>>>>> "Alexandre" == Alexandre Carante writes:

Alexandre> Hi, I Have 11 DNS servers down here, using Bind 9 and
Alexandre> solaris 9, and they use to work properly, but,
Alexandre> suddenly, about one week ago, they're not doing "zone
Alexandre> transfer" alone anymore, I've write a script to
Alexandre> "recycle" the masters, and this Script sends the slaves
Alexandre> a RSHELL with, rndc stop, /usr/sbin/in.named and it use
Alexandre> to works just fine too, but now when someone X the
Alexandre> script, the zone transfers stops working, and if I run
Alexandre> a netstat it shows me that the IP stack port 53 is not
Alexandre> LISTEN, it is just in IDLE state at the master server,
Alexandre> the master do not "let" the slaves get the new DB
Alexandre> files...Is it a well know problem, have someone face
Alexandre> this kind o' trouble before ?

No, it's not a well known problem. Though DNS/network administrators
sometimes create problems for themselves with zone transfers.

Please think about your question for a moment. The DNS protocol has a
proven, reliable mechanism for synchronising and transferring zone
data between authoritative servers. It's worked perfectly for
years. Millions of zones use it every day and it just works. There's
nothimg wrong with this protocol or its implementation in BIND.

If zone transfers are not working for you, there will be some sort of
local administrative problem that's to blame. [If you'd told us the
zone names, someone on this list could have identified the problem for
you. Oh well.] The most likely explanation is that you're trying tp
transfer the zone from a master server that's no longer authoritative
for it, probably because the zone has not been loaded successfully
Another strong possibility is a connectivity problem. An access
control list in the master server or some firewall is blocking zone
transfer traffic. In either case, the name server logs will be
reporting the reason why zone transfers are failing. But you didn't
provide revelant bits of them either. Consult your name server logs
and if you don't understand them, post the relevant entries here. And
don't "edit" them to obscure domain names or IP addresses.

You would be better to spend your time fixing the underlying problem
instead of working around it with special case scripts. Less effort
will be needed for a proper solution. And from an operational
prespective, your DNS infrastructure won't be dependent on
(undocumented?) kludges that make administration and maintenance a
nightmare. That has to be a Very Good Thing.

Another thing: rsh is dangerous and insecure. Nobody should be using
it. Remote shell access should only be offered though SSH. However for
BIND9 administration, even this isn't needed, except for restarting
the name server. rndc can be used to manage remote name servers. That's
why it's called rndc. It uses a shared secret for authentication, so
it's reasonably secure too.