zone transfers timeout in bind but work via dig

Barry Margolin barmar at alum.mit.edu
Mon Oct 4 00:09:09 UTC 2004


In article <cjpi3o$1cv5$1 at sf1.isc.org>,
 Christian Smith <none at i.am.invalid> wrote:

> In article <cjoq8b$28na$1 at sf1.isc.org>,
>  Barry Margolin <barmar at alum.mit.edu> wrote:
> 
> > > Because of this, there needs to be an explicit hole punched in the 
> > > firewall at the master server to allow outgoing connections in the 
> > > 1024-65535 range. And, at the slave end there needs to be a matching 
> > > hole to allow incoming connections to those ports (sourced from port 
> > > 53).
> > 
> > This is totally wrong.  The DNS protocol contains no mechanism like this.
> 
> Then explain the difference. DIG works and can transfer the zone using 
> AXFR, but actual transfers initiated by a BIND slave fail. I've seen 
> this time and again and the problem is always with the firewall rules.
> 
> What is different between the way DIG handles the transfer and how BIND 
> handles it?

I don't know, but I know it's not what you said.  To diagnose the 
problem, I'd run a sniffer to see what the slave was sending.

-- 
Barry Margolin, barmar at alum.mit.edu
Arlington, MA
*** PLEASE post questions in newsgroups, not directly to me ***
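A sniffer trace is easiest to read when you know what the slave's packets should look like. The script below is an added example, not code from this thread, and its sample packets are constructed: it decodes the header and question section of a captured DNS query (standard RFC 1035 wire format, with the 2-byte length prefix that TCP adds) and labels which refresh step it belongs to. A slave refresh is an SOA query to the master, followed, when the serial has changed, by an AXFR request over a TCP connection to the master's port 53; dig's AXFR is just that second step, which is why comparing the two captures side by side shows where a slave diverges.

```python
import struct

# Query types involved in a zone refresh (RFC 1035 / RFC 1995 values).
QTYPE_NAMES = {1: "A", 6: "SOA", 251: "IXFR", 252: "AXFR"}


def encode_name(name):
    """Encode a dotted name as DNS labels (used only to construct samples)."""
    out = b""
    for label in name.strip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(name, qtype, txid, tcp=False):
    """Construct a standard query; tcp=True adds the 2-byte length prefix."""
    header = struct.pack("!6H", txid, 0x0100, 1, 0, 0, 0)  # RD set, one question
    msg = header + encode_name(name) + struct.pack("!2H", qtype, 1)  # class IN
    return struct.pack("!H", len(msg)) + msg if tcp else msg


def decode_name(data, off):
    """Decode a name at offset, following compression pointers if present.
    Returns (dotted name, offset of the first byte after the name)."""
    labels, jumped, end = [], False, off
    while True:
        length = data[off]
        if length & 0xC0 == 0xC0:  # compression pointer to an earlier name
            if not jumped:
                end = off + 2
            off = struct.unpack("!H", data[off:off + 2])[0] & 0x3FFF
            jumped = True
            continue
        off += 1
        if length == 0:
            break
        labels.append(data[off:off + length].decode("ascii"))
        off += length
    if not jumped:
        end = off
    return ".".join(labels) + ".", end


def parse_query(data, tcp=False):
    """Parse the header and first question of a DNS message from a capture."""
    if tcp:
        (length,) = struct.unpack("!H", data[:2])
        data = data[2:2 + length]
    txid, flags, qdcount, _an, _ns, _ar = struct.unpack("!6H", data[:12])
    if qdcount < 1:
        raise ValueError("no question section")
    qname, off = decode_name(data, 12)
    qtype, qclass = struct.unpack("!2H", data[off:off + 4])
    return {
        "id": txid,
        "is_response": bool(flags & 0x8000),
        "qname": qname,
        "qtype": QTYPE_NAMES.get(qtype, str(qtype)),
        "qclass": qclass,
        "transport": "tcp" if tcp else "udp",
    }


def classify(q):
    """Map a parsed query to the refresh step it represents."""
    if q["qtype"] == "SOA" and q["transport"] == "udp":
        return "serial check (SOA over UDP)"
    if q["qtype"] in ("AXFR", "IXFR") and q["transport"] == "tcp":
        return "zone transfer request (%s over TCP)" % q["qtype"]
    if q["qtype"] == "AXFR":
        return "AXFR over UDP: transfers require TCP, expect a failure"
    return "other query (%s over %s)" % (q["qtype"], q["transport"])


# Constructed sample payloads (not from the thread): what a healthy slave
# sends when refreshing example.com. from its master.
SAMPLE_SOA_UDP = build_query("example.com.", 6, txid=0x1A2B)
SAMPLE_AXFR_TCP = build_query("example.com.", 252, txid=0x1A2C, tcp=True)

if __name__ == "__main__":
    for payload, tcp in ((SAMPLE_SOA_UDP, False), (SAMPLE_AXFR_TCP, True)):
        q = parse_query(payload, tcp=tcp)
        print("%s id=%#06x %s -> %s" % (q["transport"], q["id"], q["qname"], classify(q)))
```

To use it on real traffic, feed parse_query the UDP payload or the TCP stream bytes of each packet the slave sends towards the master. If the AXFR request never appears, the slave is stuck before the transfer (often at the SOA check); if it appears but no TCP data comes back, the master or a firewall is dropping the connection on port 53.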
