Initial BIND 9.9.2 RPZ xfr (spamhaus) failing with "failed to connect: timed out" ?
pgbind9 at ml1.net
Fri Mar 8 02:00:19 UTC 2013
Hi,

With all of your questions/guidance, I made some progress. Definitely some PEBKAC: made a mapping adjustment/correction in my NAT src mapping table.
Checking:

dig soa rpz.spamhaus.org @199.168.90.52

; <<>> DiG 9.9.2-rpz+rl.028.23-P1 <<>> soa rpz.spamhaus.org @199.168.90.52
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 30074
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;rpz.spamhaus.org. IN SOA

;; ANSWER SECTION:
rpz.spamhaus.org. 300 IN SOA need.to.know.only. hostmaster.spamhaus.org. 1362706462 120 120 432000 60

;; AUTHORITY SECTION:
rpz.spamhaus.org. 300 IN NS LOCALHOST.

;; Query time: 84 msec
;; SERVER: 199.168.90.52#53(199.168.90.52)
;; WHEN: Thu Mar 7 17:40:16 2013
;; MSG SIZE rcvd: 132
and,

dig +vc soa rpz.spamhaus.org @199.168.90.52 +trace

; <<>> DiG 9.9.2-rpz+rl.028.23-P1 <<>> +vc soa rpz.spamhaus.org @199.168.90.52 +trace
;; global options: +cmd
;; Received 28 bytes from 199.168.90.52#53(199.168.90.52) in 85 ms
Now

rndc retransfer drop.rpz.spamhaus.org

generates in logs

@ /var/log/messages

07-Mar-2013 17:36:19.459 general: info: received control channel command 'retransfer drop.rpz.spamhaus.org'
07-Mar-2013 17:36:19.544 general: info: zone drop.rpz.spamhaus.org/IN/internal: Transfer started.
07-Mar-2013 17:36:20.518 general: info: zone drop.rpz.spamhaus.org/IN/internal: transferred serial 1362249322
07-Mar-2013 17:40:36.105 general: info: zone drop.rpz.spamhaus.org/IN/internal: serial number (1362249321) received from master 199.168.90.52#53 < ours (1362249322)
07-Mar-2013 17:40:36.190 general: info: zone drop.rpz.spamhaus.org/IN/internal: serial number (1362249321) received from master 199.168.90.53#53 < ours (1362249322)
07-Mar-2013 17:44:38.188 general: info: zone drop.rpz.spamhaus.org/IN/internal: serial number (1362249321) received from master 199.168.90.52#53 < ours (1362249322)
07-Mar-2013 17:44:38.273 general: info: zone drop.rpz.spamhaus.org/IN/internal: serial number (1362249321) received from master 199.168.90.53#53 < ours (1362249322)

@ bind xfer log

...
07-Mar-2013 17:36:19.627 xfer-in: info: transfer of 'drop.rpz.spamhaus.org/IN/internal' from 199.168.90.51#53: connected using x.x.x.144#46189
07-Mar-2013 17:36:20.518 xfer-in: info: transfer of 'drop.rpz.spamhaus.org/IN/internal' from 199.168.90.51#53: Transfer completed: 17 messages, 18019 records, 350529 bytes, 0.890 secs (393852 bytes/sec)
...
So, I *think* it's working as it should now.
One minor issue: I'm running in a chroot. My chroot ROOT dir is "/data/chroot/named".

So with a named.conf zone stanza of:

zone "drop.rpz.spamhaus.org" IN {
    type slave;
    file "/namedb/slave/drop.rpz.spamhaus.org.zone";
    masters { rpz4_spamhaus; };
    allow-query { localhost; };
    allow-transfer { rpz4_spamhaus; };
    request-ixfr yes;
    notify no;
};

I end up with the zone xfer *file* in

ls -al /data/chroot/named/namedb/slave
total 1.3M
drwxr-xr-x 2 named named 4.0K Mar 7 17:36 ./
drwxr-xr-x 5 root  root  4.0K Mar 7 17:34 ../
-rw-r--r-- 1 named named 1.3M Mar 7 17:49 drop.rpz.spamhaus.org.zone
The problem is that chroot gets torn down on bind stop/restart. Prior to bind start, the chroot is assembled from sources in /usr/local/etc/named, copied/mapped to the chroot ROOT /data/chroot/named.

I.e., iiuc, I'll lose that xfer'd zone data any time I stop/restart the bind daemon, requiring a complete re-AXFR rather than just the next IXFR.

Do I need to manually copy the RPZ locally-stored zone data prior to teardown? Or is there some appropriate config to save/write the zone data to a non-chroot dir at xfr?
-pg
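The following is an added example, not code from the post above or from BIND: a stop/start hook that stashes the slave zone files outside the chroot before it is torn down and puts them back once the chroot has been rebuilt, so named finds its last transferred copy and can continue with IXFR instead of a fresh AXFR. It also includes two small parsers, one for the SOA serial in dig output and one for the "transferred serial" line in named's log, so the operator can confirm after a restart that the local copy is current. The stash directory /var/lib/named-stash, the script name named-zones.sh and the "demo" mode are assumptions; the chroot root, the namedb/slave location and the zone name come from the post, and the sample dig answer and log lines are constructed from its numbers.

```shell
#!/bin/sh
# Added example (not from the bind-users post or from BIND): preserve slave zone files
# across a chroot teardown and verify the zone serial afterwards.
# Assumed: stash directory /var/lib/named-stash (placeholder), service user "named",
# slave files under namedb/slave inside the chroot root, as in the post's "file" path.

CHROOT_ROOT="${CHROOT_ROOT:-/data/chroot/named}"
STASH_DIR="${STASH_DIR:-/var/lib/named-stash}"
SLAVE_SUBDIR="namedb/slave"

# Copy every slave zone file out of the chroot before it is torn down.
# Usage: save_slave_zones <chroot-root> <stash-dir>; returns 1 if the slave dir is missing.
save_slave_zones() {
    src="$1/$SLAVE_SUBDIR"
    [ -d "$src" ] || return 1
    mkdir -p "$2" || return 1
    for f in "$src"/*.zone; do
        [ -f "$f" ] || continue          # unmatched glob: no transfer has landed yet
        cp -p "$f" "$2/" || return 1
    done
    return 0
}

# Put stashed zone files back into the rebuilt chroot before named starts.
# named rewrites the file after each (I)XFR, so the service user must own it.
# Usage: restore_slave_zones <stash-dir> <chroot-root> [owner]
restore_slave_zones() {
    dst="$2/$SLAVE_SUBDIR"
    owner="${3:-named}"
    mkdir -p "$dst" || return 1
    for f in "$1"/*.zone; do
        [ -f "$f" ] || continue
        cp -p "$f" "$dst/" || return 1
        chown "$owner" "$dst/$(basename "$f")" || return 1
    done
    return 0
}

# Print the SOA serial from `dig soa <zone>` output read on stdin.
# The ANSWER line is: name ttl IN SOA mname rname serial refresh retry expire minimum.
soa_serial_from_dig() {
    awk '$4 == "SOA" { print $7; exit }'
}

# Print the serial from the most recent "transferred serial N" line of named's log on stdin.
last_transferred_serial() {
    sed -n 's/.*transferred serial \([0-9][0-9]*\).*/\1/p' | tail -n 1
}

# Compare our serial with the master's: prints "current" or "stale", returns 0 or 1.
# Plain numeric comparison; it ignores RFC 1982 serial wraparound, which is acceptable
# for monotonically increasing timestamp-style serials like the ones in the post.
zone_status() {
    ours="$1"; master="$2"
    if [ -n "$ours" ] && [ "$ours" -ge "$master" ]; then
        echo current; return 0
    fi
    echo stale; return 1
}

# Constructed samples in the shape of the post's dig answer and named log lines.
SAMPLE_DIG='drop.rpz.spamhaus.org. 300 IN SOA need.to.know.only. hostmaster.spamhaus.org. 1362249321 120 120 432000 60'
SAMPLE_LOG='07-Mar-2013 17:36:19.544 general: info: zone drop.rpz.spamhaus.org/IN/internal: Transfer started.
07-Mar-2013 17:36:20.518 general: info: zone drop.rpz.spamhaus.org/IN/internal: transferred serial 1362249322'

# Entry point for the init script: "named-zones.sh save" before the chroot is torn down,
# "named-zones.sh restore" after it is rebuilt and before named starts,
# "named-zones.sh demo" to run the parsers on the constructed samples.
case "${1:-}" in
    save)    save_slave_zones "$CHROOT_ROOT" "$STASH_DIR" ;;
    restore) restore_slave_zones "$STASH_DIR" "$CHROOT_ROOT" named ;;
    demo)
        master=$(printf '%s\n' "$SAMPLE_DIG" | soa_serial_from_dig)
        ours=$(printf '%s\n' "$SAMPLE_LOG" | last_transferred_serial)
        echo "master serial $master, ours $ours: $(zone_status "$ours" "$master")"
        ;;
esac
```

On a live system, feed soa_serial_from_dig with the real `dig soa drop.rpz.spamhaus.org @<master>` output and last_transferred_serial with the named log; if the restored file was picked up, the first transfer after the restart is logged as an IXFR rather than a full AXFR, and the two serials agree.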