Hi all, sorry it's me with a problem. Last night I did a complete reinstall
of the OS. I am running Stretch 64 bit.
I had some troubles with Bind not updating slaves. It said it was not
authoritative. Googled for remedies, tried them all out (will list what I
did in a minute).
No luck so purged and reinstalled Bind, then manually entered a single
zone, restarted Bind. The logs showed this:-
zone keiths-place.co.uk/IN: sending notifies (serial 2019072335)
zone 31.172.in-addr.arpa/IN: sending notifies (serial 1)
zone 127.in-addr.arpa/IN: sending notifies (serial 2)
zone 27.172.in-addr.arpa/IN: sending notifies (serial 1)
zone 255.in-addr.arpa/IN: sending notifies (serial 1)
zone 0.in-addr.arpa/IN: sending notifies (serial 1)
client 85.119.84.35#35865 (keiths-place.co.uk): bad zone transfer request: 'keiths-place.co.uk/IN': non-authoritative zone (NOTAUTH)
client 85.119.80.222#59271 (keiths-place.co.uk): bad zone transfer request: 'keiths-place.co.uk/IN': non-authoritative zone (NOTAUTH)
client 85.119.80.198#10938 (keiths-place.co.uk): query 'keiths-place.co.uk/SOA/IN' denied
client 85.119.80.198#49851 (keiths-place.co.uk): bad zone transfer request: 'keiths-place.co.uk/IN': non-authoritative zone (NOTAUTH)
So you will need to see the conf files
/etc/bind/named.conf.local
// Consider adding the 1918 zones here, if they are not used in your
// organization
include "/etc/bind/zones.rfc1918";
zone "keiths-place.co.uk" {
    type master;
    file "/var/lib/bind/keiths-place.co.uk.hosts";
    allow-query {
        85.119.84.35;
        85.119.80.222;
        2001:ba8:1f1:f085::53;
        2600:3c01:e000:259::53;
        45.33.107.124;
        172.104.29.216;
        2600:3c03::31:2153;
        2001:ba8:1f1:f309::2;
        127.0.0.1;
    };
    check-names warn;
    notify yes;
};
In frustration I added all the possible slaves and localhost to allow-query.
Named.conf
acl slaves {
    85.119.84.35; 2001:ba8:1f1:f309::2;
};
// This is the primary configuration file for the BIND DNS server named.
//
// Please read /usr/share/doc/bind9/README.Debian.gz for information on the
// structure of BIND configuration files in Debian, *BEFORE* you customize
// this configuration file.
//
// If you are just adding zones, please do that in /etc/bind/named.conf.local
include "/etc/bind/named.conf.options";
include "/etc/bind/named.conf.local";
include "/etc/bind/named.conf.default-zones";
and finally named.conf.options
options {
    directory "/var/cache/bind";
    // If there is a firewall between you and nameservers you want
    // to talk to, you may need to fix the firewall to allow multiple
    // ports to talk. See http://www.kb.cert.org/vuls/id/800113
    // If your ISP provided one or more IP addresses for stable
    // nameservers, you probably want to use them as forwarders.
    // Uncomment the following block, and insert the addresses replacing
    // the all-0's placeholder.
    forwarders {
        8.8.8.8;
    };
    //========================================================================
    // If BIND logs error messages about the root key being expired,
    // you will need to update your keys. See https://www.isc.org/bind-keys
    //========================================================================
    dnssec-validation auto;
    auth-nxdomain yes; # conform to RFC1035
    listen-on-v6 { any; };
    check-names master warn;
    check-names slave warn;
    allow-query {
        85.119.84.35; 2001:ba8:1f1:f309::2;
    };
    also-notify {
        85.119.84.35; 2001:ba8:1f1:f309::2;
    };
    notify yes;
    forward first;
};
And just for good measure the zone file
$ttl 38400
keiths-place.co.uk. IN SOA ns3.keiths-place.co.uk. keithwilliamsnp.gmail.com. (
        2019072335
        10800
        3600
        604800
        38400 )
keiths-place.co.uk. IN A 85.119.82.237
www.keiths-place.co.uk. IN A 85.119.82.237
ns3.keiths-place.co.uk. IN A 85.119.82.237
mail.keiths-place.co.uk. IN A 85.119.84.35
ns1.keiths-place.co.uk. IN A 85.119.84.35
ns2.keiths-place.co.uk. IN A 85.119.82.237
webmail.keiths-place.co.uk. IN A 85.119.82.237
keiths-place.co.uk. IN MX 10 keynesmail.com.
keiths-place.co.uk. IN TXT "v=spf1 mx redirect=keynesmail.com"
keiths-place.co.uk. IN AAAA 2001:ba8:1f1:f29d::2
mail.keiths-place.co.uk. IN AAAA 2001:ba8:1f1:f309::2
ns1.keiths-place.co.uk. IN AAAA 2001:ba8:1f1:f309::2
ns2.keiths-place.co.uk. IN AAAA 2001:ba8:1f1:f309::2
webmail.keiths-place.co.uk. IN AAAA 2001:ba8:1f1:f309::2
ns3.keiths-place.co.uk. IN AAAA 2001:ba8:1f1:f29d::2
www.keiths-place.co.uk. IN AAAA 2001:ba8:1f1:f29d::2
keiths-place.co.uk. IN NS a.authns.bitfolk.com.
keiths-place.co.uk. IN NS b.authns.bitfolk.com.
keiths-place.co.uk. IN NS c.authns.bitfolk.com.
keiths-place.co.uk. IN NS ns3.keiths-place.co.uk.
Following "solutions" on Google, I checked all permissions, checked
apparmor (no file for bind there), added all possible slaves to allow-query,
checked firewalls. And read all I could find on Bind. Though I have been
running the 2 bind servers for years and they always just seemed to work.
Sorry, should have said, running Bind 9.11.
Keith
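
The Python below is an added example, not part of the original post: it groups the named log lines quoted above by client and refusal type, then checks each client address against the zone's allow-query list as posted (in BIND a zone-level allow-query replaces the one in options for that zone). The function names and event labels are invented for the example, and the ACL parser handles literal addresses and prefixes only, not named ACLs such as "any".

```python
import ipaddress
import re
from collections import defaultdict

# named log lines as posted above, rejoined where the mail wrapped them.
LOG = """\
client 85.119.84.35#35865 (keiths-place.co.uk): bad zone transfer request: 'keiths-place.co.uk/IN': non-authoritative zone (NOTAUTH)
client 85.119.80.222#59271 (keiths-place.co.uk): bad zone transfer request: 'keiths-place.co.uk/IN': non-authoritative zone (NOTAUTH)
client 85.119.80.198#10938 (keiths-place.co.uk): query 'keiths-place.co.uk/SOA/IN' denied
client 85.119.80.198#49851 (keiths-place.co.uk): bad zone transfer request: 'keiths-place.co.uk/IN': non-authoritative zone (NOTAUTH)
"""

# Zone-level allow-query list as posted in named.conf.local.
ZONE_ALLOW_QUERY = (
    "85.119.84.35; 85.119.80.222; 2001:ba8:1f1:f085::53; "
    "2600:3c01:e000:259::53; 45.33.107.124; 172.104.29.216; "
    "2600:3c03::31:2153; 2001:ba8:1f1:f309::2; 127.0.0.1;"
)

# "client [@0x...] ADDR#PORT (qname): message"; newer BIND adds the @0x field.
CLIENT_RE = re.compile(r"client (?:@0x[0-9a-f]+ )?([0-9A-Fa-f:.]+)#\d+ \([^)]*\): (.*)")


def parse_acl(text):
    """Turn an 'addr; addr/prefix;' address-match list into ip_network objects."""
    return [ipaddress.ip_network(e.strip(), strict=False)
            for e in text.split(";") if e.strip()]


def classify(message):
    """Label the two refusal kinds seen in the post; anything else is 'other'."""
    if "bad zone transfer request" in message and "(NOTAUTH)" in message:
        return "xfer-notauth"
    if message.startswith("query ") and message.endswith(" denied"):
        return "query-denied"
    return "other"


def triage(log_text, acl_text):
    """Per client: which refusals were logged, and is it in the allow-query list?"""
    acl = parse_acl(acl_text)
    events = defaultdict(set)
    for line in log_text.splitlines():
        m = CLIENT_RE.search(line)
        if m:
            events[m.group(1)].add(classify(m.group(2).strip()))
    return {ip: {"events": sorted(ev),
                 "in_allow_query": any(ipaddress.ip_address(ip) in n for n in acl)}
            for ip, ev in events.items()}


if __name__ == "__main__":
    for ip, info in triage(LOG, ZONE_ALLOW_QUERY).items():
        print(ip, info)
```

On the posted data, 85.119.80.198 is the only client that also logged a denied SOA query and the only one absent from the zone's allow-query list; the other two clients are in the list and still received NOTAUTH on transfer.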