<html><body><span style="font-family:Verdana; color:#000; font-size:10pt;"><div>Mark,</div>
<div> </div>
<div>Thanks. I saw you'd answered a similar question about 10 years ago, but RRSIG records weren't around then so I didn't want to assume that was the problem and miss something else.</div>
<div> </div>
<div>Thanks again,</div>
<div>Todd</div>
<div> </div>
<BLOCKQUOTE id=replyBlockquote style="FONT-SIZE: 10pt; FONT-FAMILY: verdana; COLOR: black; PADDING-LEFT: 8px; MARGIN-LEFT: 8px; BORDER-LEFT: blue 2px solid" webmail="1">
<DIV id=wmQuoteWrapper>-------- Original Message --------<BR>Subject: Re: transfer signed zone<BR>From: Mark Andrews <<a href="mailto:marka@isc.org">marka@isc.org</a>><BR>Date: Sat, January 18, 2014 7:40 am<BR>To: <a href="mailto:tlarsen@dns-research.com">tlarsen@dns-research.com</a><BR>Cc: <a href="mailto:bind-users@isc.org">bind-users@isc.org</a><BR><BR><BR><BR>A zone transfer starts and ends with a SOA record. This server added<BR>a SIG record for the SOA after the final SOA.<BR><BR><a href="http://example.com">example.com</a>.            86400 IN        SOA     <a href="http://ns1.example.com">ns1.example.com</a>. <a href="http://hostmaster.example.com">hostmaster.example.com</a>. 2014011701 10800 15 604800 10800<BR><a href="http://example.com">example.com</a>.            86400 IN        RRSIG   SOA 8 2 86400 20140417221308 20140116221308 15093 <a href="http://example.com">example.com</a>. alxE/TLfVRML1EAHCiVDEwmaOjaPdowXxfkompXG3MwJ7tDOQcFV2O2+ 9F4TlB+l0nbfWi0mk7YWBk+w03God8RnUez9KZwhmrGAgEfWtH6kiO7A LEwSPgHTS5cfQah8KGAT6o7DMWOdH0ii2EnJNzqi3gt+SR1bSPw8kTNE TOU=<BR>;; Query time: 10 msec<BR>;; SERVER: 10.0.20.22#53(10.0.20.22)<BR>;; WHEN: Fri Jan 17 18:44:36 EST 2014<BR>;; XFR size: 15 records (messages 7, bytes 2291)<BR><BR><BR><BR>In message <<a href="mailto:20140117164922.2cd7822c2bd73f63aacfc236a41a89ed.ca7833120a.wbe@email18.secureserver.net">20140117164922.2cd7822c2bd73f63aacfc236a41a89ed.ca7833120a.wbe@email18.secureserver.net</a>>, tlarse<BR><a href="mailto:n@dns-research.com">n@dns-research.com</a> writes:<BR>> --===============6909298250656410026==<BR>> Content-Transfer-Encoding: quoted-printable<BR>> Content-Type: text/html; charset="utf-8"<BR>> <BR>> <html><body><span style=3D"font-family:Verdana; color:#000; font-size:10pt;=<BR>> "><div>Receiving the following lines when transferring from a non-BIND serv=<BR>> er. Is there a way to identify the "extra input data"?<br></div><div><br></=<BR>> div><div>Jan 17 17:16:35 had4 named[6497]: running<br>Jan 17 17:16:35 had4 =<BR>> named[6497]: zone <A href="https://email18.secureserver.net/3D%22http://example.com/IN%22" target='3D"_blank"'>examp=<BR>> le.com/IN</A>: Transfer started.<br>Jan 17 17:16:35 had4 named[6497]: trans=<BR>> fer of 'example.com/IN' from 10.0.20.22#53: connected using 10.0.20.23#5091=<BR>> 7<br>Jan 17 17:16:35 had4 named[6497]: transfer of 'example.com/IN' from 10=<BR>> .0.20.22#53: failed while receiving responses: extra input data<br>Jan 17 1=<BR>> 7:16:35 had4 named[6497]: transfer of 'example.com/IN' from 10.0.20.22#53: =<BR>> Transfer completed: 6 messages, 16 records, 2046 bytes, 0.005 secs (409200 =<BR>> bytes/sec)<br></div><div><br></div><div>Here's the dig output.</div><div><b=<BR>> r></div><div><br>[root@had4 local]# dig @10.0.20.22 AXFR <A href="https://email18.secureserver.net/3D%22http://=%3Cbr">> example.com">example.com</A><br><br>; &lt;&lt;&gt;&gt; DiG 9.9.4-P2 &lt;&lt=<BR>> ;&gt;&gt; @10.0.20.22 AXFR <A href="https://email18.secureserver.net/3D%22http://example.com%22">example.com</A><b=<BR>> r>; (1 server found)<br>;; global options: +cmd<br><A href="https://email18.secureserver.net/3D%22http://exampl=%3Cbr"> > e.com">example.com</A>.&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbs=<BR>> p;&nbsp;&nbsp; 86400 IN&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; SOA&nbsp;=<BR>> &nbsp;&nbsp;&nbsp; <A href="https://email18.secureserver.net/3D%22http://ns1.example.com%22">ns1.example.com</A>. =<BR>> <A href="https://email18.secureserver.net/3D%22http://hostmaster.example.com%22">hostmaster.example.com</A>. 20140=<BR>> 11701 10800 15 604800 10800<br><A href="https://email18.secureserver.net/3D%22http://example.com%22">example.com</=<BR /> > a>.            86400=<BR>> IN        RRSIG   SOA 8 2 864=<BR>> 00 20140417221308 20140116221308 15093 <A href="https://email18.secureserver.net/3D%22http://example.com%22">examp=<BR>> le.com</A>. alxE/TLfVRML1EAHCiVDEwmaOjaPdowXxfkompXG3MwJ7tDOQcFV2O2+ 9F4TlB=<BR>> +l0nbfWi0mk7YWBk+w03God8RnUez9KZwhmrGAgEfWtH6kiO7A LEwSPgHTS5cfQah8KGAT6o7D=<BR>> MWOdH0ii2EnJNzqi3gt+SR1bSPw8kTNE TOU=3D<br><A href="https://email18.secureserver.net/3D%22http://example.com%22">e=<BR>> xample.com</A>.&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;=<BR>> &nbsp; 86400 IN&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; NS&nbsp;&nbsp;&nb=<BR>> sp;&nbsp;&nbsp; <A href="https://email18.secureserver.net/3D%22http://ns.example.com%22">ns.example.com</A>.<br><A=<BR /> > href=3D"http://example.com">example.com</A>.&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;=<BR>> &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 86400 IN&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;=<BR>> &nbsp;&nbsp; RRSIG&nbsp;&nbsp; NS 8 2 86400 20140417221308 20140116221308 1=<BR>> 5093 <A href="https://email18.secureserver.net/3D%22http://example.com%22">example.com</A>. hlkdQhwcElD3bWtsIkySNJ=<BR>> uwaXKtiVQaRiZX3IRcK8xU6UHwg4QQOt96 oNFCdCx3TZOROL3rf7OyESdL4YeSlzj9CAMuEzKP=<BR>> POrcJXyILMJdGymY JEQxMkrz+YbA9gbZwlA0Agk9bNBa51zQThsQD4bB9y3lTtOvuIcI3cxg 1=<BR>> Qw=3D<br><A href="https://email18.secureserver.net/3D%22http://example.com%22">example.com</A>.&nbsp;&nbsp;&nbsp;&=<BR>> nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 10800 IN&nbsp;&nbsp;&nbsp;&=<BR>> nbsp;&nbsp;&nbsp;&nbsp; NSEC&nbsp;&nbsp;&nbsp; <A href="https://email18.secureserver.net/3D%22http://ns.example=%3Cbr">> .com">ns.example.com</A>. NS SOA RRSIG NSEC<br><A href="https://email18.secureserver.net/3D%22http://example.co=%3Cbr"> > m">example.com</A>.&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&n=<BR>> bsp;&nbsp; 10800 IN&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; RRSIG&nbsp;&n=<BR>> bsp; NSEC 8 2 10800 20140417221308 20140116221308 15093 <A href="https://email18.secureserver.net/3D%22http://e=%3Cbr">> xample.com">example.com</A>. jGZPr5cSMs8vZaBcrA4ldTxz5J1u13vIimT5oeq6ZPsNOD=<BR>> l9GGWjtrjA a6w6ElUgpHredujLG8GnBQpwOj+6Si110omD0RioVyqtoIzdTxh5PnJw w7ni5XW=<BR>> V1MpyeDVp1Nl1+CGH8tyGB1DTrVMjTvdUlOWS/fM/FGCvpyAZ WMs=3D<br><A href="https://email18.secureserver.net/3D%22http=%3Cbr"> > ://example.com">example.com</A>.&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&=<BR>> nbsp;&nbsp;&nbsp;&nbsp; 3600&nbsp; IN&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&n=<BR>> bsp; DNSKEY&nbsp; 257 3 8 AwEAAb1H+j4Nt3UNOagcrgeJWjM1HepFd1EmG7mPYVGxhWeeJ=<BR>> wVU6zOB eqwqpazyuFac+o+YG5YN4xk9wjaXcgNZgEnmOVTK2QpWd/f8M/9FKGjv OiUmTcnccY=<BR>> Xli/w7r93Gm14hX52TdBRjtUVMEFqoTypFvTEK46e+DUsf 7/z4sItvaQM/xAhqMXmNJwuPd6HA=<BR>> QviPX6pR6KLz7nR10MoPbMVNUipz ajGXUb8mTLqbRgdRdxWcJ/KSt5WgykLwGe1jSCpIPF7MDF=<BR>> Eh7uaZQUTO geuieKVZoVWblEK9Bv6I3VBYOx+eAXVrmSxbWz2LZlo8uaY7i6TWN+aB hgwcg+J=<BR>> NUKM=3D<br><A href="https://email18.secureserver.net/3D%22http://example.com%22">example.com</A>.&nbsp;&nbsp;&nbsp=<BR>> ;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 3600&nbsp; IN&nbsp;&nbsp;=<BR>> &nbsp;&nbsp;&nbsp;&nbsp;&nbsp; DNSKEY&nbsp; 256 3 8 AwEAAeAVPTRCtLy6aSpJbsd=<BR>> wNMGDmLl218uKYGa0LosgpwIKdMuyp5z4 3E06O4WAR7CMZMeWo0AJ5Ma5zVp8QFkDt77r+FR8p=<BR>> EemNTsFJFF0/yGz 5UjvIrTkAgkqRQRiFucS2JmYCXv5YfVINr/0bk7oY9EV8rnno44bZc92 OT=<BR>> 6MIk7X<br><A href="https://email18.secureserver.net/3D%22http://example.com%22">example.com</A>.&nbsp;&nbsp;&nbsp;=<BR>> &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 3600&nbsp; IN&nbsp;&nbsp;&=<BR>> nbsp;&nbsp;&nbsp;&nbsp;&nbsp; RRSIG&nbsp;&nbsp; DNSKEY 8 2 3600 20140417221=<BR>> 308 20140116221308 21961 <A href="https://email18.secureserver.net/3D%22http://example.com%22">example.com</A>. S6=<BR>> 7jOAEUEL15uylQ4y6kno7naCR0wvsHJq74ZFHlDrfHHAHXaiDO3nxM ikmn+kv6mULsdH6xddCw=<BR>> vtLmDaYokF4zsIJGdQmyXqCCg8y4A4SsivaO uM+oO1AoXLKKo3XqNEq95gg4e70yj5FNrEk9c4=<BR>> zi0uT2TEOItBsZ9Y/T 8Gl2RDnLrjHf5YOO3py9SM/btwjZcu18TOJBWb9fbdYtKvntmG8tFlld=<BR>> McefBwn0QJ9REmy4oXf00LKXG2xZ2E20m887j3KLzY1pYIp1GZgaRwJZ ssfreEwQpcSoz1DD4=<BR>> MKAU0At3uCa7O8IcWx6VonhF0pZW+PzMVQGOriN 9bXLUg=3D=3D<br><A href="https://email18.secureserver.net/3D%22http://e=%3Cbr"> > xample.com">example.com</A>.&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp=<BR>> ;&nbsp;&nbsp;&nbsp; 3600&nbsp; IN&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;=<BR>> RRSIG&nbsp;&nbsp; DNSKEY 8 2 3600 20140417221308 20140116221308 15093 <A h="<br">> ref=3D"http://example.com">example.com</A>. KwBcvyQYmX7qDZaQfrS931Fyrf1B8z/=<BR>> PFsXX+hYTQ1y7dIhHIEtN0WBR vyuyson0VA8PrEeUnEvWZrQL+z0Z1h9tpuFQqVWqFyBLooZAT=<BR>> k/psPW0 7DcgXMBZ1JEq/srfJQye2MDX/iT5/+hWUJiOW+dcnIVZg2lOaehaKSQv faE=3D<br>=<BR>> <A href="https://email18.secureserver.net/3D%22http://ns.example.com%22">ns.example.com</A>.&nbsp;&nbsp;&nbsp;&nbs=<BR>> p;&nbsp;&nbsp;&nbsp;&nbsp; 86400 IN&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbs=<BR>> p; A&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 192.168.0.1<br><A href="https://email18.secureserver.net/3D%22http://n=%3Cbr"> > s.example.com">ns.example.com</A>.&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp=<BR>> ;&nbsp; 86400 IN&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; RRSIG&nbsp;&nbsp=<BR>> ; A 8 3 86400 20140417221308 20140116221308 15093 <A href="https://email18.secureserver.net/3D%22http://example=%3Cbr">> .com">example.com</A>. 0KgiOQwgavCWFxd5bFTtBEMXfO4yzwC8BeKYPSMqPHSdcIsLBMF7=<BR>> wUAR YV193/OM6mTJF9vRzdlUro9kfmFBnX3xC0jVkpcpj1YVP6pTGeB8KGSk OdfC6+H658Ksc=<BR>> B2eq/XcvFtE4VktU3QPZOW8zj4GquNpNR79fan/Idh2 OXA=3D<br><A href="https://email18.secureserver.net/3D%22http://ns.=%3Cbr"> > example.com">ns.example.com</A>.&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&=<BR>> nbsp; 10800 IN&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; NSEC&nbsp;&nbsp;&n=<BR>> bsp; <A href="https://email18.secureserver.net/3D%22http://example.com%22">example.com</A>. A RRSIG NSEC<br><A hre="<br"> > f=3D"http://ns.example.com">ns.example.com</A>.&nbsp;&nbsp;&nbsp;&nbsp;&nbs=<BR>> p;&nbsp;&nbsp;&nbsp; 10800 IN&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; RRS=<BR>> IG&nbsp;&nbsp; NSEC 8 3 10800 20140417221308 20140116221308 15093 <A href="https://email18.secureserver.net/%3Cbr">> =3D"http://example.com">example.com</A>. Tf+bAbucKKVh7HoBaE2xZNb1yxyON/x5JC=<BR>> PRJs9ybFi1a5eE26Thi1L0 +mrIpZVwTIwPJSfKqKO2MZePqB0fXWBq0M1HPslRbW9pjb+K+IqN=<BR>> Si/k ybSshxj/fdkhown/a0wPZ2w0XAYY5Q8x3sc2UO2+GD8nJReAcNkO3hWe tKs=3D<br><A ="<br"> > href=3D"http://example.com">example.com</A>.&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&=<BR>> nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 86400 IN&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&=<BR>> nbsp;&nbsp; SOA&nbsp;&nbsp;&nbsp;&nbsp; <A href="https://email18.secureserver.net/3D%22http://ns1.example.com%22">=<BR>> ns1.example.com</A>. <A href="https://email18.secureserver.net/3D%22http://hostmaster.example.com%22">hostmaster.e=<BR>> xample.com</A>. 2014011701 10800 15 604800 10800<br><A href="https://email18.secureserver.net/3D%22http://examp=%3Cbr"> > le.com">example.com</A>.&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nb=<BR>> sp;&nbsp;&nbsp; 86400 IN&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; RRSIG&nb=<BR>> sp;&nbsp; SOA 8 2 86400 20140417221308 20140116221308 15093 <A href="https://email18.secureserver.net/3D%22http=%3Cbr">> ://example.com">example.com</A>. alxE/TLfVRML1EAHCiVDEwmaOjaPdowXxfkompXG3M=<BR>> wJ7tDOQcFV2O2+ 9F4TlB+l0nbfWi0mk7YWBk+w03God8RnUez9KZwhmrGAgEfWtH6kiO7A LEw=<BR>> SPgHTS5cfQah8KGAT6o7DMWOdH0ii2EnJNzqi3gt+SR1bSPw8kTNE TOU=3D<br>;; Query ti=<BR>> me: 10 msec<br>;; SERVER: 10.0.20.22#53(10.0.20.22)<br>;; WHEN: Fri Jan 17 =<BR>> 18:44:36 EST 2014<br>;; XFR size: 15 records (messages 7, bytes 2291)</div>=<BR>> <div><br></div><div><br></div><div><br></div><div><br></div><div>Here's the=<BR>> config:</div><div><br></div><div>options {<br>&nbsp;&nbsp;&nbsp;&nbsp;&nbs=<BR>> p;&nbsp;&nbsp; directory "/opt/local";<br>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nb=<BR>> sp;&nbsp; pid-file "server.pid";<br>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nb=<BR>> sp; dnssec-enable yes;<br>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; versio=<BR>> n "SNIP";<br><br>};<br><br><br>zone "z1.example.com" IN {<br>&nbsp;&nbsp; t=<BR>> ype master;<br>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; file "<A href="http://z1.exampl/">z1.exampl</A>e.=<BR>> com.db";<br>};<br><br>zone "example.com" IN {<br>&nbsp;&nbsp; type slave;<b=<BR>> r>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; file "<A href="http://secondary.example.com.db/">secondary.example.com.db</A>=<BR>> ";<br>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; masters {10.0.20.22; };<br=<BR>> >};<br><br><br>logging {<br><br>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; =<BR>> channel dnssec {<br>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&=<BR>> nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; file "dnssec" versions 10 size 500k;<br=<BR>> >&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&n=<BR>> bsp;&nbsp;&nbsp; severity debug 3;<br>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&=<BR>> nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; print-category no;<br=<BR>> >&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&n=<BR>> bsp;&nbsp;&nbsp; print-severity yes;<br>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp=<BR>> ;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; print-time yes;<br>=<BR>> &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; };<br><br><br>&nbsp;&nbsp;&nbsp;=<BR>> &nbsp;&nbsp;&nbsp;&nbsp; category dnssec {dnssec; };<br>&nbsp;&nbsp;&nbsp;&=<BR>> nbsp;&nbsp;&nbsp;&nbsp; category default {default_syslog; };<br>};<br><br><=<BR>> br><br></div><div><br></div><div><br></div></span></body></html><BR>> <BR>> --===============6909298250656410026==<BR>> Content-Type: text/plain; charset="us-ascii"<BR>> MIME-Version: 1.0<BR>> Content-Transfer-Encoding: 7bit<BR>> Content-Disposition: inline<BR>> <BR>> _______________________________________________<BR>> Please visit <A href="https://lists.isc.org/mailman/listinfo/bind-users">https://lists.isc.org/mailman/listinfo/bind-users</A> to unsubscribe from this list<BR>> <BR>> bind-users mailing list<BR>> <a href="mailto:bind-users@lists.isc.org">bind-users@lists.isc.org</a><BR>> <A href="https://lists.isc.org/mailman/listinfo/bind-users">https://lists.isc.org/mailman/listinfo/bind-users</A><BR>> --===============6909298250656410026==--<BR>-- <BR>Mark Andrews, ISC<BR>1 Seymour St., Dundas Valley, NSW 2117, Australia<BR>PHONE: +61 2 9871 4742 INTERNET: <a href="mailto:marka@isc.org">marka@isc.org</a><BR></DIV></BLOCKQUOTE></span></body></html>