Named Errors In /var/log/messages


Hello,

Can someone explain these errors?

Oct 27 15:34:05 vhost01 named[1316]: zone #ZONE#/IN/auth: refresh: retry limit for master IPV6-MASTER#53 exceeded (source IPV6-THIS#0)
Oct 27 15:34:05 vhost01 named[1316]: zone #ZONE#/IN/auth: Transfer started.
Oct 27 15:34:06 vhost01 named[1316]: zone #ZONE#/IN/auth: refresh: retry limit for master IPV6-MASTER#53 exceeded (source IPV6-THIS#0)
Oct 27 15:34:06 vhost01 named[1316]: zone #ZONE#/IN/auth: Transfer started.
Oct 29 04:06:19 vhost01 named[1316]: zone #ZONE#/IN/auth: refresh: retry limit for master IPV6-MASTER#53 exceeded (source IPV6-THIS#0)
Oct 29 04:06:19 vhost01 named[1316]: zone #ZONE#/IN/auth: Transfer started.

Is this caused by a misconfiguration at the master DNS or at this DNS (slave)?
(The master DNS can only be reached over IPv6.)

Is there a serious problem?

Entries like these can also be found:

Oct 29 04:06:21 vhost01 named[1316]: transfer of '#ZONE#/IN/auth' from IPV6-MASTER#53: connected using IPV6-THIS#46019
Oct 29 04:06:21 vhost01 named[1316]: transfer of '#ZONE#/IN/auth' from IPV6-MASTER#53: Transfer completed: 0 messages, 1 records, 0 bytes, 0.064 secs (0 bytes/sec)

Or is this just caused by the #0 – I guess that is source port 0?

These are the ip6tables entries on this DNS (slave):

-A INPUT -i eth0 -d IPV6-THIS -m tcp -p tcp --dport 53 -m state --state NEW -j ACCEPT
-A INPUT -i eth0 -d IPV6-THIS -m udp -p udp --dport 53 -j ACCEPT

The master has these for each DNS:

-A INPUT -i sit1 -s IPV6-SLAVE -d IPV6-MASTER -m tcp -p tcp --dport 53 -m state --state NEW -j ACCEPT
-A INPUT -i sit1 -s IPV6-SLAVE -d IPV6-MASTER -m udp -p udp --dport 53 -j ACCEPT

The master DNS has this in /etc/named.conf:

acl dns-hosts {
    IPV6-SLAVE; // IPv6only: slave
};

view "auth" {
    match-clients {
        dns-hosts;
    };
    empty-zones-enable no;
    recursion no;

    additional-from-auth no;
    additional-from-cache no;

    also-notify {
        IPV6-SLAVE; // IPv6only: slave
    };
    notify-source 0.0.0.0;
    notify-source-v6 IPV6-MASTER;
    transfer-source 0.0.0.0;
    transfer-source-v6 IPV6-MASTER;

    zone "#ZONE#" IN {
        type master;
        notify yes;
        file "named._authzone-#ZONE#";
        allow-transfer { dns-hosts; };
        allow-update { none; };
    };
};

The slaves themselves have this in /etc/named.conf:

masters masterhost {
    IPV6-MASTER; // IPv6only: master
};

view "auth" {
    match-clients {
        any;
    };
    empty-zones-enable no;
    recursion no;

    transfer-source 0.0.0.0;
    transfer-source-v6 IPV6-SLAVE;

    additional-from-auth no;
    additional-from-cache no;

    zone "#ZONE#" IN {
        type slave;
        masters { masterhost; };
        file "slaves/named._authzone-#ZONE#";
    };
};

I have 3 slave DNS servers, each with the same master, and such log entries appear on all three slave DNS servers.
Each of these 3 slaves is dual-stack (in the wild) and the master is IPv6-only (at home).

Thanks, Walter

One thought on - Named Errors In /var/log/messages

  • https://access.redhat.com/solutions/1231573

    I believe this means that the client is trying to reach the server over UDP, and is unable to do so.

    Probably the firewall or ACL on the master.

    I think so, yes.

    You’re obscuring kind of a lot of information, so it’s hard to guess. 
    If the ACLs are denying transfers, I believe the server’s named logs will reflect that, so check those.  If the firewall is denying it, you should be able to observe that using tcpdump on the server to watch requests and responses from the client.

    You might also want to check whether the client is using RFC4941 temp addresses, and whether your ACLs and rules will actually match the address it uses for requests:

    http://tldp.org/HOWTO/Linux+IPv6-HOWTO/ch06s05.html
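The two kinds of log line in the question can be told apart mechanically, which is what the reply above is pointing at: BIND sends the SOA refresh query over UDP, so "refresh: retry limit for master ... exceeded" means the UDP query got no answer, while "Transfer completed" means the TCP transfer to the same master worked. The "#0" after the source address is the port of the configured transfer-source; port 0 means no fixed source port (the kernel picks an ephemeral one), so it is not an error by itself. The script below, an added example that is not part of the original post and not BIND's own tooling, groups named log lines per (zone, master) and reports which pairs show the UDP-fails-but-TCP-works pattern and which show transfers actually failing. The sample log is constructed for the example: the zone names and the 2001:db8:: addresses are placeholders, and the example.org lines are made up to show a failing transfer next to a working one. The verdict strings are the script's own labels.

```python
import re
from collections import defaultdict

# Constructed sample, modelled on the log lines in the post. Addresses use the
# RFC 3849 documentation prefix and are not real hosts; the example.org lines
# are invented to show a transfer that really fails next to one that succeeds.
SAMPLE_LOG = """\
Oct 27 15:34:05 vhost01 named[1316]: zone example.net/IN/auth: refresh: retry limit for master 2001:db8::1#53 exceeded (source 2001:db8:2::10#0)
Oct 27 15:34:05 vhost01 named[1316]: zone example.net/IN/auth: Transfer started.
Oct 27 15:34:05 vhost01 named[1316]: transfer of 'example.net/IN/auth' from 2001:db8::1#53: connected using 2001:db8:2::10#46019
Oct 27 15:34:05 vhost01 named[1316]: transfer of 'example.net/IN/auth' from 2001:db8::1#53: Transfer completed: 0 messages, 1 records, 0 bytes, 0.064 secs (0 bytes/sec)
Oct 29 04:06:19 vhost01 named[1316]: zone example.net/IN/auth: refresh: retry limit for master 2001:db8::1#53 exceeded (source 2001:db8:2::10#0)
Oct 29 04:06:19 vhost01 named[1316]: zone example.net/IN/auth: Transfer started.
Oct 29 04:06:21 vhost01 named[1316]: transfer of 'example.net/IN/auth' from 2001:db8::1#53: connected using 2001:db8:2::10#46020
Oct 29 04:06:21 vhost01 named[1316]: transfer of 'example.net/IN/auth' from 2001:db8::1#53: Transfer completed: 0 messages, 1 records, 0 bytes, 0.061 secs (0 bytes/sec)
Oct 29 04:06:21 vhost01 named[1316]: zone example.org/IN/auth: refresh: retry limit for master 2001:db8::1#53 exceeded (source 2001:db8:2::10#0)
Oct 29 04:06:21 vhost01 named[1316]: zone example.org/IN/auth: Transfer started.
Oct 29 04:06:51 vhost01 named[1316]: transfer of 'example.org/IN/auth' from 2001:db8::1#53: failed to connect: timed out
"""

# The SOA refresh query goes out over UDP; "retry limit ... exceeded" means no
# answer arrived within the retries. "(source ADDR#0)" is the configured
# transfer-source; port 0 means "no fixed source port", so "#0" is not an error.
RE_REFRESH_FAIL = re.compile(
    r"zone (?P<zone>\S+): refresh: retry limit for master (?P<master>\S+) "
    r"exceeded \(source (?P<src>\S+)\)")
# Zone transfers run over TCP; a completed transfer shows the TCP path works.
RE_XFER_DONE = re.compile(
    r"transfer of '(?P<zone>[^']+)' from (?P<master>\S+): Transfer completed: "
    r"(?P<msgs>\d+) messages, (?P<recs>\d+) records")
RE_XFER_FAIL = re.compile(
    r"transfer of '(?P<zone>[^']+)' from (?P<master>\S+): failed (?P<why>.*)")


def new_entry():
    return {"refresh_failures": 0, "transfers_ok": 0, "transfers_failed": 0,
            "sources": set(), "last_records": None, "failure_reasons": []}


def parse_named_log(text):
    """Count refresh failures and transfer outcomes per (zone, master)."""
    stats = defaultdict(new_entry)
    for line in text.splitlines():
        m = RE_REFRESH_FAIL.search(line)
        if m:
            s = stats[(m["zone"], m["master"])]
            s["refresh_failures"] += 1
            s["sources"].add(m["src"])
            continue
        m = RE_XFER_DONE.search(line)
        if m:
            s = stats[(m["zone"], m["master"])]
            s["transfers_ok"] += 1
            s["last_records"] = int(m["recs"])
            continue
        m = RE_XFER_FAIL.search(line)
        if m:
            s = stats[(m["zone"], m["master"])]
            s["transfers_failed"] += 1
            s["failure_reasons"].append(m["why"])
    return dict(stats)


def verdict(entry):
    """Classify one (zone, master) pair from its counters (labels are this script's own)."""
    if entry["transfers_failed"]:
        # TCP transfers are failing: the slave copy will expire eventually.
        return "transfer-failing"
    if entry["refresh_failures"] and entry["transfers_ok"]:
        # UDP SOA query unanswered, but the TCP transfer succeeds: the zone
        # stays current; the UDP/53 path from source to master needs checking.
        return "udp-refresh-failing-tcp-ok"
    if entry["refresh_failures"]:
        return "refresh-failing-no-transfer-seen"
    return "healthy"


def analyze(text):
    """Per (zone, master): counters, verdict, and whether the source port is unpinned."""
    report = {}
    for key, entry in parse_named_log(text).items():
        report[key] = dict(entry)
        report[key]["verdict"] = verdict(entry)
        report[key]["source_port_unpinned"] = any(
            src.endswith("#0") for src in entry["sources"])
    return report


if __name__ == "__main__":
    for (zone, master), r in sorted(analyze(SAMPLE_LOG).items()):
        print(f"{zone} from {master}: {r['verdict']} "
              f"(refresh failures={r['refresh_failures']}, "
              f"transfers ok={r['transfers_ok']}, failed={r['transfers_failed']}, "
              f"sources={sorted(r['sources'])})")
```

Run it against a real /var/log/messages with `analyze(open(path).read())`. A pair that comes back as udp-refresh-failing-tcp-ok is the situation in the question: the slave stays in sync because the TCP transfer still works, but the UDP SOA query from the transfer-source address is not being answered, which is where the firewall or ACL check on the master (and the reply path back to the slave) should start. A transfer that carries a single record is usually the master's SOA alone, meaning the serial had not changed. Only transfer-failing pairs put the zone at risk of expiring.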