Re: [bitfolk] BIND9 not authorised - Master zone

Author: Keith Williams
Date:  
To: BitFolk Users
Subject: Re: [bitfolk] BIND9 not authorised - Master zone
client 85.119.84.35#46541 (keiths-place.co.uk): bad zone transfer request: '
keiths-place.co.uk/IN': non-authoritative zone (NOTAUTH)

On Tue, 23 Jul 2019 at 22:48, Keith Williams <keithwilliamsnp@???>
wrote:

> I started to draw up an acl, with all those addresses in, as I had
> previously, but then put them in "bare" when trying to test what was
> happening. I couldn't see the point of the restricted queries on an
> authoritative server. Seemed daft. But it was suggested that specifically
> naming the slaves while trying it out would be a sensible move ????? The
> forwarding was something I have always had. That's easily removed, as with
> the allow queries.
> Let me try that now
>
> On Tue, 23 Jul 2019 at 22:28, Andy Smith <andy@???> wrote:
>
>> Hi Keith,
>>
>> On Tue, Jul 23, 2019 at 10:06:20PM +0100, Keith Williams wrote:
>> > So you will need to see the conf files
>> > /etc/bind/named.conf.local
>> >
>> > // Consider adding the 1918 zones here, if they are not used in your
>> > // organization
>> > include "/etc/bind/zones.rfc1918";
>> >
>> > zone "keiths-place.co.uk" {
>> >         type master;
>> >         file "/var/lib/bind/keiths-place.co.uk.hosts";
>> >         allow-query {
>> >                 85.119.84.35;
>> >                 85.119.80.222;
>> >                 2001:ba8:1f1:f085::53;
>> >                 2600:3c01:e000:259::53;
>> >                 45.33.107.124;
>> >                 172.104.29.216;
>> >                 2600:3c03::31:2153;
>> >                 2001:ba8:1f1:f309::2;
>> >                 127.0.0.1;
>> >                 };
>> >         check-names warn;
>> >         notify yes;
>> >         };
>>
>> I am confused as to why you are trying to limit who can query your
>> zone when you are running an authoritative server. I get that you
>> only have the BitFolk nameservers listed at the registry, but
>> blocking queries makes debugging harder.
>>
>> > Named.conf
>> > acl slaves {
>> >         85.119.84.35; 2001:ba8:1f1:f309::2;
>> >         };
>>
>> Nothing appears to reference this acl as far as I can see.
>>
>> > // This is the primary configuration file for the BIND DNS server named.
>> > //
>> > // Please read /usr/share/doc/bind9/README.Debian.gz for information on the
>> > // structure of BIND configuration files in Debian, *BEFORE* you customize
>> > // this configuration file.
>> > //
>> > // If you are just adding zones, please do that in
>> > /etc/bind/named.conf.local
>> >
>> > include "/etc/bind/named.conf.options";
>> > include "/etc/bind/named.conf.local";
>> > include "/etc/bind/named.conf.default-zones";
>> >
>> > and finally named.conf.options
>> >
>> >  options {
>> >         directory "/var/cache/bind";
>> >
>> >         // If there is a firewall between you and nameservers you want
>> >         // to talk to, you may need to fix the firewall to allow multiple
>> >         // ports to talk.  See http://www.kb.cert.org/vuls/id/800113
>> >
>> >         // If your ISP provided one or more IP addresses for stable
>> >         // nameservers, you probably want to use them as forwarders.
>> >         // Uncomment the following block, and insert the addresses replacing
>> >         // the all-0's placeholder.
>> >
>> >          forwarders {
>> >                 8.8.8.8;
>> >          };
>>
>> Why are you forwarding queries anywhere? This is an authoritative
>> server; it should only be receiving queries for the zones you've put
>> in it, so no need for forwarders.
>>
>> >         allow-query {
>> >                 85.119.84.35; 2001:ba8:1f1:f309::2;
>> >                 };
>>
>> Down here again you are restricting queries. I am not sure whether
>> this global option overrides the one in the zone, as well - probably
>> not. But why is it even here?
>>
>> >         also-notify {
>> >                 85.119.84.35; 2001:ba8:1f1:f309::2;
>> >                 };
>> >         notify yes;
>> >         forward first;
>>
>> I am a bit concerned about the effect of "forward first" on an auth
>> DNS server…
>>
>> And as Antony mentioned I don't see any allow-transfer. In my
>> named.conf.options I have an
>>
>> allow-transfer {
>>     a;
>>     list;
>>     of;
>>     acl;
>>     names;
>> };
>>
>> which match all the servers I want to be allowed to do transfers.
>>
>> Your previous config must have similar, right?
>>
>> Cheers,
>> Andy
>>
>> --
>> https://bitfolk.com/ -- No-nonsense VPS hosting
>> _______________________________________________
>> users mailing list
>> users@???
>> https://lists.bitfolk.com/mailman/listinfo/users
>>
>
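Pulling the thread's advice together (the unreferenced `slaves` acl, Andy's `allow-transfer` list of acl names, no query restriction and no forwarders on an authoritative server), here is an added example of what the three files could look like; it is not Keith's config or anything from the list, and `recursion no` is an assumption added here rather than something the thread states:

```bind
// named.conf: define the ACL once, then reference it below.
acl slaves {
        85.119.84.35;
        2001:ba8:1f1:f309::2;
};

include "/etc/bind/named.conf.options";
include "/etc/bind/named.conf.local";
include "/etc/bind/named.conf.default-zones";

// named.conf.options: authoritative-only server.
options {
        directory "/var/cache/bind";

        // Answer anyone: the zone is public data, and the secondaries
        // listed at the registry must be able to reach this server.
        allow-query { any; };

        // No forwarders and no "forward first" on an authoritative server;
        // refusing recursion (assumed here) keeps it from acting as an open
        // resolver.
        recursion no;

        // Only the hosts in the acl may pull the zone (AXFR/IXFR).
        allow-transfer { slaves; };

        // Notify the same hosts when the zone changes.
        notify yes;
        also-notify { 85.119.84.35; 2001:ba8:1f1:f309::2; };
};

// named.conf.local: the zone inherits allow-query/allow-transfer from
// options, so it no longer carries its own allow-query list.
zone "keiths-place.co.uk" {
        type master;
        file "/var/lib/bind/keiths-place.co.uk.hosts";
        check-names warn;
};
```

Run `named-checkconf -z` before reloading to confirm the files parse and the zone loads, then from one of the listed secondaries `dig @<primary> keiths-place.co.uk AXFR` should return the zone instead of NOTAUTH or REFUSED.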