sorry clicked send a bit soon. So I did all that and this is what I got
logged. Still saying notauth. The client the request came from is on the
allowed transfer list. Which will become the acl which will be written in
place of the long list
On Tue, 23 Jul 2019 at 22:53, Keith Williams <keithwilliamsnp(a)gmail.com> wrote:
client 85.119.84.35#46541 (keiths-place.co.uk): bad zone transfer request: 'keiths-place.co.uk/IN': non-authoritative zone (NOTAUTH)
On Tue, 23 Jul 2019 at 22:48, Keith Williams <keithwilliamsnp(a)gmail.com> wrote:
> I started to draw up an acl, with all those addresses in, as I had
> previously, but then put them in "bare" when trying to test what was
> happening. I couldn't see the point of the restricted queries on an
> authoritative server. Seemed daft. But it was suggested that specifically
> naming the slaves while trying it out would be a sensible move? The
> forwarding was something I have always had. That's easily removed, as with
> the allow-query.
> Let me try that now
>
> On Tue, 23 Jul 2019 at 22:28, Andy Smith <andy(a)bitfolk.com> wrote:
>
>> Hi Keith,
>>
>> On Tue, Jul 23, 2019 at 10:06:20PM +0100, Keith Williams wrote:
>> > So you will need to see the conf files
>> > /etc/bind/named.conf.local
>> >
>> > // Consider adding the 1918 zones here, if they are not used in your
>> > // organization
>> > include "/etc/bind/zones.rfc1918";
>> >
>> > zone "keiths-place.co.uk" {
>> >     type master;
>> >     file "/var/lib/bind/keiths-place.co.uk.hosts";
>> >     allow-query {
>> >         85.119.84.35;
>> >         85.119.80.222;
>> >         2001:ba8:1f1:f085::53;
>> >         2600:3c01:e000:259::53;
>> >         45.33.107.124;
>> >         172.104.29.216;
>> >         2600:3c03::31:2153;
>> >         2001:ba8:1f1:f309::2;
>> >         127.0.0.1;
>> >     };
>> >     check-names warn;
>> >     notify yes;
>> > };
>>
>> I am confused as to why you are trying to limit who can query your
>> zone when you are running an authoritative server. I get that you
>> only have the BitFolk nameservers listed at the registry, but
>> blocking queries makes debugging harder.
>>
>> > named.conf
>> > acl slaves {
>> >     85.119.84.35; 2001:ba8:1f1:f309::2;
>> > };
>>
>> Nothing appears to reference this acl as far as I can see.
>>
>> > // This is the primary configuration file for the BIND DNS server named.
>> > //
>> > // Please read /usr/share/doc/bind9/README.Debian.gz for information on the
>> > // structure of BIND configuration files in Debian, *BEFORE* you customize
>> > // this configuration file.
>> > //
>> > // If you are just adding zones, please do that in
>> > // /etc/bind/named.conf.local
>> >
>> > include "/etc/bind/named.conf.options";
>> > include "/etc/bind/named.conf.local";
>> > include "/etc/bind/named.conf.default-zones";
>> >
>> > and finally named.conf.options
>> >
>> > options {
>> >     directory "/var/cache/bind";
>> >
>> >     // If there is a firewall between you and nameservers you want
>> >     // to talk to, you may need to fix the firewall to allow multiple
>> >     // ports to talk. See http://www.kb.cert.org/vuls/id/800113
>> >
>> >     // If your ISP provided one or more IP addresses for stable
>> >     // nameservers, you probably want to use them as forwarders.
>> >     // Uncomment the following block, and insert the addresses replacing
>> >     // the all-0's placeholder.
>> >
>> >     forwarders {
>> >         8.8.8.8;
>> >     };
>>
>> Why are you forwarding queries anywhere? This is an authoritative
>> server; it should only be receiving queries for the zones you've put
>> in it, so no need for forwarders.
>>
>> >     allow-query {
>> >         85.119.84.35; 2001:ba8:1f1:f309::2;
>> >     };
>>
>> Down here again you are restricting queries. I am not sure whether
>> this global option overrides the one in the zone, as well - probably
>> not. But why is it even here?
>>
>> >     also-notify {
>> >         85.119.84.35; 2001:ba8:1f1:f309::2;
>> >     };
>> >     notify yes;
>> >     forward first;
>>
>> I am a bit concerned about the effect of "forward first" on an auth
>> DNS server…
>>
>> And as Antony mentioned I don't see any allow-transfer. In my
>> named.conf.options I have an
>>
>> allow-transfer {
>>     a;
>>     list;
>>     of;
>>     acl;
>>     names;
>> };
>>
>> which match all the servers I want to be allowed to do transfers.
>>
>> Your previous config must have similar, right?
>>
>> Cheers,
>> Andy
>>
>> --
>> https://bitfolk.com/ -- No-nonsense VPS hosting
>
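The shape Andy is describing, with the acl defined once and then referenced from allow-transfer, and with the query restriction and forwarding dropped from an authoritative-only server, as an added example that is not Keith's or Andy's actual configuration. The addresses are the two secondaries named in the thread; the directory and zone file paths are the Debian defaults quoted above, and putting both the acl and options into one file is a simplification (on Debian the options live in named.conf.options and the zone in named.conf.local, with the acl in whichever file is included first, since BIND requires an acl to be defined before it is referenced).

```conf
// Added example, not the original poster's config.
// The acl must appear before anything that references it.
acl "slaves" {
    85.119.84.35;
    2001:ba8:1f1:f309::2;
};

options {
    directory "/var/cache/bind";

    // Authoritative-only: never recurse on behalf of clients, and no
    // forwarders / "forward first" at all.
    recursion no;

    // Anyone may query the published zone data; restricting this only
    // hides the zone from resolvers and makes debugging harder.
    allow-query { any; };

    // Full zone transfers (AXFR/IXFR) are limited to the named secondaries.
    allow-transfer { slaves; };

    // Push NOTIFYs to the secondaries so they refresh promptly.
    notify yes;
    also-notify { 85.119.84.35; 2001:ba8:1f1:f309::2; };
};

zone "keiths-place.co.uk" {
    type master;
    file "/var/lib/bind/keiths-place.co.uk.hosts";
    check-names warn;
};
```

Before reloading, `named-checkconf -z /etc/bind/named.conf` parses the configuration and also attempts to load every zone, and `named-checkzone keiths-place.co.uk /var/lib/bind/keiths-place.co.uk.hosts` checks the zone file on its own. That second check matters for the log line at the top of the thread: when an ACL blocks a transfer, BIND logs the request as denied and answers REFUSED, whereas "non-authoritative zone (NOTAUTH)" means named does not hold that zone at all in the view that received the request, typically because the zone file failed to load or the zone is defined in a different view. So a NOTAUTH on a transfer request is a zone-loading problem to chase in named's startup log, not an allow-transfer problem.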