project722
2018-09-21 14:05:04 UTC
I've got two recursive dns servers running ISC 9.11 and 9.12. We are using
RPZ and I have a whitelist/blacklist exception zone file on both servers. I
need the ability to change it only on one server and have it propagate to
the other servers. My config is working, but I'm getting some delays that
I'd like to eliminate. First off, on the "master" server, when I update the
rpz-local file and run a rndc reload, it takes about 2 minutes before I see
the xfer-out in the logs. On the "slave", I also see the xfer-in at the
same time. There are no errors, just that kickoff delay.
Then, on the "slave", it takes about 15 minutes for the file to actually
update with the new info from the time of the xfer-in. I've tried adding NS
records for the slave in the zone file and doing some things with notify,
but nothing seems to help. I'd like the changes to be almost instantaneous
from the time I run the rndc reload. Here is the config from the "master".
/etc/named.conf
acl RPZ {
192.168.1.100;
};
zone "rpz-local" {
type master;
file "db.rpz-local";
allow-transfer { localhost; RPZ; };
allow-query { localhost; RPZ; };
};
zone file:
$TTL 150
@ IN SOA localhost. need.to.know.only. (
201707314 ; Serial number
10 ; Refresh every 10 seconds
10 ; Retry every 30 seconds
432000 ; Expire in 5 days
60 ) ; negative caching ttl 1 minute
IN NS ns1master.example.com
IN NS ns2slave.example.com
;# -------------------------------------------------------------------
;# Whitelist entries using rpz-passthru
;# -------------------------------------------------------------------
deteque.com IN CNAME rpz-passthru.
*.deteque.com IN CNAME rpz-passthru.
Here is the config from the slave:
/etc/named.conf
acl RPZ {
192.168.1.101;
};
zone "rpz-local" {
type slave;
file "db.rpz-local";
masters { 192.168.1.101; };
allow-transfer { localhost; RPZ; };
masterfile-format text;
allow-query { localhost; RPZ; };
};
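The things that decide how fast a slave picks up a master's change are all in the zone's own SOA and NS records: the serial must compare as newer (RFC 1982 serial arithmetic), the refresh/retry timers are clamped upward by the slave's min-refresh-time / min-retry-time defaults, and NS names without a trailing dot are relative to the zone origin, so NOTIFY never reaches the intended host. The following lint, an added example and not code from the poster or from ISC BIND, parses a zone file and reports those conditions. The zone text is the poster's rpz-local file re-typed without its comments; the 300 s / 500 s constants are BIND 9's documented defaults for min-refresh-time and min-retry-time, and the lint rules themselves are my own.

```python
import re

# Sample input: the poster's rpz-local zone, retyped without comments
# (constructed test data for this example).
SAMPLE_ZONE = """\
$TTL 150
@ IN SOA localhost. need.to.know.only. (
    201707314
    10
    10
    432000
    60 )
IN NS ns1master.example.com
IN NS ns2slave.example.com
deteque.com IN CNAME rpz-passthru.
*.deteque.com IN CNAME rpz-passthru.
"""

# BIND 9 defaults for the named.conf options min-refresh-time and
# min-retry-time; a slave raises smaller SOA timers to these values.
BIND_MIN_REFRESH = 300
BIND_MIN_RETRY = 500


def logical_lines(text):
    """Yield comment-free logical lines, joining '( ... )' continuations."""
    buf, depth = [], 0
    for raw in text.splitlines():
        ln = re.sub(r";.*", "", raw).strip()
        if not ln:
            continue
        buf.append(ln)
        depth += ln.count("(") - ln.count(")")
        if depth <= 0:
            yield " ".join(buf).replace("(", " ").replace(")", " ")
            buf, depth = [], 0


def parse_zone(text):
    """Return (SOA fields as a dict, list of NS targets) from zone text."""
    soa, ns = None, []
    for ln in logical_lines(text):
        toks = ln.split()
        if "SOA" in toks:
            i = toks.index("SOA")
            vals = [int(v) for v in toks[i + 3:i + 8]]
            soa = dict(zip(["serial", "refresh", "retry", "expire", "minimum"], vals))
            soa["mname"], soa["rname"] = toks[i + 1], toks[i + 2]
        elif "NS" in toks:
            ns.append(toks[toks.index("NS") + 1])
    return soa, ns


def serial_is_newer(old, new):
    """RFC 1982 serial arithmetic: the test a slave applies to the master's SOA."""
    diff = (new - old) % (1 << 32)
    return 0 < diff < (1 << 31)


def lint_zone(text, origin):
    """Return findings that explain slow or missing master -> slave propagation."""
    soa, ns = parse_zone(text)
    if soa is None:
        return ["no SOA record found"]
    findings = []
    if not re.fullmatch(r"\d{10}", str(soa["serial"])):
        findings.append("serial %d does not follow the YYYYMMDDnn convention; "
                        "make sure it still increases on every edit" % soa["serial"])
    if soa["refresh"] < BIND_MIN_REFRESH:
        findings.append("refresh %d s is below BIND's default min-refresh-time (%d s); "
                        "the slave polls every %d s unless that option is lowered"
                        % (soa["refresh"], BIND_MIN_REFRESH, BIND_MIN_REFRESH))
    if soa["retry"] < BIND_MIN_RETRY:
        findings.append("retry %d s is below BIND's default min-retry-time (%d s)"
                        % (soa["retry"], BIND_MIN_RETRY))
    for target in ns:
        if not target.endswith("."):
            findings.append("NS %s has no trailing dot and is read as %s.%s.; "
                            "that name has no address, so the slave gets no NOTIFY"
                            % (target, target, origin))
    return findings


if __name__ == "__main__":
    for f in lint_zone(SAMPLE_ZONE, "rpz-local"):
        print("-", f)
```

Run against the poster's zone it reports five findings: the 9-digit serial, refresh and retry below the slave's defaults, and both NS names being relative. The serial check mirrors what a slave does after NOTIFY or at refresh time: it transfers only when `serial_is_newer(its_serial, master_serial)` holds, which is why an edit without a serial bump is never picked up.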