Hi, it’s hard to help you if you don’t provide your configuration (named-checkconf -px) and use example.com instead of real domain names. Are even the IP addresses real?
Ondřej
--
Ondřej Surý — ISC (He/Him)
My working hours and your working hours may be different. Please do not feel obligated to reply outside your normal working hours.

> On 31. 7. 2023, at 9:23, duluxoz <dulu...@gmail.com> wrote:
>
> Hi All,
>
> Hoping someone can help with this: I've got a primary DNS server on an internal network (192.168.2.10/24) and an external secondary DNS server on the DMZ network (192.168.1.10/24). The gateway for each (i.e. the router) is 192.168.x.1.
>
> The external domain is dynamic, with DNSSEC set up, and everything *seems* to be working correctly.
>
> So I did an rndc to update a record in the external zone on the primary. The primary's logs show that the update went through and that a zone transfer notification was sent out to the external secondary. I can also see the updated record in the (raw) zone file on the primary.
>
> The external secondary's logs show that it received the zone update notification, BUT that it was coming from the gateway's IP and not the primary server, and thus, because the gateway's IP was not in the "primaries" ACL, it was/is being refused.
>
> I don't know if it's relevant, but the external zone has the `dnssec-policy default` option set.
>
> The (what I think are the relevant) parts of the external secondary's logs are:
>
> ~~~
>
> 31-Jul-2023 16:23:14.182 notify: info: client @0x7ff49061ecc8 192.168.1.1#36875: received notify for zone 'example.com'
>
> 31-Jul-2023 16:23:14.182 general: info: zone example.com/IN: refused notify from non-master: 192.168.1.1#36875
>
> ~~~
>
> Can someone please point me in the correct direction to resolve this issue? I can provide further info if required. I am reluctant to add the gateway's IP to the "primaries" ACL because it's also the external gateway for the site, and I believe that adding the gateway's IP to the ACL will be a (major) security issue.
>
> Thanks in advance
>
> Dulux-Oz
>
> --
> Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list
>
> ISC funds the development of this software with paid support subscriptions. Contact us at https://www.isc.org/contact/ for more information.
>
>
> bind-users mailing list
> bind-users@lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users
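Added example, not part of the thread and not ISC's or the poster's configuration. It shows the setting the poster is (rightly) reluctant to make beside a TSIG-keyed alternative that keeps the NOTIFY/transfer decision off the source address entirely. It assumes what the secondary's log suggests but the thread does not confirm: that the primary's NOTIFY reaches the secondary with its source rewritten to the gateway address 192.168.1.1 (source NAT on the router). The key name `xfer-key`, the file names and the `also-notify` target are placeholders; the zone name and addresses are the ones from the post.

```conf
# ---- Secondary (192.168.1.10): named.conf fragment ----

# Weak fix: trusting the gateway address means any host whose traffic is
# source-NATed behind 192.168.1.1 can get its NOTIFY accepted and trigger a
# refresh. Shown only for contrast; do not use.
#
# zone "example.com" {
#     type secondary;
#     file "db.example.com";
#     primaries { 192.168.2.10; 192.168.1.1; };
# };

# Better: authenticate NOTIFY and the transfer with a TSIG key. An ACL element
# of the form `key "name"` matches requests carrying a valid signature by that
# key, regardless of the address they arrive from. Generate the secret with
# `tsig-keygen xfer-key` and paste the identical key statement on both servers.
key "xfer-key" {
    algorithm hmac-sha256;
    secret "REPLACE-WITH-OUTPUT-OF-tsig-keygen";   # placeholder
};

zone "example.com" {
    type secondary;
    file "db.example.com";
    # SOA refresh and AXFR/IXFR go to the real primary, signed with the key
    primaries { 192.168.2.10 key "xfer-key"; };
    # a NOTIFY is accepted when it is signed with xfer-key, whatever source
    # address the NAT presents; an unsigned NOTIFY from 192.168.1.1 is still
    # refused, as in the log lines in the post
    allow-notify { key "xfer-key"; };
};

# ---- Primary (192.168.2.10): named.conf fragment ----

key "xfer-key" {
    algorithm hmac-sha256;
    secret "REPLACE-WITH-OUTPUT-OF-tsig-keygen";   # same secret as above
};

zone "example.com" {
    type primary;
    file "db.example.com";
    dnssec-policy default;                        # as stated in the post
    # only send NOTIFY to the also-notify list, so every NOTIFY is signed
    # (the default also notifies the zone's NS addresses, unsigned)
    notify explicit;
    also-notify { 192.168.1.10 key "xfer-key"; };
    # serve transfers only to holders of the key, not to an address range
    allow-transfer { key "xfer-key"; };
};
```

Check both files with `named-checkconf -z` before reloading, then repeat the update: the secondary's notify log should show the NOTIFY being accepted and a transfer following it. If the router can instead be configured not to source-NAT traffic from 192.168.2.10 to 192.168.1.10, that removes the symptom as well, but the keyed ACLs are still the safer baseline, because they do not tie trust to an address a NAT or a spoofed packet can present.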