IXFR journal dump making 9.2.4 server non-responsive

Mark Andrews Mark_Andrews at isc.org
Tue Dec 21 01:09:18 UTC 2004 

> I download, built and installed 9.3.0 today.  Most everything is OK,
> except now I am getting the following errors:
> 
> "Dec 20 18:17:08 penn.admin.private named[26121]: [ID 866145
> local1.info] zone dns-rbl.SOMEDOME.org/IN: refresh: unexpected rcode
> (NXDOMAIN) from master XXX.XX.X.XXX#53 (source 0.0.0.0#0)"
> 
> Where XXX.XX.X.XXX is the remote master server.
> 
> This machine is behind a Cisco 11503 load balancer and also is running
> Solaris 8 with IPMP enabled.  Here is the options section of the
> config:
> 
> options {
> directory       "/var/dns/namedb";
> pid-file        "/var/run/named.pid";
> 
> statistics-file "/var/dns/dns.stats";
> 
> version "Surely you must be joking";
> 
> // Look for more specfics in the zone entries
> transfer-source 172.30.30.43;
> notify-source 172.30.30.43;
> provide-ixfr yes;
> request-ixfr yes;
> notify explicit;
> 
> query-source address 172.30.30.43;
> 
> listen-on { 127.0.0.1;
> 172.30.10.43;
> 172.30.20.43;
> 172.30.30.43;   };
> 
> };
> 
> This machine has two "data" interfaces into the 172.30.30.0/24 net.
> The .43 address should be used for the "bind data", but I am seeing
> traffic get sourced from the other interface when I do a "rndc refresh
> ZONE" when it goes to get the SOA records from the masters and thus
> don't pass the rewrite rules going out the load balancer.
> 
> I know that I am not providing enough enough information in this post,
> but also not sure exactly what info I should post to further trouble
> shoot this.
> 
> Thanks.

	From CHANGES.

1446.   [func]          Implemented undocumented alternate transfer sources
                        from BIND 8.  See use-alt-transfer-source,
                        alt-transfer-source and alt-transfer-source-v6.

                        SECURITY: use-alt-transfer-source is ENABLED unless
                        you are using views.  This may cause a security risk
                        resulting in accidental disclosure of wrong zone
                        content if the master supplying different source
                        content based on IP address.  If you are not certain
                        ISC recommends setting use-alt-transfer-source no;

--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: Mark_Andrews at isc.org

More information about the bind-users mailing list