Re: Tuning for lots of SERVFAIL responses

2016-02-22 Thread Tony Finch
Grant Taylor wrote:
>
> Is there anything that the networking team can do to help alleviate some of
> the pain?  I.e. make sure that equipment returns no route to host error
> messages?  Will this make named abort queries before they would otherwise
> timeout?

Dunno :-)

One of the outages we had was due to a large DDoS attack against JANET
which meant we only had partial connectivity; some things worked, some
didn't, but our DNS resolvers were particularly badly affected. So though
you might be able to get your network to return ICMP failures quickly if
you have lost connectivity cleanly, that might not make sense in a dirty
outage.

Tony.
-- 
f.anthony.n.finch http://dotat.at/
Viking: Northerly or northwesterly 6 to gale 8. Rough or very rough,
occasionally high later. Wintry showers. Good, occasionally poor.
___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users


Re: Intermittent NXDOMAIN for a name we are forwarding

2016-02-22 Thread Matus UHLAR - fantomas

On 21.02.16 19:07, blrmaani wrote:

> the cache dump also has this entry (myname.mydomain.com is name I am
> interested in)
>
> myname.mydomain.com  10324   \-ANY   ;-$NXDOMAIN
>
> Which probably means if anyone requests for myname.mydomain.com, they will
> be handed NXDOMAIN for up to 10324 seconds from now..

Doesn't the log also contain info about where that message came from?

> Our current workaround is to restart named (which cache) or we could do a
> 'rndc flush'.

"rndc flushname myname.mydomain.com" should be enough - no need to flush
the whole cache.

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
How does cat play with mouse? cat /dev/mouse


rndc signing -list not working?

2016-02-22 Thread Thomas Schulz
This may be a case of my not understanding what this command should do.

Our domain, adi.com, is signed. But when I issue the following command:

rndc signing -list adi.com in external

I get 'No signing records found'

Note that we use views and view external is what the world sees. I expected
that the rndc signing command would show that the zone is signed.

Tom Schulz
Applied Dynamics Intl.
sch...@adi.com


Re: rndc signing -list not working?

2016-02-22 Thread Evan Hunt
On Mon, Feb 22, 2016 at 10:52:25AM -0500, Thomas Schulz wrote:
> rndc signing -list adi.com in external
> 
> I get 'No signing records found'
> 
> Note that we use views and view external is what the world sees. I expected
> that the rndc signing command would show that the zone is signed.

When a zone is being signed by named, it stores temporary records at the
zone apex (RR type TYPE65534) to indicate the current state of the
signing process, so that if there's a power failure in the middle, named
will be able to resume. Those are the "signing records" referred to here.

At the end of the process there's a record left behind for each DNSKEY,
indicating that signing is complete for that key.  At that point you can
use "rndc signing -clear" to remove them if you want to (though personally
I just leave them).

Since those records aren't there now, I would guess you either already
cleared them at some point, or else some other signing mechanism was
used such as dnssec-signzone instead of the automatic signing in named.

-- 
Evan Hunt -- e...@isc.org
Internet Systems Consortium, Inc.


Re: rndc signing -list not working?

2016-02-22 Thread Thomas Schulz
> On Mon, Feb 22, 2016 at 10:52:25AM -0500, Thomas Schulz wrote:
> > rndc signing -list adi.com in external
> > 
> > I get 'No signing records found'
> > 
> > Note that we use views and view external is what the world sees. I expected
> > that the rndc signing command would show that the zone is signed.
> 
> When a zone is being signed by named, it stores temporary records at the
> zone apex (RR type TYPE65534) to indicate the current state of the
> signing process, so that if there's a power failure in the middle, named
> will be able to resume. Those are the "signing records" referred to here.
> 
> At the end of the process there's a record left behind for each DNSKEY,
> indicating that signing is complete for that key.  At that point you can
> use "rndc signing -clear" to remove them if you want to (though personally
> I just leave them).
> 
> Since those records aren't there now, I would guess you either already
> cleared them at some point, or else some other signing mechanism was
> used such as dnssec-signzone instead of the automatic signing in named.
> 
> -- 
> Evan Hunt -- e...@isc.org
> Internet Systems Consortium, Inc.

We are using automatic signing with the following in named.conf

zone "adi.com" {
        type master;
        file "adi.com.hosts.ext";
        inline-signing yes;
        key-directory "dnssec";
        auto-dnssec maintain;
};

I don't think that I have ever done a clear, but named has been restarted
since the signing was done. The signing was done over a year ago.

Tom Schulz
Applied Dynamics Intl.
sch...@adi.com


Re: A Zone Transfer Question

2016-02-22 Thread David Li
Barry and others:

Thanks for the help!
It's my bad that the slave zone's subnet range was missing from
allow-query. I also added the slave IP explicitly to the
allow-transfer option. Now it seems to be working.


Another issue that I haven't quite figured out is the errors in the
syslog. I have no idea where these are coming from:



Feb 22 15:27:33 dli-centos7 named[2170]: error (network unreachable)
resolving 'node2/A/IN': 2001:503:c27::2:30#53
Feb 22 15:27:33 dli-centos7 named[2170]: error (network unreachable)
resolving 'node2/A/IN': 2001:7fd::1#53
Feb 22 15:27:33 dli-centos7 named[2170]: error (network unreachable)
resolving './NS/IN': 2001:500:1::803f:235#53
Feb 22 15:27:33 dli-centos7 named[2170]: error (network unreachable)
resolving './NS/IN': 2001:503:c27::2:30#53
Feb 22 15:27:33 dli-centos7 named[2170]: error (network unreachable)
resolving './NS/IN': 2001:7fd::1#53
Feb 22 15:27:38 dli-centos7 named[2170]: error (network unreachable)
resolving 'node2/A/IN': 2001:dc3::35#53
Feb 22 15:27:38 dli-centos7 named[2170]: error (network unreachable)
resolving 'node2/A/IN': 2001:7fe::53#53
Feb 22 15:27:38 dli-centos7 named[2170]: error (network unreachable)
resolving './NS/IN': 2001:dc3::35#53
Feb 22 15:27:38 dli-centos7 named[2170]: error (network unreachable)
resolving './NS/


I don't have a zone file that has these records defined. Any idea?

David




> --
>
> Message: 3
> Date: Fri, 19 Feb 2016 21:25:43 -0500
> From: Barry Margolin 
> To: comp-protocols-dns-b...@isc.org
> Subject: Re: A Zone Transfer Question
> Message-ID: 
>
> In article ,
>  David Li  wrote:
>
>> Hi John,
>>
>> Well, I was wrong about the log. I did find some info about why zone
>> transfer failed. On one server running zone rack1.com, I see:
>>
>> Feb 19 16:04:27 dli-centos7 named[13882]: client 10.4.3.101#20745
>> (rack1.com): query 'rack1.com/SOA/IN' denied
>> Feb 19 16:04:27 dli-centos7 named[13882]: client 10.4.3.101#52612
>> (rack1.com): transfer of 'rack1.com/IN': IXFR ended
>>
>> Any idea why it's denied?
>
> VM1 has the option:
>
> allow-query {
>     10.4.1/24;
>     127.0.0.1;
> };
>
> 10.4.3.101 isn't in 10.4.1/24. The slave has to be allowed to query the
> master.
>
> --
> Barry Margolin
> Arlington, MA
>
>
> --
>
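
Barry's diagnosis quoted above (10.4.3.101 is not covered by 10.4.1/24) can be checked mechanically. The following is an added example, not part of the original thread: it matches "denied" query lines from named's log against an allow-query list, expanding the short prefix form named accepts. The sample log is constructed from the lines quoted in the thread, the function names are hypothetical, and only plain IP and prefix elements are handled (no named ACLs, keys or negation).

```python
import ipaddress
import re

# Constructed sample: the two log lines quoted in the thread, unwrapped.
SAMPLE_LOG = """\
Feb 19 16:04:27 dli-centos7 named[13882]: client 10.4.3.101#20745 (rack1.com): query 'rack1.com/SOA/IN' denied
Feb 19 16:04:27 dli-centos7 named[13882]: client 10.4.3.101#52612 (rack1.com): transfer of 'rack1.com/IN': IXFR ended
"""

# allow-query contents as quoted in the thread.
ALLOW_QUERY = ["10.4.1/24", "127.0.0.1"]

DENIED_RE = re.compile(
    r"client (?P<ip>[0-9A-Fa-f:.]+)#\d+ \((?P<zone>[^)]*)\): "
    r"query '(?P<query>[^']+)' denied"
)


def parse_acl_element(element):
    """Convert a plain IP or prefix from an address match list to a network.

    named accepts IPv4 prefixes with trailing octets omitted (10.4.1/24);
    Python's ipaddress does not, so pad the address to four octets first.
    """
    addr, _, plen = element.partition("/")
    if plen and ":" not in addr:
        octets = addr.split(".")
        addr = ".".join(octets + ["0"] * (4 - len(octets)))
    text = f"{addr}/{plen}" if plen else addr
    # strict=False: tolerate host bits set in the prefix instead of raising.
    return ipaddress.ip_network(text, strict=False)


def denied_clients(log_text, acl_elements):
    """Map each client with a denied query to its queries and ACL coverage."""
    networks = [parse_acl_element(e) for e in acl_elements]
    report = {}
    for line in log_text.splitlines():
        match = DENIED_RE.search(line)
        if not match:
            continue
        client = ipaddress.ip_address(match.group("ip"))
        entry = report.setdefault(str(client), {"queries": [], "covered_by": None})
        entry["queries"].append(match.group("query"))
        for net in networks:
            if client.version == net.version and client in net:
                entry["covered_by"] = str(net)
                break
    return report


def missing_from_acl(log_text, acl_elements):
    """Clients whose queries were denied and that no ACL element covers."""
    report = denied_clients(log_text, acl_elements)
    return sorted(ip for ip, entry in report.items() if entry["covered_by"] is None)


if __name__ == "__main__":
    for ip, entry in denied_clients(SAMPLE_LOG, ALLOW_QUERY).items():
        status = entry["covered_by"] or "NOT in allow-query"
        print(f"{ip}: denied {entry['queries']} -> {status}")
```

A client that is reported as covered but is still denied points at a different allow-query statement (zone or view level) taking precedence over the one that was checked.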


RE: A Zone Transfer Question

2016-02-22 Thread Darcy Kevin (FCA)
The Internet roots publish both A (IPv4) and AAAA (IPv6) address records.

The log noise you show is what happens when you enable IPv6 but don't have the 
necessary routing in place to the IPv6 Internet, either natively or through 
some sort of tunnel mechanism.

You could certainly turn IPv6 *off*, at the OS or the BIND level, but that's a 
return to the past. Maybe this is a good reminder to think about your long-term 
IPv6 strategy.

- Kevin



Re: A Zone Transfer Question

2016-02-22 Thread Mark Andrews

This is named trying to talk to nameservers over IPv6 and being
told by the OS that they are unreachable.

At this point in time you should be yelling at your ISP to supply
you with IPv6 connectivity if they aren't already as the world ran
out of IPv4 addresses years ago and the network is only running
because ISPs that don't have enough addresses are sharing them
between multiple customers which is costing everyone in one way or
another.

If your ISP is offering you IPv6 you may need to update your CPE
router to one which supports IPv6.

There is no valid excuse for an ISP not supplying IPv6 in 2016.  They
have had over a decade to plan for how to deliver IPv6 to you.

Mark


-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org
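
The explanation above (named trying IPv6 name servers and the OS reporting them unreachable) can be confirmed from the log itself. The following is an added example, not part of the original thread: it groups "network unreachable" resolver errors by address family. The sample is the complete log lines quoted in the thread, unwrapped; the function names and verdict labels are hypothetical.

```python
import ipaddress
import re
from collections import Counter

# Sample: the complete log lines quoted in the thread, unwrapped.
SAMPLE_LOG = """\
Feb 22 15:27:33 dli-centos7 named[2170]: error (network unreachable) resolving 'node2/A/IN': 2001:503:c27::2:30#53
Feb 22 15:27:33 dli-centos7 named[2170]: error (network unreachable) resolving 'node2/A/IN': 2001:7fd::1#53
Feb 22 15:27:33 dli-centos7 named[2170]: error (network unreachable) resolving './NS/IN': 2001:500:1::803f:235#53
Feb 22 15:27:33 dli-centos7 named[2170]: error (network unreachable) resolving './NS/IN': 2001:503:c27::2:30#53
Feb 22 15:27:33 dli-centos7 named[2170]: error (network unreachable) resolving './NS/IN': 2001:7fd::1#53
Feb 22 15:27:38 dli-centos7 named[2170]: error (network unreachable) resolving 'node2/A/IN': 2001:dc3::35#53
Feb 22 15:27:38 dli-centos7 named[2170]: error (network unreachable) resolving 'node2/A/IN': 2001:7fe::53#53
Feb 22 15:27:38 dli-centos7 named[2170]: error (network unreachable) resolving './NS/IN': 2001:dc3::35#53
"""

RESOLVE_ERR_RE = re.compile(
    r"named\[\d+\]: error \((?P<reason>[^)]+)\) resolving "
    r"'(?P<query>[^']+)': (?P<server>[0-9A-Fa-f:.]+)#(?P<port>\d+)"
)


def parse_errors(log_text):
    """Yield (reason, query, server address) for each resolver error line."""
    for line in log_text.splitlines():
        match = RESOLVE_ERR_RE.search(line)
        if match:
            server = ipaddress.ip_address(match.group("server"))
            yield match.group("reason"), match.group("query"), server


def triage(log_text):
    """Summarise 'network unreachable' errors by the family of the target."""
    unreachable = Counter()          # IP version (4 or 6) -> error count
    servers = {4: set(), 6: set()}   # IP version -> distinct target servers
    queries = set()
    other = Counter()                # any other error reason -> count
    for reason, query, server in parse_errors(log_text):
        if reason != "network unreachable":
            other[reason] += 1
            continue
        unreachable[server.version] += 1
        servers[server.version].add(str(server))
        queries.add(query)

    if unreachable[6] and not unreachable[4]:
        # IPv6 is enabled on the host but has no route: the case in the
        # thread (fix the routing, or disable IPv6 at the OS or BIND level).
        verdict = "ipv6-only"
    elif unreachable[6] and unreachable[4]:
        verdict = "both-families"    # looks like a general connectivity loss
    elif unreachable[4]:
        verdict = "ipv4-only"
    else:
        verdict = "none"
    return {
        "verdict": verdict,
        "ipv4": unreachable[4],
        "ipv6": unreachable[6],
        "servers_v6": sorted(servers[6]),
        "queries": sorted(queries),
        "other": dict(other),
    }


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    print(f"verdict={result['verdict']} ipv4={result['ipv4']} ipv6={result['ipv6']}")
    print("unreachable IPv6 servers:", ", ".join(result["servers_v6"]))
```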


Re: A Zone Transfer Question

2016-02-22 Thread David Li
Hi Mark,

Thanks for the explanation!

At this time all my stuff is internal to the data center so I just
added an option to listen on IPv4 only. This seems to have made
these error messages go away.

I do have another question:  If I don't need to do reverse lookup, do
I still need PTR records? In other words, is there any downside if I
don't have PTR records in my zone files?

David







Re: A Zone Transfer Question

2016-02-22 Thread Mark Andrews

I've yet to see a system that doesn't do reverse lookups automatically.
Lots of tools do it so, yes, you should be configuring the nameserver
to return PTR records.

Mark

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org