Solved

new dns zone will not transfer to slave server

Posted on 2014-01-03
Last Modified: 2014-01-27
I'm using Webmin to manage our Linux DNS servers. Over the past few years I have added zones to both the master and slave systems and synced them without a problem. This time I need to create a child domain so wildcard references can go to our EZproxy server. I created the domain on both boxes, but when I try to force an update from the slave, I get this message: NDC command failed : rndc: 'reload' failed: partial match
The last transferred status is never and the records file is empty on the slave.

Updates for other zones are still working fine.
Question by:batesit
16 Comments
 
LVL 28

Expert Comment

by:mikebernhardt
ID: 39759711
RNDC is a standard DNS tool that webmin is using behind the scenes to manage the software. It's hard to say what's wrong without seeing the configs. Please post named.conf for both master and slave, and the appropriate .db file for the new zone on the master side.

What I'm looking for:
Correct configuration for the zone on both sides, and correct delegation.
 
LVL 1

Author Comment

by:batesit
ID: 39768659
Since the files didn't appear to transfer, I will post the contents. As I stated when I posted the files, I removed the references to our public addresses and school name. If you need more, let me know.

Master named.conf

options {
 directory "/var/named";
 ## added by bs on 21Jul08
 pid-file "/var/run/named/named.pid";
 dump-file "/var/named/data/cache_dump.db";
        statistics-file "/var/named/data/named_stats.txt";
 /*
  * If there is a firewall between you and nameservers you want
  * to talk to, you might need to uncomment the query-source
  * directive below.  Previous versions of BIND always asked
  * questions using port 53, but BIND 8.1 uses an unprivileged
  * port by default.
  */
  // query-source address * port 53;
 allow-recursion { "public-range"; 172.31.0.0/16; 172.29.0.0/16; 172.30.0.0/16; };
 allow-transfer {
  "ip of slave";
  };
};

//
// a caching only nameserver config
//
controls {
 inet * allow { localhost; any; } keys { rndckey; };
};

zone "." IN {
 type hint;
 file "named.ca";
};

zone "localdomain" IN {
 type master;
 file "localdomain.zone";
 allow-update { none; };
};

zone "localhost" IN {
 type master;
 file "localhost.zone";
 allow-update { none; };
};

zone "0.0.127.in-addr.arpa" IN {
 type master;
 file "named.local";
 allow-update { none; };
};

zone "0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa" IN {
        type master;
 file "named.ip6.local";
 allow-update { none; };
};

zone "255.in-addr.arpa" IN {
 type master;
 file "named.broadcast";
 allow-update { none; };
};

zone "0.in-addr.arpa" IN {
 type master;
 file "named.zero";
 allow-update { none; };
};

include "/etc/rndc.key";
server "ip of master" {
 };
zone "school-name.edu" {
 type master;
 file "/var/named/data/school-name.edu.hosts";
 };
zone "0.1.16.172.in-addr.arpa" {
 type master;
 file "/var/named/data/172.16.1.0.rev";
 };
zone "mcafee.com" {
 type master;
 file "/var/named/data/mcafee.com.hosts";
 };
zone "67.29.172.in-addr.arpa" {
      type master;
      file "/var/named/data/172.29.67.rev";
      };
zone "ezproxy.school-name.edu" {
      type master;
      file "/var/named/data/ezproxy.school-name.edu.hosts";
      };


Slave named.conf

options {
 directory "/var/named";
 dump-file "/var/named/data/cache_dump.db";
        statistics-file "/var/named/data/named_stats.txt";
 /*
  * If there is a firewall between you and nameservers you want
  * to talk to, you might need to uncomment the query-source
  * directive below.  Previous versions of BIND always asked
  * questions using port 53, but BIND 8.1 uses an unprivileged
  * port by default.
  */
  // query-source address * port 53;
 allow-recursion { "public ips"; 172.31.0.0/20; };
 allow-notify { "ip of master"; };
};

//
// a caching only nameserver config
//
controls {
 inet * allow { localhost; any; } keys { rndckey; };
};

zone "." IN {
 type hint;
 file "named.ca";
};

zone "localdomain" IN {
 type master;
 file "localdomain.zone";
 allow-update { none; };
};

zone "localhost" IN {
 type master;
 file "localhost.zone";
 allow-update { none; };
};

zone "0.0.127.in-addr.arpa" IN {
 type master;
 file "named.local";
 allow-update { none; };
};

zone "0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa" IN {
        type master;
 file "named.ip6.local";
 allow-update { none; };
};

zone "255.in-addr.arpa" IN {
 type master;
 file "named.broadcast";
 allow-update { none; };
};

zone "0.in-addr.arpa" IN {
 type master;
 file "named.zero";
 allow-update { none; };
};

include "/etc/rndc.key";
server "ip of master" {
 };
zone "school-name.edu" {
 type slave;
 masters {
  "ip of master";
  };
 file "/var/named/data/school-name.edu.hosts";
 };
zone "school-name.com" {
      type slave;
      masters {
            "ip of master";
            };
      file "/var/named/data/school-name.com.hosts";
      };
zone "mcafee.com" {
      type master;
      file "/var/named/data/mcafee.com.hosts";
      };
zone "67.29.172.in-addr.arpa" {
      type slave;
      masters {
            "ip of master";
            };
      file "/var/named/data/172.29.67.rev";
      };
zone "ezproxy.school-name.edu" {
      type slave;
      masters {
            "ip of master";
            };
      file "/var/named/data/ezproxy.school-name.edu.hosts";
      };

Zone file on master

$ttl 38400
ezproxy.school-name.edu.      IN      SOA      "ip of master". my-name.school-name.edu. (
                  1388763268
                  10800
                  3600
                  604800
                  38400 )
ezproxy.school-name.edu.      IN      NS      "ip-of master".
 
LVL 28

Expert Comment

by:mikebernhardt
ID: 39768752
Does the file /var/named/data/ezproxy.school-name.edu.hosts already exist on the slave? If so, delete it.

What do you see in /var/log/messages (I'm assuming that's where the named logging is placed) on both the master and the slave in relation to that zone?
 
LVL 1

Author Comment

by:batesit
ID: 39769138
This page shows the DNS records file /var/named/data/ezproxy.school-name.edu.hosts, created by BIND when the zone was transferred from the master server.

However the file is currently empty, probably because the zone has not yet been transferred from the master server.

Jan  3 06:11:07 hal named[2541]: client "ip of master"#32769: received notify for zone 'ezproxy.school-name.edu': not authoritative
Jan  3 06:44:08 hal named[2541]: client "ip of master"#32769: received notify for zone 'ezproxy.school-name.edu': not authoritative


Jan  3 06:18:38 dave named[2756]: zone ezproxy.school-name.edu/IN: loaded serial 1388758685
Jan  3 06:24:14 dave named[2756]: zone ezproxy.school-name.edu/IN: loaded serial 1388758687
Jan  3 06:24:14 dave named[2756]: zone ezproxy.school-name.edu/IN: sending notifies (serial 1388758687)
Jan  3 06:57:15 dave named[2756]: zone ezproxy.school-name.edu/IN: loaded serial 1388758688
Jan  3 06:57:15 dave named[2756]: zone ezproxy.school-name.edu/IN: sending notifies (serial 1388758688)
Jan  3 07:42:46 dave named[2756]: zone ezproxy.school-name.edu/IN: loaded serial 1388763268
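The two log excerpts above tell the story between them: dave (the master) loads the zone and sends notifies, and hal (the slave) answers every notify with "not authoritative", which is what named says when it has no such zone configured at all. In BIND 9 that is also what rndc's "partial match" reply to a per-zone reload means: the name matched only an enclosing zone (here the parent school-name.edu), not the zone asked for. The Python below is an added example, not part of the original thread or of Webmin/BIND, that correlates the two hosts' named logs to flag exactly that condition. It assumes dave is the master and hal the slave; the embedded log lines are constructed from the pattern posted above, with the redacted master address replaced by the documentation address 192.0.2.10 and a second, healthy zone added for contrast.

```python
import re
from collections import defaultdict

# Syslog prefix every named line carries: "Jan  3 06:11:07 hal named[2541]: "
PREFIX = (r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) "
          r"(?P<host>\S+) named\[\d+\]: ")
# Slave side: a notify that was accepted has no suffix; a refused one does.
NOTIFY_RX = re.compile(PREFIX + r"client (?P<client>[0-9a-fA-F.:]+)#\d+: "
                       r"received notify for zone '(?P<zone>[^']+)'(?:: (?P<result>.*))?$")
# Master side: it only sends notifies for zones it has actually loaded.
SENDING_RX = re.compile(PREFIX + r"zone (?P<zone>.+?)/IN: sending notifies "
                        r"\(serial (?P<serial>\d+)\)$")
# Slave side: proof that a zone transfer completed.
XFER_RX = re.compile(PREFIX + r"zone (?P<zone>.+?)/IN: transferred serial (?P<serial>\d+)")


def triage(lines, master_host, slave_host):
    """Map zone -> finding for zones the master announces but the slave refuses
    with 'not authoritative'. A later 'transferred serial' on the slave clears
    the finding, so transient refusals during a reload are not reported."""
    announced = defaultdict(set)    # zone -> serials the master sent notifies for
    refused = defaultdict(set)      # zone -> notify sources the slave rejected
    transferred = set()             # zones the slave did pull successfully
    for line in lines:
        m = SENDING_RX.match(line)
        if m and m["host"] == master_host:
            announced[m["zone"]].add(int(m["serial"]))
            continue
        m = NOTIFY_RX.match(line)
        if (m and m["host"] == slave_host
                and (m["result"] or "").startswith("not authoritative")):
            refused[m["zone"]].add(m["client"])
            continue
        m = XFER_RX.match(line)
        if m and m["host"] == slave_host:
            transferred.add(m["zone"])

    findings = {}
    for zone, sources in refused.items():
        if zone in transferred:
            continue
        findings[zone] = {
            "notify_sources": sorted(sources),
            "master_serials": sorted(announced.get(zone, ())),
            "advice": ("named on %s is not configured for '%s': the named.conf edit "
                       "was never reloaded or does not parse. On the slave run "
                       "named-checkconf, then 'rndc reconfig', then 'rndc retransfer %s'."
                       % (slave_host, zone, zone)),
        }
    return findings


# Constructed sample: the pattern from the thread, master address replaced by
# 192.0.2.10, plus a healthy zone (school-name.edu) that does transfer.
SAMPLE_LOG = """\
Jan  3 06:11:07 hal named[2541]: client 192.0.2.10#32769: received notify for zone 'ezproxy.school-name.edu': not authoritative
Jan  3 06:18:38 dave named[2756]: zone ezproxy.school-name.edu/IN: loaded serial 1388758685
Jan  3 06:24:14 dave named[2756]: zone ezproxy.school-name.edu/IN: loaded serial 1388758687
Jan  3 06:24:14 dave named[2756]: zone ezproxy.school-name.edu/IN: sending notifies (serial 1388758687)
Jan  3 06:24:15 hal named[2541]: client 192.0.2.10#32769: received notify for zone 'school-name.edu'
Jan  3 06:24:15 hal named[2541]: zone school-name.edu/IN: notify from 192.0.2.10#32769: serial 2014010301
Jan  3 06:24:16 hal named[2541]: zone school-name.edu/IN: transferred serial 2014010301
Jan  3 06:44:08 hal named[2541]: client 192.0.2.10#32769: received notify for zone 'ezproxy.school-name.edu': not authoritative
Jan  3 06:57:15 dave named[2756]: zone ezproxy.school-name.edu/IN: sending notifies (serial 1388758688)
""".splitlines()

if __name__ == "__main__":
    for zone, finding in triage(SAMPLE_LOG, "dave", "hal").items():
        print(zone, finding)
```

Run against real files with something like `triage(open("/var/log/messages").read().splitlines(), "dave", "hal")`; the point of matching on host name is that both servers' logs can be concatenated first. A zone that shows up here will also fail `rndc reload <zone>` on the slave with "partial match" when the parent zone is configured there, since rndc can only find the enclosing zone.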
 
LVL 28

Expert Comment

by:mikebernhardt
ID: 39769678
OK, I think the problem is that you are missing the "glue" record in the child domain. You need to add an A record in the child zone for the NS named at the top of the zone.

 "ip-of master"     IN     A     ezproxy.school-name.edu.
 
LVL 1

Author Comment

by:batesit
ID: 39772691
This sounds plausible to me. I had to delete the child domain because it interfered with the normal lookup of ezproxy from the master. There was considerable confusion when the slave gave out the IP for ezproxy but the master didn't. As soon as she has finished her tests without the wildcard, I will add this. Thanks.
 
LVL 1

Author Comment

by:batesit
ID: 39789174
I finally got permission to do more experiments. Here is what is now in the master file.
I still get the same error when I try to force an update from the slave. The complicating factor is when this zone exists, the master no longer gives out an IP for the ezproxy server. It's as if the entry for ezproxy in the parent domain is stepped on by this child domain.

$ttl 38400
ezproxy.school-name.edu.      IN      SOA      "ip of master". myname.school-name.edu. (
                  1389951250
                  10800
                  3600
                  604800
                  38400 )
ezproxy.school-name.edu.      IN      NS      "ip of master".
*.ezproxy.school-name.edu.      IN      A      "ip of ezproxy server"
ezproxy.school-name.edu.      IN      NS      "fully qualified name of slave".
dave.ezproxy.school-name.edu.      IN      A      "ip of master"
hal.ezproxy.school-name.edu.      IN      A      "ip of slave"
 
LVL 28

Expert Comment

by:mikebernhardt
ID: 39789574
To simplify this, let's call the master "dave" and the slave "hal" as it appears you're already doing.

According to the book, here's what you should have for the CHILD domain. BTW, "myname.school-name.edu." should correspond to a valid hostmaster email address, i.e. myname@school-name.edu:
$ttl 38400
@      IN      SOA      dave.ezproxy.school-name.edu.   myname.school-name.edu. (
                  1389951250
                  10800
                  3600
                  604800
                  38400 )
         IN      NS      dave
         IN      NS      hal

dave    IN     A      "ip of master"
hal      IN      A      "ip of slave"

Then in the PARENT zone, add this:
fx     IN      NS       dave.ezproxy.school-name.edu.
        IN      NS       hal.ezproxy.school-name.edu.
dave.ezproxy.school-name.edu.    IN     A      "ip of master"
hal.ezproxy.school-name.edu.       IN     A      "ip of slave"

Do you plan to have a PTR zone for this child domain?
 
LVL 1

Author Comment

by:batesit
ID: 39790008
Once again my posting got lost. The myname entry is my email. I placed the entries in the zones as you specified, except for the fx. We have a PTR zone for our DMZ and there is a reverse entry for ezproxy.
After making the changes:
Hal still gets the same error when I force update.
Nslookup pointing to dave returns the right IP for test.ezproxy.school-name.edu.
Nslookup pointing to dave fails to return an IP for ezproxy.school-name.edu.

Am I going about this in the wrong way? I found this link suggesting I can do the subdomain within the parent: http://www.zytrax.com/books/dns/ch9/subdomain.html
Would this be a better way to solve the problem?
 
LVL 28

Expert Comment

by:mikebernhardt
ID: 39790060
Oops, I screwed up! "fx" should be replaced with "ezproxy"

>Nslookup pointing to dave fails to return an IP for ezproxy.school-name.edu.
This is expected unless you create a wildcard entry, because this is the domain name itself. If you add
*      IN      A      "name of ezproxy server"
"name of ezproxy server"  IN A "ip of ezproxy server"

to the child domain, then anything that can't be resolved in the subdomain will return the ezproxy server IP.

That said, if you're only going to have a couple of records then it may be simpler to do it completely within the parent domain.

Regarding the RNDC issue, that *may* be unrelated:
1. If you comment out the ezproxy zone configuration on the slave and then run the reload command, does it work?
2. If not, then the problem is not with your new zone. Try running "rndc reload" on the command line. You may have to specify the absolute path to "rndc" for this to work
 
LVL 1

Author Comment

by:batesit
ID: 39797844
I already have this in the child domain in the master.
*.ezproxy.school-name.edu.      IN      A      "ip of ezproxy"

I made the change you suggested in place of fx and it still doesn't work.

I finally looked at the parent domain on hal and even though it says the file was updated today, none of the recent changes I made are reflected in it although the ezproxy entry I added before playing with subdomains is there. If adding this child domain breaks replication, I need to go back to a working configuration. These servers are the public DNS for the school and I can't afford to break them. At this time my inclination is to return dave to the working config and add the subdomain from within the parent. The only entry for the child was to be the wildcard reference.
Do you disagree?
Thanks for catching the fx part. That confused me.
 
LVL 28

Accepted Solution

by:mikebernhardt (earned 500 total points)
ID: 39797907
Just to check- have you updated the serial numbers in both zones after making the changes?

I agree that if you're only going to do the wildcard record, then you may as well just do it in the parent zone. It's a lot of configuration for a single record.

Just so you can get it working for the future though, I'd suggest setting up a dummy zone like "schooltest.edu" and sub.schooltest.edu" on the same machines and continue to work on it. There's no reason that the subdomain you're working on should behave differently than the others unless there's a typo or some kind of simple misconfiguration.
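Three separate points were made in the thread about the child zone: the name servers named at the top of the child need glue A records in both the child and the parent (the "glue" comment and the CHILD/PARENT layout above), a wildcard never matches the zone apex so ezproxy.school-name.edu itself stops resolving once it becomes a zone cut, and a slave only transfers when the SOA serial has moved forward, which turned out to be the actual cause. The Python below is an added example, not from the original thread, Webmin or BIND, that checks all three against zone files on disk before they are pushed. Its parser is deliberately minimal (no $INCLUDE or $GENERATE). The embedded zones are constructed from the layout the expert recommended, with "ezproxy" in place of the fx typo, RFC 5737 placeholder addresses (192.0.2.10 for dave, 192.0.2.11 for hal, 192.0.2.20 for the EZproxy server), hostmaster@school-name.edu as the RNAME and a date-style serial; none of those values come from the thread.

```python
import ipaddress

def fq(name, origin):
    # '@' is the origin; a name without a trailing dot is relative to it.
    if name == "@":
        return origin
    return name if name.endswith(".") else name + "." + origin

def parse_zone(text, origin):
    """Minimal BIND master-file parser: $TTL/$ORIGIN, '@', blank owner field,
    relative names, ';' comments, ( ) continuations. -> [(owner, TYPE, rdata)]"""
    origin = origin if origin.endswith(".") else origin + "."
    records, last_owner, buf, depth, blank_owner = [], origin, [], 0, False
    for raw in text.splitlines():
        code = raw.split(";", 1)[0]
        if not buf:                          # first physical line of a record
            blank_owner = code[:1].isspace()
        depth += code.count("(") - code.count(")")
        buf += code.replace("(", " ").replace(")", " ").split()
        if depth > 0 or not buf:             # inside ( ... ) or an empty line
            continue
        tokens, buf = buf, []
        if tokens[0].upper() == "$TTL":
            continue
        if tokens[0].upper() == "$ORIGIN":
            origin = tokens[1]
            continue
        owner = last_owner if blank_owner else fq(tokens.pop(0), origin)
        last_owner = owner
        while tokens[0].isdigit() or tokens[0].upper() in ("IN", "CH", "HS"):
            tokens.pop(0)                    # optional TTL and class
        rtype = tokens.pop(0).upper()
        if rtype == "NS":                    # qualify the names checked below
            tokens[0] = fq(tokens[0], origin)
        elif rtype == "SOA":
            tokens[0], tokens[1] = fq(tokens[0], origin), fq(tokens[1], origin)
        records.append((owner.lower(), rtype, tokens))
    return records

def soa_serial(records):
    return next(int(r[2][2]) for r in records if r[1] == "SOA")

def serial_newer(candidate, current):
    """RFC 1982: the slave transfers only if the serial is 'greater' mod 2^32."""
    return 0 < (candidate - current) % (1 << 32) < (1 << 31)

def edit_needs_serial_bump(before, after, origin):
    """True when records changed but the serial did not: slaves keep the old copy."""
    b, a = parse_zone(before, origin), parse_zone(after, origin)
    return sorted(b) != sorted(a) and not serial_newer(soa_serial(a), soa_serial(b))

def has_addr(records, name):
    return any(r[0] == name and r[1] in ("A", "AAAA") for r in records)

def check_delegation(parent, child, child_origin):
    """List problems with the zone cut between a parent and its child zone."""
    apex = child_origin.lower().rstrip(".") + "."
    problems = []
    parent_ns = {r[2][0].lower() for r in parent if r[0] == apex and r[1] == "NS"}
    child_ns = {r[2][0].lower() for r in child if r[0] == apex and r[1] == "NS"}
    if not parent_ns:
        problems.append("parent has no NS records delegating %s" % apex)
    elif parent_ns != child_ns:
        problems.append("NS set differs: parent %s, child %s"
                        % (sorted(parent_ns), sorted(child_ns)))
    for ns in sorted(parent_ns | child_ns):
        try:                                 # NS RDATA must be a host name
            ipaddress.ip_address(ns.rstrip("."))
            problems.append("NS target %s is an IP address, not a name" % ns)
            continue
        except ValueError:
            pass
        if ns.endswith("." + apex):          # in-bailiwick server: needs glue
            if not has_addr(parent, ns):
                problems.append("no glue A/AAAA for %s in the parent zone" % ns)
            if not has_addr(child, ns):
                problems.append("child zone has no A/AAAA for its server %s" % ns)
    if any(r[0] == "*." + apex and r[1] == "A" for r in child) and not has_addr(child, apex):
        problems.append("wildcard *.%s does not match the apex itself, which has "
                        "no A record" % apex)
    return problems

# Constructed sample (placeholder addresses, hostmaster RNAME, date serial).
PARENT = """\
$TTL 38400
@        IN  SOA  dave.school-name.edu. hostmaster.school-name.edu. (
             2014010301 10800 3600 604800 38400 )
         IN  NS   dave
         IN  NS   hal
dave     IN  A    192.0.2.10
hal      IN  A    192.0.2.11
ezproxy  IN  NS   dave.ezproxy.school-name.edu.
         IN  NS   hal.ezproxy.school-name.edu.
dave.ezproxy.school-name.edu.  IN  A  192.0.2.10
hal.ezproxy.school-name.edu.   IN  A  192.0.2.11
"""
PARENT_NO_GLUE = "\n".join(PARENT.splitlines()[:-2]) + "\n"   # glue left out
CHILD = """\
$TTL 38400
@     IN  SOA  dave.ezproxy.school-name.edu. hostmaster.school-name.edu. (
          2014010301 10800 3600 604800 38400 )
      IN  NS   dave
      IN  NS   hal
*     IN  A    192.0.2.20
dave  IN  A    192.0.2.10
hal   IN  A    192.0.2.11
"""
```

Against the recommended layout the only finding is the wildcard-versus-apex one, which is exactly the "nslookup for ezproxy.school-name.edu fails on dave" observation above; adding an apex A record for the EZproxy address clears it. Feeding the same parent file before and after the glue was added, with the serial untouched, makes `edit_needs_serial_bump` return True: the slave's "last transferred" would stay at "never" however many times the master is reloaded, and that is the check worth scripting before `rndc reload`.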
 
LVL 1

Author Comment

by:batesit
ID: 39801419
As usual, you were right. When I manually edited the files, I didn't remember to increment the serial number.
Since the server admin is working on her part again, I had to delete the child zone so the base name of ezproxy again worked.
I would like to experiment until I find the reason, but other duties call. In the last 24 hours, I was asked to deal with creating a novel wireless solution and deal with an intermittent backbone connection at one campus. I am the only one here who will touch Unix and would like to become as knowledgeable in Linux as Windows, but given current circumstances, this will not happen. I appreciate the help and if I get stuck on the parent configuration, I will post another question.
Thanks.
 
LVL 28

Expert Comment

by:mikebernhardt
ID: 39804035
Good luck! If we are done with this question, I'd appreciate some points :-) If you want to keep it open, that's OK too.
 
LVL 1

Author Comment

by:batesit
ID: 39813618
I clicked accept, but it appears it didn't work. Will do it again.
 
LVL 1

Author Closing Comment

by:batesit
ID: 39813623
Given the issues, I consider his suggestions excellent.
