
Following the documentation for auth-zone, I tried to declare my dnsmasq server as authoritative for the 10.0.0.0/8 zone (I serve several IP sub-ranges in 10.x).

Unfortunately, whatever I try I end up with

Sep 07 14:37:36 bind named[6812]: transfer of '10.in-addr.arpa/IN' from 10.100.10.254#53: connected using 10.200.0.158#57941
Sep 07 14:37:36 bind named[6812]: transfer of '10.in-addr.arpa/IN' from 10.100.10.254#53: failed while receiving responses: SERVFAIL
Sep 07 14:37:36 bind named[6812]: transfer of '10.in-addr.arpa/IN' from 10.100.10.254#53: Transfer status: SERVFAIL
Sep 07 14:37:36 bind named[6812]: transfer of '10.in-addr.arpa/IN' from 10.100.10.254#53: Transfer completed: 0 messages, 0 records, 0 bytes, 0.001 secs (0 bytes/sec)

on the secondary BIND server (the direct zones are transferred OK).

How should I set this up?

The whole current configuration file for dnsmasq:

no-resolv
no-poll
server=1.1.1.1
server=8.8.4.4
expand-hosts
domain=example.com
domain-needed

auth-server=example.com,lan0,br0
auth-zone=example.com,10.0.0.0/8,lan0,br0
auth-sec-servers=rpi1,bind

dhcp-range=10.100.10.1,10.100.10.230,240h
dhcp-range=10.100.20.1,10.100.20.230,240h
(... more DHCP ranges ...)
dhcp-option=option:ntp-server,129.104.30.42,195.220.194.193
dhcp-option=option:dns-server,10.100.10.30,10.200.0.158
dhcp-authoritative

The config of the secondary BIND server:

zone "example.com" {
  type slave;
  masters { 10.100.10.254; };
  file "/etc/bind/db.example.com";
};

zone "10.in-addr.arpa" {
  type slave;
  masters { 10.100.10.254; };
  file "/etc/bind/db.10";
};
WoJ
    Please add your current configurations. Also... I answered one of your previous questions on DNS.. Did that help or not? – Tommiie Sep 07 '18 at 12:25
  • @Tom: oh sorry. I completely reorganized my DNS environment and lost track of the accepted answers (which I follow religiously :)). Thanks. I will update my question with the full relevant configuration – WoJ Sep 07 '18 at 13:29
  • I mostly wanted to know whether it works or not as I want to include your question in the chapter on DNS that I'm writing. It should make for a challenging exercise! – Tommiie Sep 07 '18 at 13:31
  • @Tom: oh nice, good luck with the book (I know from experience that this is tough). As I said I reorganized the whole DNS setup but if you are looking for some challenges / exercises I could give you my current setup (which involves containers and DNS servers, and a split view between records on Internet and internal). – WoJ Sep 07 '18 at 13:38
  • I don't use **dnsmasq** but the documentation specifies that `auth-sec-servers` should contain a list of domains, so did you try specifying the FQDNs instead of only the hostnames? – Tommiie Sep 10 '18 at 08:42
  • @Tom: yes, and besides, the transfer of example.com goes through (to the same secondaries). It is just the reverse which fails. – WoJ Sep 10 '18 at 11:52
  • Can we also see the config for the reverse zone on BIND? – Tommiie Sep 11 '18 at 09:42
  • @Tom: I updated the question with the BIND config – WoJ Sep 11 '18 at 11:06
  • First thing that comes to mind, does the file exist, is it writable by the `named` user and/or is the directory writable by that user to create the file? – Tommiie Sep 11 '18 at 11:30
  • @Tom: yes. In addition the `/etc/bind/db.example.com` which is next to it is created/updated without problems. – WoJ Sep 11 '18 at 12:25
  • The secondary bind config is irrelevant because command line transfers will also fail. I have exactly the same problem. I can do forward zone transfers; for reverse zones, `host -t SOA ...` works fine and it reports itself; but `host -t AXFR ...` fails. Individual PTR lookups work fine. – BaseZen Jan 31 '20 at 18:13

1 Answer

CLEANUP EDIT with PROPOSED PATCH

This is not possible yet so I have created a fork to stand as a proposed patch to Simon Kelley's official repository to address this. Please try it out!

Currently, while dnsmasq creates and serves individually the necessary PTR records, and delivers the correct SOA and IN records for 0.0.0.in-addr.arpa, given the line:

auth-zone=example.com,10.0.0.0/8,lan0,br0

it simply will not transfer a full zone.

If you declare auth-zone=0.0.10.in-addr.arpa that will output a garbled zone.

Note in the man page:

Note that at present, reverse (in-addr.arpa and ip6.arpa) zones are
not available in zone transfers, so there is no point arranging
secondary servers for reverse lookups.
BaseZen
  • Thanks for a great answer. What's the status of that branch? For others in this boat I've put in the reverse zone as a `forward only` zone on the secondary back to dnsmasq so at least we get correct lookups with some caching all around the network. – Greg Apr 11 '22 at 11:06
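To check the transfer itself without going through the BIND secondary (as BaseZen's comment notes, the SOA query succeeds while the AXFR fails), here is an added example that is not part of the question, the answer, dnsmasq or BIND: a minimal AXFR probe in Python that builds the wire-format request, sends it over TCP and reports the RCODE of the first response message. The primary address 10.100.10.254 and the zone 10.in-addr.arpa come from the question; the embedded SERVFAIL reply is constructed to match the log lines above.

```python
import socket
import struct

RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN",
          4: "NOTIMP", 5: "REFUSED", 9: "NOTAUTH"}
QTYPE_AXFR, QCLASS_IN = 252, 1

def encode_name(name):
    """DNS wire format: length-prefixed labels, terminated by a zero byte."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"

def build_axfr_query(zone, txid=0x1234):
    """The request a secondary sends for a full zone: a plain query header
    (QR=0, RD=0, QDCOUNT=1) followed by a single AXFR/IN question."""
    header = struct.pack("!HHHHHH", txid, 0x0000, 1, 0, 0, 0)
    return header + encode_name(zone) + struct.pack("!HH", QTYPE_AXFR, QCLASS_IN)

def parse_rcode(msg):
    """Return (txid, rcode name, ANCOUNT) from a DNS response header; a working
    transfer gives NOERROR with the SOA first, the failure here gives SERVFAIL."""
    if len(msg) < 12:
        raise ValueError("truncated DNS header")
    txid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    if not flags & 0x8000:
        raise ValueError("not a response (QR bit clear)")
    return txid, RCODES.get(flags & 0x0F, str(flags & 0x0F)), an

def _recv_exact(sock, n):
    data = b""
    while len(data) < n:
        chunk = sock.recv(n - len(data))
        if not chunk:
            raise ConnectionError("server closed the connection mid-message")
        data += chunk
    return data

def axfr_probe(server, zone, port=53, timeout=5.0):
    """Send the AXFR over TCP (two-byte length prefix, RFC 1035 section 4.2.2)
    and parse the first response message. Live network call, e.g.
    axfr_probe("10.100.10.254", "10.in-addr.arpa") against the primary in the question."""
    query = build_axfr_query(zone)
    with socket.create_connection((server, port), timeout=timeout) as sock:
        sock.sendall(struct.pack("!H", len(query)) + query)
        (length,) = struct.unpack("!H", _recv_exact(sock, 2))
        return parse_rcode(_recv_exact(sock, length))

# Constructed sample of the reply the secondary in the question receives:
# QR=1, AA=1, RCODE=2 (SERVFAIL), question echoed back, no records.
SAMPLE_SERVFAIL = (struct.pack("!HHHHHH", 0x1234, 0x8402, 1, 0, 0, 0)
                   + encode_name("10.in-addr.arpa") + struct.pack("!HH", QTYPE_AXFR, QCLASS_IN))
```

Running the same probe against the forward zone example.com on the same primary gives NOERROR with the SOA as the first record, which isolates the problem to the reverse zone rather than to the secondary's file permissions or configuration.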