Re: AXFR Problems since Upgrade to 9.16.12
klaus.darilion at nic.at
Mon Mar 15 23:06:05 UTC 2021
For the record. With the help of Ondrej we found the cause: The problem is related to TCP timeouts not working as expected. If you are affected, set tcp-initial-timeout and tcp-idle-timeout to 1200 (=120s). If you have huge zones with AXFRs > 120s you can download the source, increase the max timeout value to some higher value and rebuild bind9.
I guess the problem is not related to 9.16.12, but we didn't notice it as we usually use IXFR. For whatever reason our Bind used AXFR and now the timeout problems appeared.
> -----Original Message-----
> From: bind-users <bind-users-bounces at lists.isc.org> On Behalf Of Klaus
> Sent: Thursday, 11 March 2021 21:24
> To: bind-users at lists.isc.org
> Subject: AXFR Problems since Upgrade to 9.16.12
> Our setup: Customer Primary --> bind-1 --> bind-2 --> public secondaries
> Today we upgraded bind-1 and bind-2 from:
> 9.16.6-3+ubuntu18.04.1+isc+3 ---> 9.16.12-2+ubuntu18.04.1+isc+1
> AXFR from customer to bind-1 still works. But since the upgrade, bind-2
> cannot transfer the zone from bind-1 anymore:
> bind-1: client @0x7f6090274c78 xx.xx.xx.20#42767/key rcode0-
> internal (example): transfer of 'example/IN': send: operation canceled
> bind2: transfer of 'example/IN' from xx.xx.xx.22#53: failed while
> receiving responses: end of file
> bind2: transfer of 'example/IN' from xx.xx.xx.22#53: Transfer status:
> end of file
> bind2: transfer of 'example/IN' from xx.xx.xx.22#53: Transfer
> completed: 25079 messages, 9787583 records, 334058940 bytes, 30.171 secs
> (11072186 bytes/sec) (serial 1069865757)
> I tried "dig axfr @bind-1 ..." which also fails:
> ;; communications error to xx.xx.xx.22#53: end of file
> Same with kdig:
> ;; WARNING: can't connect to 220.127.116.11 at 53(TCP)
> ;; ERROR: failed to query server 18.104.22.168 at 53(TCP)
> The AXFR fails after receiving ~ 400MB. The full zone would be ~600MB.
> Of course AXFR from bind-2 to our public secondaries also fails. So I suspect
> this is a problem on the "sending" side of bind9. As it worked without problem
> until the upgrade, I think this is a regression.
> Are there any known issues with 9.16.12?
> Do you provide old PPA packages so that we can downgrade?
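One way to check whether failed transfers line up with the TCP timeout discussed above. This is an added example, not part of the original post or of BIND. The log lines are constructed in the format quoted in the thread, and the default of 300 (30 s) is an assumption taken from BIND's documentation rather than from the post.

```python
import re

# Secondary-side transfer lines, in the format quoted in the thread.
STATUS_RE = re.compile(
    r"transfer of '(?P<zone>[^']+)' from (?P<peer>\S+): Transfer status: (?P<status>.+)$")
DONE_RE = re.compile(
    r"transfer of '(?P<zone>[^']+)' from (?P<peer>\S+): Transfer completed: "
    r"\d+ messages, \d+ records, (?P<bytes>\d+) bytes, (?P<secs>[\d.]+) secs")

# Constructed sample log (192.0.2.22 is a documentation address).
SAMPLE_LOG = [
    "transfer of 'example/IN' from 192.0.2.22#53: failed while receiving responses: end of file",
    "transfer of 'example/IN' from 192.0.2.22#53: Transfer status: end of file",
    "transfer of 'example/IN' from 192.0.2.22#53: Transfer completed: 25079 messages, "
    "9787583 records, 334058940 bytes, 30.171 secs (11072186 bytes/sec) (serial 1069865757)",
    "transfer of 'small.example/IN' from 192.0.2.22#53: Transfer status: success",
    "transfer of 'small.example/IN' from 192.0.2.22#53: Transfer completed: 1 messages, "
    "12 records, 640 bytes, 0.004 secs (160000 bytes/sec) (serial 7)",
    "transfer of 'other.example/IN' from 192.0.2.22#53: Transfer status: end of file",
    "transfer of 'other.example/IN' from 192.0.2.22#53: Transfer completed: 3 messages, "
    "900 records, 40000 bytes, 4.200 secs (9523 bytes/sec) (serial 3)",
]

def timed_out_transfers(lines, timeout_units=300, slack_secs=2.0):
    """Return failed transfers whose duration sits at the TCP timeout.

    timeout_units is in named.conf units (tenths of a second): 300 = 30 s,
    and the 1200 from the post = 120 s.
    """
    timeout_secs = timeout_units / 10.0
    last_status = {}  # (zone, peer) -> most recent "Transfer status" value
    hits = []
    for line in lines:
        line = line.strip()
        m = STATUS_RE.search(line)
        if m:
            last_status[(m["zone"], m["peer"])] = m["status"]
            continue
        m = DONE_RE.search(line)
        if not m:
            continue
        key = (m["zone"], m["peer"])
        status = last_status.pop(key, None)
        secs = float(m["secs"])
        # Flag only transfers that failed AND stopped within slack of the timeout.
        if status not in (None, "success") and abs(secs - timeout_secs) <= slack_secs:
            hits.append({"zone": key[0], "peer": key[1],
                         "secs": secs, "bytes": int(m["bytes"])})
    return hits
```
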