-recursion" and "allow-query" statements in both the named.conf files and adding the rndc.key statement to the slave named.conf.

I also changed:
zone "mydomain.nl" {

to
zone "mydomain.nl" IN {
I hope that was correct too for the slave server. And yes I used a "serverxxxxxx.nl" example before, but it's just an example, I did not change the real name.

Now all tests are OK.

However, I still get those:
Jan 11 03:10:47 server2 named[3797]: client 46.4xx.xxx.xxx#58952: received notify for zone 'mydomain.nl': not authoritative
Is there a way to turn this off so these lines don't appear in the slave server log every time I restart the master?
Maybe I have to set notify to NO in the master named.conf? If it has to be set to no, will Directslave still work?
Hello,

Removing "allow-query" is OK, as you should allow querying your DNS server.

Removing "allow-recursion" is not OK, I'd rather say, as I guess allowing recursion for everyone is not what you want for your DNS server.
You're quite correct. I'm sorry it was a bit late (it was 04.12 am here) so I was mistaken in telling what I had removed. I did not remove the allow-recursion.
It's still the same, so like this:
allow-recursion { localnets; };

It's the allow-query and allow-notify which I had removed from the slave server.

Now I only hope to get a quick response on the maker of Directslave, because that one is not working at the moment.
Are you sure you want to allow NOTIFY from other DNS servers?

allow-notify applies to slave zones only and defines a match list, for example, IP address(es) that are allowed to NOTIFY this server and implicitly update the zone in addition to those hosts defined in the masters option for the zone. The default behaviour is to allow zone updates only from the masters IP(s). This statement may be used in a zone, view or global options clause.

http://www.zytrax.com/books/dns/ch7/xfer.html


Note, I did not find issue for your *.nl domain (it can be found in your very first post here in the thread) with http://intodns.com/
in addition to those hosts defined in the masters option for the zone
Correct... it's a slave DNS but the master is named in the zone file, so I don't need additional notifies.
I thought that this was to allow the master to send a notify. :)
But as you can see from my last reply, I had disabled this again.

The issues for the domains are now gone.

The only thing that was left was when I restart named on my master server, then on my slave server in the log are lots of these:
Jan 11 03:10:47 server2 named[3797]: client 46.4xx.xxx.xxx#58952: received notify for zone 'mydomain.nl': not authoritative
This seems to be fixed when I set "notify no;" on the master server. I just don't know if Directslave or Master2slave will still work with notify turned off.
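Added example, not code from this thread, from BIND or from Directslave: "received notify for zone 'X': not authoritative" is BIND's way of saying the slave has no master or slave zone statement for X, so turning notify off on the master only hides the symptom. A defender would rather correlate the log with the slave's named.conf to see which zones the master notifies about that the slave does not carry, and which notify sources are not a declared master at all. The log lines and the zone statements below are constructed (RFC 5737 addresses, 192.0.2.10 standing in for the master); only the "not authoritative" message text is taken from the thread, and the "Transfer started." line is there as unrelated noise.

```python
import re

# Constructed slave log: the message seen in the thread, twice from the master,
# once from an address that is not a declared master, plus one unrelated line.
SLAVE_LOG = """\
Jan 11 03:10:47 server2 named[3797]: client 192.0.2.10#58952: received notify for zone 'mydomain.nl': not authoritative
Jan 11 03:10:47 server2 named[3797]: client 192.0.2.10#58953: received notify for zone 'other.nl': not authoritative
Jan 11 03:10:48 server2 named[3797]: zone example.nl/IN: Transfer started.
Jan 11 03:10:49 server2 named[3797]: client 203.0.113.7#4123: received notify for zone 'mydomain.nl': not authoritative
"""

# Constructed slave named.conf: only one of the notified zones is configured.
SLAVE_ZONES_CONF = """
zone "example.nl" IN {
    type slave;
    file "slaves/example.nl.db";
    masters { 192.0.2.10; };
};
"""

NOTIFY_RE = re.compile(
    r"client (?P<src>[\d.]+)#\d+: received notify for zone '(?P<zone>[^']+)': not authoritative")
# Assumes each zone statement closes with "};" at the start of a line (as in the thread).
ZONE_RE = re.compile(r'zone\s+"(?P<name>[^"]+)"[^{]*\{(?P<body>.*?)\n\};', re.S)


def declared_zones(conf):
    """Map zone name -> set of master addresses (empty set for non-slave zones)."""
    zones = {}
    for m in ZONE_RE.finditer(conf):
        masters = re.search(r"masters\s*\{([^}]*)\}", m.group("body"))
        zones[m.group("name")] = (
            {a.strip() for a in masters.group(1).split(";") if a.strip()} if masters else set())
    return zones


def unauthoritative_notifies(log):
    """Map zone -> set of source addresses that sent a NOTIFY the slave could not accept."""
    hits = {}
    for line in log.splitlines():
        m = NOTIFY_RE.search(line)
        if m:
            hits.setdefault(m.group("zone"), set()).add(m.group("src"))
    return hits


def missing_slave_zones(log, conf):
    """Zones the master notifies about but the slave has no zone statement for."""
    zones = declared_zones(conf)
    return {z: sorted(srcs) for z, srcs in unauthoritative_notifies(log).items() if z not in zones}


def unexpected_sources(log, conf):
    """NOTIFY senders that are not a declared master for any zone on this slave."""
    known = set().union(*declared_zones(conf).values())
    seen = {src for srcs in unauthoritative_notifies(log).values() for src in srcs}
    return seen - known


def slave_zone_stanza(zone, master):
    """The zone statement to add on the slave so the NOTIFY becomes a normal refresh."""
    return (f'zone "{zone}" IN {{\n    type slave;\n    file "slaves/{zone}.db";\n'
            f'    masters {{ {master}; }};\n}};\n')


if __name__ == "__main__":
    for zone, sources in missing_slave_zones(SLAVE_LOG, SLAVE_ZONES_CONF).items():
        print(f"{zone}: notified by {', '.join(sources)} but not configured here; add:")
        print(slave_zone_stanza(zone, sources[0]))
    for src in sorted(unexpected_sources(SLAVE_LOG, SLAVE_ZONES_CONF)):
        print(f"{src} sends NOTIFY but is not a declared master: ignore or block it")
```

Feed it `grep 'not authoritative' /var/log/messages` and the slave's named.conf: a zone that shows up as missing should get a slave zone statement (the master is already allowed to notify, so no allow-notify is needed); a source that is not a declared master is worth a firewall rule rather than a config change.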
Can't say anything about Master2slave, but with Directslave it should work without sending NOTIFY, as Directslave simulates the Directadmin Multiserver function, which does not use SLAVES at all and does not need to send NOTIFY.
OK, thank you, I had the same thought.
However... Directslave is running fine, as soon as DA tries to connect, DA gives the API error and the error log of Directslave says:
This doesn't look like start-end
at /usr/lib/perl5/site_perl/5.8.8/Net/Server.pm line 602
So I can't use that at the moment. :(
I posted this error in the 3rd party Directslave thread, so I hope the coder will have a look at it.