Zone transfers can be lost forever

Tony Finch dot at dotat.at
Wed Oct 16 13:43:00 UTC 2019


jean-christophe manciot <actionmystique at gmail.com> wrote:

wow something has chewed up your message and vomited it out again but some
of the remnants are vaguely legible...

> - the debug log shows that the zone transfer has *successfully* taken place
> on the primary towards the secondary server:
>
> - actually, the zone transfer could not have succeeded because the port 53
> was closed on the secondary server for the master

I'm not sure this belief is entirely solid, given what the logs said.

> - indeed, the secondary server has no knowledge of the new data:
>
> # named-checkzone -D -f raw -o - sdxlive.com [snip]

You have to use the -j option to include any changes recorded in the
zone's journal, otherwise you are almost certainly looking at a stale
version of the zone.

If a zone is loaded and running, I usually find it is easier to use `dig
axfr` (or `host -lA` if I don't want DNSSEC clutter), instead of
named-compilezone, and `dig soa` instead of `named-checkzone`.

You can try `nsdiff -m primary -s secondary zone` to verify that the zone
files are consistent <http://www.dotat.at/prog/nsdiff/>, e.g.

$ nsdiff -m pri0.dns.cam.ac.uk -s auth0.dns.cam.ac.uk cam.ac.uk
nsdiff: loading zone cam.ac.uk. via AXFR from auth0.dns.cam.ac.uk
zone cam.ac.uk/IN: loaded serial 1571232847 (DNSSEC signed)
OK
nsdiff: loading zone cam.ac.uk. via AXFR from pri0.dns.cam.ac.uk
zone cam.ac.uk/IN: loaded serial 1571232847 (DNSSEC signed)
OK
$

[ I'm obviously massively biased, but `nsdiff` is amazingly reassuring
when you are doing big DNS provisioning infrastructure changes. ]

> - whatever I try, it seems impossible to retransfer the zone data now that
> the port 53 is open on the primary:

You can:

* run `rndc retransfer` on the secondary

* run `rndc notify` on the master to maybe prompt a retransfer, depending
  on whether the secondaries are up to date

* bump the serial on the primary again to prompt a retransfer by
  persuading the secondaries they are out of date

A primary can't force a transfer to a secondary, it can only send the
secondary a NOTIFY to suggest that the secondary might want to transfer.

Tony.
-- 
f.anthony.n.finch  <dot at dotat.at>  http://dotat.at/
Northwest Fitzroy, Sole: Southwesterly 4 to 6, increasing 7 or gale 8. Rough
or very rough becoming very rough or high. Showers. Good, occasionally poor.
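As an added example, not part of the mail above or of BIND or nsdiff: the check a secondary applies before it decides to transfer is a comparison of SOA serials, so this script parses the one-line answers `dig +short soa <zone> @<server>` gives for the primary and the secondary, compares them with RFC 1982 serial arithmetic, and maps the result onto the `rndc retransfer` / `rndc notify` / bump-the-serial options listed in the mail. The example.com names and serials are constructed.

```python
"""Check whether a secondary is behind its primary by comparing SOA serials.

Compares the two serials with RFC 1982 serial-number arithmetic, which is
the rule a secondary applies to a NOTIFY or SOA refresh query to decide that
it is out of date, and maps the result onto the rndc actions from the mail.
"""

SERIAL_HALF = 1 << 31  # 2^(SERIAL_BITS - 1) for 32-bit SOA serials


def serial_gt(a, b):
    """RFC 1982 'greater than' for 32-bit serials, handling wrap-around."""
    a &= 0xFFFFFFFF
    b &= 0xFFFFFFFF
    return (a < b and b - a > SERIAL_HALF) or (a > b and a - b < SERIAL_HALF)


def parse_soa_short(text):
    """Parse one line of `dig +short soa <zone> @<server>` into SOA fields."""
    fields = text.split()
    if len(fields) != 7:
        raise ValueError("unexpected SOA answer: %r" % text)
    keys = ("serial", "refresh", "retry", "expire", "minimum")
    soa = {"mname": fields[0], "rname": fields[1]}
    soa.update(zip(keys, (int(f) for f in fields[2:])))
    return soa


def retransfer_advice(primary_answer, secondary_answer):
    """Return (secondary_is_stale, advice) from the two dig answers."""
    p = parse_soa_short(primary_answer)["serial"]
    s = parse_soa_short(secondary_answer)["serial"]
    if p == s:
        return False, "serials match (%d); secondary is up to date" % p
    if serial_gt(p, s):
        return True, ("secondary serial %d is behind primary %d: run "
                      "'rndc retransfer <zone>' on the secondary, or "
                      "'rndc notify <zone>' on the primary" % (s, p))
    # Secondary believes it is newer, so a NOTIFY will not make it transfer:
    # the primary's serial has to be bumped past the secondary's.
    return True, ("secondary serial %d is ahead of primary %d: bump the "
                  "primary's serial so secondaries see they are stale" % (s, p))


# Constructed sample answers (example.com names and serials are made up).
PRIMARY_SOA = "ns1.example.com. hostmaster.example.com. 2019101602 1800 900 604800 3600"
SECONDARY_SOA = "ns1.example.com. hostmaster.example.com. 2019101601 1800 900 604800 3600"

if __name__ == "__main__":
    print(retransfer_advice(PRIMARY_SOA, SECONDARY_SOA)[1])
```

Feed it live answers from `dig +short soa` against each server to get the same verdict for a running zone; `rndc retransfer` forces a transfer regardless of the serial comparison, which is why it is the first thing to try.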
