Unable to completely transfer root zone

Warren Kumari warren at kumari.net
Mon Feb 10 19:32:55 UTC 2020


On Mon, Feb 10, 2020 at 12:53 PM von Dein, Thomas
<Thomas.vonDein at f-i-ts.de> wrote:
>
> Hi everyone,
>
> we are unable to complete root zone transfer from our nameservers. This is the error we're getting:
>
> Feb 10 18:33:32 bedns2 named[61444]: transfer of './IN' from 192.0.47.132#53: connected using 192.168.1.1#11281
> Feb 10 18:33:33 bedns2 named[61444]: transfer of './IN' from 192.0.47.132#53: resetting
> Feb 10 18:33:33 bedns2 named[61444]: transfer of './IN' from 192.0.47.132#53: connected using 192.168.1.1#46875
> Feb 10 18:33:33 bedns2 named[61444]: transfer of './IN' from 192.0.47.132#53: failed while receiving responses: connection reset
> Feb 10 18:33:33 bedns2 named[61444]: transfer of './IN' from 192.0.47.132#53: Transfer status: connection reset
> Feb 10 18:33:33 bedns2 named[61444]: transfer of './IN' from 192.0.47.132#53: Transfer completed: 11 messages, 3058 records, 179403 bytes, 0.410 secs (437568 bytes/sec)
>
> I can, however, do it manually using "dig +tcp . axfr @lax.xfr.dns.icann.org".
>
> The relevant part of the config is:
>
> zone "." {
>         type slave;
>         file "zone/slave/root.slave";
>         masters {
>                 192.0.32.132;   // lax.xfr.dns.icann.org.
>                 192.0.47.132;   // iad.xfr.dns.icann.org.
>         };
>         notify no;
> };
>
> Does anyone have an idea what's wrong here and how I could possibly fix this?

This sounds very much like a path MTU issue -- it starts the transfer,
gets part of the way and then a big packet doesn't make it through...
Are you doing the test dig from the same machine? And if so, from the same IP?
Also, can you try:
dig +tcp . axfr @192.0.32.132
dig +tcp . axfr @192.0.47.132
dig +tcp . axfr @b.root-servers.net

(no, I'm not really sure why trying with the first 2 IPs instead of
hostname, but, hey, 'tis easy to test :-))

W


>
>
> Thanks in advance,
> Tom



-- 
I don't think the execution is relevant when it was obviously a bad
idea in the first place.
This is like putting rabid weasels in your pants, and later expressing
regret at having chosen those particular rabid weasels and that pair
of pants.
   ---maf
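
An added example, not part of either poster's message: a small Python parser for the named transfer log lines quoted above. It groups them per zone and master and flags a transfer that received data but did not end in success, which is the pattern the reply reads as a possible path MTU problem. The function names are hypothetical, and treating `success` as the status string of a clean transfer is an assumption about the local BIND version's log output.

```python
import re

# The named log lines quoted in the post above, embedded as sample input.
SAMPLE_LOG = """\
Feb 10 18:33:32 bedns2 named[61444]: transfer of './IN' from 192.0.47.132#53: connected using 192.168.1.1#11281
Feb 10 18:33:33 bedns2 named[61444]: transfer of './IN' from 192.0.47.132#53: resetting
Feb 10 18:33:33 bedns2 named[61444]: transfer of './IN' from 192.0.47.132#53: connected using 192.168.1.1#46875
Feb 10 18:33:33 bedns2 named[61444]: transfer of './IN' from 192.0.47.132#53: failed while receiving responses: connection reset
Feb 10 18:33:33 bedns2 named[61444]: transfer of './IN' from 192.0.47.132#53: Transfer status: connection reset
Feb 10 18:33:33 bedns2 named[61444]: transfer of './IN' from 192.0.47.132#53: Transfer completed: 11 messages, 3058 records, 179403 bytes, 0.410 secs (437568 bytes/sec)
"""

XFER = re.compile(r"transfer of '(?P<zone>[^']+)' from (?P<master>\S+)#\d+: (?P<msg>.*)$")
DONE = re.compile(r"Transfer completed: (\d+) messages, (\d+) records, (\d+) bytes")


def summarize_transfers(log_text):
    """Return one dict per finished transfer (hypothetical helper)."""
    open_xfers, finished = {}, []
    for line in log_text.splitlines():
        m = XFER.search(line)
        if not m:
            continue  # not a zone transfer line
        key = (m["zone"], m["master"])
        msg = m["msg"]
        x = open_xfers.setdefault(key, {"zone": key[0], "master": key[1],
                                        "connects": 0, "status": None})
        if msg.startswith("connected using"):
            x["connects"] += 1  # every retry opens a new TCP connection
        elif msg.startswith("Transfer status:"):
            x["status"] = msg.split(":", 1)[1].strip()
        elif (d := DONE.match(msg)):
            x["messages"], x["records"], x["bytes"] = map(int, d.groups())
            finished.append(open_xfers.pop(key))  # summary line closes the attempt
    return finished


def died_mid_stream(xfer):
    """True when data arrived but the status is not 'success' (assumed string)."""
    return xfer["status"] != "success" and xfer.get("bytes", 0) > 0


if __name__ == "__main__":
    for x in summarize_transfers(SAMPLE_LOG):
        flag = "PARTIAL" if died_mid_stream(x) else "ok"
        print(f"{x['zone']} from {x['master']}: {x['status']}, "
              f"{x['bytes']} bytes in {x['messages']} messages, "
              f"{x['connects']} connection(s) -> {flag}")
```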

