refresh times out from Win DNS

Vinny Abello vinny at tellurian.com
Mon Jul 19 03:19:56 UTC 2004 

At 05:15 PM 7/16/2004, Barry Finkel wrote:
>Mark Jeftovic <mark at jeftovic.net> wrote:
>
> >>>We've been seeing this sporadically for awhile and it is possible this
> >>>happens more often with Win DNS masters (we're not sure but the latest
> >>>case is definitely a WIN DNS box)
> >>>
> >>>We are able to do the first transfer OK after which point subsequent
> >>>refreshes fail with the usual complaint of
> >>>
> >>>Jul 12 07:23:26 ds2 named[1879]: zone example.com/IN: refresh:
> >>>failure  trying master 10.2.229.181#53: timed out
> >>>
> >>>Left to its own the zone eventually expires.
> >>>
> >>>The thing is, we can do AXFR and IXFR from the command line just fine
> >>>using host or dig. Also, the slave is not clogged up with transfers
> >>>in progress (there are 6 SOA queries in progress and 0 xfers running
> >>>as I type this, on a slave with approx. 85K zones configured).
> >>>
> >>>This is bind9.2.3
>
>At 09:55 AM 7/16/2004, Barry Finkel wrote:
> >>I am assuming that the Windows DNS masters are either W2k or W2k+3.
> >>The only idea I have is to turn on full logging on the Windows DNS
> >>Server and see what it logs.  The MS W2k DNS code does not log failed
> >>zone transfers in the EventLog, only successful ones.  (The MS
> >>developers did not want to fill up the event log.)  So the only way
> >>to see a failed zone transfer on the MS side is to look at the dns.log
> >>file.  That will tell you if the AXFR/IXFR request is reaching the
> >>windows DNS Server; it will not tell you why the transfer was refused.
> >>If you find that the request is getting to the Windows DNS Server, then
> >>report back as to what is in the log.
>
>And Danny Mayer <mayer at gis.net> replied:
>
> >Why bother logging something that needs to get fixed? Sigh.
>
>Unless I am misunderstanding the problem, Mark is trying to do a
>zone transfer on his BIND server from a W2k DNS Server and is getting
>a timeout reported on the BIND side.  I was suggesting seeing on the
>W2k side whether the AXFR/IXFR request ever gets to the W2k DNS Server.
>I have no idea what is causing the timeout.

Win2k doesn't support EDNS which BIND will attempt to do when querying for 
an SOA record. MS DNS seems to rate limit the "bad" queries because it 
doesn't know how to handle them. Try turning off EDNS to that particular 
server in your configuration and see if that corrects it.

In named.conf:

server 1.2.3.4 {
         edns no;
};


Vinny Abello
Network Engineer
Server Management
vinny at tellurian.com
(973)300-9211 x 125
(973)940-6125 (Direct)
PGP Key Fingerprint: 3BC5 9A48 FC78 03D3 82E0  E935 5325 FBCB 0100 977A

Tellurian Networks - The Ultimate Internet Connection
http://www.tellurian.com (888)TELLURIAN

There are 10 kinds of people in the world. Those who understand binary and 
those that don't.

More information about the bind-users mailing list