I started to draw up an acl, with all those addresses in, as I had previously, but then put them in "bare" when trying to test what was happening. I couldn't see the point of the restricted queries on an authoritative server. Seemed daft. But it was suggested that specifically naming the slaves while trying it out would be a sensible move ?????  The forwarding was something I have always had. That's easily removed. as with the allow queries.
Let me try that now

On Tue, 23 Jul 2019 at 22:28, Andy Smith <andy@bitfolk.com> wrote:
Hi Keith,

On Tue, Jul 23, 2019 at 10:06:20PM +0100, Keith Williams wrote:
> So you will need to see the conf files
> /etc/bind/named.conf.local
>
> // Consider adding the 1918 zones here, if they are not used in your
> // organization
> include "/etc/bind/zones.rfc1918";
>
> zone "keiths-place.co.uk" {
>         type master;
>         file "/var/lib/bind/keiths-place.co.uk.hosts";
>         allow-query {
>                 85.119.84.35;
>                 85.119.80.222;
>                 2001:ba8:1f1:f085::53;
>                 2600:3c01:e000:259::53;
>                 45.33.107.124;
>                 172.104.29.216;
>                 2600:3c03::31:2153;
>                 2001:ba8:1f1:f309::2;
>                 127.0.0.1;
>                 };
>         check-names warn;
>         notify yes;
>         };

I am confused as to why you are trying to limit who can query your
zone when you are running an authoritative server. I get that you
only have the BitFolk nameservers listed at the registry, but
blocking queries makes debugging harder.

> Named.conf
> acl slaves {
>         85.119.84.35; 2001:ba8:1f1:f309::2;
>         };

Nothing appears to reference this acl as far as I can see.

> // This is the primary configuration file for the BIND DNS server named.
> //
> // Please read /usr/share/doc/bind9/README.Debian.gz for information on the
> // structure of BIND configuration files in Debian, *BEFORE* you customize
> // this configuration file.
> //
> // If you are just adding zones, please do that in
> /etc/bind/named.conf.local
>
> include "/etc/bind/named.conf.options";
> include "/etc/bind/named.conf.local";
> include "/etc/bind/named.conf.default-zones";
>
> and finally named.conf.options
>
>  options {
>         directory "/var/cache/bind";
>
>         // If there is a firewall between you and nameservers you want
>         // to talk to, you may need to fix the firewall to allow multiple
>         // ports to talk.  See http://www.kb.cert.org/vuls/id/800113
>
>         // If your ISP provided one or more IP addresses for stable
>         // nameservers, you probably want to use them as forwarders.
>         // Uncomment the following block, and insert the addresses replacing
>         // the all-0's placeholder.
>
>          forwarders {
>                 8.8.8.8;
>          };

Why are you forwarding queries anywhere? This is an authoritative
server; it should only be receiving queries for the zones you've put
in it, so no need for forwarders.

>         allow-query {
>                 85.119.84.35; 2001:ba8:1f1:f309::2;
>                 };

Down here again you are restricting queries. I am not sure whether
this global option overrides the one in the zone, as well - probably
not. But why is it even here?

>         also-notify {
>                 85.119.84.35; 2001:ba8:1f1:f309::2;
>                 };
>         notify yes;
>         forward first;

I am a bit concerned about the effect of "forward first" on an auth
DNS server…

And as Antony mentioned I don't see any allow-transfer. In my
named.conf.options I have an

allow-transfer {
    a;
    list;
    of;
    acl;
    names;
};

which match all the servers I want to be allowed to do transfers.

Your previous config must have similar, right?

Cheers,
Andy

--
https://bitfolk.com/ -- No-nonsense VPS hosting
_______________________________________________
users mailing list
users@lists.bitfolk.com
https://lists.bitfolk.com/mailman/listinfo/users