Recently we moved our primary external DNS server. It has three caching DNS slaves in front of it provided by our ISP. They've told us they've started getting access denied requests when doing zone transfers (AXFR). If I add in my own IPs to the allow-transfer list, I also get a transfer failed when using dig with the AXFR argument. Here is what my bind configuration looks like:
options {
directory "/var/lib/named";
dump-file "/var/log/named_dump.db";
zone-statistics yes;
statistics-file "/var/log/named.stats";
listen-on-v6 { any; };
notify-source 10.19.0.68 port 53;
querylog yes;
notify yes;
allow-transfer {
127.0.0.1; //localhost
1.1.1.1; //public dns slave 1
2.2.2.2; //public dns slave 2
3.3.3.3; //public dns slave 3
};
also-notify {
1.1.1.1; //public dns slave 1
2.2.2.2; //public dns slave 2
3.3.3.3; //public dns slave 3
};
include "/etc/named.d/forwarders.conf";
};
logging {
channel simple_log {
file "/var/log/bind.log" versions 10 size 3m;
severity info;
print-time yes;
print-severity yes;
print-category yes;
};
category default{ simple_log; };
channel log_zone_transfers {
file "/var/log/axfr.log" versions 10 size 3m;
print-time yes;
print-category yes;
print-severity yes;
};
category xfer-out { log_zone_transfers; };
channel log_notify {
file "/var/log/notify.log" versions 10 size 3m;
print-time yes;
print-category yes;
print-severity yes;
};
category notify { log_notify; };
channel queries {
file "/var/log/queries.log" versions 10 size 30m;
print-time yes;
severity info;
print-category yes;
print-severity yes;
};
category queries { queries; };
};
zone "." in {
type hint;
file "root.hint";
};
zone "localhost" in {
type master;
file "localhost.zone";
};
zone "0.0.127.in-addr.arpa" in {
type master;
file "127.0.0.zone";
};
include "/etc/named.conf.include";
zone "example.net " {
type master;
file "/var/lib/named/master/example.net.hosts";
};
zone "example.com " {
type master;
file "/var/lib/named/master/example.com.hosts";
};
## -- other master files --
And the errors in the xfer log look like the following:
29-Oct-2012 14:20:02.806 xfer-out: info: client 1.1.1.1#59069: bad zone transfer request: 'example.com./IN': non-authoritative zone (NOTAUTH)
I've tried adding allow-transfer parameters directly on the zone files and still get failed transfers. Any idea what I'm doing wrong?
Is that accurately copied? You shouldn't have a space there.