Zone transfer problem for BIND name server

Michael Kjorling michael at kjorling.com
Wed Aug 8 10:38:46 UTC 2001



You have to open up both 53/tcp and 53/udp in order for DNS to work
properly. Queries use UDP by default, but if the answer is truncated
(the TC bit is set in the response) then that query should be retried
using TCP. Zone transfers always use TCP and as far as I am aware
there is no way to change this other than to write
non-standards-compliant software. I seriously doubt that other servers
would accept zone transfers over UDP anyway, given that the relevant
RFCs say TCP _only_ for transfers, and UDP and _possibly_ TCP for
queries.

What is the problem with punching the 53/tcp hole in your firewall? As
long as you have something listening on the other end, and that
something is trusted, I see very little reason not to.


Michael Kjörling
PS. I have had 53/tcp and 53/udp open in my firewall since I started
hosting DNS using BIND 9.1.0 at first, and have never had any problems
because of that.


On Aug 8 2001 08:45 +0800, amran at isp.time.net.my wrote:

> Hi all
>
> I'm having a problem doing a zone transfer for my off-site slave name server,
> as the local firewall does not allow TCP for port 53. Could I configure my
> BIND name servers to do the zone transfer using UDP instead of TCP?
> or;
> If I'm running a slave name server to an off-site master server, do I need
> to open the TCP port in the local firewall for the zone transfer?

-- 
Michael Kjörling - michael at kjorling.com - PGP: 8A70E33E
Manager Wolf.COM -- Programmer -- Network Administrator
"We must be the change we wish to see" (Mahatma Gandhi)

^..^     Support the wolves in Norway -- go to     ^..^
 \/   http://home.no.net/ulvelist/protest_int.htm   \/

***** Please only send me emails which concern me *****

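The behaviour described in the reply above, as an added example that is not part of the original post: a minimal DNS client that sends a query over 53/udp, checks the TC bit in the response header, and repeats the same query over 53/tcp (with the 2-byte length prefix TCP DNS uses) when the UDP answer was truncated. The server address, query name and the sample response bytes are constructed for illustration.

```python
import socket
import struct

TC_FLAG = 0x0200  # TC bit in the 16-bit flags word of the DNS header

def build_query(name, qtype=1, qid=0x1234):
    """Build a minimal DNS query: 12-byte header, QNAME, QTYPE, QCLASS IN."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)  # RD set, 1 question
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.rstrip(".").split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)

def tc_bit_set(response):
    """True if the server flagged the response as truncated."""
    if len(response) < 12:
        raise ValueError("DNS message shorter than the 12-byte header")
    flags = struct.unpack("!H", response[2:4])[0]
    return bool(flags & TC_FLAG)

def tcp_frame(message):
    """DNS over TCP prefixes each message with a 2-byte big-endian length."""
    return struct.pack("!H", len(message)) + message

def _recv_exact(sock, n):
    """Read exactly n bytes from a TCP socket (recv may return partial data)."""
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("connection closed before full DNS message")
        buf += chunk
    return buf

def query_with_tcp_fallback(name, server, qtype=1, timeout=3.0):
    """Query over 53/udp; if TC is set, repeat the identical query over 53/tcp.
    Returns (raw response, transport used). Needs network access to run."""
    query = build_query(name, qtype)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as udp:
        udp.settimeout(timeout)
        udp.sendto(query, (server, 53))
        response, _ = udp.recvfrom(4096)
    if not tc_bit_set(response):
        return response, "udp"
    # Truncated: the firewall must also allow 53/tcp for this retry to succeed.
    with socket.create_connection((server, 53), timeout=timeout) as tcp:
        tcp.sendall(tcp_frame(query))
        length = struct.unpack("!H", _recv_exact(tcp, 2))[0]
        return _recv_exact(tcp, length), "tcp"

if __name__ == "__main__":
    print(query_with_tcp_fallback("example.com", "192.0.2.53"))  # constructed server address
```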