LinuxQuestions.org
Old 11-04-2022, 11:15 AM   #16
vinmansbrew
I just went through and re-wrote it. Seems to run through ok.

I do keep finding little things here and there. But I think I am close to the end.

Last thing is the old server allowed a person to ssh, then run co -l "zone file", and the file would allow that person to edit it. They had to be part of the named group to do so.
I am on the fence if I want to keep it that way, or require the editor to sudo the command. However, I am not sure where to make this change. I have the named group, with the currently 2 people, set up.
Currently, I get this error:
co: RCS/zone,v: user not on the access list

As I said, I'm on the fence, but even if I don't go the old route, I'd still like to know where I would change this. I'll probably find it, sooner or later! Doesn't hurt to know.
 
Old 11-15-2022, 02:55 PM   #17
vinmansbrew
So, I have made headway. I found part of my issue was the named service. On rhel, it seems better to run named-chroot, instead of just named.
Once I found that out, I was able to clear up most issues.

Now, when I make a change on the new master, it propagates down to the slaves, as it should.
The only error I seem to be running into, and it isn't much of an error, is this:

Named: zone dnszone.con/IN: refused to notify from non-master: xxx.xxx.xxx.xxx

So, essentially, it appears that 1 slave is refusing something from the other slave. It isn't affecting the operation, otherwise. The other slave (which is an older slave that will be put to rest) does not have this error, only the new slave. I went into the named.conf and added the old slave's IP to the "allow-notify".
The old slave does not get this error, nor does it have the new slave's IP under "allow-notify".

So, I'm not sure what is causing this. Even if it isn't affecting operation, I'd still prefer to have no errors.

As a refresh, the old slave is rhel 6.10. The new slave is rhel 8.6.
 
Old 11-15-2022, 03:29 PM   #18
elgrandeperro
The rule is if it is listed as a NS server, the master will send notify to the slave when serial changes. Then the slave "gets" the zone, it is allowed by default.

But if it isn't listed as a NS server, the master (or stealth slave to slave) must have an also-notify to send it. And the master (or slave) must have an allow-transfer to allow the transfer.
 
Old 11-30-2022, 11:02 AM   #19
vinmansbrew
Ok, so I decided to start from scratch. Sometimes you just have to.
So, I got things a little further along. I now have a different error. I receive a "client @0x7stringofcharacters : query (cache) example.com/a/IN denied"

In my named.conf, I tried to change the "allow-query". First by changing it to "trusted-servers" then by # it out.
Perhaps I need to add an entry called "allow-query-cache" or similar?
 
Old 12-01-2022, 03:20 PM   #20
elgrandeperro
allow-query-cache is a newer concept, but probably should never be used by normal users.
Your default should be allow-query {any;}; and for your internal nets that want to recurse, allow-recursion.

If it is a mastered zone, it must be allow-query any. allow-recursion is your trusted users if you are serving them (this might or might not be the case).


https://kb.isc.org/docs/aa-00503
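Pulling the two replies above together (#18 on notify/transfer, #20 on allow-query versus allow-recursion) into one BIND configuration sketch; this is an added example, not from the thread or the ISC article, and the ACL names, addresses, zone name and file paths are constructed placeholders.

```conf
// Added example (not from the thread). Addresses, ACL names and paths are constructed.
acl "trusted" { 127.0.0.1; 10.0.0.0/8; };    // internal clients allowed to recurse
acl "slaves"  { 192.0.2.10; 192.0.2.11; };   // the secondary servers

options {
    // An authoritative zone must be queryable by everyone. Restricting
    // allow-query to an internal ACL is what yields
    //   "query (cache) example.com/A/IN denied" for outside clients.
    allow-query     { any; };

    // Recursion only for internal clients: allow-recursion { any; } on an
    // Internet-facing authoritative server makes it an open resolver.
    recursion       yes;
    allow-recursion { trusted; };
    // allow-query-cache defaults to the allow-recursion list, so it is left unset.

    // Zone transfers only to the known secondaries.
    allow-transfer  { slaves; };
};

// --- master's named.conf ---
// Every server listed as an NS for the zone is notified on a serial change;
// a secondary that is not in the NS set needs also-notify.
zone "example.com" IN {
    type master;
    file "zones/example.com.db";
    also-notify { 192.0.2.11; };
};

// --- secondary's named.conf (192.0.2.11) ---
// NOTIFY is accepted from the listed masters by default. A NOTIFY arriving
// from the other secondary is logged as "refused to notify from non-master"
// unless that address is in allow-notify.
zone "example.com" IN {
    type slave;
    file "slaves/example.com.db";
    masters { 192.0.2.1; };
    allow-notify { 192.0.2.10; };
};
```

Run named-checkconf on the result before reloading; the two zone stanzas belong to different servers and are shown side by side only for contrast.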
 
  

