Peter,

As you requested.


The hidden master: IP 4.4.4.4

options {
        dnssec-validation auto;
        recursion no;
        provide-ixfr yes;
        auth-nxdomain no;    # conform to RFC1035
        notify explicit;
        listen-on       {127.0.0.1; x.x.x.x; };
        allow-transfer { all the IP ADDRESSES OF THE SLAVES; };
        also-notify { all the IP ADDRESSES OF THE SLAVES; };
};

zone "xxx" IN {
  type master;
  file "xxxx.zone";
  allow-update { none; };
};

On the Knot slave:
(master1 and master3 are down)

remotes {
  master1 {
    address 4.4.4.4@53;
  }
  master2 {
    address 5.5.5.5@53;
  }
  master3 {
    address 6.6.6.6@53;
  }
}

zones {
  xxxx {
    file "/var/lib/knot/xxxx";
    xfr-in master1;
    notify-in master1;
    xfr-in master2;
    notify-in master2;
    xfr-in master3;
    notify-in master3;
  }
}

If one of the slaves could not open connections to the hidden master but could receive the notifies (firewall issue), could this be stalling all the notify process for all name servers?
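The thread's design has the public slaves pick whichever hidden master advertises the highest SOA serial. BIND and Knot compare serials with RFC 1982 serial-number arithmetic, not plain integer comparison, so two independently generated serials are only safely ordered while they stay less than 2^31 apart. The following is an added example, not code from the thread or from either project; the server names, serials and the `dig +short` line are constructed.

```python
"""Decide which hidden master a secondary would transfer from, using the
RFC 1982 serial-number arithmetic that BIND and Knot apply to SOA serials.
Added example; the names and serials used in the test are constructed."""

SERIAL_BITS = 32
HALF = 1 << (SERIAL_BITS - 1)


def parse_soa_serial(dig_short_line):
    """Extract the serial from one line of `dig +short SOA <zone> @<server>`
    output (mname rname serial refresh retry expire minimum)."""
    fields = dig_short_line.split()
    if len(fields) != 7:
        raise ValueError("not an SOA record: %r" % dig_short_line)
    return int(fields[2])


def serial_gt(a, b):
    """True if serial a is newer than b under RFC 1982 arithmetic. Raises when
    the two are exactly 2^31 apart, which RFC 1982 leaves undefined: a slave
    fed such a pair by two masters has no defined 'highest' serial."""
    a &= 0xFFFFFFFF
    b &= 0xFFFFFFFF
    if a == b:
        return False
    if (a - b) % (1 << SERIAL_BITS) == HALF:
        raise ValueError("serials %d and %d are not comparable" % (a, b))
    return (a < b and b - a > HALF) or (a > b and a - b < HALF)


def pick_master(master_serials, slave_serial):
    """Return (master_name, serial) for the master a secondary should pull
    from: the newest serial that is also newer than the secondary's own copy.
    None means the secondary is already current and a notify needs no transfer.
    Masters that are down simply do not appear in master_serials."""
    best = None
    for name, serial in master_serials.items():
        if not serial_gt(serial, slave_serial):
            continue
        if best is None or serial_gt(serial, best[1]):
            best = (name, serial)
    return best
```

Run `dig +short SOA <zone> @<server>` against each reachable hidden master and each public slave, feed the serials through `pick_master`, and a slave that keeps reporting a stale serial while a newer master exists is one whose notify or transfer path is worth checking.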

On 7/8/2014 8:27 PM, Peter Andreev wrote:
Hello,

Maybe you could provide the related configs?

2014-07-08 15:45 GMT+04:00 Maren S. Leizaola <leizaola@udr.hk.com>:
Thanks for the bind support.

So far I only have the BIND-based hidden master working. After implementing
these changes the zone transfers take too long from the time I do the
rndc reload on the hidden master.

The Knot-based public servers are a bit quicker; typically it takes about 1 to 2
minutes.

The BIND-based public servers are random; I think they typically
transfer on retry.

Once the transfer starts it is instantaneous.

I have no clue what it is doing during that time... It is as if the notifies are
being stalled...

The master is behind a firewall and the NAT is a 1:1 so the source IP of the
Notifies and IXFR is correct.

On Knot I am getting "Incoming IXFR of xxx  Falling back to AXFR".

On 7/7/2014 7:39 PM, Ondřej Surý wrote:
Hi Maren,

you should turn on explicit notification
in both BIND and Knot.

For Knot use "notify-out <slave1> <slave2>;" + "xfr-out <slave1>
<slave2>;"

See the documentation:

https://www.knot-dns.cz/static/documentation/html/configuration.html#master-configuration

For Bind use "notify explicit;" + "also-notify;", see:

http://www.zytrax.com/books/dns/ch7/xfer.html#notify

Ondrej
--
  Ondřej Surý -- Chief Science Officer
  -------------------------------------------
  CZ.NIC, z.s.p.o.    --    Laboratoře CZ.NIC
  Americka 23, 120 00 Praha 2, Czech Republic
  mailto:ondrej.sury@nic.cz    http://nic.cz/
  -------------------------------------------

----- Original Message -----
From: "Maren S. Leizaola" <leizaola@udr.hk.com>
To: knot-dns-users@lists.nic.cz
Sent: Monday, July 7, 2014 1:32:52 PM
Subject: [knot-dns-users] Two hidden masters - sending notifications to public slaves.
Hi,

We are setting up to do zone generations of two separate hidden masters
which will take turns on the zone generation.

Public/visible DNS servers "should" get notifies from both servers and
select the one with the highest serial number.

I am planning to run BIND on one server and Knot on the other. On BIND I
have the issue that it would not send notifies to the name servers until
I turned on "notify-soa  yes;". However, I realise that this will only
notify one single DNS server and introduces a single point of failure.

Does Knot have any issues sending the notifies? How do I go about
getting this done?

Regards,
Maren

_______________________________________________
knot-dns-users mailing list
knot-dns-users@lists.nic.cz
https://lists.nic.cz/cgi-bin/mailman/listinfo/knot-dns-users
