[CentOS] Proper configuration for DNS slaves and masters

Tue Nov 3 18:34:36 UTC 2009
James B. Byrne <byrnejb at harte-lyne.ca>

I have the following layout

DNS01 - Master
DNS02 - Remote slave
DNS03 - Local network slave

The master is configured so:

acl HLLnetworks {
	209.47.176/24;
	216.185.71/24;
	};

options {
	allow-query {
		any;
		};
	allow-recursion {
		HLLnetworks;
		};
	allow-transfer {
		HLLnetworks;
		};
	directory "/var/named";
	dump-file "/var/named/data/cache_dump.db";
        statistics-file "/var/named/data/named_stats.txt";
	query-source address 216.185.71.33;
	listen-on {
		216.185.71.33;
		};
	notify yes;
};


The slaves are configured this way (appropriately modified for each
IP address):

acl HLLnetworks {
	209.47.176/24;
	216.185.71/24;
	};

options {
	allow-query {
		any;
		};
	allow-recursion {
		HLLnetworks;
	};
	allow-transfer {
		HLLnetworks;
		};
	directory "/var/named";
	dump-file "/var/named/data/cache_dump.db";
        statistics-file "/var/named/data/named_stats.txt";
	notify no;  // this is a slave server
	query-source address 209.47.176.33;
	listen-on {
		127.0.0.1;
		};
	listen-on {
		209.47.176.33;
		};
	forwarders {
		216.185.71.33;
		};
};

Now, what I am seeing on one of the slaves when I change a zone in
the master and reload is this:

Nov  3 12:47:49 inet06 named[9597]: received notify for zone
'byrnejb.ca'

but on the other I see this:

Nov  3 12:47:50 inet04 named[18368]: client 216.185.71.27#33829:
received notify for zone 'byrnejb.ca'
Nov  3 12:47:50 inet04 named[18368]: zone byrnejb.ca/IN: refused
notify from non-master: 216.185.71.27#33829

The master configuration for byrnejb.ca is

zone "byrnejb.ca" {
	type master;
	file "/var/named/masters/byrnejb.ca.hosts";
	};

On inet06 the slave zone configuration is:

zone "byrnejb.ca" {
	type slave;
	masters {
		216.185.71.33;
		};
	file "/var/named/slaves/byrnejb.ca.hosts";
	};

and on inet04 it is:

zone "byrnejb.ca" {
	type slave;
	masters {
		216.185.71.33;
		};
	file "/var/named/slaves/byrnejb.ca.hosts";
	};

Which is, as far as I can see, identical.

In any case, the real problem is that neither slave actually
transfers the updated zone file and I cannot figure out why not.  I
have verified that the master zone file serial number is greater
than that of the slave zones.

So, I have two questions:

1. Why is the source address 216.185.71.27 when the BIND named
listens on 216.185.71.33 and answers queries from the same address?
Admittedly, 216.185.71.33 is a virtual IP hosted on 216.185.71.27,
but we have been doing this for over a decade now and I have never
seen this behaviour before.

2. Why are the notifies ignored?  Again, we have had this set up for
over a decade and none of these problems until now, and the only
thing that has happened on the DNS side of things recently were the
CentOS updates last week.

I am not a DNS specialist; I set this up several years ago and I am
perplexed as to why it is now giving me these difficulties.  Any
help would be gratefully appreciated.


Sincerely,


-- 
***          E-Mail is NOT a SECURE channel          ***
James B. Byrne                mailto:ByrneJB at Harte-Lyne.ca
Harte & Lyne Limited          http://www.harte-lyne.ca
9 Brockley Drive              vox: +1 905 561 1241
Hamilton, Ontario             fax: +1 905 561 0757
Canada  L8E 3C3
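As an added illustration (not part of James's post or of BIND itself), a small Python model of the two checks behind the log lines above: BIND 9 honours a NOTIFY for a slave zone only when its source address is in the zone's masters list or matches the zone's allow-notify ACL, and a transfer follows only when the master's SOA serial is newer under RFC 1982 serial arithmetic. The ACL helper, sample addresses and serial values are constructed from the values in the post.

```python
import ipaddress

def bind_network(prefix):
    """Expand BIND's abbreviated address-match form (e.g. '216.185.71/24',
    as written in the HLLnetworks ACL above) into an ip_network object."""
    addr, _, bits = prefix.partition("/")
    octets = addr.split(".")
    addr = ".".join(octets + ["0"] * (4 - len(octets)))
    return ipaddress.ip_network(f"{addr}/{bits or 32}", strict=False)

def notify_accepted(source, masters, allow_notify=()):
    """BIND 9 accepts a NOTIFY for a slave zone only if the packet's source
    address is one of the zone's masters or matches its allow-notify ACL;
    anything else is logged as 'refused notify from non-master'."""
    src = ipaddress.ip_address(source)
    if any(src == ipaddress.ip_address(m) for m in masters):
        return True
    return any(src in bind_network(n) for n in allow_notify)

def serial_newer(candidate, current):
    """RFC 1982 serial arithmetic: 'candidate' is newer than 'current' when
    (candidate - current) mod 2^32 lies strictly between 0 and 2^31."""
    delta = (candidate - current) % (1 << 32)
    return 0 < delta < (1 << 31)

def notify_triggers_transfer(source, masters, master_serial, slave_serial,
                             allow_notify=()):
    """A NOTIFY-driven transfer needs both: the NOTIFY must be accepted and
    the master's SOA serial must be newer. A refused NOTIFY only postpones
    the transfer until the zone's SOA refresh timer fires."""
    return (notify_accepted(source, masters, allow_notify)
            and serial_newer(master_serial, slave_serial))

# Constructed sample: the slave zone's masters list from the post and the
# NOTIFY source address seen in inet04's log.
MASTERS = ["216.185.71.33"]
SEEN_SOURCE = "216.185.71.27"

if __name__ == "__main__":
    print(notify_accepted(SEEN_SOURCE, MASTERS))                     # False
    print(notify_accepted(SEEN_SOURCE, MASTERS, ["216.185.71/24"]))  # True
    print(serial_newer(2009110302, 2009110301))                      # True
    print(serial_newer(5, 4294967295))                               # True
```

The first call reproduces inet04's refusal: a NOTIFY arriving from 216.185.71.27 does not match a masters list that names only 216.185.71.33, so widening allow-notify (or sending the NOTIFY from the listed address) is what makes it acceptable.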