bind axfr refused but still allows ixfr?

Chris Thompson cet1 at hermes.cam.ac.uk
Mon Apr 10 20:19:28 UTC 2006


On Apr 10 2006, Troubled User wrote:

>Using bind 9
>
>I set   allow-transfer { none; }
>
>It seems to refuse an AXFR request, but still allows IXFR. How do I disable
>this?

You are misinterpreting the output of dig.

>$ dig @localhost AXFR domain.tld
>
>; <<>> DiG 9.2.4 <<>> @localhost AXFR domain.tld
>;; global options:  printcmd
>; Transfer failed.
>
>
>
>$ dig @localhost IXFR domain.tld
>;; Warning, ixfr requires a serial number

" ... so I'm going to forget that you even mentioned ixfr ... "

>
>; <<>> DiG 9.2.4 <<>> @localhost IXFR domain.tld
>;; global options:  printcmd
>;; Got answer:
>;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 22975
>;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
>
>;; QUESTION SECTION:
>;domain.tld.                    IN      A

" ... and just fall back on my good old default of type A ... "

>
>;; AUTHORITY SECTION:
>.                       10800   IN      SOA     A.ROOT-SERVERS.NET. NSTLD.VERISIGN-GRS.COM. 2006040700 1800 900 604800 86400
>
>;; Query time: 10 msec
>;; SERVER: 127.0.0.1#53(localhost)
>;; WHEN: Fri Apr  7 21:45:06 2006
>;; MSG SIZE  rcvd: 103
>
>
>From another box I tried this also. The AXFR had the same result.
>For the IXFR request, it said it required an SOA.

No it didn't - it requested the A record: see the QUERY SECTION
above. The ANSWER SECTION is empty because that gets an NXDOMAIN
response. The SOA record is in the AUTHORITY SECTION.

You really do need to understand about the four sections of a DNS
response if you are going to interpret dig output correctly.

>I'm assuming that means it would have performed the transfer.
>Is this true, or am I covered for both?

No, you're quite wrong. BIND applies the same tests to AXFR and
IXFR. If you want to test this, use the right dig syntax for the
latter, e.g. "dig @localhost ixfr=0 domain.tld".

-- 
Chris Thompson
Email: cet1 at cam.ac.uk
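The mistake in the thread is a general one: a zone-transfer test that does not check what dig actually asked can pass for the wrong reason. The script below is an added example (not code from the thread, from Chris Thompson, or from BIND): it splits dig output into the header and the four sections, and then judges a transfer test on the QUESTION section rather than on the absence of an error. The IXFR-without-serial transcript and the "Transfer failed" output are taken from the message above; the "allowed" sample is constructed, and it relies on dig printing a successful AXFR/IXFR as bare records with no section headers.

```python
"""Parse dig output into header + QUESTION/ANSWER/AUTHORITY/ADDITIONAL and
judge whether a zone-transfer test actually tested a transfer."""
import re

# Transcript quoted in the thread: "dig @localhost IXFR domain.tld" (no serial).
SAMPLE_IXFR_WITHOUT_SERIAL = """\
;; Warning, ixfr requires a serial number

; <<>> DiG 9.2.4 <<>> @localhost IXFR domain.tld
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 22975
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;domain.tld.                    IN      A

;; AUTHORITY SECTION:
.                       10800   IN      SOA     A.ROOT-SERVERS.NET. NSTLD.VERISIGN-GRS.COM. 2006040700 1800 900 604800 86400

;; Query time: 10 msec
;; SERVER: 127.0.0.1#53(localhost)
;; WHEN: Fri Apr  7 21:45:06 2006
;; MSG SIZE  rcvd: 103
"""

# Transcript quoted in the thread: AXFR refused by allow-transfer { none; }.
SAMPLE_AXFR_REFUSED = """\
; <<>> DiG 9.2.4 <<>> @localhost AXFR domain.tld
;; global options:  printcmd
; Transfer failed.
"""

# Constructed sample: what a permitted transfer looks like (records, no section headers).
SAMPLE_AXFR_ALLOWED = """\
; <<>> DiG 9.2.4 <<>> @localhost AXFR domain.tld
;; global options:  printcmd
domain.tld.             3600    IN      SOA     ns1.domain.tld. hostmaster.domain.tld. 2006040700 1800 900 604800 86400
domain.tld.             3600    IN      NS      ns1.domain.tld.
domain.tld.             3600    IN      SOA     ns1.domain.tld. hostmaster.domain.tld. 2006040700 1800 900 604800 86400
;; Query time: 3 msec
;; SERVER: 127.0.0.1#53(localhost)
"""

SECTION_RE = re.compile(r";; (QUESTION|ANSWER|AUTHORITY|ADDITIONAL) SECTION:")
HEADER_RE = re.compile(r";; ->>HEADER<<- opcode: (\w+), status: (\w+), id: (\d+)")


def parse_dig(output):
    """Split dig output into status, warnings, the four sections, and any
    bare records (which is how dig prints a transfer that was permitted)."""
    r = {"status": None, "transfer_failed": False, "warnings": [],
         "question": [], "answer": [], "authority": [], "additional": [],
         "transfer": []}
    section = None  # a blank line ends the current section
    for line in output.splitlines():
        if not line.strip():
            section = None
            continue
        if line.startswith(";; Warning"):
            r["warnings"].append(line[3:].strip())
            continue
        if line.startswith("; Transfer failed"):
            r["transfer_failed"] = True
            continue
        m = HEADER_RE.match(line)
        if m:
            r["status"] = m.group(2)
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1).lower()
            continue
        if line.startswith(";"):
            if section == "question":  # ';name  IN  TYPE'
                name, cls, rtype = line[1:].split()
                r["question"].append({"name": name, "class": cls, "type": rtype})
            continue  # other ';'-prefixed lines are dig commentary
        name, ttl, cls, rtype, rdata = line.split(None, 4)
        rec = {"name": name, "ttl": int(ttl), "class": cls, "type": rtype, "rdata": rdata}
        r[section if section else "transfer"].append(rec)
    return r


def judge_transfer_test(output):
    """Return (verdict, reason). The QUESTION section decides whether a
    transfer was even requested; an empty ANSWER proves nothing on its own."""
    r = parse_dig(output)
    if r["transfer_failed"]:
        return "refused", "dig reported 'Transfer failed'"
    if r["transfer"]:
        return "allowed", f"{len(r['transfer'])} records were transferred"
    qtypes = [q["type"] for q in r["question"]]
    if not any(t in ("AXFR", "IXFR") for t in qtypes):
        why = f"query type was {qtypes}, not AXFR/IXFR"
        if r["warnings"]:
            why += f"; dig said: {r['warnings'][0]}"
        return "not-a-transfer-test", why
    return "inconclusive", f"status {r['status']} with empty ANSWER section"


if __name__ == "__main__":
    for label, sample in [("IXFR without serial", SAMPLE_IXFR_WITHOUT_SERIAL),
                          ("AXFR refused", SAMPLE_AXFR_REFUSED),
                          ("AXFR allowed (constructed)", SAMPLE_AXFR_ALLOWED)]:
        verdict, reason = judge_transfer_test(sample)
        print(f"{label}: {verdict} ({reason})")
```

Run against the thread's IXFR transcript the verdict is "not-a-transfer-test", because the QUESTION section shows type A; only output from "dig @server zone ixfr=0" (or AXFR) can say anything about the transfer policy.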


