axfr fails, telnet to 53 works

/dev/rob0 rob0 at
Fri Jun 10 02:46:48 UTC 2005

Sorry, this might be a routing or firewall issue, but I'm hoping perhaps 
someone here can help anyway. I maintain my own internal DNS over a 
network of VPN links. The master server died recently and I replaced it 
with a machine on another IP. But I did bind the old IP,, to 
the new master.

The client at can't do a zone transfer. All the following 
commands are on that machine. It can route there through the VPN:

$ traceroute
traceroute to (, 30 hops max, 38 byte packets
  1  fw (  0.179 ms  0.083 ms  0.068 ms
  2 (  35.087 ms  40.455 ms  38.363 ms

It can ping and get replies:

$ ping -c2
PING ( 56 octets data
64 octets from icmp_seq=0 ttl=63 time=52.0 ms
64 octets from icmp_seq=1 ttl=63 time=34.4 ms

--- ping statistics ---
2 packets transmitted, 2 packets received, 0% packet loss
round-trip min/avg/max = 34.4/43.2/52.0 ms

Individual queries, both UDP and TCP, work:

$ host
Using domain server:
Aliases: domain name pointer master.lan.
$ host -T
Using domain server:
Aliases: domain name pointer master.lan.

But here's axfr:

$ dig @ master.lan. axfr

; <<>> DiG 9.2.1 <<>> @ master.lan. axfr
;; global options:  printcmd
;; connection timed out; no servers could be reached

This is logged on the server:

Jun  9 20:50:25 whn named[1376]: client transfer of 'master.lan/IN': AXFR started

is in an ACL which is included in an allow-transfer directive for the 
master.lan. zone on the server.

The OS is Slackware Linux, a hybrid of 9.1 through 10.1, and the BIND 
version on the server is a bit old, 9.2.3. I'll try upgrading that and 
will report back on whether it worked. The client is older, Slackware 
8.1 and BIND 9.2.1, as you can see above. Could that be the problem?

The main IP on the interface was assigned by a stupid router (the server 
that died had also been my DHCP server and Internet gateway). The main 
IP is with a /16 netmask.

Any ideas about how to troubleshoot this will be appreciated. Oh, and of 
course it used to work on the old server, which had the same BIND version.
     mail to this address is discarded unless "/dev/rob0"
     or "not-spam" is in Subject: header
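The post walks the same ladder by hand: traceroute, ping, a UDP query, a TCP query, then the AXFR. The script below, added here as an example and not code from the original post, turns that ladder into a repeatable check that stops at the first rung that fails, so the verdict says which layer to look at. `MASTER_IP` and `master.lan` are placeholders; the dig output strings it matches (`XFR size:` on a completed transfer, `Transfer failed` when the server answers but does not hand over the zone, `connection timed out` when nothing comes back) are the ones current dig prints, and are assumed here rather than taken from the post. A run that reaches the AXFR rung and reports `timeout`, while the server's own log shows `AXFR started` as above, tells you the transfer was authorised and begun on the server side, which rules out reachability and `allow-transfer` as the cause.

```shell
#!/bin/sh
# Added example (not from the original post): a layer-by-layer check for a
# zone transfer that times out while single queries succeed. MASTER_IP and
# master.lan are placeholders; the dig output strings matched below are assumed.

# Reduce dig AXFR output (read from stdin) to a one-word verdict.
classify_dig_output() {
    out=$(cat)
    case "$out" in
        *"XFR size:"*)            echo completed ;;   # full zone received
        *"Transfer failed"*)      echo failed ;;      # server answered, no zone (e.g. REFUSED)
        *"connection timed out"*) echo timeout ;;     # no answer at all
        *)                        echo unknown ;;
    esac
}

# Walk the ladder from the post: ICMP, UDP query, TCP query, then AXFR.
# Returns the number of the first rung that fails (1..4), 0 when all pass.
axfr_ladder() {
    server=$1
    zone=$2
    printf 'ICMP echo:      '
    ping -c 2 "$server" >/dev/null 2>&1 && echo ok || { echo FAIL; return 1; }
    printf 'UDP SOA query:  '
    dig @"$server" "$zone" SOA +short +time=3 +tries=1 2>/dev/null | grep -q . \
        && echo ok || { echo FAIL; return 2; }
    printf 'TCP SOA query:  '
    dig @"$server" "$zone" SOA +tcp +short +time=3 +tries=1 2>/dev/null | grep -q . \
        && echo ok || { echo FAIL; return 3; }
    printf 'AXFR:           '
    verdict=$(dig @"$server" "$zone" AXFR +time=10 +tries=1 2>/dev/null | classify_dig_output)
    echo "$verdict"
    [ "$verdict" = completed ] || return 4
}

# Usage (runs only when arguments are given): sh axfr_check.sh MASTER_IP master.lan
if [ $# -ge 2 ]; then
    axfr_ladder "$1" "$2"
fi
```

Run it from the secondary, the same host the post runs its commands on, so the path it tests is the one the real transfer takes through the VPN. The exit status alone is enough to script around: 3 means TCP queries fail, 4 means plain TCP works but the transfer itself does not, which is exactly the situation the post describes.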
