zone transfers sticking on one port?
Chris Fabri
fabric at northwestern.edu
Tue Mar 16 16:02:48 UTC 2004
At 06:35 PM 3/15/2004, Mark Andrews wrote:
> > At 05:56 PM 3/15/2004, Mark Andrews wrote:
> >
> >
> > > Failure to get a answer is not normally a reason to change
> > > port. It normally indicates that a host / link is down.
> > > Changing port is not a indicated solution to this problem.
> > >
> > > Even if named was capable of receiving the ICMP message
> > > (your firewall does generate a ICMP message?) there is
> > > nothing in ICMP messages to say "Try a different source
> > > port".
> >
> >
> > Not a firewall. Just a port block on the border. But this is what I need
> > to know, named should behave that way. And I know what to look for in
> the
> > future.
>
> You implemented a firewall when you blocked the port. While
> firewall often perform other functions the simplest firewalls
> are just port blockers.
Ah yes, Mr. Specific, that is true. :) I like to think of a port block as
a port block, and a firewall as something a bit more complex . Po-tay-to,
po-tah-to, just how we look at it. I think lumping a simple port block
into the category of "firewall" justs adds to the confusion when you have
to describe this stuff to the non-technical, despite the fact that they do
in fact server the exact same function.
>
> > named may not be capable of receiving an ICMP message, but it knows if it
> > doesn't get a response back or not, right (based on whether the zone gets
> > transferred or not)? Is this something that would be useful for bind to
> > do, skip on to another port if it's not successfully loading the
> > zone?
>
> No. Stupid firewalls should be fixed not worked around.
My suggessting was for dealing with stuff outside of *my* control. If NU
made the mistake of blocking this port, it's certainly feasible for other's
to do the same. I can't fix somebody else's stupid firewall, and will
perhaps only be marginally more successful dealing with it's adminstrator.
You may say it's stupid firewalls, but the way I see this, the application
is not dealing with this in an optimal fashion.
However, would disabling IXFR, which would force a TCP port AXFR transfer
make this specific point a non-issue? Since the TCP connection would
realize it's not hearing back, and then use a different port? Obviously
this is sub-optimal for a number of other reasons, but I'm just trying to
get my head around all aspects of this. chris
More information about the bind-users
mailing list