The trick & tips of the moment: we recently upgraded the secondary DNS server of Lautre.Net. We are now using BIND 9.3.
We had the following error message for all the hosted domains:
Apr 16 00:34:38 ns2 named: client 18.104.22.168#1293: received notify for zone 'sonntag.eu.org'
Apr 16 00:34:38 ns2 named: zone taous.net/IN: refused notify from non-master: 22.214.171.124#1293
The server IP is 126.96.36.199. The problem is that when BIND starts, it sends a "notify" message to its own daemon to check that all the hosted zones are up to date. But since there is no authorization for that address, it refuses its own request!
This can be solved easily by adding an explicit authorization in the BIND options (usually in named.conf) as follows. Since we are on Debian etch, the options live in /etc/bind/named.conf.options:
```conf
auth-nxdomain no;       # conform to RFC1035
listen-on-v6 { any; };
allow-query { any; };   // This is the default
recursion no;           // Do not provide recursive service
// We add a manual authorization for BIND's own IP
allow-notify { 188.8.131.52; };
```
Then restart BIND with /etc/init.d/bind9 restart and you'll see the good news:
Apr 16 00:43:13 ns2 named: zone sonntag.eu.org/IN: sending notifies (serial 2004110621)
Apr 16 00:43:13 ns2 named: client 184.108.40.206#1295: received notify for zone 'sonntag.eu.org'
Apr 16 00:43:13 ns2 named: zone sonntag.eu.org/IN: notify from 220.127.116.11#1295: zone is up to date
BIND sent a notify message to itself, received it, and sent a SOA request to the master to check the zone serial number, to know whether its zone file is up to date...
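Before widening allow-notify, it is worth checking which addresses are actually being refused: the server's own IP is the one case to authorize, while a NOTIFY from an unknown host should stay refused (allow-notify is what lets a remote host trigger a SOA check and transfer). The script below is an added example, not part of the original post or of BIND; the log lines and the RFC 5737 addresses in it are constructed, and the own/master address sets are assumptions you replace with your own.

```python
import re

# Constructed sample syslog lines (RFC 5737 documentation addresses) in the
# format BIND 9.3 writes, modelled on the lines quoted in the post. Not real traffic.
SAMPLE_LOG = """\
Apr 16 00:34:38 ns2 named: client 192.0.2.53#1293: received notify for zone 'example.org'
Apr 16 00:34:38 ns2 named: zone example.org/IN: refused notify from non-master: 192.0.2.53#1293
Apr 16 00:34:38 ns2 named: zone example.net/IN: refused notify from non-master: 192.0.2.53#1293
Apr 16 00:43:13 ns2 named: zone example.org/IN: notify from 192.0.2.1#1295: zone is up to date
Apr 16 00:50:02 ns2 named: zone example.net/IN: refused notify from non-master: 203.0.113.77#4242
"""

# Matches the "refused notify from non-master" line: zone name, sender IP and port.
REFUSED_RE = re.compile(
    r"zone (?P<zone>\S+)/IN: refused notify from non-master: "
    r"(?P<ip>[0-9A-Fa-f.:]+)#(?P<port>\d+)"
)


def classify_refused_notifies(log_text, own_ips, master_ips):
    """Return a list of (zone, ip, verdict) for every refused NOTIFY in the log.

    'self'       - the server notified itself (the case in the post): add its own
                   address to allow-notify.
    'master'     - a configured master was refused: masters are allowed implicitly,
                   so check the zone's 'masters' list instead.
    'unexpected' - anyone else: leave it refused and look at where it came from.
    """
    own, masters = set(own_ips), set(master_ips)
    result = []
    for line in log_text.splitlines():
        m = REFUSED_RE.search(line)
        if not m:
            continue
        ip = m.group("ip")
        verdict = "self" if ip in own else "master" if ip in masters else "unexpected"
        result.append((m.group("zone"), ip, verdict))
    return result


def allow_notify_stanza(own_ips):
    """Render the named.conf option that fixes the 'self' case, and only that case."""
    return "allow-notify { " + " ".join(f"{ip};" for ip in sorted(own_ips)) + " };"


if __name__ == "__main__":
    # Assumed addresses: 192.0.2.53 is this secondary, 192.0.2.1 its master.
    for zone, ip, verdict in classify_refused_notifies(SAMPLE_LOG, {"192.0.2.53"}, {"192.0.2.1"}):
        print(f"{zone:12} {ip:14} {verdict}")
    print(allow_notify_stanza({"192.0.2.53"}))
```

Run it against your real syslog (for example the output of grep 'refused notify' /var/log/daemon.log) with your own addresses; only the lines marked 'self' justify the allow-notify change shown above.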