bind: client X… zone transfer ‘example.com/AXFR/IN’ denied, but allow-transfer { X; }; is set!
I get access denied when trying to initiate zone transfer.
For a `dig @ns.example.com example.com axfr` I'm getting:

    client 71.252.219.43#58392: zone transfer 'balticovo.eu/AXFR/IN' denied
Configuration:
- Server is NATed, behind a firewall. If it were a firewall issue, I wouldn't see in my log files that such a request had been made.
- The named process runs as the bind user, which is chrooted in /var/lib/named.
- named.conf:

    web:/var/lib/named/etc# cat named.conf
    options {
        directory "/etc";
        pid-file "/var/run/named.pid";
        statistics-file "/var/run/named.stats";
        allow-transfer { 127.0.0.1; };
        listen-on port 53 { any; };
        listen-on-v6 port 53 { any; };
    };
    logging {
        category default { default_syslog; default_debug; };
        category unmatched { null; };
        channel default_syslog { syslog daemon; severity info; };
        channel default_debug { file "named.run"; severity dynamic; };
        channel default_stderr { stderr; severity info; };
        channel null { null; };
    };
    zone "." { type hint; file "/etc/root.hints"; };
    zone "localhost" { type master; file "/etc/localhost"; };
    zone "0.0.127.in-addr.arpa" { type master; file "/etc/127.0.0"; };
    zone "example.com" IN {
        type master;
        file "sites/example.com/forward.zone";
        allow-transfer { 202.157.182.142; 71.252.219.43; };
        allow-update { none; };
        allow-query { any; };
        zone-statistics yes;
    };

- All files are owned by bind, and the named process really does run as the chrooted user.
- Digging for records other than AXFR works.
- `named -v` outputs BIND 9.6-ESV-R3
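Added example (not from the original question): a small resolver for the BIND `allow-transfer` semantics the question relies on, run against the named.conf posted above. It shows that a zone-level `allow-transfer` replaces the `options`-level one rather than adding to it, so the global `{ 127.0.0.1; }` plays no part for example.com, and that on a config like this one the client 71.252.219.43 is permitted by the ACL, which points the investigation away from the config text and towards what the running process is actually loading. The parser handles only the subset of syntax in the posted config (no named ACLs, keys or `localnets`); `default_acl = ("any",)` reflects the BIND 9.6 default of allowing transfers to everyone when nothing is set, and should be treated as an assumption for other versions.

```python
"""Resolve the effective allow-transfer ACL for a BIND zone and test a client IP."""
import ipaddress
import re

# Constructed input: the named.conf from the question, reduced to the
# statements that matter for zone transfers.
NAMED_CONF = """
options {
    directory "/etc";
    allow-transfer { 127.0.0.1; };
};
zone "localhost" { type master; file "/etc/localhost"; };
zone "example.com" IN {
    type master;
    file "sites/example.com/forward.zone";
    allow-transfer { 202.157.182.142; 71.252.219.43; };
    allow-query { any; };
};
"""

ACL_RE = re.compile(r"allow-transfer\s*\{([^}]*)\}\s*;")


def _strip_comments(text):
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)
    return re.sub(r"(//|#).*", "", text)


def _block_body(text, open_idx):
    """Return the text between the brace at open_idx and its matching close brace."""
    depth = 0
    for i in range(open_idx, len(text)):
        if text[i] == "{":
            depth += 1
        elif text[i] == "}":
            depth -= 1
            if depth == 0:
                return text[open_idx + 1:i]
    raise ValueError("unbalanced braces in named.conf")


def _acl_in(body):
    """allow-transfer elements inside one block, or None if the block has none."""
    m = ACL_RE.search(body)
    if not m:
        return None
    return [e.strip() for e in m.group(1).split(";") if e.strip()]


def parse_allow_transfer(conf):
    """Return (options_acl, {zone_name: zone_acl}); each ACL is a list or None."""
    conf = _strip_comments(conf)
    options_acl = None
    m = re.search(r"\boptions\s*\{", conf)
    if m:
        options_acl = _acl_in(_block_body(conf, m.end() - 1))
    zones = {}
    for zm in re.finditer(r'\bzone\s+"([^"]+)"[^{]*\{', conf):
        zones[zm.group(1)] = _acl_in(_block_body(conf, zm.end() - 1))
    return options_acl, zones


def _match_element(element, client):
    """Match one ACL element (address, prefix, any, none, localhost) against an address."""
    negated = element.startswith("!")
    element = element[1:].strip() if negated else element
    if element == "any":
        hit = True
    elif element == "none":
        hit = False
    elif element == "localhost":
        hit = client.is_loopback
    elif element == "localnets":
        raise ValueError("localnets needs interface data this example does not model")
    else:
        # Named ACLs and TSIG keys are not supported here; ip_network raises on them.
        hit = client in ipaddress.ip_network(element, strict=False)
    return hit, negated


def acl_allows(acl, client_ip):
    """BIND address-match-list semantics: first matching element wins,
    a '!' element denies, and a client matching nothing is denied."""
    client = ipaddress.ip_address(client_ip)
    for element in acl:
        hit, negated = _match_element(element, client)
        if hit:
            return not negated
    return False


def transfer_allowed(conf, zone, client_ip, default_acl=("any",)):
    """Zone-level allow-transfer overrides (does not extend) the options-level
    one. With neither set, BIND 9.6 allows transfers to any host (assumed
    default; newer releases may differ)."""
    options_acl, zones = parse_allow_transfer(conf)
    if zone not in zones:
        raise KeyError("zone %r not in config" % zone)
    acl = zones[zone]
    if acl is None:
        acl = options_acl if options_acl is not None else list(default_acl)
    return acl_allows(acl, client_ip)


if __name__ == "__main__":
    for zone, ip in [("example.com", "71.252.219.43"), ("example.com", "127.0.0.1"),
                     ("localhost", "127.0.0.1"), ("localhost", "71.252.219.43")]:
        print(zone, ip, "allowed" if transfer_allowed(NAMED_CONF, zone, ip) else "denied")
```

When the resolver says a client is allowed and named still logs `denied`, the config on disk is not what the daemon is running: check which process answers on port 53 before editing the ACL further.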
The issue has been solved now. I made fairly major changes:
- Tightened security with some file permissions (this probably wasn't the cause, because they were OK before this as well)
- Didn't have an rndc configuration in place. Generated a key and set up rndc.
- And then, when I was making changes in named.conf and restarting, it seems that the previous process wasn't killed but new ones spawned, and I had lines like these in my log:

    Jan 25 15:43:22 web named[18863]: listening on IPv6 interfaces, port 53
    Jan 25 15:43:22 web named[18863]: binding TCP socket: address in use
    Jan 25 15:43:22 web named[18863]: listening on IPv4 interface lo, 127.0.0.1#53
    Jan 25 15:43:22 web named[18863]: binding TCP socket: address in use
    Jan 25 15:43:22 web named[18863]: listening on IPv4 interface eth0, 10.3.0.10#53
    Jan 25 15:43:22 web named[18863]: binding TCP socket: address in use
    ...
    Jan 25 15:43:22 web named[18863]: /etc/named.conf:12: couldn't add command channel 0.0.0.0#953: address in use

  Now I did

    killall named

  and then

    /etc/init.d/bind9 start

  and all went fine.
Probably the third point solved the problem, because when I was changing named.conf, named actually wasn't running with the latest conf file.
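Added example (not from the original answer): the two checks a practitioner would script for the situation the answer describes. The first reads BIND's syslog lines and counts, per PID, the "address in use" failures that mean a freshly started named could not take over port 53 or the rndc channel on 953; the second compares named process start times with the mtime of named.conf to find a daemon that predates the last config edit and is therefore still serving the old `allow-transfer`. The log lines are constructed from the ones in the answer (plus one denied-transfer line modelled on the question); the process table, the year and the config mtime are constructed values, not data from the author's server.

```python
"""Spot a stale named instance from its log lines and process start times."""
import re
from datetime import datetime

# Constructed input modelled on the answer's syslog excerpt.
LOG_LINES = [
    "Jan 25 15:43:22 web named[18863]: listening on IPv6 interfaces, port 53",
    "Jan 25 15:43:22 web named[18863]: binding TCP socket: address in use",
    "Jan 25 15:43:22 web named[18863]: listening on IPv4 interface lo, 127.0.0.1#53",
    "Jan 25 15:43:22 web named[18863]: binding TCP socket: address in use",
    "Jan 25 15:43:22 web named[18863]: listening on IPv4 interface eth0, 10.3.0.10#53",
    "Jan 25 15:43:22 web named[18863]: binding TCP socket: address in use",
    "Jan 25 15:43:22 web named[18863]: /etc/named.conf:12: couldn't add command channel 0.0.0.0#953: address in use",
    "Jan 25 15:43:25 web named[18863]: client 71.252.219.43#58392: zone transfer 'example.com/AXFR/IN' denied",
]

# Constructed process table (pid, start time), as `ps -o pid,lstart -C named`
# would give it, and an assumed mtime for named.conf. Year 2011 is assumed.
PROCESSES = [
    (17201, datetime(2011, 1, 25, 14, 2, 10)),   # the old named nobody killed
    (18863, datetime(2011, 1, 25, 15, 43, 22)),  # the new one that failed to bind
]
CONF_MTIME = datetime(2011, 1, 25, 15, 41, 0)

LINE_RE = re.compile(r"^\w{3} +\d+ [\d:]+ \S+ named\[(\d+)\]: (.*)$")
BIND_FAIL_RE = re.compile(r"(binding TCP socket|couldn't add command channel).*address in use")
DENIED_RE = re.compile(r"client ([0-9a-fA-F.:]+)#\d+: zone transfer '([^/]+)/AXFR/IN' denied")


def _messages(lines):
    """Yield (pid, message) for every line that looks like a named syslog entry."""
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            yield int(m.group(1)), m.group(2)


def bind_failures_by_pid(lines):
    """Count 'address in use' failures per PID. A named that logs these never
    took over :53 or :953, so whatever was listening before still answers."""
    counts = {}
    for pid, msg in _messages(lines):
        if BIND_FAIL_RE.search(msg):
            counts[pid] = counts.get(pid, 0) + 1
    return counts


def denied_transfers(lines):
    """List (client_ip, zone) pairs for every refused AXFR."""
    out = []
    for _pid, msg in _messages(lines):
        d = DENIED_RE.search(msg)
        if d:
            out.append((d.group(1), d.group(2)))
    return out


def stale_named_processes(processes, conf_mtime):
    """PIDs of named processes started before named.conf was last written;
    unless reloaded, they are still running the previous configuration."""
    return sorted(pid for pid, started in processes if started < conf_mtime)


def diagnose(lines, processes, conf_mtime):
    failures = bind_failures_by_pid(lines)
    stale = stale_named_processes(processes, conf_mtime)
    if failures and stale:
        verdict = "stale"          # old named still owns the ports; new one never took over
    elif failures:
        verdict = "port-conflict"  # something other than an old named holds :53 / :953
    elif stale:
        verdict = "reload-needed"  # named never restarted or reloaded after the edit
    else:
        verdict = "ok"
    return {"failed_to_bind": sorted(failures), "stale": stale,
            "denied": denied_transfers(lines), "verdict": verdict}


if __name__ == "__main__":
    print(diagnose(LOG_LINES, PROCESSES, CONF_MTIME))
```

A "stale" verdict is exactly the answer's situation: the fix is to stop every named (the answer used `killall named`) and start the service once, after which the daemon that answers on port 53 is the one that read the current named.conf. The `denied` list is a quick way to confirm which client and zone were refused before and after the restart.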