DNS zones are not transferred to a slave server in Plesk for Linux: zone may fail to transfer to slaves

Applicable to:

  • Plesk for Linux

Symptoms

  • A DNS zone is not transferred to a slave server that is set up through the Slave DNS Manager Plesk extension.
  • It cannot be queried (where 203.0.113.2 is the IP of the slave server):

    # dig +short ns1.example.com @203.0.113.2
    #

  • The following error appears on a Plesk server in /var/log/syslog:

    named[23087]: zone example.com/IN: loaded serial 2017100303
    named[23087]: zone example.com/IN: sending notifies (serial 2017100303)
    named[23087]: zone example.com/IN: zone serial (2017100303) unchanged. zone may fail to transfer to slaves.

  • The following error messages appear on a slave server side in /var/log/syslog when trying to query zone information from the Slave IP:

    named[10511]: #33984 (.): query (cache) './NS/IN' denied
    named[10511]: #38290 (ns1.example.com): query (cache) 'ns1.example.com/A/IN' denied
    <...>
    client @0x7fd62c0c71d0 203.0.113.2 3#30266: received notify for zone 'example.com': not authoritative

  • Secret keys are different in /etc/bind/rndc.key and /etc/bind/named.conf.local on a Slave server:

    # grep secret /etc/bind/rndc.key && grep secret /etc/bind/named.conf.local
    secret "Ibr1UFFLK6wo5X+Cars8Eg==";
    secret "ui7xsdI4n4cVRUhKAOAAIA==";

Cause

Secret keys are different in /etc/bind/rndc.key and /etc/bind/named.conf.local on the Slave server:

# grep secret /etc/bind/rndc.key && grep secret /etc/bind/named.conf.local
secret "Ibr1UFFLK6wo5X+Cars8Eg==";
secret "ui7xsdI4n4cVRUhKAOAAIA==";

The keys in /etc/bind/rndc.key and /etc/bind/named.conf.local must be the same. Visit this Plesk documentation page for more details.

Resolution

  1. Connect to the Slave server via SSH.
  2. Open the file /etc/bind/named.conf.local in a text editor. In this example, we are using the vi editor:

    # vi /etc/bind/named.conf.local

  3. Replace the "ui7xsdI4n4cVRUhKAOAAIA==" value with the one taken from the /etc/bind/rndc.key file (where 203.0.113.3 is the IP of the master Plesk server):

    # cat /etc/bind/named.conf.local
    key "rndc-key-203.0.113.3" {
        algorithm hmac-md5;
        secret "Ibr1UFFLK6wo5X+Cars8Eg==";
    };
    controls {
        inet * port 953 allow { 203.0.113.3; 127.0.0.1; } keys { "rndc-key-203.0.113.3"; };
    };

  4. Save the changes and close the file.
  5. Restart the BIND DNS server:

    # service bind9 restart

  6. On the Plesk server, open the file /opt/psa/var/modules/slave-dns-manager/slave_203.0.113.3.conf for editing and set the same key from /etc/bind/rndc.key:

    # grep secret /opt/psa/var/modules/slave-dns-manager/slave_203.0.113.3.conf_backup
    secret "Ibr1UFFLK6wo5X+Cars8Eg==";

  7. Save the changes and close the file.
  8. In Plesk, re-sync all zones in the Slave manager extension: Extensions > My Extensions > Slave Manager > Resync.
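
To confirm on the slave server that the two files now carry the same key without printing the secret to the terminal or shell history, the comparison can be scripted. This is an added example, not Plesk's own tooling; the function names are hypothetical and the default paths are the ones used in this article.

```shell
#!/bin/sh
# Added example: compare BIND key secrets between two files without
# echoing the secret itself. Function names are illustrative only.

# Print the first 'secret "...";' value found in a BIND config file.
extract_secret() {
    sed -n 's/^[[:space:]]*secret[[:space:]]*"\([^"]*\)"[[:space:]]*;.*$/\1/p' "$1" | head -n 1
}

# Return 0 if both files carry the same non-empty secret, 1 on mismatch,
# 2 if a file is unreadable or contains no secret statement.
secrets_match() {
    [ -r "$1" ] && [ -r "$2" ] || return 2
    a=$(extract_secret "$1")
    b=$(extract_secret "$2")
    [ -n "$a" ] && [ -n "$b" ] || return 2
    [ "$a" = "$b" ]
}

# Short SHA-256 prefix of the secret, safe to paste into a ticket or log.
secret_fingerprint() {
    extract_secret "$1" | sha256sum | cut -c1-12
}

# Report the result for the two files named in the article (or for the
# paths given as arguments) and return the secrets_match status.
check_slave_keys() {
    rndc_key=${1:-/etc/bind/rndc.key}
    local_conf=${2:-/etc/bind/named.conf.local}
    rc=0
    secrets_match "$rndc_key" "$local_conf" || rc=$?
    case $rc in
        0) echo "OK: secrets match" ;;
        1) echo "MISMATCH: $(secret_fingerprint "$rndc_key") vs $(secret_fingerprint "$local_conf")" ;;
        *) echo "ERROR: cannot read a secret from one of the files" ;;
    esac
    return $rc
}
```

Source the file as root on the slave server and run `check_slave_keys`; a non-zero exit status means the keys still differ or could not be read.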