Hello,
Can someone explain these errors?
Oct 27 15:34:05 vhost01 named[1316]: zone #ZONE#/IN/auth: refresh: retry limit for master IPV6-MASTER#53 exceeded (source IPV6-THIS#0)
Oct 27 15:34:05 vhost01 named[1316]: zone #ZONE#/IN/auth: Transfer started.
Oct 27 15:34:06 vhost01 named[1316]: zone #ZONE#/IN/auth: refresh: retry limit for master IPV6-MASTER#53 exceeded (source IPV6-THIS#0)
Oct 27 15:34:06 vhost01 named[1316]: zone #ZONE#/IN/auth: Transfer started.
Oct 29 04:06:19 vhost01 named[1316]: zone #ZONE#/IN/auth: refresh: retry limit for master IPV6-MASTER#53 exceeded (source IPV6-THIS#0)
Oct 29 04:06:19 vhost01 named[1316]: zone #ZONE#/IN/auth: Transfer started.
Is this caused by a misconfiguration at the master DNS or at this DNS (slave)? (The master DNS can only be connected to via IPv6.)
Is there a serious problem?
Such entries can also be found:
Oct 29 04:06:21 vhost01 named[1316]: transfer of '#ZONE#/IN/auth' from IPV6-MASTER#53: connected using IPV6-THIS#46019
Oct 29 04:06:21 vhost01 named[1316]: transfer of '#ZONE#/IN/auth' from IPV6-MASTER#53: Transfer completed: 0 messages, 1 records, 0 bytes, 0.064 secs (0 bytes/sec)
Or is this just caused by #0 - I guess source port 0?
These are the ip6tables entries on this DNS (slave):
-A INPUT -i eth0 -d IPV6-THIS -m tcp -p tcp --dport 53 -m state --state NEW -j ACCEPT
-A INPUT -i eth0 -d IPV6-THIS -m udp -p udp --dport 53 -j ACCEPT
The master has these for each DNS:
-A INPUT -i sit1 -s IPV6-SLAVE -d IPV6-MASTER -m tcp -p tcp --dport 53 -m state --state NEW -j ACCEPT
-A INPUT -i sit1 -s IPV6-SLAVE -d IPV6-MASTER -m udp -p udp --dport 53 -j ACCEPT
The master DNS has this in /etc/named.conf:
acl dns-hosts {
    IPV6-SLAVE; // IPv6only: slave
    ...
};

view "auth" {
    match-clients { dns-hosts; };
    empty-zones-enable no;
    recursion no;
    additional-from-auth no;
    additional-from-cache no;
    also-notify {
        IPV6-SLAVE; // IPv6only: slave
        ...
    };
    notify-source 0.0.0.0;
    notify-source-v6 IPV6-MASTER;
    transfer-source 0.0.0.0;
    transfer-source-v6 IPV6-MASTER;
    zone "#ZONE#" IN {
        type master;
        notify yes;
        file "named._authzone-#ZONE#";
        allow-transfer { dns-hosts; };
        allow-update { none; };
    };
    ...
};
The slaves themselves have this in /etc/named.conf:
masters masterhost {
    IPV6-MASTER; // IPv6only: master
};

view "auth" {
    match-clients { any; };
    empty-zones-enable no;
    recursion no;
    transfer-source 0.0.0.0;
    transfer-source-v6 IPV6-SLAVE;
    additional-from-auth no;
    additional-from-cache no;
    zone "#ZONE#" IN {
        type slave;
        masters { masterhost; };
        file "slaves/named._authzone-#ZONE#";
    };
    ...
};
I have 3 slave DNS servers, each with the same master, and such log entries appear on all three slave DNS servers; each of these 3 slaves is dual-stack (in the wild) and the master is IPv6-only (at home).
Thanks, Walter
On 10/30/19 1:14 AM, Walter H. wrote:
> Can someone explain these errors?
> Oct 27 15:34:05 vhost01 named[1316]: zone #ZONE#/IN/auth: refresh: retry limit for master IPV6-MASTER#53 exceeded (source IPV6-THIS#0)
https://access.redhat.com/solutions/1231573
I believe this means that the client is trying to reach the server over UDP, and is unable to do so.
> Is this caused by a misconfiguration at the master DNS or at this DNS (slave)?
Probably the firewall or ACL on the master.
> Is there a serious problem?
I think so, yes.
> The master has these for each DNS:
> -A INPUT -i sit1 -s IPV6-SLAVE -d IPV6-MASTER -m tcp -p tcp --dport 53 -m state --state NEW -j ACCEPT
> -A INPUT -i sit1 -s IPV6-SLAVE -d IPV6-MASTER -m udp -p udp --dport 53 -j ACCEPT
You're obscuring kind of a lot of information, so it's hard to guess. If the ACLs are denying transfers, I believe the server's named logs will reflect that, so check those. If the firewall is denying it, you should be able to observe that using tcpdump on the server to watch requests and responses from the client.
You might also want to check whether the client is using RFC4941 temp addresses, and whether your ACLs and rules will actually match the address it uses for requests:
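As an added illustration (not part of the thread, and not BIND's own code), the split the reply describes can be checked mechanically over the slave's named log: a "refresh: retry limit ... exceeded" line for a zone together with a later "Transfer completed" from the same master means the SOA refresh query (sent over UDP) is failing while the TCP zone transfer gets through, which points at UDP/53 filtering or ACL matching on the master rather than at the zone itself. The sample lines are constructed from the post's own placeholder entries, and the function and verdict names are assumed.

```python
import re
from collections import defaultdict

# Constructed sample: the slave's named log entries from the post, placeholders kept.
SAMPLE_LOG = """\
Oct 27 15:34:05 vhost01 named[1316]: zone #ZONE#/IN/auth: refresh: retry limit for master IPV6-MASTER#53 exceeded (source IPV6-THIS#0)
Oct 27 15:34:05 vhost01 named[1316]: zone #ZONE#/IN/auth: Transfer started.
Oct 29 04:06:21 vhost01 named[1316]: transfer of '#ZONE#/IN/auth' from IPV6-MASTER#53: connected using IPV6-THIS#46019
Oct 29 04:06:21 vhost01 named[1316]: transfer of '#ZONE#/IN/auth' from IPV6-MASTER#53: Transfer completed: 0 messages, 1 records, 0 bytes, 0.064 secs (0 bytes/sec)
"""

# Refresh (UDP SOA query) gave up; "#0" on the source means no fixed source port was configured.
RETRY_RE = re.compile(r"zone (?P<zone>\S+): refresh: retry limit for master "
                      r"(?P<master>\S+)#\d+ exceeded \(source (?P<src>\S+)#\d+\)")
# AXFR over TCP connected; shows the real source address and the ephemeral port actually used.
CONN_RE = re.compile(r"transfer of '(?P<zone>[^']+)' from (?P<master>\S+)#\d+: "
                     r"connected using (?P<src>\S+)#\d+")
# AXFR over TCP finished.
DONE_RE = re.compile(r"transfer of '(?P<zone>[^']+)' from (?P<master>\S+)#\d+: Transfer completed")


def triage(log_text):
    """Per (zone, master): count failed refreshes vs. completed transfers and give a verdict."""
    stats = defaultdict(lambda: {"refresh_failed": 0, "transfers_ok": 0,
                                 "udp_source": None, "tcp_sources": set()})
    for line in log_text.splitlines():
        if m := RETRY_RE.search(line):
            s = stats[(m["zone"], m["master"])]
            s["refresh_failed"] += 1
            s["udp_source"] = m["src"]
        elif m := CONN_RE.search(line):
            stats[(m["zone"], m["master"])]["tcp_sources"].add(m["src"])
        elif m := DONE_RE.search(line):
            stats[(m["zone"], m["master"])]["transfers_ok"] += 1

    findings = {}
    for key, s in stats.items():
        if s["refresh_failed"] and s["transfers_ok"]:
            verdict = "udp-refresh-blocked"   # TCP/53 reaches the master, UDP/53 does not
        elif s["refresh_failed"]:
            verdict = "master-unreachable"    # neither path is known to work
        else:
            verdict = "ok"
        # True when the transfer left from a different address than the refresh used
        # (the RFC 4941 temporary-address concern raised in the reply).
        mismatch = bool(s["udp_source"] and s["tcp_sources"]
                        and s["udp_source"] not in s["tcp_sources"])
        findings[key] = {"refresh_failed": s["refresh_failed"], "transfers_ok": s["transfers_ok"],
                         "source_mismatch": mismatch, "verdict": verdict}
    return findings
```

Run it as `python3 triage.py` after pasting real lines into SAMPLE_LOG, or feed `triage(open("/var/log/messages").read())` the slave's actual log; a "udp-refresh-blocked" verdict is the cue to compare the master's UDP/53 rule and ACL against the source address shown in the refresh line.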