Zone transfers can be lost forever
jean-christophe manciot
actionmystique at gmail.com
Wed Oct 16 13:07:06 UTC 2019
Hi there,
Here's the *context*:
*Ubuntu 19.10 / Debian bullseye 11*
*bind9 9.15.4*
zone "sdxlive.com"
{
    type master;
    file "/etc/bind/db.sdxlive.com";
    // Publishing and activating dnssec keys
    auto-dnssec maintain;
    // Using inline signing
    inline-signing yes;

    allow-transfer { w.x.y.z; };
    ...
}
I'm experiencing a peculiar situation in both aforementioned distributions:
- I have modified a zone file and incremented its serial number on the
master to 2019101515
- the debug log shows that the zone transfer has *successfully* taken place
on the primary towards the secondary server:
15-Oct-2019 16:54:59.075 xfer-out: info: client @0xaaaaaaaaaaaa w.x.y.z#54219 (sdxlive.com): transfer of 'sdxlive.com/IN': IXFR started (serial 2019092407 -> 2019101515)
15-Oct-2019 16:54:59.075 xfer-out: info: client @0xaaaaaaaaaaaa w.x.y.z#54219 (sdxlive.com): transfer of 'sdxlive.com/IN': IXFR ended: 1 messages, 14 records, 1412 bytes, 0.001 secs (1412000 bytes/sec)
15-Oct-2019 16:55:14.078 xfer-out: info: client @0xbbbbbbbbbbbb w.x.y.z#58529 (sdxlive.com): transfer of 'sdxlive.com/IN': AXFR started (serial 2019101515)
15-Oct-2019 16:55:14.078 xfer-out: info: client @0xbbbbbbbbbbbb w.x.y.z#58529 (sdxlive.com): transfer of 'sdxlive.com/IN': AXFR ended: 1 messages, 36 records, 2906 bytes, 0.001 secs (2906000 bytes/sec)
- actually, the zone transfer could not have succeeded, because port 53
on the secondary server was closed to the master
- indeed, the secondary server has no knowledge of the new data:
# named-checkzone -D -f raw -o - sdxlive.com db.sdxlive.com.signed
zone sdxlive.com/IN: loaded serial 2019092407 (DNSSEC signed)
- whatever I try, it seems impossible to retransfer the zone data now that
port 53 is open:
on the primary:
rndc freeze sdxlive.com
serial number --> 2019101614
rndc thaw sdxlive.com
A zone reload and thaw was started.
Check the logs to see the result.
# grep -P "16-Oct-2019 .* xfer-out: .* -> 2019101614" /var/log/named/debug.log
#
on the secondary server:
# named-checkzone -D -f raw -o - sdxlive.com db.sdxlive.com.signed
zone sdxlive.com/IN: loaded serial 2019092407 (DNSSEC signed)
As a summary:
+ there should be some kind of zone transfer control to check whether the
transfer has really taken place or not
+ there should be a way to manually force an immediate zone transfer from
the master to the secondary server(s) even though only the serial number
has changed
So, are these
+ bugs
+ some missing features
+ or am I missing something?
--
Jean-Christophe
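Added example, not part of the message above and not code from the BIND project: a small shell script that does the "transfer control" the post asks for from the outside, by comparing the SOA serial each server actually serves (`dig +short +norecurse SOA`) rather than reading zone files. This matters with inline-signing: the serial of the signed zone named serves is managed by named and can differ from the serial written in the raw zone file, so `named-checkzone` on the file is not the same thing as what the secondary answers. Serials are compared with RFC 1982 modular arithmetic, so the wrap from 4294967295 to 0 is handled. The server names ns1.example.invalid / ns2.example.invalid, the zone sdxlive.com and reaching the secondary over ssh are assumptions for illustration; `rndc retransfer` and `rndc refresh` are real rndc commands.

```shell
#!/usr/bin/env bash
# Added example (not from the original post): compare the SOA serial a
# primary and a secondary actually serve for a zone, and ask the secondary
# to pull the zone again if it is behind.
#
# Assumptions (hypothetical): servers ns1.example.invalid (primary) and
# ns2.example.invalid (secondary), zone sdxlive.com, and an ssh login on
# the secondary that may run rndc.

# Extract the serial (3rd field) from a `dig +short SOA` answer such as
#   "ns1.example. hostmaster.example. 2019101515 3600 900 604800 86400"
# Returns 1 if the input is not an SOA RR.
serial_from_soa() {
    set -- $1
    [ $# -ge 3 ] || return 1
    case $3 in
        ''|*[!0-9]*) return 1 ;;
    esac
    printf '%s\n' "$3"
}

# RFC 1982 comparison: succeeds if serial $1 is newer than serial $2 under
# 32-bit modular arithmetic. A plain -gt test gets the wrap at
# 4294967295 -> 0 wrong; this does not.
serial_gt() {
    d=$(( ($1 - $2) & 0xFFFFFFFF ))
    [ "$d" -ne 0 ] && [ "$d" -lt 2147483648 ]
}

# Serial a given server serves for the zone. +norecurse so we see that
# server's own copy of the zone, not an answer it resolved for us.
served_serial() {
    rr=$(dig +short +norecurse "@$1" "$2" SOA) || return 1
    serial_from_soa "$rr"
}

# Classify the pair of serials: in-sync | secondary-behind | secondary-ahead
zone_state() {
    if [ "$1" = "$2" ]; then
        echo in-sync
    elif serial_gt "$1" "$2"; then
        echo secondary-behind
    else
        echo secondary-ahead
    fi
}

# Live check; kicks the secondary if it lags. $1 primary, $2 secondary, $3 zone.
check_zone() {
    p=$(served_serial "$1" "$3") || { echo "no SOA from $1 for $3" >&2; return 2; }
    s=$(served_serial "$2" "$3") || { echo "no SOA from $2 for $3" >&2; return 2; }
    state=$(zone_state "$p" "$s")
    echo "$3: primary=$p secondary=$s ($state)"
    if [ "$state" = secondary-behind ]; then
        # `rndc retransfer <zone>` forces a full AXFR regardless of the refresh
        # timer; `rndc refresh <zone>` would do an SOA check first and transfer
        # only if the serial went up. ssh is an assumption about how the
        # secondary is reached.
        ssh "$2" rndc retransfer "$3"
    fi
}

# Usage (assumed hostnames):
# check_zone ns1.example.invalid ns2.example.invalid sdxlive.com
```

Run from a host allowed to query both servers; if the secondary reports an older serial than the primary, the script forces a retransfer. On the primary side, `rndc notify <zone>` resends NOTIFY to the secondaries, which is the cheaper first thing to try before a full `rndc retransfer` on the secondary.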