spf-discuss

Re: trusted-forwarder trouble

2005-05-08 10:00:20
In <427CEA21(_dot_)7010901(_at_)ohmi(_dot_)org> Radu Hociung 
<radu(_dot_)spf(_at_)ohmi(_dot_)org> writes:

wayne wrote:
In <427C1A64(_dot_)2010102(_at_)ohmi(_dot_)org> Radu Hociung 
<radu(_dot_)spf(_at_)ohmi(_dot_)org> writes:
Today, as the zone expired due to failure to contact the master zone
server for a week, the trusted-forwarder domain just disappeared.

Is it possible that you had a hard coded IP address?  When I switched
ISPs, I had to switch IP addresses.

Yes, that was it... I used this:

#zone "trusted-forwarder.org" {
#       type slave;
#       file "trusted-forwarder.org";
#       masters { 206.222.212.234; 199.175.137.211; 209.69.32.138; };
#};

BIND only allows IP addresses in the masters list.

Uh, duh.  Yes, of course.

Somehow I assumed that most people would do:
  dig @dns.trusted-forwarder.org -t AXFR trusted-forwarder.org

That is what I recommend on the T-F web page.


I believe this is by design, because [...]

Yes, that is my understanding also.

To point to your master zone server with a name, I would have had to use
a cron script that updates the IP address in the named.conf file, *and*
query a NS server other than the local server.

Well, over the last 10 years that I've had a static IP address, it has
changed a grand total of 3 times.  Maybe it will change again in a few
years, I can't make any promises.  I have, however, updated the
trusted-forwarder.org webpage to note this.


I am only pointing this out in case you also use this service with zone
transfers.

It would have been nice if the move was more prominently announced, on
the spf lists.


If I thought it would have caused problems, I certainly would have
made an announcement.

You said that your logs only show 2 sources for AFXR requests. So it's
only me and one other domain that are affected. The other domain would
only be affected if he rejected based on SPF. If they don't, currently
all their SPF results are TempFail, and they're wondering why. ;)

Yeah, and there is currently only one person who is regularly doing
an rsync transfer of the zone.  This may change in the future.

By the way, when you changed (if you did) the IP address of your master
server, did you not have to inform your slaves of the IP address change
in some way?

Yep, I made sure that all the secondary name servers for the T-FWL were
updated well before the old IP address was phased out.


I can't find that timestamp in my logs, and my clock is NTP synchronized
to time.nrc.ca hourly, and is never off by more than 50 milliseconds or so.

I highly recommend using an NTP server and pool.ntp.org.  See
http://www.pool.ntp.org.   (Yeah, this is another volunteer project
I've been working on for the last year or so.)



-wayne
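An added example, not part of the thread or of the trusted-forwarder.org project: a POSIX shell script for the cron-based workaround Radu describes, which resolves the master's host name at an outside resolver and rewrites the slave's `masters` stanza only when the address set actually changes. The name dns.trusted-forwarder.org and the zone name come from the thread; the config file path, the resolver address and the function names are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): keep a BIND slave zone's hard-coded
# masters list in step with the A records of the master's host name.
MASTER_NAME="dns.trusted-forwarder.org"   # from the thread
ZONE="trusted-forwarder.org"              # from the thread
CONF_FILE="/etc/bind/zone.trusted-forwarder.conf"   # assumed path
RESOLVER="192.0.2.53"   # assumed: an outside resolver, NOT the local slave

# resolve_masters NAME RESOLVER: A records of NAME, one per line, sorted.
resolve_masters() {
    dig +short @"$2" -t A "$1" | grep -E '^[0-9]+(\.[0-9]+){3}$' | sort
}

# render_stanza ZONE IP...: print a slave stanza in the thread's layout.
render_stanza() {
    zone=$1; shift; masters=""
    for ip in "$@"; do masters="$masters $ip;"; done
    printf 'zone "%s" {\n\ttype slave;\n\tfile "%s";\n\tmasters {%s };\n};\n' \
        "$zone" "$zone" "$masters"
}

# current_masters FILE: IPs in FILE's masters list, one per line, sorted.
current_masters() {
    sed -n 's/.*masters *{\([^}]*\)}.*/\1/p' "$1" 2>/dev/null |
        tr ';' '\n' | tr -d ' \t' | grep . | sort
}

# update_if_changed ZONE FILE RESOLVED: rewrite FILE only when RESOLVED
# (newline-separated IPs) differs from what is on disk.
# Returns 0 if rewritten, 1 if unchanged, 2 if RESOLVED is empty (lookup
# failed): a failed lookup must never wipe the masters list.
update_if_changed() {
    zone=$1; file=$2; resolved=$3
    [ -n "$resolved" ] || return 2
    if [ "$(current_masters "$file")" = "$(printf '%s\n' "$resolved" | sort)" ]; then
        return 1
    fi
    # shellcheck disable=SC2086  # word-splitting on newlines is intended
    render_stanza "$zone" $resolved > "$file.tmp" && mv "$file.tmp" "$file"
}

# Cron entry point: only reconfigure named if the new config validates.
sync_masters() {
    resolved=$(resolve_masters "$MASTER_NAME" "$RESOLVER") || resolved=""
    if update_if_changed "$ZONE" "$CONF_FILE" "$resolved"; then
        named-checkconf && rndc reconfig
    fi
}
case "${1-}" in --run) sync_masters ;; esac
```

Run it from cron with the `--run` argument; without it the script only defines the functions.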

