zone transfer problem (newbie issue)
Brad Knowles
brad at stop.mail-abuse.org
Sat May 14 01:25:17 UTC 2005
At 4:51 PM -0700 2005-05-13, Dave Stewart wrote:
> So at this point, "rusty" can only resolve the zones it's a master
> for, yet "diagnostics" can resolve all zones. It appears to me after a
> week of splitting my head open on this issue (searching archives,
> documentation, O'Reilly's online "DNS and BIND", and any and all
> tutorials and help files I can grab:) that "diagnostics" is approving
> the request for a zone transfer, but then not sending a response back
> to "rusty". To check this suspicion I ran the following on "rusty" to
> force a transfer:
One thing to check is the firewall settings on both machines, as
well as on all the network equipment between them. Most DNS queries
happen over UDP, but zone transfers are done over TCP. However, many
clueless firewall admins will block TCP port 53 under the mistaken
assumption that this will protect their zones from being transferred,
and this can interfere with secondaries trying to transfer the zone
legitimately.
Of course, there are real queries that sometimes happen over TCP
as well, and anyone who knows anything about what they're doing with
the DNS could easily just iterate over all the IP addresses in your
network and effectively get a copy of the zone that way, so blocking
TCP port 53 has no valid purpose.
Another thing to check is the zone transfer format. IIRC, this
changed between BIND-8 and BIND-9, and while BIND-9 has no problems
doing zone transfers from BIND-8 servers (it reads the older format
just fine), some older servers may have problems doing zone transfers
from BIND-9 servers (they may have problems with the new format, if
there are too many records).
See the ISC BIND FAQ and search the page for " Zone transfers
from my BIND 9 master". While this particular entry is aimed towards
the Windows 2000 DNS server, you may be facing the same problem.
There's lots of other good stuff in the ISC BIND FAQ. I highly
recommend you read the whole thing.
--
Brad Knowles, <brad at stop.mail-abuse.org>
"Those who would give up essential Liberty, to purchase a little
temporary Safety, deserve neither Liberty nor Safety."
-- Benjamin Franklin (1706-1790), reply of the Pennsylvania
Assembly to the Governor, November 11, 1755
SAGE member since 1995. See <http://www.sage.org/> for more info.
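The firewall check Brad describes above (does the master answer DNS over TCP, the transport a secondary uses for zone transfers?) can be scripted. The following is an added example, not code from the original thread or from BIND; the master hostname, zone name and port are placeholders and the parsing covers only the DNS header, which is all that is needed to tell "TCP/53 filtered" apart from "server reachable but refusing".

```python
"""Check whether a DNS master answers a plain SOA query over TCP.

Added example (not from the bind-users post).  Assumptions: the master
listens on TCP port 53 and the secondary is allowed to reach it; the
hostnames and zone used in __main__ are placeholders.
"""
import socket
import struct
import sys

RCODE_NAMES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL",
               3: "NXDOMAIN", 4: "NOTIMP", 5: "REFUSED"}


def encode_name(name: str) -> bytes:
    """Encode a dotted name as DNS wire-format labels (RFC 1035 3.1)."""
    out = b""
    for label in name.rstrip(".").split("."):
        if not label:
            continue
        if len(label) > 63:
            raise ValueError("label too long: %r" % label)
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_soa_query(zone: str, txid: int = 0x1234) -> bytes:
    """Build a standard query for the zone's SOA (QTYPE 6, QCLASS IN).

    A SOA query is cheap and harmless; it is also what a secondary asks
    first when deciding whether to transfer, so it exercises the same
    transport path without requesting the zone itself.
    """
    header = struct.pack("!HHHHHH", txid, 0x0000, 1, 0, 0, 0)
    question = encode_name(zone) + struct.pack("!HH", 6, 1)
    return header + question


def tcp_frame(msg: bytes) -> bytes:
    """DNS over TCP prefixes every message with a 2-byte big-endian
    length (RFC 1035 4.2.2); over UDP the bare message is sent."""
    return struct.pack("!H", len(msg)) + msg


def parse_header(msg: bytes) -> dict:
    """Decode the 12-byte DNS header into id, QR flag, RCODE and counts."""
    if len(msg) < 12:
        raise ValueError("short DNS message")
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    rcode = flags & 0x000F
    return {"id": txid, "is_response": bool(flags & 0x8000),
            "rcode": rcode, "rcode_name": RCODE_NAMES.get(rcode, str(rcode)),
            "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar}


def _recv_exact(sock, n: int) -> bytes:
    """Read exactly n bytes from a TCP socket or raise."""
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("connection closed by peer")
        buf += chunk
    return buf


def check_tcp53(master: str, zone: str, timeout: float = 5.0) -> dict:
    """Connect to master:53 over TCP and send one SOA query.

    'tcp_connect' False with a timeout or refusal, while UDP lookups to
    the same host work, is the symptom of TCP/53 being filtered somewhere
    on the path.  A parsed header with rcode REFUSED means the packets
    arrive but the server's policy (allow-query / allow-transfer) is the
    thing to look at instead of the firewall.
    """
    result = {"tcp_connect": False, "error": None, "header": None}
    try:
        with socket.create_connection((master, 53), timeout=timeout) as s:
            result["tcp_connect"] = True
            s.sendall(tcp_frame(build_soa_query(zone)))
            (length,) = struct.unpack("!H", _recv_exact(s, 2))
            result["header"] = parse_header(_recv_exact(s, length))
    except OSError as exc:
        result["error"] = str(exc)
    return result


if __name__ == "__main__":
    # Placeholder arguments: python check_tcp53.py diagnostics.example.net example.net
    host = sys.argv[1] if len(sys.argv) > 1 else "master.example.invalid"
    name = sys.argv[2] if len(sys.argv) > 2 else "example.invalid"
    print(check_tcp53(host, name))
```

Run it from the secondary (in the thread's terms, from "rusty" against "diagnostics"): a connect timeout points at a packet filter dropping TCP/53, a refused connection at the master not listening on TCP, and a real answer shows the transport is fine and the transfer problem lies in the server configuration.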