Zone Transfer Problem
Barry Finkel
b19141 at achilles.ctd.anl.gov
Mon Jul 26 14:34:19 UTC 2004
>Barry Finkel <b19141 at achilles.ctd.anl.gov> wrote:
>> and Ronan Flood <ronan at noc.ulcc.ac.uk> replied inline:
>> My replies will also be inline. Note that I have not included my
>> complete original posting nor some of Ronan's reply.
>
>> I have a zone transfer problem with one zone from a slave to a slave.
>I've had a look at this and have some comments ...
>
>> The zone is
>>
>> _sites.phy.anl.gov
>>
>> and it is slaved on a BIND 9.2.2 server
>>
>> t1dns1.anl.gov
>
>I can't pull that zone from that server; presumably you have an
>allow-transfer on it. Can you transfer it with dig or named to
>another of your own slaves?
I have no problem with this zone or any other zone to my other two
slaves, one on-site and one off-site. I also have no problem with
zone transfers of any other zone to this one off-site slave server
that currently cannot transfer this one _sites.phy.anl.gov zone.
An administrator on that remote DNS server was able to do a manual
dig _sites.phy.anl.gov AXFR @t1dns1.anl.gov
without any problems.
-------------------------------------
>> An offsite slave
>>
>> ns2.es.net (BIND 9.2.3)
>>
>> is trying to transfer this zone. There are no problems with zone
>> transfers of any other zones from t1dns1.anl.gov to ns2.es.net.
>> This zone happens to be a W2k+3 AD zone that is mastered on an MS W2k+3
>> DNS Server, and those AD zones do not change frequently. As a test,
>> I incremented the serial number in another _sites zone on the W2k+3
>> DNS Server, and the new zone was transferred successfully to ns2.es.net.
>>
>> The message in syslog is
>>
>> Jul 22 12:19:20 thor.ctd.anl.gov named[190]:
>> [ID 866145 daemon.info] client 134.55.6.130#1920:
>> transfer of '_sites.phy.anl.gov/IN': AXFR started
>>
>> the transfer never completes. I have a snoop trace on t1dns1.anl.gov
>> for the zone transfer:
>
>Can you compare this with a snoop trace for the other _sites zone
>which does transfer successfully?
The other traces I have seen do IXFR, not AXFR. I am running another
snoop trace to get more info.
-------------------------------------
>> Pkt Direction Packet Contents
>> --- -------------- --- ------------------------------------
>> 43 ns2 <== t1dns1 UDP NOTIFY _sites.phy.anl.gov.
>> 44 ns2 ==> t1dns1 UDP SOA query for _sites.phy.anl.gov.
>> 45 ns2 ==> t1dns1 UDP SOA query for _sites.phy.anl.gov.
>
>Why two SOA queries? How much time elapsed between these?
It is the way the MS W2k+3 DNS GUI works. When I updated the
_sites.phy zone, I did not want to add any new records, so I just
increased the serial number. After I had done this, the MS code
determined that something had been updated in the zone, and the code
incremented the serial number again.
-------------------------------------
>
>> 46 ns2 <== t1dns1 UDP SOA response for _sites.phy.anl.gov.
>> 47 ns2 ==> t1dns1 TCP SYN
>> 48 ns2 <== t1dns1 TCP ACK SYN
>> 49 ns2 ==> t1dns1 TCP ACK
>> 50 ns2 ==> t1dns1 TCP ACK PUSH What is this packet?
>
>It's the length of the following DNS message. DNS over TCP has a
>2-byte length field before the normal message (see RFC1035 4.2.2).
>Bind 9.2.3 (and maybe others, I haven't checked) sends this length
>first, then sends the AXFR request. See packet dumps below.
>
>> 51 ns2 <== t1dns1 TCP ACK
>> 52 ns2 ==> t1dns1 TCP ACK PUSH X'fc' = 252 = AXFR _sites.phy.anl.gov.
>> 53 ns2 <== t1dns1 TCP ACK
>> 54 ns2 <== t1dns1 TCP ACK PUSH Small packet with begin AXFR
>
>Should it be "small", though? Looking at your packet dump, that's
>supposed to be a 1051-byte IP datagram carrying a 997-byte DNS
>message with 24 RRs (plus 2-byte length). How big is the zone?
The zone is relatively short; my new snoop trace has "-s3000" instead
of "-s256" so that I can see the entire packet. Here is a manual AXFR:
britaine% dig _sites.phy.anl.gov axfr
; <<>> DiG 8.3 <<>> _sites.phy.anl.gov axfr
$ORIGIN _sites.phy.anl.gov.
@ 1H IN SOA rhino221.anl.gov. hostmaster.anl.gov. (
39 ; serial
15M ; refresh
10M ; retry
1D ; expiry
1H ) ; minimum
1H IN NS ns2.es.net.
1H IN NS nsx.lbl.gov.
1H IN NS dns1.anl.gov.
1H IN NS dns2.anl.gov.
1H IN NS t1dns1.anl.gov.
1H IN NS t1dns2.anl.gov.
_kerberos._tcp.ANL-Idaho 10M IN SRV 0 100 88 phydc1.phy.anl.gov.
10M IN SRV 0 100 88 phydc2.phy.anl.gov.
_ldap._tcp.ANL-Idaho 10M IN SRV 0 100 389 phydc1.phy.anl.gov.
10M IN SRV 0 100 389 phydc2.phy.anl.gov.
_kerberos._tcp.ANL-Illinois 10M IN SRV 0 100 88 phydc1.phy.anl.gov.
10M IN SRV 0 100 88 phydc2.phy.anl.gov.
_ldap._tcp.ANL-Illinois 10M IN SRV 0 100 389 phydc1.phy.anl.gov.
10M IN SRV 0 100 389 phydc2.phy.anl.gov.
_kerberos._tcp.ANL-Illinois-BIO 10M IN SRV 0 100 88 phydc1.phy.anl.gov.
10M IN SRV 0 100 88 phydc2.phy.anl.gov.
_ldap._tcp.ANL-Illinois-BIO 10M IN SRV 0 100 389 phydc1.phy.anl.gov.
10M IN SRV 0 100 389 phydc2.phy.anl.gov.
_kerberos._tcp.ANL-WashDC 10M IN SRV 0 100 88 phydc1.phy.anl.gov.
10M IN SRV 0 100 88 phydc2.phy.anl.gov.
_ldap._tcp.ANL-WashDC 10M IN SRV 0 100 389 phydc1.phy.anl.gov.
10M IN SRV 0 100 389 phydc2.phy.anl.gov.
@ 1H IN SOA rhino221.anl.gov. hostmaster.anl.gov. (
39 ; serial
15M ; refresh
10M ; retry
1D ; expiry
1H ) ; minimum
;; Received 1 answer (24 records).
;; FROM: britaine.ctd.anl.gov to SERVER: 146.139.254.5
;; WHEN: Mon Jul 26 09:31:04 2004
britaine%
----------------------------------------------------------------------
Barry S. Finkel
Computing and Instrumentation Solutions Division
Argonne National Laboratory
9700 South Cass Avenue
Building 222, Room D209
Argonne, IL 60439-4828
Phone: +1 (630) 252-7277
Facsimile: +1 (630) 252-4601
Internet: BSFinkel at anl.gov
IBMMAIL: I1004994
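The exchange the snoop trace shows (a length-prefixed AXFR query on TCP, then a stream of length-prefixed answer messages that is only a loaded zone once the SOA comes back a second time) as an added example. This is not code from the post or from BIND; the zone name, the SOA values and the two NS names are taken from the dig output above, the message ID and the split of the reply into two messages are constructed here, and the reply bytes are built locally so the script runs offline.

```python
"""AXFR over TCP, RFC1035 4.2.2 style: 2-byte length prefix, then the message.

Added example, not from the bind-users post. Zone data mirrors the post's
dig output; the response stream and the message ID are constructed here.
"""
import struct

QTYPE_AXFR = 252     # the X'fc' in packet 52 of the trace
TYPE_SOA, TYPE_NS, CLASS_IN = 6, 2, 1


def encode_name(name: str) -> bytes:
    """Uncompressed wire-format name: length-prefixed labels, root = 0x00."""
    out = b"".join(bytes([len(l)]) + l.encode("ascii")
                   for l in name.rstrip(".").split(".") if l)
    return out + b"\x00"


def decode_name(msg: bytes, off: int):
    """Decode a name at `off`, following RFC1035 4.1.4 compression pointers.
    Returns (dotted name, offset just past the name as it sits in msg)."""
    labels, end = [], None
    while True:
        ln = msg[off]
        if ln & 0xC0 == 0xC0:                       # 2-byte pointer, then jump
            end = end if end is not None else off + 2
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if ln == 0:
            break
        labels.append(msg[off:off + ln].decode("ascii"))
        off += ln
    return ".".join(labels) + ".", (end if end is not None else off)


def build_axfr_query(zone: str, msg_id: int = 0x1234) -> bytes:
    """What the slave sends on the TCP connection: length, then the AXFR query."""
    header = struct.pack("!HHHHHH", msg_id, 0x0000, 1, 0, 0, 0)
    msg = header + encode_name(zone) + struct.pack("!HH", QTYPE_AXFR, CLASS_IN)
    return struct.pack("!H", len(msg)) + msg


class AxfrReader:
    """Incremental consumer of the master's reply stream. Copes with the length
    prefix and the message arriving in separate segments, with multi-message
    transfers, and only reports `complete` once the zone's SOA has been seen
    twice; a stream that just stops (the post's symptom) stays incomplete."""

    def __init__(self, expected_id: int):
        self.expected_id, self.buf = expected_id, b""
        self.messages = self.rr_count = self.soa_seen = 0
        self.serial, self.complete, self.error = None, False, None

    def feed(self, data: bytes) -> None:
        self.buf += data
        while len(self.buf) >= 2:
            (mlen,) = struct.unpack("!H", self.buf[:2])
            if len(self.buf) < 2 + mlen:
                return                               # wait for the rest
            msg, self.buf = self.buf[2:2 + mlen], self.buf[2 + mlen:]
            self._parse_message(msg)

    def _parse_message(self, msg: bytes) -> None:
        mid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
        if mid != self.expected_id or flags & 0x000F:
            self.error = f"id {mid:#x} rcode {flags & 0xF}"
            return
        self.messages += 1
        off = 12
        for _ in range(qd):                          # skip the echoed question
            _, off = decode_name(msg, off)
            off += 4
        for _ in range(an):
            if self.complete:
                self.error = "data after closing SOA"
                return
            _, off = decode_name(msg, off)
            rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
            off += 10
            self.rr_count += 1
            if self.rr_count == 1 and rtype != TYPE_SOA:
                self.error = "transfer must open with SOA"
                return
            if rtype == TYPE_SOA:                    # MNAME, RNAME, then serial
                self.soa_seen += 1
                _, p = decode_name(msg, off)
                _, p = decode_name(msg, p)
                serial = struct.unpack("!I", msg[p:p + 4])[0]
                if self.soa_seen == 1:
                    self.serial = serial
                elif serial == self.serial:
                    self.complete = True
                else:
                    self.error = "closing SOA serial differs"
            off += rdlen


def build_rr(name: str, rtype: int, ttl: int, rdata: bytes) -> bytes:
    return encode_name(name) + struct.pack("!HHIH", rtype, CLASS_IN, ttl, len(rdata)) + rdata


def build_axfr_response(zone: str, msg_id: int, rrs: list) -> bytes:
    """One length-prefixed answer message (QR=1, AA=1) carrying `rrs`. Constructed
    stand-in for what the master puts on the wire."""
    header = struct.pack("!HHHHHH", msg_id, 0x8400, 1, len(rrs), 0, 0)
    msg = header + encode_name(zone) + struct.pack("!HH", QTYPE_AXFR, CLASS_IN) + b"".join(rrs)
    return struct.pack("!H", len(msg)) + msg


def demo_sample_transfer():
    """Feed a constructed two-message transfer, delivering the first length
    prefix on its own as BIND does, and report the reader's state at each step."""
    zone, msg_id = "_sites.phy.anl.gov.", 0x1234
    soa = build_rr(zone, TYPE_SOA, 3600, encode_name("rhino221.anl.gov.") +
                   encode_name("hostmaster.anl.gov.") +
                   struct.pack("!IIIII", 39, 900, 600, 86400, 3600))
    ns = [build_rr(zone, TYPE_NS, 3600, encode_name(n)) for n in ("t1dns1.anl.gov.", "ns2.es.net.")]
    first = build_axfr_response(zone, msg_id, [soa] + ns)
    second = build_axfr_response(zone, msg_id, [soa])
    r = AxfrReader(msg_id)
    r.feed(first[:2])                                # length prefix alone
    after_prefix = (r.messages, r.complete)
    r.feed(first[2:])                                # body: SOA + 2 NS, no closing SOA
    after_first = (r.rr_count, r.complete)           # what the stuck transfer looked like
    r.feed(second)                                   # closing SOA completes it
    return after_prefix, after_first, r


if __name__ == "__main__":
    print(build_axfr_query("_sites.phy.anl.gov").hex())
    print(demo_sample_transfer())
```

The reader mirrors what a slave has to enforce: a stream that delivers the opening SOA and some RRs and then goes quiet (the "AXFR started" with no completion in the post) is never committed as a zone, and a second SOA with a different serial is an error rather than a finished transfer. It does not check TSIG or the UDP SOA-serial comparison that precedes the TCP session in packets 44 to 46; those are separate steps.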