All the versions of this article: [English] [français]

Le 16/4/2007, 00:00
named zone sonntag.eu.org: refused notify from non-master

The trick & tips of the moment : we recently upgrade the secondary dns server of Lautre.Net. We are now using bind 9.3.

We has the following error message for all the hosted domains :

Apr 16 00:34:38 ns2 named[4586]: client 212.85.137.31#1293: received notify for zone 'sonntag.eu.org'
Apr 16 00:34:38 ns2 named[4586]: zone taous.net/IN: refused notify from non-master: 212.85.137.31#1293

The server ip is 212.85.137.31. The problem is that when you start bind, it send a "notfiy" message to its own daemon to check if all the hosted zones are up-to-date. But since there is no authorization, it denies himself this request !

This can be solve easily by adding an explicit authorization in bind options (usually in named.conf ) as follow :

(since we are on debian etch, the options are in /etc/bind/named.conf.options)

options {
       auth-nxdomain no;    # conform to RFC1035
       listen-on-v6 { any; };
       allow-query { any; };              // This is the default
       recursion no;                      // Do not provide recursive service
<font color="red">
       // We add a manual authorization for bind own ip
       allow-notify { 212.85.137.31; };
</font>
}

Then, restart bind with /etc/init.d/bind9 restart and you’ll see the good news :

Apr 16 00:43:13 ns2 named[4973]: zone sonntag.eu.org/IN: sending notifies (serial 2004110621)
Apr 16 00:43:13 ns2 named[4973]: client 212.85.137.31#1295: received notify for zone 'sonntag.eu.org'
Apr 16 00:43:13 ns2 named[4973]: zone sonntag.eu.org/IN: notify from 212.85.137.31#1295: zone is up to date

Bind sent a notify message to himself, received it and sent a SOA request to the master to check the zone serial number, to know if it has a up-to-date zone file...

Reply to this article