Bind9 slave refresh question

I have 1 master (dns01) DNS server and 2 slaves (dns2, dns3) running on CentOS 5.4 and bind-9.3.6-4.P1.el5_4.2. The master is set to notify the slaves of changes for all zones under options on dns01. On the master I update a record, change the serial and run rndc reload, and the change is applied to dns02 but not dns03.

If I update a record and DO NOT run rndc reload, the slave servers never update even though the serial number is different from what they have. I have the refresh set for 2 hrs. rndc reload on the slaves doesn't update the record either. Neither does rndc refresh "zone-name".

My questions are:

1. Will the slaves eventually expire the zone because they are not refreshing from the master? I have expire set for 2 weeks.
2. Is there a way to force the slaves to refresh from the master?
3. Where can I look to see the last time the slave tried to contact the master? This should happen every two hours. I actually changed it to 15 minutes for testing but didn't see any change.
4. What could be causing dns02 to update but not dns03? They have the exact same named.conf. They also have the exact same config on the master in named.conf.

A few notes:
Servers are in the same VLAN on the same switch.
I've tried this with iptables on and off on all servers.
When I run rndc reload on the slaves I can see the packet hit the master via tcpdump.
When I run rndc reload on the master it only updates slave dns02, not dns03. On dns03 I don't see anything come from dns01 on tcpdump. I see all kinds of DNS traffic on dns02.

Configs
dns01 (master)

include "/etc/rndc.key";

logging{
  channel default_syslog {
    syslog daemon;
    severity warning;
    print-time yes;
    print-severity yes;
    print-category yes;
  };
  category default {
    default_syslog;
  };
};

acl internal-hosts {
        127.0.0.1;
        10.17.65.10/32;                  //dns01
        10.17.65.11/32;                  //dns02
        10.17.65.12/32;                  //dns03
};

options {
        version "";
        directory "/var/named";
        dump-file "/var/named/data/cache_dump.db";
        statistics-file "/var/named/data/named_stats.txt";
        notify yes ;
        allow-transfer {
                        127.0.0.1;
                        10.17.65.10;    //dns01
                        10.17.65.11;    //dns02
                        10.17.65.12;    //dns03
                        };
        allow-notify {
                        10.17.65.10;    //dns01
                        10.17.65.11;    //dns02
                        10.17.65.12;    //dns03
                        };
        allow-recursion {
                        internal-hosts;
                        };
        allow-query {
                        internal-hosts;
                        };
};

zone "test.net" {
        type master;
        file "/var/named/test.net";
        allow-transfer {
                        10.17.65.10;    //dns01
                        10.17.65.11;    //dns02
                        10.17.65.12;    //dns03
                        };
        allow-query { any; };
};

zone "test.com" {
        type master;
        file "/var/named/test.com";
        allow-transfer {
                        10.17.65.10;    //dns01
                        10.17.65.11;    //dns02
                        10.17.65.12;    //dns03
                        };
        allow-query { any; };
};

(I deleted all of the reverse zones here for brevity)

dns2/dns3 (slaves)
include "/etc/rndc.key";

logging{
  channel default_syslog {
    syslog daemon;
    severity warning;
    print-time yes;
    print-severity yes;
    print-category yes;
  };
  category default {
    default_syslog;
  };
};

acl internal-hosts {
        10.17.65.10/32;                  //dns01            //dendns01 (master)
        10.17.65.11/32;                  //dns02
        10.17.65.12/32;                  //dns03
};

options {
        version "";
        directory "/var/named";
        dump-file "/var/named/data/cache_dump.db";
        statistics-file "/var/named/data/named_stats.txt";
        allow-notify {
                        10.17.65.10;    //dendns01 (master)
                        };
        allow-recursion {
                        internal-hosts;
                        };
        allow-query {
                        internal-hosts;
                        };
        allow-transfer {
                        10.17.65.10;    //dendns01 (master)
                        };
};

// prime the server with knowledge of the root servers
zone "." {
        type hint;
        file "/var/named/data/db.root";
};

// Setup authoritative zones
zone "test.net" {
        type slave;
        masters { 10.17.65.10; };            //dendns01 (master)
        file "/var/named/data/test.net";
        allow-query { any; };
};

zone "test.com" {
        type slave;
        masters { 10.17.65.10; };            //dendns01 (master)
        file "/var/named/data/test.com";
        allow-query { any; };
};

(I deleted all of the reverse zones here for brevity)

Any help will be greatly appreciated.
bevege asked:

arnold commented:
The serial has to be updated on any change or the slaves will not retrieve and load the zone since based on the serial number of the zone on the master server no changes have been made.


Even if a notify is received, as long as the serial did not increment, the slave will not update the zone.
noci (Software Engineer) commented:
Can you also show the SOA RRs all servers give?
arnold commented:
Not sure why you are defining a per-zone allow-transfer when you have the exact same allow-transfer rule defined globally.

The issue for notify depends on the NS records that are defined in the zones.
Alternatively, you should use also-notify versus allow-notify in the options on dns1:
also-notify {
        10.17.65.11;    //dns02
        10.17.65.12;    //dns03
};
http://www.zytrax.com/books/dns/ch7/xfer.html

Also-notify generates a notify event whether or not dns02,dns03 are referenced as NS records within the zone.
mikebernhardt commented:
I think the above will do it. Allow-notify tells it to accept inbound notifications from the defined addresses. Also-notify tells it WHO to notify. And I agree, you don't need it in both the global options and the zone-specific options.

But you don't need it at all if the slaves are listed in NS records.

You haven't provided any zone data, so we can't see whether dns03 is listed in an NS record, but I suspect it's missing.
bevege (author) commented:
Thank you all for replying. I think I was just looking at this the wrong way. If you do not run rndc reload, the new updates in the zone file are not read into memory. When the slaves do a refresh they think it is the same info, which it is, even though the files on disk are updated.

When you actually run rndc reload the notifies are sent to the slaves and all servers are up to date. If the slave does a refresh then it sees that nothing has changed.

I was thinking that the refresh on the slaves would pull down updates from the master even if rndc reload had not been run, which doesn't make sense. Refresh looks at the serial of whatever the master has in memory, not the actual file on disk. It turns out that you really only need to do notifies. The refresh really doesn't do anything if your notifies are working. Refresh only comes into play if your masters are totally down or the slaves cannot reach the master for some reason.

I will look at my config a little closer and make sure that my notifies are setup correctly and award some points there.

Thanks

noci (Software Engineer) commented:
And the zones do need to be reloaded at the master using rndc (preferred) or a restart of the server.
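Pulling together the points made in the answers above (the serial must increment before a slave will transfer, a slave only receives NOTIFY if it is in the zone's NS set or in also-notify, and the SOA expire value bounds how long a slave keeps serving a zone it cannot refresh), here is an added POSIX shell check that is not code from the thread. The SOA and NS answer lines are constructed samples in the format `dig +short SOA test.net @<server>` and `dig +short NS test.net @<server>` print; the hostnames, serials and contact address are assumptions, and serials are compared as plain integers, which is adequate for YYYYMMDDnn serials but ignores RFC 1982 wraparound.

```shell
# Constructed sample answers (not real dig output) in the format printed by
#   dig +short SOA test.net @<server>
# fields: mname rname serial refresh retry expire minimum
MASTER_SOA='dns01.test.net. hostmaster.test.net. 2010031502 7200 900 1209600 86400'
DNS02_SOA='dns01.test.net. hostmaster.test.net. 2010031502 7200 900 1209600 86400'
DNS03_SOA='dns01.test.net. hostmaster.test.net. 2010031501 7200 900 1209600 86400'
# Constructed NS answer, as printed by: dig +short NS test.net @10.17.65.10
MASTER_NS='dns01.test.net.
dns02.test.net.'

# Print field $2 of SOA line $1 (3 = serial, 4 = refresh, 5 = retry, 6 = expire).
soa_field() {
    echo "$1" | awk -v n="$2" '{ print $n }'
}

# Compare a slave's serial ($2) with the master's ($1): prints ok, stale or ahead.
# Plain integer comparison: fine for date-based serials, not for RFC 1982 wraparound.
serial_state() {
    m=$(soa_field "$1" 3)
    s=$(soa_field "$2" 3)
    if [ "$s" -eq "$m" ]; then echo ok
    elif [ "$s" -lt "$m" ]; then echo stale
    else echo ahead
    fi
}

# Seconds a slave holding SOA $1 keeps serving the zone when its last successful
# refresh was at epoch $2 and the current time is epoch $3 (0 = already expired).
seconds_to_expiry() {
    exp=$(soa_field "$1" 6)
    left=$(( $2 + exp - $3 ))
    if [ "$left" -gt 0 ]; then echo "$left"; else echo 0; fi
}

# yes if host $2 is in NS answer $1, so the master sends it NOTIFY without also-notify.
notified_by_ns() {
    if echo "$1" | grep -qxF "$2"; then echo yes; else echo no; fi
}

# One report line per slave: serial state, NOTIFY reachability via NS, and
# how long it could serve the zone if the master became unreachable right now.
report() {
    printf '%s: serial %s, notified-via-NS %s, expiry if master unreachable now %ss\n' \
        "$1" "$(serial_state "$MASTER_SOA" "$2")" \
        "$(notified_by_ns "$MASTER_NS" "$1.test.net.")" \
        "$(seconds_to_expiry "$2" "$NOW" "$NOW")"
}
NOW=$(date +%s)
report dns02 "$DNS02_SOA"
report dns03 "$DNS03_SOA"
```

In the constructed data dns03 is one serial behind and absent from the NS set, which is exactly the symptom in the question; replacing the sample strings with real dig output from each server turns this into a quick sync check.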