AXFR from Windows 2008R2 failing after upgrading to 9.18

Lefteris Tsintjelis lefty at spes.gr
Tue May 24 16:15:18 UTC 2022


On 24/5/2022 7:55, Mark Andrews wrote:
> Firstly upgrade the primary.  Microsoft issued a fix for this March 2019.

Would have been the best to do that if possible for sure but 
unfortunately only the workaround can be applied in this case.

> Unknown EDNS options are supposed to be ignored and not produce FORMERR.
> Named has stopped working around broken servers that return FORMERR to unknown
> EDNS options and include the OPT record.  It has also stopped working around
> servers that just echo back the request (including the OPT record) when sending
> FORMERR when the server doesn’t understand EDNS.  These servers should be
> constructing a DNS HEADER from the request with RCODE set to FORMERR and if
> the request was a QUERY and they could parse the QUESTION adding that as well
> as per RFC 1034.  The DNS header alone is enough to send FORMERR.  Nowhere in
> any RFC does it say to echo back the request when sending FORMERR.
> 
> FORMERR + OPT indicates the server understands EDNS.
> 
> You can work around this by adding “server 1.1.2.2 { request-expire no; };” to
> named.conf.

This worked really well! Thank you very much.

>> On 24 May 2022, at 11:12, Lefteris Tsintjelis via bind-users <bind-users at lists.isc.org> wrote:
>>
>> I turned on all log channels and this is the error I get:
>>
>> zone domain.com/IN: refresh: unexpected rcode (FORMERR) from primary1.1.2.2#53 (source 0.0.0.0#0
>>
>> tcpdump seems to also agree with the FORMERR
>>
>> 1.1.2.2.domain > secondary.58648: 113 FormErr- 0/0/1 (45)
>>
>> On 24/5/2022 3:00, Grant Taylor via bind-users wrote:
>>> On 5/23/22 5:55 PM, Lefteris Tsintjelis via bind-users wrote:
>>>> Nothing actually. Windows logs are clean. Unix logs also.
>>> #trustTheBitsOnTheWire
>>> #useTheSniffer
>>> I'd start by capturing w/ tcpdump using the `-s 0` and `-w /path/to/capture.pcapng` options.  Then use Wireshark to analyze the packet capture.
>>> You may see the problem with tcpdump, especially if you turn verbosity up.  But Wireshark has some much nicer decoding and display than tcpdump does.

Regards,

Lefteris
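
The condition discussed in this thread (FORMERR returned together with an OPT record), as an added Python example that is not part of the original messages: it parses a raw DNS response and reports the RCODE, whether an OPT record is present, and which EDNS option codes it carries. The packets and the `build` helper are constructed for illustration; option code 9 is the EDNS EXPIRE option (RFC 7314) that `request-expire` controls.

```python
import struct

OPT_TYPE, EDNS_EXPIRE, FORMERR = 41, 9, 1   # RFC 6891, RFC 7314, RFC 1035

def skip_name(msg, off):
    """Return the offset just past a (possibly compressed) domain name."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if (length & 0xC0) == 0xC0:      # compression pointer is 2 bytes
            return off + 2
        off += 1 + length

def classify(msg):
    """Summarise a DNS response: RCODE, OPT presence, EDNS option codes."""
    _id, flags, qd, an, ns, ar = struct.unpack("!6H", msg[:12])
    off = 12
    for _ in range(qd):                  # each question: name + type + class
        off = skip_name(msg, off) + 4
    has_opt, options = False, []
    for _ in range(an + ns + ar):
        off = skip_name(msg, off)
        rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == OPT_TYPE:            # walk the option TLVs in the RDATA
            has_opt = True
            pos = off
            while pos + 4 <= off + rdlen:
                code, olen = struct.unpack("!HH", msg[pos:pos + 4])
                options.append(code)
                pos += 4 + olen
        off += rdlen
    rcode = flags & 0x000F
    return {"rcode": rcode, "has_opt": has_opt, "options": options,
            "formerr_with_opt": rcode == FORMERR and has_opt}

def build(flags, options=b"", with_opt=True):
    """Constructed sample: SOA question for domain.com, optional OPT RR."""
    msg = struct.pack("!6H", 0x1234, flags, 1, 0, 0, int(with_opt))
    msg += b"\x06domain\x03com\x00" + struct.pack("!HH", 6, 1)   # SOA, IN
    if with_opt:
        msg += b"\x00" + struct.pack("!HHIH", OPT_TYPE, 1232, 0, len(options))
        msg += options
    return msg

# Constructed packets, not captured traffic. 0x8001 = QR set, RCODE FORMERR.
ECHOED_FORMERR = build(0x8001, struct.pack("!HH", EDNS_EXPIRE, 0))
PLAIN_FORMERR = build(0x8001, with_opt=False)
```

Feeding `classify` the UDP payload of a response taken from a packet capture gives the same summary for real traffic.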

