BIND9 Master to MS Secondary Zone Transfer Failure?

Hello,

We are migrating our master (non-AD integrated) DNS server for one zone to
BIND9 and I have having issues with zone transfers to our secondary Microsoft
DNS servers (also not-AD integrated). The test zone (matt-test.com) is
configured properly on the BIND9 server and the server is accessible from the
internet. I am able to connect to the server via nslookup and perform queries
against it form my home machine. However, when I create the secondary zone on
either of my Microsoft DNS servers, they detect there is a new version of the
zone available:

Event ID 6522 - A more recent version, version 2009071304 of zone
matt-test.com was found at the DNS server at 207.x.x.x. Zone transfer is in
progress.

That is quickly followed by this entry in the event Viewer DNS Server log:

Zone matt-test.com failed zone refresh check. Unable to connect to master
DNS server at 207.x.x.x to receive zone transfer. Check that the zone
contains correct IP address for the master server or if network failure has
occurred. For more information, see "To update the master server for a
secondary zone" in the online Help. If available, you can specify more than
one master server in the list for this zone.

I can see where the Microsoft DNS server contacts the BIND9 server and the
zone transfer is approved:

client 76.x.x.x#20031: UDP request
client 76.x.x.x#20031: request is not signed
client 76.x.x.x#20031: recursion not available
client 76.x.x.x#20031: query
client 76.x.x.x#20031: query 'matt-test.com/SOA/IN' approved
client 76.x.x.x#20031: send
client 76.x.x.x#20031: sendto
client 76.x.x.x#20031: senddone
client 76.x.x.x#20031: next
client 76.x.x.x#20031: endrequest
client @0xb58de008: udprecv

My Windows DNS servers are Windows 2003 SP2, one is 32-bit and one is
64-bit. I've tried to apply hotfix 258620_EN but it says it's not necessary.

I had TCP/53 closed in my firewall and only UDP/53 opened. I was informed
that zone transfers occur via TCP, so once I opened TCP/53, everything
immediately worked.

"Matthew Evans" wrote:

> Hello,
>
> We are migrating our master (non-AD integrated) DNS server for one zone to
> BIND9 and I have having issues with zone transfers to our secondary Microsoft
> DNS servers (also not-AD integrated). The test zone (matt-test.com) is
> configured properly on the BIND9 server and the server is accessible from the
> internet. I am able to connect to the server via nslookup and perform queries
> against it form my home machine. However, when I create the secondary zone on
> either of my Microsoft DNS servers, they detect there is a new version of the
> zone available:
>
> Event ID 6522 - A more recent version, version 2009071304 of zone
> matt-test.com was found at the DNS server at 207.x.x.x. Zone transfer is in
> progress.
>
> That is quickly followed by this entry in the event Viewer DNS Server log:
>
> Zone matt-test.com failed zone refresh check. Unable to connect to master
> DNS server at 207.x.x.x to receive zone transfer. Check that the zone
> contains correct IP address for the master server or if network failure has
> occurred. For more information, see "To update the master server for a
> secondary zone" in the online Help. If available, you can specify more than
> one master server in the list for this zone.
>
> I can see where the Microsoft DNS server contacts the BIND9 server and the
> zone transfer is approved:
>
> client 76.x.x.x#20031: UDP request
> client 76.x.x.x#20031: request is not signed
> client 76.x.x.x#20031: recursion not available
> client 76.x.x.x#20031: query
> client 76.x.x.x#20031: query 'matt-test.com/SOA/IN' approved
> client 76.x.x.x#20031: send
> client 76.x.x.x#20031: sendto
> client 76.x.x.x#20031: senddone
> client 76.x.x.x#20031: next
> client 76.x.x.x#20031: endrequest
> client @0xb58de008: udprecv
>
> My Windows DNS servers are Windows 2003 SP2, one is 32-bit and one is
> 64-bit. I've tried to apply hotfix 258620_EN but it says it's not necessary.

"Matthew Evans" <> wrote in message
news:9BC009DC-025E-4850-AF2B-...
>I had TCP/53 closed in my firewall and only UDP/53 opened. I was informed
> that zone transfers occur via TCP, so once I opened TCP/53, everything
> immediately worked.
>

You beat me to it! I was going to ask if both TCP and UDP 53 were opened.

Glad you figured it out!

Cheers!

Ace