zone transfer problem (newbie issue)

Brad Knowles brad at stop.mail-abuse.org
Sat May 14 01:25:17 UTC 2005


At 4:51 PM -0700 2005-05-13, Dave Stewart wrote:

>  So at this point, "rusty" can only resolve the zones it's a master
>  for, yet "diagnostics" can resolve all zones. It appears to me after a
>  week of splitting my head open on this issue (searching archives,
>  documentation, O'Reilly's online "DNS and BIND", and any and all
>  tutorials and help files I can grab:) that "diagnostics" is approving
>  the request for a zone transfer, but then not sending a response back
>  to "rusty". To check this suspicion I ran the following on "rusty" to
>  force a transfer:

	One thing to check is the firewall settings on both machines, as 
well as on all the network equipment between them.  Most DNS queries 
happen over UDP, but zone transfers are done over TCP.  However, many 
clueless firewall admins will block TCP port 53 under the mistaken 
assumption that this will protect their zones from being transferred, 
and this can interfere with secondaries trying to transfer the zone 
legitimately.

	Of course, there are real queries that sometimes happen over TCP 
as well, and anyone who knows anything about what they're doing with 
the DNS could easily just iterate over all the IP addresses in your 
network and effectively get a copy of the zone that way, so blocking 
TCP port 53 has no valid purpose.


	Another thing to check is the zone transfer format.  IIRC, this 
changed between BIND-8 and BIND-9, and while BIND-9 has no problems 
doing zone transfers from BIND-8 servers (it reads the older format 
just fine), some older servers may have problems doing zone transfers 
from BIND-9 servers (they may have problems with the new format, if 
there are too many records).

	See the ISC BIND FAQ and search the page for " Zone transfers 
from my BIND 9 master".  While this particular entry is aimed towards 
the Windows 2000 DNS server, you may be facing the same problem.

	There's lots of other good stuff in the ISC BIND FAQ.  I highly 
recommend you read the whole thing.

-- 
Brad Knowles, <brad at stop.mail-abuse.org>

"Those who would give up essential Liberty, to purchase a little
temporary Safety, deserve neither Liberty nor Safety."

     -- Benjamin Franklin (1706-1790), reply of the Pennsylvania
     Assembly to the Governor, November 11, 1755

   SAGE member since 1995.  See <http://www.sage.org/> for more info.
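As an added example (not part of Brad's reply, the thread, or BIND itself): a small Python check that a secondary's admin could run toward its master to separate the two failure modes Brad describes, a firewall dropping TCP port 53 versus the master answering the AXFR with a refusal. Host and zone names are placeholders; the wire format follows RFC 1035.

```python
import socket
import struct

# DNS RCODE names (RFC 1035 section 4.1.1; 9 = NOTAUTH from RFC 2136).
RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN",
          4: "NOTIMP", 5: "REFUSED", 9: "NOTAUTH"}

def encode_name(name):
    """Encode a domain name as length-prefixed labels ending in the root label."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError("bad label: %r" % label)
        out += bytes([len(raw)]) + raw
    return out + b"\x00"

def build_axfr_query(zone, txid=0x1234):
    """Build the AXFR request a secondary sends: one question, QTYPE 252, QCLASS IN."""
    header = struct.pack(">HHHHHH", txid, 0, 1, 0, 0, 0)   # flags 0: a plain query
    return header + encode_name(zone) + struct.pack(">HH", 252, 1)

def parse_header(msg):
    """Return (txid, is_response, rcode_name, answer_count) from a DNS message."""
    if len(msg) < 12:
        raise ValueError("truncated DNS header")
    txid, flags, _qd, an, _ns, _ar = struct.unpack(">HHHHHH", msg[:12])
    rcode = flags & 0x000F
    return txid, bool(flags & 0x8000), RCODES.get(rcode, "RCODE%d" % rcode), an

def recv_exact(sock, n):
    """Read exactly n bytes; the master closing early is itself a useful symptom."""
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("master closed the connection early")
        buf += chunk
    return buf

def check_axfr(master, zone, timeout=5.0):
    """AXFR for zone to master over TCP/53; returns the parsed header of the first reply.
    A connect timeout points at a firewall dropping TCP 53 between the hosts;
    REFUSED/NOTAUTH means TCP works and the master's allow-transfer is the issue."""
    query = build_axfr_query(zone)
    with socket.create_connection((master, 53), timeout=timeout) as sock:
        sock.sendall(struct.pack(">H", len(query)) + query)  # TCP DNS: 2-byte length prefix
        length, = struct.unpack(">H", recv_exact(sock, 2))
        return parse_header(recv_exact(sock, length))
```

Run it from the secondary as `check_axfr("diagnostics.example.net", "example.com.")` (placeholder names); a `socket.timeout` on connect is the firewall case, while a reply with rcode REFUSED means the transport is fine and the master's transfer ACL should be looked at instead.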
