Sorry, clicked send a bit soon. So I did all that and this is what I got logged. Still saying NOTAUTH. The client the request came from is on the allowed transfer list, which will become the acl that will be written in place of the long list.


On Tue, 23 Jul 2019 at 22:53, Keith Williams <keithwilliamsnp@gmail.com> wrote:
client 85.119.84.35#46541 (keiths-place.co.uk): bad zone transfer request: 'keiths-place.co.uk/IN': non-authoritative zone (NOTAUTH)

On Tue, 23 Jul 2019 at 22:48, Keith Williams <keithwilliamsnp@gmail.com> wrote:
I started to draw up an acl, with all those addresses in, as I had previously, but then put them in "bare" when trying to test what was happening. I couldn't see the point of the restricted queries on an authoritative server. Seemed daft. But it was suggested that specifically naming the slaves while trying it out would be a sensible move? The forwarding was something I have always had. That's easily removed, as with the allow-query.
Let me try that now

On Tue, 23 Jul 2019 at 22:28, Andy Smith <andy@bitfolk.com> wrote:
Hi Keith,

On Tue, Jul 23, 2019 at 10:06:20PM +0100, Keith Williams wrote:
> So you will need to see the conf files
> /etc/bind/named.conf.local
>
> // Consider adding the 1918 zones here, if they are not used in your
> // organization
> include "/etc/bind/zones.rfc1918";
>
> zone "keiths-place.co.uk" {
>         type master;
>         file "/var/lib/bind/keiths-place.co.uk.hosts";
>         allow-query {
>                 85.119.84.35;
>                 85.119.80.222;
>                 2001:ba8:1f1:f085::53;
>                 2600:3c01:e000:259::53;
>                 45.33.107.124;
>                 172.104.29.216;
>                 2600:3c03::31:2153;
>                 2001:ba8:1f1:f309::2;
>                 127.0.0.1;
>                 };
>         check-names warn;
>         notify yes;
>         };

I am confused as to why you are trying to limit who can query your
zone when you are running an authoritative server. I get that you
only have the BitFolk nameservers listed at the registry, but
blocking queries makes debugging harder.

> named.conf
> acl slaves {
>         85.119.84.35; 2001:ba8:1f1:f309::2;
>         };

Nothing appears to reference this acl as far as I can see.

> // This is the primary configuration file for the BIND DNS server named.
> //
> // Please read /usr/share/doc/bind9/README.Debian.gz for information on the
> // structure of BIND configuration files in Debian, *BEFORE* you customize
> // this configuration file.
> //
> // If you are just adding zones, please do that in
> /etc/bind/named.conf.local
>
> include "/etc/bind/named.conf.options";
> include "/etc/bind/named.conf.local";
> include "/etc/bind/named.conf.default-zones";
>
> and finally named.conf.options
>
>  options {
>         directory "/var/cache/bind";
>
>         // If there is a firewall between you and nameservers you want
>         // to talk to, you may need to fix the firewall to allow multiple
>         // ports to talk.  See http://www.kb.cert.org/vuls/id/800113
>
>         // If your ISP provided one or more IP addresses for stable
>         // nameservers, you probably want to use them as forwarders.
>         // Uncomment the following block, and insert the addresses replacing
>         // the all-0's placeholder.
>
>          forwarders {
>                 8.8.8.8;
>          };

Why are you forwarding queries anywhere? This is an authoritative
server; it should only be receiving queries for the zones you've put
in it, so no need for forwarders.

>         allow-query {
>                 85.119.84.35; 2001:ba8:1f1:f309::2;
>                 };

Down here again you are restricting queries. I am not sure whether
this global option overrides the one in the zone, as well - probably
not. But why is it even here?

>         also-notify {
>                 85.119.84.35; 2001:ba8:1f1:f309::2;
>                 };
>         notify yes;
>         forward first;

I am a bit concerned about the effect of "forward first" on an auth
DNS server…

And as Antony mentioned I don't see any allow-transfer. In my
named.conf.options I have an

allow-transfer {
    a;
    list;
    of;
    acl;
    names;
};

which match all the servers I want to be allowed to do transfers.

Your previous config must have similar, right?

Cheers,
Andy

--
https://bitfolk.com/ -- No-nonsense VPS hosting
_______________________________________________
users mailing list
users@lists.bitfolk.com
https://lists.bitfolk.com/mailman/listinfo/users
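As an added example, not from the thread or from Keith's actual files: here is what the two config files would look like once the changes Andy and Antony suggested are applied, i.e. an authoritative-only server that drops the forwarders, drops the query restrictions and restricts zone transfers instead. The acl name `slaves`, the zone name, the file path and the two secondary addresses are taken from the thread; the `recursion no` and `allow-query { any; }` lines are assumptions about how the server should behave, not something the thread states.

```conf
// /etc/bind/named.conf.options -- authoritative-only server.
// The acl is defined here, before the options block, because this file
// is the first one named.conf includes and an acl must be defined before
// anything references it.
acl slaves {
        85.119.84.35;
        2001:ba8:1f1:f309::2;
};

options {
        directory "/var/cache/bind";

        // No forwarders and no "forward first": those only matter for
        // queries the server would recurse on, and an authoritative
        // server should not recurse at all (assumption: nothing else on
        // this host relies on it as a resolver).
        recursion no;

        // Anyone may ask for the zones we publish; restricting queries on
        // an authoritative server only breaks resolution and debugging.
        allow-query { any; };

        // Zone transfers are what should be restricted: only the
        // secondaries in the acl may AXFR/IXFR. Everyone else gets REFUSED.
        allow-transfer { slaves; };

        // Tell the secondaries whenever the zone serial changes.
        notify yes;
        also-notify {
                85.119.84.35;
                2001:ba8:1f1:f309::2;
        };
};

// /etc/bind/named.conf.local -- the zone itself.
// allow-transfer, notify and also-notify are inherited from options; set
// them per zone only if one zone needs a different list of secondaries.
zone "keiths-place.co.uk" {
        type master;
        file "/var/lib/bind/keiths-place.co.uk.hosts";
        check-names warn;
};
```

After editing, run `named-checkconf` (and `named-checkzone keiths-place.co.uk /var/lib/bind/keiths-place.co.uk.hosts`) before reloading. A quick check that the acl is doing its job is `dig @<your server> keiths-place.co.uk AXFR` from a host that is not in the acl, which should come back with status REFUSED, while the same query from one of the listed secondaries should return the whole zone.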