Hi,

it’s hard to help you if you don’t provide your configuration (named-checkconf 
-px) and use example.com instead of real domain names. Are even the IP 
addresses real?

Ondřej
--
Ondřej Surý — ISC (He/Him)

My working hours and your working hours may be different. Please do not feel 
obligated to reply outside your normal working hours.

> On 31. 7. 2023, at 9:23, duluxoz <dulu...@gmail.com> wrote:
> 
> Hi All,
> 
> Hoping someone can help with this: I've got a primary DNS server on an 
> internal network (192.168.2.10/24) and an external secondary DNS server on 
> the DMZ network (192.168.1.10/24). The gateway for each (i.e. the router) is 
> 192.168.x.1.
> 
> The external domain is dynamic, with dnssec set up, and everything *seems* to 
> be working correctly.
> 
> So I did a rndc to update a record in the external zone on the primary. The 
> primary's logs show that the update went through and that a zone transfer 
> notification was sent out to the external secondary. I can also see the 
> updated record in the (raw) zone file on the primary.
> 
> The external secondary's logs show that it received the zone update 
> notification, BUT that it was coming from the gateway's IP and not the 
> primary server, and thus because the gateway's IP was not in the "primaries" 
> ACL it was/is being refused.
> 
> I don't know if it's relevant, but the external zone has the `dnssec-policy 
> default` option set.
> 
> The (what I think are the relevant) parts of the external secondary's logs 
> are:
> 
> ~~~
> 31-Jul-2023 16:23:14.182 notify: info: client @0x7ff49061ecc8 192.168.1.1#36875: received notify for zone 'example.com'
> 31-Jul-2023 16:23:14.182 general: info: zone example.com/IN: refused notify from non-master: 192.168.1.1#36875
> ~~~
> 
> Can someone please point me in the correct direction to resolve this issue? I 
> can provide further info if required. I am reluctant to add the gateway's IP 
> to the "primaries" ACL because it's also the external gateway for the site, 
> and I believe that adding the gateway's IP to the ACL will be a (major) 
> security issue.
> 
> Thanks in advance
> 
> Dulux-Oz
> 
> --
> Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from 
> this list
> 
> ISC funds the development of this software with paid support subscriptions. 
> Contact us at https://www.isc.org/contact/ for more information.
> 
> 
> bind-users mailing list
> bind-users@lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users
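An added example (not from either poster, and not part of BIND) that turns the check the original post does by hand into a small script: it parses the "refused notify from non-master" lines quoted above, and classifies each refused source against the secondary's configured primaries and the known gateway addresses, so a source that matches the gateway rather than the primary is flagged as a rewritten-on-path (e.g. NAT) source instead of a reason to widen the ACL. The primaries list and gateway list are assumptions taken from the addresses in the post.

```python
import ipaddress
import re

# Matches the BIND log line quoted in the post:
#   "zone example.com/IN: refused notify from non-master: 192.168.1.1#36875"
REFUSED_RE = re.compile(
    r"zone (?P<zone>\S+)/IN: refused notify from non-master: "
    r"(?P<addr>[0-9a-fA-F.:]+)#(?P<port>\d+)"
)

# Constructed sample input: the two log lines from the post.
SAMPLE_LOG = """\
31-Jul-2023 16:23:14.182 notify: info: client @0x7ff49061ecc8 192.168.1.1#36875: received notify for zone 'example.com'
31-Jul-2023 16:23:14.182 general: info: zone example.com/IN: refused notify from non-master: 192.168.1.1#36875
"""

# Assumed values from the post: the primary's address and the two routers.
PRIMARIES = ["192.168.2.10"]
GATEWAYS = ["192.168.1.1", "192.168.2.1"]


def refused_notifies(log_text):
    """Yield (zone, source_ip) for every refused NOTIFY found in the log."""
    for line in log_text.splitlines():
        m = REFUSED_RE.search(line)
        if m:
            yield m.group("zone"), ipaddress.ip_address(m.group("addr"))


def classify(log_text, primaries=PRIMARIES, gateways=GATEWAYS):
    """Return a list of (zone, source_ip, verdict) for each refused NOTIFY.

    in-acl:            source is already a configured primary (the running
                       config on the secondary differs from what was expected)
    nat-suspected:     source is a gateway, so the primary's address was
                       rewritten on the path; the ACL itself is not wrong
    unexpected-source: neither a primary nor a gateway; investigate the sender
    """
    prim = {ipaddress.ip_address(p) for p in primaries}
    gws = {ipaddress.ip_address(g) for g in gateways}
    results = []
    for zone, ip in refused_notifies(log_text):
        if ip in prim:
            verdict = "in-acl"
        elif ip in gws:
            verdict = "nat-suspected"
        else:
            verdict = "unexpected-source"
        results.append((zone, str(ip), verdict))
    return results
```

Run against the sample, the single refused NOTIFY for example.com is reported as coming from 192.168.1.1 with verdict nat-suspected, which matches the poster's reading that the primary's address is being replaced by the gateway's before the secondary sees it.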
