refresh SOA queries use both transfer-source and query-source !?

Danny Thomas d.thomas at its.uq.edu.au
Sat Dec 10 00:50:20 UTC 2005


Our main 9.3.1 name-server runs as a combined authoritative and resolving
DNS service with bind configured to use specific addresses for each:
  listen-on { 127.0.0.1; 130.102.128.43; 130.102.128.53; };        
  query-source address 130.102.128.43 port *;
  transfer-source 130.102.128.53;
  notify-source 130.102.128.53;

Secondarying zones from a third-party's name-server recently started failing,
which came about after a router ACL was significantly tightened. For DNS the
relevant change was to allow only UDP connections from the IP address used
for the authoritative service. I had the ACL changed to also allow TCP
connections, but secondarying was still failing:
  Dec  9 07:35:01 <local1.info> cuscus named[1027]: general: info:
    zone yertafe.qld.edu.au/IN: refresh: retry limit for master
    155.71.144.251#53 exceeded (source 0.0.0.0#0)
  Dec  9 07:35:01 <local1.info> cuscus named[1027]: general: info:
    zone yertafe.qld.edu.au/IN: Transfer started.
  Dec  9 07:35:01 <local1.err> cuscus named[1027]: xfer-in: error:
    transfer of 'yertafe.qld.edu.au/IN' from 155.71.144.251#53:
    failed to connect: connection refused
  Dec  9 07:35:01 <local1.info> cuscus named[1027]: xfer-in: info:
    transfer of 'yertafe.qld.edu.au/IN' from 155.71.144.251#53: end of transfer

NB "rndc retransfer yertafe.qld.edu.au" succeeded.

These messages went away after the ACL was changed to also allow UDP connections
from the IP address used for the resolving DNS service. This seems strange,
as the documentation seems fairly clear:

transfer-source
transfer-source determines which local address will be bound to
IPv4 TCP connections used to fetch zones transferred inbound by the
server. It also determines the source IPv4 address, and optionally
the UDP port, used for the refresh queries and forwarded dynamic
updates. If not set, it defaults to a system controlled value which
will usually be the address of the interface "closest to" the remote
end. This address must appear in the remote end's allow-transfer
option for the zone being transferred, if one is specified. This
statement sets the transfer-source for all zones, but can be
overridden on a per-view or per-zone basis by including a transfer-source
statement within the view or zone block in the configuration file.

There are also a few items of interest in those messages:
  1) the first line indicates the refresh failed, yet the subsequent lines
     talk about the zone transfer failing. Naively, I would have expected
     no zone transfer attempt to be made if refresh fails. Even if a transfer
     was tried as a fallback position, I have no reason to believe it was
     failing, e.g. the manual retransfer worked.
  2) the refresh failure message says "source 0.0.0.0#0" even though we have
     configured an explicit transfer source address

Sometime after the error messages went away I used tcpdump:
  10:55:00.135688 130.102.128.53.3383 > 155.71.144.251.domain:
    47256 [1au] SOA? 71.155.in-addr.arpa. (48)
  10:55:00.140458 155.71.144.251.domain > 130.102.128.53.3383:
    47256* 1/0/2 SOA[|domain]
  10:55:00.637036 130.102.128.43.4907 > 155.71.144.251.domain: 
    42264 [1au] SOA? 71.155.in-addr.arpa. (48)
  10:55:00.640809 155.71.144.251.domain > 130.102.128.43.4907:
    42264* 1/0/2 SOA[|domain]

This appears to be a refresh in which bind first tries the transfer-source
address, and even though that presumably succeeds, then tries the query-source
address. What's more, if the router ACL blocks the latter, then the whole
refresh/zone transfer fails.

The same "try transfer-source, then query-source" behaviour was observed with
another randomly chosen name-server, which has not exhibited transfer failures.

I wonder whether this is related to this entry from the bind-9.3.2rc1 changes:
1864.   [bug]           Don't try the alternative transfer source if you
                        got a answer / transfer with the main source
                        address. [RT #14802]
 
not that we use alt-<anything>:
alt-transfer-source
An alternate transfer source if the one listed in transfer-source
fails and use-alt-transfer-source is set.

Danny

-- 
   d.thomas at its.uq.edu.au    Danny Thomas,                                    
          +61-7-3365-8221    Software Infrastructure,
 http://www.its.uq.edu.au    ITS, The University of Queensland

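The tcpdump excerpt above is the evidence that matters for the router ACL: whatever named logs as its "source" (here "0.0.0.0#0"), the addresses the master's firewall actually sees are the ones on the wire. The following is an added example, not code from the original post or from BIND: a small Python audit that parses old-style tcpdump DNS text output, collects the source address of every SOA query sent to each master, and reports any source other than the configured transfer-source. The sample capture is the four tcpdump lines quoted in the post, re-joined into one line per packet (tcpdump prints one packet per line; the wrapping above is from the mail). The regex is an assumption about that output format and would need adjusting for other tcpdump versions.

```python
import re
from collections import defaultdict

# Constructed sample: the four tcpdump lines quoted in the post, one packet per line.
TCPDUMP_SAMPLE = """\
10:55:00.135688 130.102.128.53.3383 > 155.71.144.251.domain: 47256 [1au] SOA? 71.155.in-addr.arpa. (48)
10:55:00.140458 155.71.144.251.domain > 130.102.128.53.3383: 47256* 1/0/2 SOA[|domain]
10:55:00.637036 130.102.128.43.4907 > 155.71.144.251.domain: 42264 [1au] SOA? 71.155.in-addr.arpa. (48)
10:55:00.640809 155.71.144.251.domain > 130.102.128.43.4907: 42264* 1/0/2 SOA[|domain]
"""

# Assumed line shape for an outbound query in this tcpdump version:
#   "HH:MM:SS.usec src.port > dst.domain: id[+] [1au] SOA? zone. (len)"
# Replies have the master's ".domain" as the source and a non-numeric port, so they do not match.
QUERY_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+)\s+"
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+)\s+>\s+"
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.domain:\s+"
    r"(?P<id>\d+)\+?\s+(?:\[\w+\]\s+)?SOA\?\s+(?P<zone>\S+)"
)


def soa_query_sources(capture):
    """Map (master, zone) -> list of (timestamp, source address, query id) for SOA queries seen."""
    out = defaultdict(list)
    for line in capture.splitlines():
        m = QUERY_RE.match(line)
        if m:
            out[(m["dst"], m["zone"])].append((m["ts"], m["src"], m["id"]))
    return dict(out)


def required_sources(capture):
    """Map master -> sorted list of every local address that sent it an SOA query.
    This is the set the master side's ACL has to permit for refresh to succeed."""
    needed = defaultdict(set)
    for (master, _zone), queries in soa_query_sources(capture).items():
        for _ts, src, _qid in queries:
            needed[master].add(src)
    return {master: sorted(srcs) for master, srcs in needed.items()}


def audit_refresh_sources(capture, transfer_source):
    """Return, per (master, zone), the SOA-query source addresses that are NOT the
    configured transfer-source. An empty dict means the capture matches the documented
    behaviour; anything else is an address the remote ACL must also allow."""
    unexpected = {}
    for key, queries in soa_query_sources(capture).items():
        extra = sorted({src for _ts, src, _qid in queries if src != transfer_source})
        if extra:
            unexpected[key] = extra
    return unexpected


if __name__ == "__main__":
    # Stand-alone run over the constructed sample, with the post's transfer-source.
    for (master, zone), extra in audit_refresh_sources(TCPDUMP_SAMPLE, "130.102.128.53").items():
        print(f"{zone} from {master}: SOA queries also sent from {', '.join(extra)}")
    for master, srcs in required_sources(TCPDUMP_SAMPLE).items():
        print(f"ACL on {master} must permit UDP/53 from: {', '.join(srcs)}")
```

To use it on a live capture, feed `audit_refresh_sources` the text from something like `tcpdump -n -i <iface> udp port 53 and host <master>` for a refresh interval; a non-empty result is exactly the situation in the post, where the query-source address shows up alongside the transfer-source and the tightened ACL must permit both.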