Zone Transfer Problem

Ronan Flood ronan at noc.ulcc.ac.uk
Fri Jul 23 16:40:12 UTC 2004


On Thu, 22 Jul 2004 14:46:16 -0500 (CDT),
Barry Finkel <b19141 at achilles.ctd.anl.gov> wrote:

> I have a zone transfer problem with one zone from a slave to a slave.

I've had a look at this and have some comments ...

> The zone is
> 
>      _sites.phy.anl.gov
> 
> and it is slaved on a BIND 9.2.2 server
> 
>      t1dns1.anl.gov

I can't pull that zone from that server; presumably you have an
allow-transfer on it.  Can you transfer it with dig or named to
another of your own slaves?

> An offsite slave
> 
>      ns2.es.net  (BIND 9.2.3)
> 
> is trying to transfer this zone.  There are no problems with zone
> transfers of any other zones from t1dns1.anl.gov to ns2.es.net.
> This zone happens to be a W2k+3 AD zone that is mastered on an MS W2k+3
> DNS Server, and those AD zones do not change frequently.  As a test,
> I incremented the serial number in another _sites zone on the W2k+3
> DNS Server, and the new zone was transferred successfully to ns2.es.net.
> 
> The message in syslog is
> 
>      Jul 22 12:19:20 thor.ctd.anl.gov named[190]:
>        [ID 866145 daemon.info] client 134.55.6.130#1920:
>        transfer of '_sites.phy.anl.gov/IN': AXFR started
> 
> the transfer never completes.  I have a snoop trace on t1dns1.anl.gov
> for the zone transfer:

Can you compare this with a snoop trace for the other _sites zone
which does transfer successfully?

>      Pkt Direction           Packet Contents
>      --- -------------- ---  ------------------------------------
>       43 ns2 <== t1dns1 UDP  NOTIFY _sites.phy.anl.gov.
>       44 ns2 ==> t1dns1 UDP  SOA query for _sites.phy.anl.gov.
>       45 ns2 ==> t1dns1 UDP  SOA query for _sites.phy.anl.gov.

Why two SOA queries?  How much time elapsed between these?

>       46 ns2 <== t1dns1 UDP  SOA response for _sites.phy.anl.gov.
>       47 ns2 ==> t1dns1 TCP  SYN
>       48 ns2 <== t1dns1 TCP  ACK SYN
>       49 ns2 ==> t1dns1 TCP  ACK
>       50 ns2 ==> t1dns1 TCP  ACK PUSH  What is this packet?

It's the length of the following DNS message.  DNS over TCP has a
2-byte length field before the normal message (see RFC1035 4.2.2).
BIND 9.2.3 (and maybe others, I haven't checked) sends this length
first, then sends the AXFR request.  See packet dumps below.

>       51 ns2 <== t1dns1 TCP  ACK
>       52 ns2 ==> t1dns1 TCP  ACK PUSH  X'fc' = 252 = AXFR _sites.phy.anl.gov.
>       53 ns2 <== t1dns1 TCP  ACK
>       54 ns2 <== t1dns1 TCP  ACK PUSH  Small packet with begin AXFR

Should it be "small", though?  Looking at your packet dump, that's
supposed to be a 1051-byte IP datagram carrying a 997-byte DNS
message with 24 RRs (plus 2-byte length).  How big is the zone?

>       55 ns2 ==> t1dns1 TCP  ACK FIN
>       56 ns2 <== t1dns1 TCP  ACK
>       57 ns2 <== t1dns1 TCP  ACK FIN
> 
> Here is the snoop output for packets 50, 52, and 54:
> -----------------------------------------------------------------------
> ETHER:  ----- Ether Header -----
> ETHER:
> ETHER:  Packet 50 arrived at 14:21:36.14
> ETHER:  Packet size = 68 bytes
> ETHER:  Destination = 0:3:ba:53:58:c9,
> ETHER:  Source      = 0:5:5f:34:ff:fc,
> ETHER:  Ethertype = 0800 (IP)
> ETHER:
> IP:   ----- IP Header -----
> IP:
> IP:   Version = 4
> IP:   Header length = 20 bytes
> IP:   Type of service = 0x00
> IP:         xxx. .... = 0 (precedence)
> IP:         ...0 .... = normal delay
> IP:   Header checksum = 66b0
> IP:   Source address = 134.55.6.130, 134.55.6.130
> IP:   Destination address = 130.202.101.6, 130.202.101.6
> IP:   No options
> IP:
> TCP:  ----- TCP Header -----
> TCP:
> TCP:  Source port = 2171
> TCP:  Destination port = 53 (DNS)
> TCP:  Sequence number = 1643276396
> TCP:  Acknowledgement number = 3319370249
> TCP:  Data offset = 32 bytes
> TCP:  Flags = 0x18
> TCP:        0... .... = No ECN congestion window reduced
> TCP:        .0.. .... = No ECN echo
> TCP:        ..0. .... = No urgent pointer
> TCP:        ...1 .... = Acknowledgement
> TCP:        .... 1... = Push
> TCP:        .... .0.. = No reset
> TCP:        .... ..0. = No Syn
> TCP:        .... ...0 = No Fin
> TCP:  Window = 57456
> TCP:  Checksum = 0x43f4
> TCP:  Urgent pointer = 0
> TCP:  Options: (12 bytes)
> TCP:    - No operation
> TCP:    - No operation
> TCP:    - TS Val = 197242397, TS Echo = 59372870
> TCP:
> DNS:  ----- DNS:   -----
> DNS:
> DNS:  ""
> DNS:
> 
> 
>            0: 0003 ba53 58c9 0005 5f34 fffc 0800 4500    ...SX..._4....E.
>           16: 0036 6788 4000 3806 66b0 8637 0682 82ca    .6g.@.8.f..7....
>           32: 6506 087b 0035 61f2 686c c5d9 9209 8018    e..{.5a.hl......
>           48: e070 43f4 0000 0101 080a 0bc1 ae1d 0389    .pC.............
>           64: f546 0024                                  .F.$

  0: 0003 ba53 58c9 0005 5f34 fffc 0800       -- ethernet src/dst/type (IP)
                                        4500  -- IPv4, 5 word hdr, no TOS
 16: 0036                                     -- 54 byte packet (inc hdr)
          6788 4000 3806 66b0 8637 0682 82ca  -- rest of IP hdr (src/dst etc)
 32: 6506                                     -- ...
          087b 0035 61f2 686c c5d9 9209       -- TCP hdr (src/dst ports etc)
                                        8018  -- 8 word hdr, flags ACK+PUSH
 48: e070 43f4 0000
                    0101 080a 0bc1 ae1d 0389  -- TCP options (nop, nop, time)
 64: f546                                     -- ...
          0024                                -- data!  length of DNS message
                                              -- following, 36 bytes
> 
> -----------------------------------------------------------------------
> ETHER:  ----- Ether Header -----
> ETHER:
> ETHER:  Packet 52 arrived at 14:21:36.17
> ETHER:  Packet size = 102 bytes
> ETHER:  Destination = 0:3:ba:53:58:c9,
> ETHER:  Source      = 0:5:5f:34:ff:fc,
> ETHER:  Ethertype = 0800 (IP)
> ETHER:
> IP:   ----- IP Header -----
> IP:
> IP:   Version = 4
> IP:   Header length = 20 bytes
> IP:   Type of service = 0x00
> IP:         xxx. .... = 0 (precedence)
> IP:         ...0 .... = normal delay
> IP:         .... 0... = normal throughput
> IP:         .... .0.. = normal reliability
> IP:         .... ..0. = not ECN capable transport
> IP:         .... ...0 = no ECN congestion experienced
> IP:   Total length = 88 bytes
> IP:   Identification = 26506
> IP:   Flags = 0x4
> IP:         .1.. .... = do not fragment
> IP:         ..0. .... = last fragment
> IP:   Fragment offset = 0 bytes
> IP:   Time to live = 56 seconds/hops
> IP:   Protocol = 6 (TCP)
> IP:   Header checksum = 668c
> IP:   Source address = 134.55.6.130, 134.55.6.130
> IP:   Destination address = 130.202.101.6, 130.202.101.6
> IP:   No options
> IP:
> TCP:  ----- TCP Header -----
> TCP:
> TCP:  Source port = 2171
> TCP:  Destination port = 53 (DNS)
> TCP:  Sequence number = 1643276398
> TCP:  Acknowledgement number = 3319370249
> TCP:  Data offset = 32 bytes
> TCP:  Flags = 0x18
> TCP:        0... .... = No ECN congestion window reduced
> TCP:        .0.. .... = No ECN echo
> TCP:        ..0. .... = No urgent pointer
> TCP:        ...1 .... = Acknowledgement
> TCP:        .... 1... = Push
> TCP:        .... .0.. = No reset
> TCP:        .... ..0. = No Syn
> TCP:        .... ...0 = No Fin
> TCP:  Window = 57456
> TCP:  Checksum = 0x330e
> TCP:  Urgent pointer = 0
> TCP:  Options: (12 bytes)
> TCP:    - No operation
> TCP:    - No operation
> TCP:    - TS Val = 197242400, TS Echo = 59372873
> TCP:
> DNS:  ----- DNS:   -----
> DNS:
> DNS:  ""
> DNS:
> 
> 
>            0: 0003 ba53 58c9 0005 5f34 fffc 0800 4500    ...SX..._4....E.
>           16: 0058 678a 4000 3806 668c 8637 0682 82ca    .Xg.@.8.f..7....
>           32: 6506 087b 0035 61f2 686e c5d9 9209 8018    e..{.5a.hn......
>           48: e070 330e 0000 0101 080a 0bc1 ae20 0389    .p3.......... ..
>           64: f549 1a63 0000 0001 0000 0000 0000 065f    .I.c..........._
>           80: 7369 7465 7303 7068 7903 616e 6c03 676f    sites.phy.anl.go
>           96: 7600 00fc 0001                             v.....

 0-65 as above, then 36 bytes of DNS as promised in packet 50:

 1a63 query id, 0000 standard query, 0001 one question,
 0000 0000 0000 no answers no authority no additional,
 _sites.phy.anl.gov, 00fc AXFR, 0001 IN

> -----------------------------------------------------------------------
> ETHER:  ----- Ether Header -----
> ETHER:
> ETHER:  Packet 54 arrived at 14:21:36.17
> ETHER:  Packet size = 256 bytes

Note the above.

> ETHER:  Destination = 0:0:c:7:ac:0, Cisco
> ETHER:  Source      = 0:3:ba:53:58:c9,
> ETHER:  Ethertype = 0800 (IP)
> ETHER:
> IP:   ----- IP Header -----
> IP:
> IP:   Version = 4
> IP:   Header length = 20 bytes
> IP:   Type of service = 0x00
> IP:         xxx. .... = 0 (precedence)
> IP:         ...0 .... = normal delay
> IP:         .... 0... = normal throughput
> IP:         .... .0.. = normal reliability
> IP:         .... ..0. = not ECN capable transport
> IP:         .... ...0 = no ECN congestion experienced
> IP:   Total length = 1051 bytes -- truncated

What happened to the rest of it, or did you just run snoop -s 256 ?

> IP:   Identification = 29824
> IP:   Flags = 0x4
> IP:         .1.. .... = do not fragment
> IP:         ..0. .... = last fragment
> IP:   Fragment offset = 0 bytes
> IP:   Time to live = 64 seconds/hops
> IP:   Protocol = 6 (TCP)
> IP:   Header checksum = 4dd3
> IP:   Source address = 130.202.101.6, 130.202.101.6
> IP:   Destination address = 134.55.6.130, 134.55.6.130
> IP:   No options
> IP:
> TCP:  ----- TCP Header -----
> TCP:
> TCP:  Source port = 53
> TCP:  Destination port = 2171
> TCP:  Sequence number = 3319370249
> TCP:  Acknowledgement number = 1643276434
> TCP:  Data offset = 32 bytes
> TCP:  Flags = 0x18
> TCP:        0... .... = No ECN congestion window reduced
> TCP:        .0.. .... = No ECN echo
> TCP:        ..0. .... = No urgent pointer
> TCP:        ...1 .... = Acknowledgement
> TCP:        .... 1... = Push
> TCP:        .... .0.. = No reset
> TCP:        .... ..0. = No Syn
> TCP:        .... ...0 = No Fin
> TCP:  Window = 49248
> TCP:  Checksum = 0x7897
> TCP:  Urgent pointer = 0
> TCP:  Options: (12 bytes)
> TCP:    - No operation
> TCP:    - No operation
> TCP:    - TS Val = 59372875, TS Echo = 197242400
> TCP:
> DNS:  ----- DNS:   -----
> DNS:
> DNS:  ""
> DNS:
> 
> 
>            0: 0000 0c07 ac00 0003 ba53 58c9 0800 4500    .........SX...E.
>           16: 041b 7480 4000 4006 4dd3 82ca 6506 8637    ..t.@.@.M...e..7
>           32: 0682 0035 087b c5d9 9209 61f2 6892 8018    ...5.{....a.h...
>           48: c060 7897 0000 0101 080a 0389 f54b 0bc1    .`x..........K..
>           64: ae20 03e5 1a63 8480 0001 0018 0000 0000    . ...c..........
>           80: 065f 7369 7465 7303 7068 7903 616e 6c03    ._sites.phy.anl.
>           96: 676f 7600 00fc 0001 c00c 0006 0001 0000    gov.............
>          112: 0e10 002c 0872 6869 6e6f 3232 31c0 170a    ...,.rhino221...
>          128: 686f 7374 6d61 7374 6572 c017 0000 0027    hostmaster.....'
>          144: 0000 0384 0000 0258 0001 5180 0000 0e10    .......X..Q.....
>          160: c00c 0002 0001 0000 0e10 000c 036e 7332    .............ns2
>          176: 0265 7303 6e65 7400 c00c 0002 0001 0000    .es.net.........
>          192: 0e10 000a 036e 7378 036c 626c c01b c00c    .....nsx.lbl....
>          208: 0002 0001 0000 0e10 0007 0464 6e73 31c0    ...........dns1.
>          224: 17c0 0c00 0200 0100 000e 1000 0704 646e    ..............dn
>          240: 7332 c017 c00c 0002 0001 0000 0e10 0009    s2..............

 0-65 as above, then

 03e5 997 bytes of DNS message, 1a63 query id, 8480 response AA+RA
 NOERROR, 0001 one question, 0018 24 answers, 0000 0000 no authority
 no additional, _sites.phy.anl.gov, 00fc AXFR, 0001 IN, c00c compression
 pointer back to _sites.phy.anl.gov, 0006 SOA, 0001 IN, 0000 0e10 TTL 3600,
 002c 44 bytes of SOA rhino221.anl.gov. hostmaster.anl.gov. (compressed),
 0000 0027 serial 39, 0000 0384 refresh 900, 0000 0258 retry 600,
 0001 5180 expire 86400, 0000 0e10 minimum TTL 3600, then NS records

> -----------------------------------------------------------------------
> 
> Can anyone determine what is happening here?  Thanks.

Have you tried turning off many-answers for this server in your
named.conf?

  server 134.55.6.130 { transfer-format one-answer; };

Might help narrow the problem down.

-- 
                      Ronan Flood <R.Flood at noc.ulcc.ac.uk>
                        working for but not speaking for
             Network Services, University of London Computer Centre
     (which means: don't bother ULCC if I've said something you don't like)
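
The DNS-over-TCP framing discussed in the message above (a 2-byte length, then the DNS message, possibly arriving in separate TCP segments), as an added example that is not part of the original message. The class and function names are hypothetical; the payload bytes are copied from the hex dumps of packets 50, 52 and 54.

```python
import struct

class DnsTcpFramer:
    """Reassembles DNS messages from TCP payloads (RFC 1035 section 4.2.2)."""

    def __init__(self):
        self.buf = bytearray()

    def feed(self, segment):
        """Append one TCP payload; return the DNS messages completed by it."""
        self.buf += segment
        done = []
        while len(self.buf) >= 2:
            (length,) = struct.unpack("!H", self.buf[:2])
            if len(self.buf) < 2 + length:
                break  # message still incomplete, wait for more segments
            done.append(bytes(self.buf[2:2 + length]))
            del self.buf[:2 + length]
        return done

    def missing(self):
        """Bytes still needed for the message in progress, None if no prefix yet."""
        if len(self.buf) < 2:
            return None
        (length,) = struct.unpack("!H", self.buf[:2])
        return 2 + length - len(self.buf)

def parse_question(msg):
    """Decode the header and first question of a DNS message."""
    qid, flags, qdcount, ancount = struct.unpack("!4H", msg[:8])
    labels, pos = [], 12
    while msg[pos] != 0:
        n = msg[pos]
        if n & 0xC0:
            raise ValueError("compression pointer not expected in first question")
        labels.append(msg[pos + 1:pos + 1 + n].decode("ascii"))
        pos += 1 + n
    qtype, qclass = struct.unpack("!2H", msg[pos + 1:pos + 5])
    return {"id": qid, "flags": flags, "ancount": ancount,
            "qname": ".".join(labels) + ".", "qtype": qtype, "qclass": qclass}

# TCP payloads copied from the hex dumps in the message above.
PKT50 = bytes.fromhex("0024")                      # length prefix sent on its own
PKT52 = bytes.fromhex("1a63 0000 0001 0000 0000 0000 065f 7369 7465 7303"
                      "7068 7903 616e 6c03 676f 7600 00fc 0001")
PKT54_HEAD = bytes.fromhex("03e5 1a63 8480 0001 0018 0000 0000")  # first 14 bytes only
```

Feeding `PKT50` alone yields no message; `PKT52` then completes the 36-byte AXFR query. Feeding only `PKT54_HEAD` leaves the framer waiting on the rest of the 997-byte response, which is what a receiver sees if the remainder never arrives.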