bind axfr refused but still allows ixfr?
Mark Andrews
Mark_Andrews at isc.org
Mon Apr 10 20:50:28 UTC 2006
> Using bind 9
>
> I set allow-transfer { none; }
>
> It seems to refuse an AXFR request, but still allows IXFR.. how do i disabl
> e this.
>
>
> $ dig @localhost AXFR domain.tld
>
> ; <<>> DiG 9.2.4 <<>> @localhost AXFR domain.tld
> ;; global options: printcmd
> ; Transfer failed.
>
>
>
> $ dig @localhost IXFR domain.tld
> ;; Warning, ixfr requires a serial number
>
> ; <<>> DiG 9.2.4 <<>> @localhost IXFR domain.tld
> ;; global options: printcmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 22975
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
>
> ;; QUESTION SECTION:
> ;domain.tld. IN A
>
> ;; AUTHORITY SECTION:
> . 10800 IN SOA A.ROOT-SERVERS.NET. NSTLD.VER
> ISIGN-GRS.COM. 2006040700 1800 900 604800 86400
>
> ;; Query time: 10 msec
> ;; SERVER: 127.0.0.1#53(localhost)
> ;; WHEN: Fri Apr 7 21:45:06 2006
> ;; MSG SIZE rcvd: 103
>
>
> >From another box i tried this also. The AXFR had the same result. For the IX
> FR request, it said it required an SOA. Im assuming that means
> it would have performed the transfer. Is this true, or am I covered for both
> ?
Well dig cannot attempt a IXFR if it doesn't know where to start
the IXFR from. You actually asked for the A record for domain.tld.
dig domain.tld ixfr=1 @localhost +all
also use "ixfr=" not "IXFR=". One of the compares in not case
insensitive.
Mark
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: Mark_Andrews at isc.org
More information about the bind-users
mailing list