Linux – How to verify that a BIND slave name server is actually synchronizing properly with master (and fix it afterwards)

binddomain-name-systemlinuxnameserver

I've set up two name servers, a master and a slave according to this link. The setup is functioning evidenced by the fact that sites featured on the master server gets served as expected.

Recently though, I've begun suspecting that the slave server doesn't synchronize correctly with the master. During an error inspection I tried reloading a random zone file:

rndc reload domain.tld

("domain.tld" being a placeholder)

only to be greeted by this:

zone refresh queued

Above is the message that is returned, regardless of domain tested.

I've tried searching the whole slave server for any zone files (find / -name *.zone), with no result (but since I'm not fully aware of how the BIND setup works, I'm not even sure that the slave server is supposed to contain the zone files like the master, making the search potentially redundant).

Then I checked the named.run log, it's filled with the likes of following entries:

dumping master file: tmp-CWKpRfrNi0: open: permission denied

Looks like a permission problem to me, but I'm honestly not entirely sure. BTW, I have also tried reloading zone files after incrementing the serial, with no luck.

Is there a way to verify that the slave server is functioning as intended?
Assuming above information is enough to conclude that en error is in fact the culprit and the server is faulty, how do I fix it?

Best Answer

My bind-9.8.2-0.37 from CentOS 6 says after a slave is restarted (for each of the zones, even if they are already cached):

08-Apr-2016 12:15:07.571 zone example.com/IN: loaded serial 2016040103

The named.conf contains, among other stuff::

logging {
  channel general_file      { file "/var/log/named/general.log" versions 3 size 5m; severity dynamic; print-time yes; };
  category general      { general_file; };
};

No need to search for zone files, you should have them manually defined in named.conf, so their location should be easily determinable. Maybe you have chroot misconfigured, that is named runs thinking the root of the filesystem is somewhere like /var/named/chroot and it has no proper permissions set there.

Related Solutions

Reverse DNS doesn’t work – NXDOMAIN

The nameserver which resolves the PTR records for that subnet is ns1.ghostdns.de which, I'm guessing, you do not operate. It looks like it is operated by hostmaster@ghostnet.de.

You need to contact whoever does operate that nameserver and ask them to add a PTR entry for 137.214.249.94.in-addr.arpa.

$ dig -x    94.249.214.137 -t SOA
; <<>> DiG 9.7.0-P1 <<>> -x 94.249.214.137 -t SOA
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 35612
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;137.214.249.94.in-addr.arpa.   IN  SOA

;; AUTHORITY SECTION:
214.249.94.in-addr.arpa. 0  IN  SOA ns1.ghostdns.de. hostmaster.ghostnet.de. 2012032301 10800 1800 604800 10800

;; Query time: 32 msec
;; SERVER: 172.16.255.1#53(172.16.255.1)
;; WHEN: Sat May 26 15:16:41 2012
;; MSG SIZE  rcvd: 116

BIND slave doesn’t sync up with master until it is restarted

From your description I can't tell you exactly what is the problem but I can help you rule out several things.

The cache size settings and cache ttl settings are for cached recursive query data and (as you already suspected) don't apply to authoritative data. Similarly rndc flush is inapplicable here.

Suggested troubleshooting method:

Verify that the notify messages are being sent by the master as expected. Check the logs and/or sniff traffic between the master and slave.
Verify from the logs that the notify message is being received by the slave.
If you cannot see the slave receiving the notify, troubleshoot as a notify issue, i.e. double-check your notify options in named.conf on the master, making sure they are defined as you expect, are not overridden later, and are scoped appropriately. I recommend using "notify explicit;" with "also-notify {slave-server;};"
If the slave is seeing the notify, your issue is figuring out why the zone file is not being updated as you expect. What should happen is after the notify is received, the slave should make an SOA query, compare to its current SOA, and do an AXFR (or IXFR if you have enabled it) to get the updated zone copy (assuming the SOA on the master is higher.) You should be able to observe all of this happening with a sniffer and you should also be seeing evidence of it in the logs on both servers.
If operations do not occur as you expect, start by manually comparing the SOA serial numbers on the two servers (dig @server $zonename SOA) to make sure you didn't accidentally give the slave a higher-than-expected serial number some time in the past which is now higher than the master's serial number.

If that doesn't work, consider posting more information, including named.conf sections from both the master and slave and logs from both servers of what is occurring after you load a freshly edited zone on the master.

Best Answer

Related Solutions

Reverse DNS doesn’t work – NXDOMAIN

BIND slave doesn’t sync up with master until it is restarted

Related Topic