bind10-devel-20120119 outgoing zone transfer failure

Spain, Dr. Jeffry A. spainj at countryday.net
Thu Feb 23 16:04:51 UTC 2012


>> The problem seems to be at step 8 where nsb0 is closing the TCP session after responding to the SOA query, contrary to the expectations of nsb0s. I don't know for sure whether or not the DNS protocol allows for more than one query/response over a single TCP session, but bind9 seems to be designed that way.

> It is allowed. We are allowed to close inactive TCP sessions, but considering it inactive after a single query is probably using the lawyer approach (bend it until it breaks) on the specs (meaning, we shouldn't do it, but if we chose the right wording, it could be allowed).

> Anyway, sharing the same TCP connection between auth and xfrout could be another reason for the receptionist approach (the one that does the answering itself, and there's a single TCP connection to each of the answering processes).

Thanks. I think the receptionist approach will be necessary if you want to be able to interoperate with bind9 servers. In my scenario bind9 sends the SOA query over TCP and bind10 responds. Then it becomes a race between bind10 sending its [FIN, ACK] segment and bind9 sending its AXFR query. Bind10 usually wins with a time of about 100 microseconds with bind9 coming in between 300 and 400 microseconds after the SOA response. It's clearly not reasonable to consider the TCP session inactive after less than a millisecond of idle time. I don't believe that there is any way to configure bind9 to not send multiple queries over the same TCP session.

Jeff.
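The exchange discussed in this message, as an added example that is not part of the original post and is not bind9 or bind10 code: a server loop that keeps one TCP connection open for several length-prefixed queries until an idle timeout, next to the close-after-one-response behaviour. The payloads, the `IDLE_TIMEOUT` value and all function names are assumptions made for the illustration.

```python
import socket, struct, threading

IDLE_TIMEOUT = 2.0  # assumed value: seconds of silence before the server hangs up

def recv_exact(sock, n):
    # Read exactly n bytes; None means the peer closed first.
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            return None
        buf += chunk
    return buf

def read_msg(sock):
    # DNS over TCP framing: 2-byte big-endian length, then the message.
    hdr = recv_exact(sock, 2)
    return None if hdr is None else recv_exact(sock, struct.unpack("!H", hdr)[0])

def send_msg(sock, payload):
    sock.sendall(struct.pack("!H", len(payload)) + payload)

def serve(conn, close_after_first):
    # close_after_first=True models the behaviour reported in the thread.
    conn.settimeout(IDLE_TIMEOUT)
    try:
        while (query := read_msg(conn)) is not None:
            send_msg(conn, b"RESP:" + query)  # constructed reply, not DNS wire format
            if close_after_first:
                break
    except OSError:  # idle timeout or peer reset
        pass
    finally:
        conn.close()

def run_client(close_after_first):
    # Send SOA then AXFR on one connection; return the responses received.
    client, server = socket.socketpair()
    t = threading.Thread(target=serve, args=(server, close_after_first))
    t.start()
    responses = []
    try:
        for q in (b"SOA example.org", b"AXFR example.org"):  # constructed payloads
            send_msg(client, q)
            if (resp := read_msg(client)) is None:
                break
            responses.append(resp)
    except OSError:  # EPIPE / ECONNRESET when the server already closed
        pass
    finally:
        client.close()
        t.join()
    return responses
```

`run_client(False)` returns both responses; `run_client(True)` returns only the SOA response, whichever side wins the race between the server's close and the client's second query.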

