Well, for starters your primaries list 192.168.2.10, but your logs show connection from 192.168.1.1…

-- 
Ondřej Surý — ISC (He/Him)

My working hours and your working hours may be different. Please do not feel obligated to reply outside your normal working hours.

> On 31. 7. 2023, at 9:51, duluxoz <dulu...@gmail.com> wrote:
> 
> Hi Ondřej,
> 
> Sorry, force of habit (re: "example.com").
> 
> External Secondary DNS Server (ns1.mjb-co.com):
> 
> ~~~
> acl "bogusnets" {
>     !"internal_hosts";
>     0.0.0.0/8;
>     10.0.0.0/8;
>     172.16.0.0/12;
>     192.0.2.0/24;
>     192.168.0.0/16;
>     224.0.0.0/3;
> };
> acl "internal_hosts" {
>     192.168.1.0/24;
>     192.168.2.0/24;
>     192.168.3.0/24;
> };
> acl "secondary_external_servers" {
>     192.168.1.10/32;
> };
> acl "secondary_internal_servers" {
>     192.168.2.11/32;
>     192.168.2.12/32;
> };
> acl "ddns_servers" {
>     "localhost";
>     192.168.2.10/32;
>     192.168.2.11/32;
> };
> acl "rndc_servers" {
>     "localhost";
>     192.168.2.10/32;
> };
> acl "stats_hosts" {
>     192.168.2.0/24;
> };
> controls {
>     inet 0.0.0.0 port 953 allow {
>         "rndc_servers";
>     } keys {
>         "rndc-key";
>     };
> };
> logging {
>     channel "auth_servers_log" {
>         file "/var/log/named/auth_servers.log" versions 3 size 20971520 suffix timestamp;
>         severity info;
>         print-time yes;
>         print-severity yes;
>         print-category yes;
>     };
>     channel "client_security_log" {
>         file "/var/log/named/client_security.log" versions 3 size 20971520 suffix timestamp;
>         severity info;
>         print-time yes;
>         print-severity yes;
>         print-category yes;
>     };
>     channel "default_log" {
>         file "/var/log/named/default.log" versions 3 size 20971520 suffix timestamp;
>         severity info;
>         print-time yes;
>         print-severity yes;
>         print-category yes;
>     };
>     channel "default_debug_log" {
>         file "/var/log/named/default_debug.log" versions 3 size 20971520 suffix timestamp;
>         severity dynamic;
>         print-time yes;
>         print-severity yes;
>         print-category yes;
>     };
>     channel "ddns_log" {
>         file "/var/log/named/ddns.log" versions 3 size 20971520 suffix timestamp;
>         severity info;
>         print-time yes;
>         print-severity yes;
>         print-category yes;
>     };
>     channel "dnssec_log" {
>         file "/var/log/named/dnssec.log" versions 3 size 20971520 suffix timestamp;
>         severity info;
>         print-time yes;
>         print-severity yes;
>         print-category yes;
>     };
>     channel "dnstap_log" {
>         file "/var/log/named/dnstap.log" versions 3 size 20971520 suffix timestamp;
>         severity info;
>         print-time yes;
>         print-severity yes;
>         print-category yes;
>     };
>     channel "queries_log" {
>         file "/var/log/named/queries.log" versions 3 size 20971520 suffix timestamp;
>         severity info;
>         print-time yes;
>         print-severity yes;
>         print-category yes;
>     };
>     channel "query_errors_log" {
>         file "/var/log/named/query_errors.log" versions 3 size 20971520 suffix timestamp;
>         severity dynamic;
>         print-time yes;
>         print-severity yes;
>         print-category yes;
>     };
>     channel "rate_limiting_log" {
>         file "/var/named/log/rate_limiting.log" versions 3 size 20971520 suffix timestamp;
>         severity info;
>         print-time yes;
>         print-severity yes;
>         print-category yes;
>     };
>     channel "rpz_log" {
>         file "/var/named/log/rpz.log" versions 3 size 20971520 suffix timestamp;
>         severity info;
>         print-time yes;
>         print-severity yes;
>         print-category yes;
>     };
>     channel "zone_transfers_log" {
>         file "/var/log/named/zone_transfers.log" versions 3 size 20971520 suffix timestamp;
>         severity info;
>         print-time yes;
>         print-severity yes;
>         print-category yes;
>     };
>     category "client" {
>         "client_security_log";
>         "default_debug";
>     };
>     category "dnssec" {
>         "dnssec_log";
>         "default_debug";
>     };
>     category "default" {
>         "default_syslog";
>         "default_debug";
>         "default_log";
>     };
>     category "delegation-only" {
>         "auth_servers_log";
>         "default_debug";
>     };
>     category "edns-disabled" {
>         "auth_servers_log";
>         "default_debug";
>     };
>     category "lame-servers" {
>         "auth_servers_log";
>         "default_debug";
>     };
>     category "notify" {
>         "zone_transfers_log";
>         "default_debug";
>     };
>     category "resolver" {
>         "auth_servers_log";
>         "default_debug";
>     };
>     category "security" {
>         "client_security_log";
>         "default_debug";
>     };
>     category "update" {
>         "ddns_log";
>         "default_debug";
>     };
>     category "update-security" {
>         "ddns_log";
>         "default_debug";
>     };
>     category "xfer-in" {
>         "zone_transfers_log";
>         "default_debug";
>     };
>     category "xfer-out" {
>         "zone_transfers_log";
>         "default_debug";
>     };
> };
> options {
>     blackhole {
>         "bogusnets";
>     };
>     directory "/var/named";
>     dump-file "/var/named/data/cache_dump.db";
>     flush-zones-on-shutdown yes;
>     managed-keys-directory "/var/named/dynamic";
>     memstatistics yes;
>     memstatistics-file "/var/named/data/named_mem_stats.txt";
>     pid-file "/run/named/named.pid";
>     session-keyfile "/run/named/session.key";
>     statistics-file "/var/named/data/named_stats.txt";
>     version "Not Currently Available";
>     disable-algorithms "." {
>         "RSAMD5";
>         "RSASHA1";
>         "NSEC3RSASHA1";
>         "DSA";
>     };
>     disable-ds-digests "." {
>         "SHA-1";
>         "GOST";
>     };
>     recursion no;
>     allow-query {
>         "any";
>     };
>     allow-transfer {
>         "none";
>     };
>     multi-master no;
>     zone-statistics yes;
> };
> primaries "primary_servers" {
>     192.168.2.10;
> };
> statistics-channels {
>     inet 0.0.0.0 port 60443 allow {
>         "stats_hosts";
>     };
> };
> key "ddns-key" {
>     algorithm "hmac-sha512";
>     secret "????????????????????????????????????????????????????????????????????????????????????????";
> };
> key "rndc-key" {
>     algorithm "hmac-sha512";
>     secret "????????????????????????????????????????????????????????????????????????????????????????";
> };
> server 192.168.1.10/32 {
>     keys "ddns-key";
> };
> server 192.168.1.20/32 {
>     keys "ddns-key";
> };
> server 192.168.2.10/32 {
>     keys "ddns-key";
> };
> server 192.168.2.11/32 {
>     keys "ddns-key";
> };
> server 192.168.2.12/32 {
>     keys "ddns-key";
> };
> zone "190.115.103.IN-ADDR.ARPA." in {
>     type secondary;
>     file "slaves/cached.103.115.190.rev.zone";
>     primaries {
>         "primary_servers";
>     };
> };
> zone "mjb-co.com" in {
>     type secondary;
>     file "secondaries/cached.mjb-co.com.zone";
>     primaries {
>         "primary_servers";
>     };
> };
> ~~~
> 
>> On 31/07/2023 17:29, Ondřej Surý wrote:
>> Hi,
>> 
>> it's hard to help you if you don't provide your configuration (named-checkconf -px) and use example.com instead of real domain names. Are even the IP addresses real?
>> 
>> Ondřej
>> --
>> Ondřej Surý — ISC (He/Him)
>> 
>> My working hours and your working hours may be different. Please do not feel obligated to reply outside your normal working hours.
>> 
>>> On 31. 7. 2023, at 9:23, duluxoz <dulu...@gmail.com> wrote:
>>> 
>>> Hi All,
>>> 
>>> Hoping someone can help with this: I've got a primary DNS server on an internal network (192.168.2.10/24) and an external secondary DNS server on the DMZ network (192.168.1.10/24). The gateway for each (i.e. the router) is 192.168.x.1.
>>> 
>>> The external domain is dynamic, with DNSSEC set up, and everything *seems* to be working correctly.
>>> 
>>> So I did a rndc to update a record in the external zone on the primary. The primary's logs show that the update went through and that a zone transfer notification was sent out to the external secondary. I can also see the updated record in the (raw) zone file on the primary.
>>> 
>>> The external secondary's logs show that it received the zone update notification, BUT that it was coming from the gateway's IP and not the primary server, and thus because the gateway's IP was not in the "primaries" ACL it was/is being refused.
>>> 
>>> I don't know if it's relevant but the external zone has the `dnssec-policy default` option set.
>>> 
>>> The (what I think are the relevant) parts of the external secondary's logs are:
>>> 
>>> ~~~
>>> 31-Jul-2023 16:23:14.182 notify: info: client @0x7ff49061ecc8 192.168.1.1#36875: received notify for zone 'example.com'
>>> 
>>> 31-Jul-2023 16:23:14.182 general: info: zone example.com/IN: refused notify from non-master: 192.168.1.1#36875
>>> ~~~
>>> 
>>> Can someone please point me in the correct direction to resolve this issue? I can provide further info if required. I am reluctant to add the gateway's IP to the "primaries" ACL because it's also the external gateway for the site, and I believe that adding the gateway's IP to the ACL will be a (major) security issue.
>>> 
>>> Thanks in advance
>>> 
>>> Dulux-Oz

-- 
Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list

ISC funds the development of this software with paid support subscriptions. Contact us at https://www.isc.org/contact/ for more information.

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
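As an added example (not code from the thread or from ISC), the script below replays the poster's two log lines against the ACLs copied from the secondary's named.conf above, using BIND's first-match, negation-aware address_match_list rules. It shows why 192.168.1.1 is neither a listed primary (so the NOTIFY is refused as "non-master") nor blackholed (the `!"internal_hosts"` element in "bogusnets" decides before 192.168.0.0/16 is reached). Assumptions: only address and nested-ACL elements are modelled; the built-in "any", "none" and "localhost" ACLs and key matches are not.

```python
import ipaddress
import re

# ACLs copied from the secondary's named.conf quoted in the thread. A quoted
# name is a reference to another ACL; a leading "!" negates the element.
ACLS = {
    "internal_hosts": ["192.168.1.0/24", "192.168.2.0/24", "192.168.3.0/24"],
    "bogusnets": ['!"internal_hosts"', "0.0.0.0/8", "10.0.0.0/8",
                  "172.16.0.0/12", "192.0.2.0/24", "192.168.0.0/16",
                  "224.0.0.0/3"],
    "primary_servers": ["192.168.2.10"],
}

def match_acl(addr, elements, acls=ACLS):
    """BIND address_match_list semantics: the first matching element decides.
    Returns True (positive match), False (negated match) or None (no match).
    A nested ACL counts as matching only when it matches positively, so a
    negation inside it can never become a surprise positive match here.
    Built-in ACLs (any/none/localhost) and key matches are not modelled."""
    ip = ipaddress.ip_address(addr)
    for element in elements:
        negate = element.startswith("!")
        target = element.lstrip("!").strip('"')
        if target in acls:
            matched = match_acl(addr, acls[target], acls) is True
        else:
            matched = ip in ipaddress.ip_network(target, strict=False)
        if matched:
            return not negate
    return None

# Matches the "address#port" form BIND uses for the client in log lines.
ADDR_RE = re.compile(r"(\d{1,3}(?:\.\d{1,3}){3})#\d+")

def audit_notify(line, acls=ACLS):
    """Explain a NOTIFY log line: who sent it and how the ACLs treat it."""
    m = ADDR_RE.search(line)
    if m is None:
        return None
    src = m.group(1)
    return {
        "source": src,
        "listed_primary": match_acl(src, acls["primary_servers"], acls) is True,
        "blackholed": match_acl(src, acls["bogusnets"], acls) is True,
    }

# The two log lines the poster quoted (zone name redacted as in the mail).
LOG_LINES = [
    "31-Jul-2023 16:23:14.182 notify: info: client @0x7ff49061ecc8 192.168.1.1#36875: received notify for zone 'example.com'",
    "31-Jul-2023 16:23:14.182 general: info: zone example.com/IN: refused notify from non-master: 192.168.1.1#36875",
]
```

Running `audit_notify()` over both lines gives source 192.168.1.1 with listed_primary False and blackholed False, which is exactly the combination that produces "refused notify from non-master" rather than a silently dropped packet.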