notify not getting without also-notify

notify not getting without also-notify

btb
hi-

i'm having a problem where notifies are not sent unless also-notify is used to explicitly specify hosts.

here is the config from the computer serving the master zone:

>named-checkconf -p
options {
        bindkeys-file "/etc/bind/keys/dnssec/bind.keys";
        blackhole {
                "bogon";
        };
        session-keyalg "hmac-sha512";
        directory "/var/cache/bind";
        hostname "dca-ans-1.example.com";
        interface-interval 0;
        managed-keys-directory "/etc/bind/keys/managed";
        server-id "dca-ans-1.example.com";
        version none;
        additional-from-auth no;
        additional-from-cache no;
        allow-query-cache {
                "none";
        };
        allow-query-cache-on {
                "none";
        };
        allow-recursion {
                "none";
        };
        allow-recursion-on {
                "none";
        };
        dnssec-enable yes;
        empty-zones-enable no;
        minimal-responses yes;
        recursion no;
        allow-query {
                "any";
        };
        allow-query-on {
                "any";
        };
        allow-transfer {
                "loopback";
                "physical_interfaces";
                "slaves";
        };
        check-dup-records fail;
        check-mx fail;
        check-mx-cname fail;
        check-srv-cname fail;
        check-wildcard yes;
        masterfile-format raw;
        zone-statistics full;
};
controls {
        inet 127.0.0.1 port 953 allow {
                127.0.0.1/32;
        } keys {
                "rndc-key-1";
        };
};
acl "loopback" {
        127.0.0.1/32;
        ::1/128;
};
acl "physical_interfaces" {
        10.128.13.62/32;
};
acl "local_network" {
        10.0.0.0/8;
};
acl "slaves" {
        10.128.13.63/32;
};
acl "bogon" {
        0.0.0.0/8;
        169.254.0.0/16;
        172.16.0.0/12;
        192.0.0.0/24;
        192.0.2.0/24;
        192.168.0.0/16;
        198.18.0.0/15;
        198.51.100.0/24;
        203.0.113.0/24;
        224.0.0.0/3;
};
logging {
        [...]
};
key "rndc-key-1" {
        algorithm "hmac-md5";
        secret "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx";
};
key "ddns-key-1" {
        algorithm "hmac-sha512";
        secret "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx";
};
zone "10.in-addr.arpa" {
        type master;
        file "/srv/dns/internal/master/reverse/10.in-addr.arpa";
        update-policy {
                grant "ddns-key-1" zonesub "any";
        };
};

and here is the zone being served:

>dig @localhost -x 10 axfr +norec

; <<>> DiG 9.9.5-3ubuntu0.2-Ubuntu <<>> @localhost -x 10 axfr +norec
; (1 server found)
;; global options: +cmd
10.in-addr.arpa. 86400 IN SOA dca-ans-1.example.com. hostmaster.example.com. 2015032904 7200 1800 1209600 3600
10.in-addr.arpa. 86400 IN NS dca-ans-1.example.com.
10.in-addr.arpa. 86400 IN NS dca-ans-2.example.com.
10.in-addr.arpa. 86400 IN SOA dca-ans-1.example.com. hostmaster.example.com. 2015032904 7200 1800 1209600 3600
;; Query time: 1 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Sun Mar 29 17:19:51 EDT 2015
;; XFR size: 16 records (messages 1, bytes 449)

dca-ans-2 resolves to 10.128.13.63:
>host dca-ans-2.example.com
dca-ans-2.example.com has address 10.128.13.63

when i trigger a notify, bind never sends a notify to dca-ans-2:

>rndc trace 3
>rndc notify 10.in-addr.arpa.
zone notify queued

debug.log:
29-Mar-2015 17:25:33.860 general: debug 1: received control channel command 'null'
29-Mar-2015 17:25:33.860 general: info: received control channel command 'notify 10.in-addr.arpa.'
29-Mar-2015 17:25:33.860 general: debug 1: zone_settimer: zone 10.in-addr.arpa/IN: enter
29-Mar-2015 17:25:33.860 general: debug 1: zone_timer: zone 10.in-addr.arpa/IN: enter
29-Mar-2015 17:25:33.860 general: debug 1: zone_maintenance: zone 10.in-addr.arpa/IN: enter
29-Mar-2015 17:25:33.860 notify: info: zone 10.in-addr.arpa/IN: sending notifies (serial 2015032904)
29-Mar-2015 17:25:33.860 general: debug 1: zone_settimer: zone 10.in-addr.arpa/IN: enter

but when specifying dca-ans-2 explicitly in also-notify:

    also-notify {
        10.128.13.63;
    };

it does:

29-Mar-2015 17:27:15.945 general: debug 1: received control channel command 'null'
29-Mar-2015 17:27:15.945 general: info: received control channel command 'notify 10.in-addr.arpa.'
29-Mar-2015 17:27:15.945 general: debug 1: zone_settimer: zone 10.in-addr.arpa/IN: enter
29-Mar-2015 17:27:15.945 general: debug 1: zone_timer: zone 10.in-addr.arpa/IN: enter
29-Mar-2015 17:27:15.945 general: debug 1: zone_maintenance: zone 10.in-addr.arpa/IN: enter
29-Mar-2015 17:27:15.945 notify: info: zone 10.in-addr.arpa/IN: sending notifies (serial 2015032904)
29-Mar-2015 17:27:15.945 general: debug 1: zone_settimer: zone 10.in-addr.arpa/IN: enter
29-Mar-2015 17:27:15.945 notify: debug 3: zone 10.in-addr.arpa/IN: sending notify to 10.128.13.63#53
29-Mar-2015 17:27:15.945 general: debug 3: dns_request_createvia
29-Mar-2015 17:27:15.945 general: debug 3: request_render
29-Mar-2015 17:27:15.945 general: debug 3: requestmgr_attach: 0x7fda5c66d010: eref 1 iref 1
29-Mar-2015 17:27:15.945 general: debug 3: mgr_gethash
29-Mar-2015 17:27:15.945 general: debug 3: req_send: request 0x7fda5c6d1460
29-Mar-2015 17:27:15.945 general: debug 3: dns_request_createvia: request 0x7fda5c6d1460
29-Mar-2015 17:27:15.945 general: debug 3: req_senddone: request 0x7fda5c6d1460
29-Mar-2015 17:27:15.946 general: debug 3: req_response: request 0x7fda5c6d1460: success
29-Mar-2015 17:27:15.946 general: debug 3: req_cancel: request 0x7fda5c6d1460
29-Mar-2015 17:27:15.946 general: debug 3: req_sendevent: request 0x7fda5c6d1460
29-Mar-2015 17:27:15.946 general: debug 3: dns_request_getresponse: request 0x7fda5c6d1460
29-Mar-2015 17:27:15.946 notify: debug 3: zone 10.in-addr.arpa/IN: notify response from 10.128.13.63#53: NOERROR
29-Mar-2015 17:27:15.946 general: debug 3: dns_request_destroy: request 0x7fda5c6d1460
29-Mar-2015 17:27:15.946 general: debug 3: req_destroy: request 0x7fda5c6d1460
29-Mar-2015 17:27:15.946 general: debug 3: requestmgr_detach: 0x7fda5c66d010: eref 1 iref 0

version is 9.9.5 courtesy of ubuntu:
>named -v
BIND 9.9.5-3ubuntu0.2-Ubuntu (Extended Support Version)

if i'm understanding the documentation right, by default bind should send notifies to all servers listed in the ns records for a zone, except for the soa mname - which would mean that dca-ans-2 should be notified by default - but it appears to not be.  how can i troubleshoot this further?

thanks
-ben
_______________________________________________
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list

bind-users mailing list
[hidden email]
https://lists.isc.org/mailman/listinfo/bind-users
Re: notify not getting without also-notify

Mark Andrews

The nameserver needs to be able to resolve the hostname of the
secondary itself; it does not use the servers listed in resolv.conf.

You may want to open up recursion temporarily to chase down why this
is failing.


--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: [hidden email]
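One way to check the condition Mark describes, as an added example that is not part of the thread or of BIND itself: compute the set of NS names that named will try to notify by default (apex NS records minus the SOA MNAME) from the AXFR output shown above, then ask the authoritative server itself, without recursion, whether it can turn each of those names into an address. An empty answer is exactly the silent "sending notifies" with no "sending notify to" that Ben saw. The sample AXFR text is constructed from the thread; the `dig` invocation assumes dig is installed and named listens on 127.0.0.1, and the `resolve` hook is the example's own so the logic can be exercised without a live server.

```python
import re
import subprocess

# Constructed sample: the apex records from the 10.in-addr.arpa AXFR shown in the thread.
SAMPLE_AXFR = """\
10.in-addr.arpa. 86400 IN SOA dca-ans-1.example.com. hostmaster.example.com. 2015032904 7200 1800 1209600 3600
10.in-addr.arpa. 86400 IN NS dca-ans-1.example.com.
10.in-addr.arpa. 86400 IN NS dca-ans-2.example.com.
10.in-addr.arpa. 86400 IN SOA dca-ans-1.example.com. hostmaster.example.com. 2015032904 7200 1800 1209600 3600
"""

def parse_axfr(text):
    """Return (SOA MNAME, set of apex NS targets) from 'dig ... axfr' output."""
    mname, ns = None, set()
    for line in text.splitlines():
        if not line or line.startswith(";"):
            continue  # dig comments and blank lines
        fields = line.split()
        if len(fields) < 5 or fields[2] != "IN":
            continue
        if fields[3] == "SOA" and mname is None:
            mname = fields[4].lower()
        elif fields[3] == "NS":
            ns.add(fields[4].lower())
    return mname, ns

def implicit_notify_targets(text):
    """Names named notifies by default: every apex NS except the SOA MNAME."""
    mname, ns = parse_axfr(text)
    return sorted(n for n in ns if n != mname)

def dig_norec(name, server="127.0.0.1"):
    """Resolve name the way the authoritative server must: ask it directly, no recursion."""
    out = subprocess.run(["dig", "@" + server, "+short", "+norecurse", name, "A"],
                         capture_output=True, text=True, check=False).stdout
    return [l for l in out.split() if re.fullmatch(r"\d+\.\d+\.\d+\.\d+", l)]

def check_notify_targets(text, resolve=dig_norec):
    """Map each implicit target to the addresses the server itself can find.

    An empty list means named has nowhere to send the NOTIFY for that name."""
    return {n: resolve(n) for n in implicit_notify_targets(text)}

if __name__ == "__main__":
    for name, addrs in check_notify_targets(SAMPLE_AXFR).items():
        print(name, addrs or "UNRESOLVABLE by named itself -> no NOTIFY sent")
```

Run it on the master with recursion still disabled: a target that resolves only via the host's resolv.conf resolvers, not via named itself, shows up as empty, which is the case to fix (glue or a locally served zone for the NS name) before reaching for also-notify.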
Re: notify not getting without also-notify

btb
On Mar 29, 2015, at 18.09, Mark Andrews <[hidden email]> wrote:
>
> The nameserver needs to be able to resolve the hostname of the
> secondary itself, it does not use the servers listed in resolv.conf.

aha, that was the clue i needed, thanks.

-ben