Zone transfers can be lost forever

jean-christophe manciot actionmystique at gmail.com
Wed Oct 16 13:07:06 UTC 2019


Hi there,

Here's the context:
Ubuntu 19.10 / Debian bullseye 11
bind9 9.15.4

zone "sdxlive.com"
{
	type master;
	file "/etc/bind/db.sdxlive.com";

	// Publishing and activating dnssec keys
	auto-dnssec maintain;

	// Using inline signing
	inline-signing yes;

	allow-transfer { w.x.y.z; };

	...
}

I'm experiencing a peculiar situation in both aforementioned distributions:
- I have modified a zone file and incremented its serial number on the
master to 2019101515
- the debug log shows that the zone transfer has *successfully* taken place
on the primary towards the secondary server:

15-Oct-2019 16:54:59.075 xfer-out: info: client @0xaaaaaaaaaaaa w.x.y.z#54219 (sdxlive.com): transfer of 'sdxlive.com/IN': IXFR started (serial 2019092407 -> 2019101515)
15-Oct-2019 16:54:59.075 xfer-out: info: client @0xaaaaaaaaaaaa w.x.y.z#54219 (sdxlive.com): transfer of 'sdxlive.com/IN': IXFR ended: 1 messages, 14 records, 1412 bytes, 0.001 secs (1412000 bytes/sec)
15-Oct-2019 16:55:14.078 xfer-out: info: client @0xbbbbbbbbbbbb w.x.y.z#58529 (sdxlive.com): transfer of 'sdxlive.com/IN': AXFR started (serial 2019101515)
15-Oct-2019 16:55:14.078 xfer-out: info: client @0xbbbbbbbbbbbb w.x.y.z#58529 (sdxlive.com): transfer of 'sdxlive.com/IN': AXFR ended: 1 messages, 36 records, 2906 bytes, 0.001 secs (2906000 bytes/sec)
- actually, the zone transfer could not have succeeded because the port 53
was closed on the secondary server for the master
- indeed, the secondary server has no knowledge of the new data:

# named-checkzone -D -f raw -o - sdxlive.com db.sdxlive.com.signed
zone sdxlive.com/IN: loaded serial 2019092407 (DNSSEC signed)
- whatever I try, it seems impossible to retransfer the zone data now that
the port 53 is open:
on the primary:

rndc freeze sdxlive.com
serial number --> 2019101614
rndc thaw sdxlive.com
A zone reload and thaw was started. Check the logs to see the result.

# grep -P "16-Oct-2019 .* xfer-out: .* -> 2019101614" /var/log/named/debug.log
#

on the secondary server:
# named-checkzone -D -f raw -o - sdxlive.com db.sdxlive.com.signed
zone sdxlive.com/IN: loaded serial 2019092407 (DNSSEC signed)

As a summary:
+ there should be some kind of zone transfer control to check whether the
transfer has really taken place or not
+ there should be a way to manually force an immediate zone transfer from
the master to the secondary server(s) even though only the serial number
has changed

So, are these
+ bugs
+ some missing features
+ or am I missing something?
-- 
Jean-Christophe
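The "zone transfer control" the summary asks for, as an added example that is not part of this post or of BIND itself: it pairs the xfer-out "started"/"ended" lines the primary logs (constructed copies of the lines quoted above) with the serial the secondary reports through named-checkzone, and flags every transfer the primary logged as ended whose serial the secondary still does not hold. It assumes the debug log and the checkzone output have been captured and are passed in as strings.

```python
import re

# Constructed sample, modelled on the xfer-out lines and named-checkzone output quoted in the post.
XFER_OUT_LOG = """\
15-Oct-2019 16:54:59.075 xfer-out: info: client @0xaaaaaaaaaaaa w.x.y.z#54219 (sdxlive.com): transfer of 'sdxlive.com/IN': IXFR started (serial 2019092407 -> 2019101515)
15-Oct-2019 16:54:59.075 xfer-out: info: client @0xaaaaaaaaaaaa w.x.y.z#54219 (sdxlive.com): transfer of 'sdxlive.com/IN': IXFR ended: 1 messages, 14 records, 1412 bytes, 0.001 secs (1412000 bytes/sec)
15-Oct-2019 16:55:14.078 xfer-out: info: client @0xbbbbbbbbbbbb w.x.y.z#58529 (sdxlive.com): transfer of 'sdxlive.com/IN': AXFR started (serial 2019101515)
15-Oct-2019 16:55:14.078 xfer-out: info: client @0xbbbbbbbbbbbb w.x.y.z#58529 (sdxlive.com): transfer of 'sdxlive.com/IN': AXFR ended: 1 messages, 36 records, 2906 bytes, 0.001 secs (2906000 bytes/sec)
"""
SECONDARY_CHECKZONE = "zone sdxlive.com/IN: loaded serial 2019092407 (DNSSEC signed)"

# "started" lines carry the serial being served (IXFR: "old -> new", AXFR: "new"); "ended" lines do not.
XFER_RE = re.compile(
    r"xfer-out: info: client \S+ (?P<client>\S+) \((?P<zone>[^)]+)\): transfer of '[^']+': "
    r"(?P<kind>[AI]XFR) (?P<event>started|ended)(?: \(serial (?:\d+ -> )?(?P<serial>\d+)\))?"
)
CHECKZONE_RE = re.compile(r"^zone (?P<zone>\S+)/IN: loaded serial (?P<serial>\d+)")

def parse_transfers(log):
    """Pair xfer-out 'started'/'ended' lines by client endpoint, zone and kind; return the
    transfers the primary logged as completed, with the serial it served to that client."""
    pending, completed = {}, []
    for line in log.splitlines():
        m = XFER_RE.search(line)
        if not m:
            continue
        key = (m["client"], m["zone"], m["kind"])
        if m["event"] == "started":
            pending[key] = int(m["serial"])
        elif key in pending:
            completed.append({"client": m["client"].split("#")[0], "zone": m["zone"],
                              "kind": m["kind"], "serial": pending.pop(key)})
    return completed

def loaded_serial(checkzone_output):
    """(zone, serial) a secondary actually holds, as printed by 'named-checkzone -f raw' on its file."""
    m = CHECKZONE_RE.match(checkzone_output)
    return (m["zone"], int(m["serial"])) if m else None

def unconfirmed(log, checkzone_output):
    """Transfers the primary logged as ended whose serial the secondary still does not hold.
    An 'xfer-out ... ended' line only proves the primary sent the data; this is the other half."""
    parsed = loaded_serial(checkzone_output)
    if parsed is None:
        raise ValueError("unrecognised named-checkzone output")
    zone, held = parsed
    return [t for t in parse_transfers(log) if t["zone"] == zone and t["serial"] > held]
```

Run against the post's own numbers it reports both the IXFR and the AXFR to w.x.y.z as unconfirmed, because the secondary still loads serial 2019092407; once the secondary reports 2019101515 the list is empty.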