zone xfers alternate port again

Jan Vicherek honza at ied.com
Thu Nov 4 03:08:19 UTC 1999



   Hello, that's me again about a way to do a zone xfer when the regular
port is blocked.

  This thread is intended to discuss what it technically takes to
implement automatic zone transfers from a PRIMARY(master) when the
PRIMARY(master) is behind a firewall which denies the ?TCP? port needed to
do zone transfers.
  This thread is not intended to discuss whether it is morally correct,
whether one has permission or whether the whole thing shouldn't be solved
by reconfiguring the firewall. For such discussion please start a new
separate thread with an altogether different subject.


  The setup looks like :

SECONDARY(slave)----Internet----Firewall---PRIMARY(master)
IPs:   [4.3.2.1]                [1.2.3.4]   [1.2.3.5]

  I learned from this list that currently there is no automatic built-in
elegant way to do a zone transfer (such as updating the SECONDARY(slave)
from the PRIMARY(master) ) when the PRIMARY(master) is behind a Firewall
which blocks zone transfers.

 Note: I'm guessing that zone transfers are done using a TCP connection.
If that's not right, please let me know.
 This TCP connection is blocked at the Firewall. The Firewall cannot be
reconfigured under any circumstances. The UDP connection needed to do
regular queries is not blocked, and the PRIMARY can serve individual
domain queries as per usual.


 SUGGESTION for solution: This is my suggestion as to how to solve the
problem using an enhancement to the bind software. It requires that both
SECONDARY (slave) and PRIMARY (master) have this enhancement installed.
 In short: ``Add a "port" option to the "allow-transfer" statement for
both "master" and "slave" zone types. Then the master listens on this port
to allow zone xfer and the slave initiates request for zone xfer to this
port.''


 Please comment on the above solution and suggest another, perhaps better
solution.


   Thanks in advance,

      Jan



PS : the "port" option for the "masters" statement in slave type zone
config is not documented. (In the HTML pages anyway.) What does it do ?

 -- Gospel of Jesus is the saving power of God for all who believe --
                ## To some, nothing is impossible. ##
                   http://Vicherek.Waterloo.on.ca/
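The following named.conf fragments are an added example for the setup drawn in the post above; they are not from Jan's message and not from the BIND documentation. They show what the master side and the slave side could look like with stock BIND syntax: the master gets a second "listen-on" port, and the slave's "masters" statement carries the "port" option the PS asks about. Port 5353, the zone name "example.com" and the file paths are assumptions, as is the premise that the firewall passes both TCP and UDP to 1.2.3.5 on that port: the slave's SOA refresh check is a UDP query and the AXFR itself is a TCP connection, and both go to whatever port "masters" names.

```conf
// Added example, not from the original post and not from the BIND docs.
// Assumptions: port 5353 is free and the firewall lets TCP *and* UDP
// through to 1.2.3.5:5353; zone name and file paths are placeholders.

//// PRIMARY (master), 1.2.3.5 ////////////////////////////////////////
options {
    directory "/var/named";
    // Keep answering ordinary queries on 53 ...
    listen-on port 53   { any; };
    // ... and also accept queries and AXFR on the alternate port.
    // allow-transfer below applies on every listen-on port alike.
    listen-on port 5353 { any; };
};

zone "example.com" {
    type master;
    file "master/example.com.db";
    // Only the slave may pull the zone. Opening a second port does
    // not loosen this; an unrestricted list would.
    allow-transfer { 4.3.2.1; };
    // NOTIFY goes from the master to the slave's port 53 (outbound
    // UDP), so it is not affected by the inbound filter on TCP/53.
    notify yes;
};

//// SECONDARY (slave), 4.3.2.1 ///////////////////////////////////////
options {
    directory "/var/named";
    listen-on port 53 { any; };
};

zone "example.com" {
    type slave;
    file "slave/example.com.db";
    // "masters port N { ... }" is the BIND 8 form (BIND 9 also accepts
    // "1.2.3.5 port 5353;" inside the braces). It sends both the SOA
    // refresh check and the zone transfer request to 1.2.3.5:5353
    // instead of 1.2.3.5:53.
    masters port 5353 { 1.2.3.5; };
};
```

To check the path before relying on the refresh timer, run the transfer by hand from the slave with `dig @1.2.3.5 -p 5353 example.com axfr` and confirm the master logs a transfer from 4.3.2.1; if dig hangs, the firewall is still dropping TCP to 5353 and no amount of named.conf will help. Keep "allow-transfer" restricted to the slave's address (or a TSIG key, where available): the alternate port is as public as port 53 and should not be mistaken for access control.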
