I get access denied when trying to initiate a zone transfer.
For a dig @ns.example.com example.com axfr
I'm getting
client 71.252.219.43#58392: zone transfer 'balticovo.eu/AXFR/IN' denied
Configuration:
- Server is NATed, behind a firewall. If it were a firewall issue, I wouldn't see in my server's log files that such a request had been made.
- named process runs as the bind user, which is chrooted in /var/lib/named. named.conf:

web:/var/lib/named/etc# cat named.conf
options {
    directory "/etc";
    pid-file "/var/run/named.pid";
    statistics-file "/var/run/named.stats";
    allow-transfer { 127.0.0.1; };
    listen-on port 53 { any; };
    listen-on-v6 port 53 { any; };
};
logging {
    category default { default_syslog; default_debug; };
    category unmatched { null; };
    channel default_syslog { syslog daemon; severity info; };
    channel default_debug { file "named.run"; severity dynamic; };
    channel default_stderr { stderr; severity info; };
    channel null { null; };
};
zone "." {
    type hint;
    file "/etc/root.hints";
};
zone "localhost" {
    type master;
    file "/etc/localhost";
};
zone "0.0.127.in-addr.arpa" {
    type master;
    file "/etc/127.0.0";
};
zone "example.com" IN {
    type master;
    file "sites/example.com/forward.zone";
    allow-transfer { 202.157.182.142; 71.252.219.43; };
    allow-update { none; };
    allow-query { any; };
    zone-statistics yes;
};
- All files are owned by bind, and the named process really does run as the chrooted user.
- Digging records other than AXFR works.
- named -v outputs BIND 9.6-ESV-R3
The issue has been solved now. I did fairly major changes:
And then, when I was making changes in named.conf and restarting, it seems that the previous process wasn't killed but new ones were spawned, and I had such lines in my log:
Now I did
killall named
and then /etc/init.d/bind9 start
and all went fine. Probably the third point solved the problem, because when I was changing named.conf, named actually wasn't running with the latest conf file.
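The config above relies on a BIND rule worth checking before every reload: a zone-level allow-transfer replaces the options-level one rather than extending it, so the global "127.0.0.1" plays no part in whether 71.252.219.43 may pull example.com. The following is an added example, not code from the question or from BIND, that reads a constructed named.conf excerpt modelled on the one above and answers "which clients can AXFR this zone under this file", which is the check to run against the file on disk when the running process may be stale. It assumes a file that closes top-level blocks with "};" at column 0 and handles only literal addresses, prefixes, any and none in the ACL.

```python
import ipaddress
import re

# Constructed excerpt modelled on the named.conf in the question; not a real server's config.
NAMED_CONF = """
options {
    allow-transfer { 127.0.0.1; };
};
zone "example.com" IN {
    allow-transfer { 202.157.182.142; 71.252.219.43; };
};
zone "localhost" {
    file "/etc/localhost";
};
"""

# Top-level options/zone blocks (closing "};" at column 0) and their allow-transfer lists.
BLOCK_RE = re.compile(r'(options|zone\s+"([^"]+)"[^{]*)\s*\{(.*?)\n\};', re.S)
ACL_RE = re.compile(r'allow-transfer\s*\{([^}]*)\}')

def parse_transfer_acls(conf):
    """Return (options-level ACL, {zone: zone-level ACL}); an unset ACL is None."""
    global_acl, zones = None, {}
    for m in BLOCK_RE.finditer(conf):
        acl_m = ACL_RE.search(m.group(3))
        acl = [e.strip() for e in acl_m.group(1).split(';') if e.strip()] if acl_m else None
        if m.group(1) == 'options':
            global_acl = acl
        else:
            zones[m.group(2)] = acl
    return global_acl, zones

def transfer_allowed(conf, zone, client_ip):
    """Would client_ip get AXFR for zone? A zone-level ACL replaces the options-level one."""
    global_acl, zones = parse_transfer_acls(conf)
    if zone not in zones:
        return False  # not authoritative for this zone, so no transfer at all
    acl = zones[zone] if zones[zone] is not None else global_acl
    if acl is None:
        return True  # BIND 9.6's documented default: transfers allowed from any host
    ip = ipaddress.ip_address(client_ip)
    for entry in acl:  # first matching element decides; a leading "!" negates it
        negate = entry.startswith('!')  # named ACLs other than any/none are not handled
        target = entry.lstrip('! ')
        if target == 'none':
            return False
        if target == 'any' or ip in ipaddress.ip_network(target, strict=False):
            return not negate
    return False
```

If this returns True for the client yet the live server still logs "denied", the process is not running the file you are reading, which is exactly the stale-process situation the answer describes.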