zone transfers timeout in bind but work via dig
barmar at alum.mit.edu
Mon Oct 4 00:09:09 UTC 2004
In article <cjpi3o$1cv5$1 at sf1.isc.org>,
Christian Smith <none at i.am.invalid> wrote:
> In article <cjoq8b$28na$1 at sf1.isc.org>,
> Barry Margolin <barmar at alum.mit.edu> wrote:
> > > Because of this, there needs to be an explicit hole punched in the
> > > firewall at the master server to allow outgoing connections in the
> > > 1024-65535 range. And, at the slave end there needs to be a matching
> > > hole to allow in coming connections to those ports (sourced from port
> > > 53).
> > This is totally wrong. The DNS protocol contains no mechanism like this.
> Then explain the difference. DIG works and can transfer the zone using
> AXFR, but actual transfers initiated by a BIND slave fail. I've seen
> this time and again and the problem is always with the firewall rules.
> What is different between the way DIG handles the transfer and how BIND
> handles it?
I don't know, but I know it's not what you said. To diagnose the
problem, I'd run a sniffer to see what the slave was sending.
Barry Margolin, barmar at alum.mit.edu
*** PLEASE post questions in newsgroups, not directly to me ***
More information about the bind-users