The problem is now solved. Thanks to Mark.Andrews@xxxxxxx and
eravin@xxxxxxxxx for the excellent information.
Solution:
=========
The file doc/misc/migration contains the following information:
>1.4. Notify messages and Refresh queries
>
>The source address and port for these is now controlled by
>"notify-source" and "transfer-source", respectively, rather than
>query-source as in BIND 8.
And the solution was to modify the beginning of the 'options' clause in
named.conf; it now reads:
options {
    // query-source determines which local address and port will
    // be used by IPv4 UDP connections to query remote nameservers.
    query-source address * port 53;

    // transfer-source determines which local address and port will
    // be bound to IPv4 TCP connections used to fetch zones
    // transferred inbound by the server.
    transfer-source * port 53;

    // notify-source determines which local source address and port
    // will be used to send NOTIFY messages.
    notify-source * port 53;
    // ... (the rest of the options clause follows unchanged)
I guess just adding transfer-source would have solved the problem
(query-source was already there).
The issue is solved.
- Rikhardur Egilsson
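A small check that follows from the migration note above, added here as an example and not code from this thread, from BIND or from its authors: it extracts the top-level options clause of a named.conf, strips comments, and reports which of query-source, transfer-source and notify-source are not explicitly pinned to port 53. The parser is a hypothetical helper written for this example, not BIND's own configuration parser; the two sample clauses are constructed, modelled on the before and after versions posted in the thread, and representing an absent port as "*" (BIND's own spelling for an ephemeral port) is an assumption of the example.

```python
import re

# Constructed sample, modelled on the options clause posted in this thread
# before the fix: only query-source is pinned to port 53.
BEFORE = """\
options {
    // Old Bind behaviour
    query-source address * port 53;
    directory "/etc/Zones";
    tcp-clients 1024;
    allow-transfer { authorized; };
};
"""

# Constructed sample of the corrected clause: all three source options pinned.
AFTER = """\
options {
    query-source address * port 53;
    transfer-source * port 53;
    notify-source * port 53;
    directory "/etc/Zones";
};
"""

SOURCE_OPTIONS = ("query-source", "transfer-source", "notify-source")


def strip_comments(text):
    """Remove /* */, // and # comments so they cannot hide or fake a setting."""
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)
    return re.sub(r"(//|#).*", "", text)


def options_block(text):
    """Return the body of the top-level 'options { ... }' clause ('' if absent)."""
    m = re.search(r"(?<![\w-])options\s*\{", text)
    if not m:
        return ""
    start, i, depth = m.end(), m.end(), 1
    while i < len(text) and depth:          # walk to the matching close brace
        if text[i] == "{":
            depth += 1
        elif text[i] == "}":
            depth -= 1
        i += 1
    return text[start:i - 1]


def source_settings(conf_text):
    """Map each source option to (address, port); None when the option is absent.

    BIND's syntax is 'name [address] <addr|*> [port <num|*>];', so the tokens
    after the option name are walked instead of matched with one fixed pattern.
    """
    body = options_block(strip_comments(conf_text))
    result = {}
    for name in SOURCE_OPTIONS:
        m = re.search(rf"(?<![\w-]){re.escape(name)}(?![\w-])([^;]*);", body)
        if not m:
            result[name] = None
            continue
        tokens = m.group(1).split()
        # Assumption of this example: a missing address means 'any', and a
        # missing port is modelled as '*' (an ephemeral, unpinned port).
        addr, port = "*", "*"
        i = 0
        while i < len(tokens):
            if tokens[i] == "address":
                i += 1
            elif tokens[i] == "port" and i + 1 < len(tokens):
                port = tokens[i + 1]
                i += 2
            else:
                addr = tokens[i]
                i += 1
        result[name] = (addr, port)
    return result


def unpinned_sources(conf_text, port="53"):
    """Names of the source options that are not explicitly bound to 'port'."""
    return [name for name, value in source_settings(conf_text).items()
            if value is None or value[1] != port]


if __name__ == "__main__":
    for label, conf in (("before", BEFORE), ("after", AFTER)):
        print(label, source_settings(conf))
        print("  not pinned to port 53:", unpinned_sources(conf) or "none")
```

Run against a real file with `unpinned_sources(open("/etc/named.conf").read())`; an empty list means all three outbound paths (queries, SOA refresh/transfer, NOTIFY) leave from port 53, which is what a 53<-->53 firewall rule between two DMZs expects.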
-----Original Message-----
From: Rikhardur.EGILSSON@xxxxxxxx [mailto:Rikhardur.EGILSSON@xxxxxxxx]
Sent: 16 July, 2003 3:49 PM
To: bind9-users@xxxxxxx
Subject: Bind 9.2.1 using UDP port != 53 for SOA query before zone transfer.
In the process of upgrading one of our Linux servers, bind version 8.2.5 got
replaced with version 9.2.1 and I now have a brand new problem.
We have multiple DMZ networks, and between two of them we allow 2 bind
servers to exchange zones.
We allow udp traffic on ports 53<-->53 and tcp zone transfers from high
ports<-->53 on the other server.
Everything is working fine, except that before initiating a zone transfer,
the slave server sends a UDP request to the primary server for the SOA
record of the domain, but that request is sent from a high unprivileged
port.
Every other request sent from this slave server is sent from port 53.
And since the request is blocked by a firewall, the slave will never start
the zone transfer.
I did compile version 9.2.2 and ran it, but that didn't seem to change much.
My named.conf:
acl authorized {
    192.134.4.0/24;
};

acl AllowRecursion { // Try to limit the number of lines here.
    10.10.0.0/16;
};

options {
    // Old Bind behaviour
    query-source address * port 53;
    directory "/etc/Zones";
    // Maximum number of simultaneous client TCP connections
    tcp-clients 1024;
    allow-transfer {
        authorized;
    };
    allow-recursion { AllowRecursion; };
    allow-query {
        any;
    };
    pid-file "/var/run/named/named.pid";
    version " ";
};

key "rndc-key" {
    algorithm hmac-md5;
    secret "SecretChanged4ObviousReasons==";
};

controls {
    inet 127.0.0.1 port 953
        allow { 127.0.0.1; } keys { "rndc-key"; };
};

zone "." {
    type hint;
    file "named.ca";
};

zone "0.0.127.in-addr.arpa" {
    type master;
    file "0.0.127.in-addr.arpa";
};

zone "localhost" IN {
    type master;
    file "localhost.zone";
    allow-update { none; };
};

zone "oecdnews.com" {
    type slave;
    file "Secondary/oecdnews.com";
    masters {
        193.51.65.34;
    };
};