9.14 -> 9.16 - Slaves zones fail to transfer - dns_request_createvia4() failed: permission denied

Kimmo Suominen kimmo at suominen.com
Mon Mar 30 06:53:50 UTC 2020


https://lists.isc.org/pipermail/bind-announce/2020-March/001151.html

From: Michael McNally
Date: Wed Mar 18 23:24:14 UTC 2020
Subject: New releases of BIND are available: 9.11.17, 9.16.1, and 9.17.0

[... snip ...]

And finally, a note for users of the 9.16 branch (which will be added
to documentation in the future but was inadvertently omitted in the
first releases of that branch):  One of the major features of the BIND
9.16 branch is a reworked networking stack designed around the use of
libuv, a multi-platform library for event-driven communications.  One
side effect of this restructured networking stack is that beginning
with 9.16.0, BIND must now use a different port number for sending
queries, notifies, and transfers than the port on which it listens.
Under default circumstances BIND will do the right thing but if you
have specifically configured BIND to set the source port on queries,
notifies, or zone transfers, that port needs to be different than the
main port on which BIND listens (usually port 53.)


On Mon, 30 Mar 2020 at 09:23, Lars-Johan Liman <liman at netnod.se> wrote:
>
> Why?
>
> marka at isc.org 2020-03-30 09:00 [+1100]:
> > Stop using a fixed reserved port for transfers.
>
> >> On 30 Mar 2020, at 08:55, Karl Pielorz <karl.pielorz at getonline.co.uk> wrote:
> >>
> >>
> >> Hi,
> >>
> >> I've recently switched one of our DNS servers from Bind 9.14 to Bind
> >> 9.16 - this is under FreeBSD 11.3
> >>
> >> The switch seemed to go ok - no errors logged, all the master zones
> >> loaded - all the slave zones reloaded, and queries worked until
> >> today - where we just got:
> >>
> >> named[72036]: zone mydomain.com/IN: expired
> >>
> >> And nothing answered for queries for 'mydomain.com'. So, wanting a
> >> 'quick fix' - I shut down bind, removed the slave zone from disk -
> >> and restarted it (thinking it would just pull it in again).
> >>
> >> This didn't result in a successful AXFR from the master - and
> >> instead just another 'expired' error logged.
> >>
> >> Having turned up logging to 'debug' - I seem to be left with:
> >>
> >> 22:29:19.116 general: debug 1: soa_query: zone mydomain.com/IN:
> >> dns_request_createvia4() failed: permission denied
> >>
> >> Anyone know if this is the likely cause of the slave zone not
> >> getting AXFR'd - and any idea how I can fix it?
> >>
> >> The same config worked under 9.14 - I can't see anything in our
> >> config that's 'broken' in 9.16 (and no errors logged) - and I can
> >> manually 'dig' the AXFR from the command line - I'm just a bit
> >> stumped as to what 'dns_request_createvia4()' failing could mean,
> >> and if that's the likely cause.
> >>
> >> Regards,
> >>
> >> -Karl
> >> _______________________________________________
> >> bind-workers mailing list
> >> bind-workers at lists.isc.org
> >> https://lists.isc.org/mailman/listinfo/bind-workers
>
> > --
> > Mark Andrews, ISC
> > 1 Seymour St., Dundas Valley, NSW 2117, Australia
> > PHONE: +61 2 9871 4742              INTERNET: marka at isc.org


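A check for the condition the quoted announcement describes, added here as an example (it is not part of the original thread and is not ISC code): it scans named.conf text for source statements whose fixed port is also a port `named` listens on. The sample configuration is constructed, the function names are hypothetical, and the script assumes no global `port` option changes the default of 53.

```python
import re

# named.conf statements that can pin the outgoing source port.
SOURCE_STMT = re.compile(
    r"\b((?:query|transfer|notify|alt-transfer)-source(?:-v6)?)\b([^;{}]*);")
LISTEN_STMT = re.compile(r"\blisten-on(?:-v6)?\b([^;{]*)\{")
PORT = re.compile(r"\bport\s+(\d+)")
DEFAULT_PORT = 53  # assumption: no global "port" option overrides the default

def strip_comments(conf):
    """Drop /* */, // and # comments so disabled lines are not reported."""
    conf = re.sub(r"/\*.*?\*/", "", conf, flags=re.S)
    return re.sub(r"(?://|#)[^\n]*", "", conf)

def listening_ports(conf):
    """Ports named in listen-on / listen-on-v6; the default if none is given."""
    ports = set()
    for stmt in LISTEN_STMT.finditer(conf):
        port = PORT.search(stmt.group(1))
        ports.add(int(port.group(1)) if port else DEFAULT_PORT)
    return ports or {DEFAULT_PORT}

def find_conflicts(conf_text):
    """Return (statement, port) pairs whose source port is also a listening port."""
    conf = strip_comments(conf_text)
    listen = listening_ports(conf)
    conflicts = []
    for stmt in SOURCE_STMT.finditer(conf):
        port = PORT.search(stmt.group(2))
        if port and int(port.group(1)) in listen:
            conflicts.append((stmt.group(1), int(port.group(1))))
    return conflicts

# Constructed sample configuration (not taken from the thread).
SAMPLE = """
options {
    listen-on port 53 { any; };
    listen-on-v6 { any; };
    query-source address * port 53;       // same as listening port
    transfer-source 192.0.2.10 port 53;   // same as listening port
    notify-source * port 5353;            // distinct port
    # transfer-source-v6 * port 53;
};
"""

if __name__ == "__main__":
    for name, port in find_conflicts(SAMPLE):
        print(f"{name}: source port {port} is also a listening port")
```

Removing the `port` clause from a flagged statement leaves the source port for BIND to choose, which is the default behaviour the announcement refers to.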